From 5f0645961045c10b9ae45522e566a6e33d73f0f6 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 10:03:12 -0700 Subject: [PATCH 001/458] new landing --- windows/security/index.yml | 46 +++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 83e7dcbb53..29ac6d128a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,38 +1,64 @@ ### YamlMime:Hub title: Windows 10 Enterprise Security # < 60 chars -summary: Secure corporate data and manage risk. # < 160 chars +summary: Security from chip to cloud. # < 160 chars # brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin brand: windows metadata: title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about enterprise-grade security features in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. services: windows ms.product: windows ms.topic: hub-page # Required ms.collection: M365-security-compliance # Optional; Remove if no collection is used. author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 01/08/2018 #Required; mm/dd/yyyy format. + ms.date: 09/30/2021 #Required; mm/dd/yyyy format. ms.localizationpriority: high # productDirectory section (optional) productDirectory: items: # Card - - title: Identity and access management + - title: Security foundation + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: Security assurances and certifications + url: ./information-protection/index.md + + # Card + - title: Hardware security # imageSrc should be square in ratio with no whitespace imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data + summary: Hardware root of trust and silicon-assisted security url: ./identity-protection/index.md # Card - - title: Threat protection + - title: Operating system protection imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Stop cyberthreats and quickly identify and respond to breaches + summary: Windows security enhancements url: ./threat-protection/index.md # Card - - title: Information protection + - title: Threat protection imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Identify and secure critical data to prevent data loss - url: ./information-protection/index.md \ No newline at end of file + summary: Protection from external attacks and threats + url: ./information-protection/index.md + # Card + - title: Application protection + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: App protections + url: ./information-protection/index.md + # Card + - title: User protection + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: Protecting your users + url: ./information-protection/index.md + # Card + - title: Privacy controls + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: Manage your privacy settings + url: ./information-protection/index.md + # Card + - title: Cloud security + imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg + summary: Additional cloud-based security and management solutions + url: ./information-protection/index.md From f5cebb67e82a1893f586feaabf0f02709fa48561 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 10:35:09 -0700 Subject: [PATCH 002/458] more --- windows/security/security-foundation/TOC.yml | 9 +++++ .../security/security-foundation/index.yml | 39 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 windows/security/security-foundation/TOC.yml create mode 100644 windows/security/security-foundation/index.yml diff --git a/windows/security/security-foundation/TOC.yml b/windows/security/security-foundation/TOC.yml new file mode 100644 index 0000000000..70e61e303f --- /dev/null +++ b/windows/security/security-foundation/TOC.yml @@ -0,0 +1,9 @@ +- name: Security + href: index.yml + items: + - name: Identity and access management + href: identity-protection/index.md + - name: Information protection + href: information-protection/index.md + - name: Threat protection + href: threat-protection/index.md diff --git a/windows/security/security-foundation/index.yml b/windows/security/security-foundation/index.yml new file mode 100644 index 0000000000..97eae49e18 --- /dev/null +++ b/windows/security/security-foundation/index.yml @@ -0,0 +1,39 @@ +### YamlMime:Landing + +title: Windows security foundation # < 60 chars +summary: Learn about Windows security foundations. # < 160 chars + +metadata: + title: Windows security foundation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security foundation # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required + ms.collection: m365-security-compliance + author: dansimp #Required; your GitHub user alias, with correct capitalization. + ms.author: dansimp #Required; microsoft alias of author; optional team alias. + ms.date: 09/30/2021 #Required; mm/dd/yyyy format. + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security assurance + linkLists: + - linkListType: overview + links: + - text: Microsoft Security Development Lifecycle (SDL) + url: /previous-versions/windows/desktop/cc307891(v=msdn.10) + - text: Microsoft bounty program + url: https://www.microsoft.com/msrc/bounty + # Card + - title: Certifications + linkLists: + - linkListType: overview + links: + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: /windows/security/threat-protection/fips-140-validation + - text: Common Criteria Certifications + url: /windows/security/threat-protection/windows-platform-common-criteria + \ No newline at end of file From 3ee4d7320172bb61dad3da1466c84c5ad5a9160d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 10:45:48 -0700 Subject: [PATCH 003/458] new toc --- windows/security/security-foundation/TOC.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/security-foundation/TOC.yml b/windows/security/security-foundation/TOC.yml index 70e61e303f..e52bc796f3 100644 --- a/windows/security/security-foundation/TOC.yml +++ b/windows/security/security-foundation/TOC.yml @@ -1,9 +1,8 @@ -- name: Security +- name: Security foundation href: index.yml items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: FIPS 140-2 Validation + href: /windows/security/threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: /windows/security/threat-protection/windows-platform-common-criteria.md + From de0651579c191a6482de2d5ff59c35c9b7b8a6b2 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:13:41 -0700 Subject: [PATCH 004/458] one big TOC --- windows/security/TOC.yml | 22 ++++++--- windows/security/index.yml | 94 +++++++++++++++----------------------- 2 files changed, 52 insertions(+), 64 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 70e61e303f..818858dece 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,9 +1,17 @@ -- name: Security + +- name: Windows security foundation href: index.yml + expanded: true items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: FIPS 140-2 Validation + href: /windows/security/threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: /windows/security/threat-protection/windows-platform-common-criteria.md +- name: Windows hardware Security + items: + - name: Trusted Platform Module (TPM) overview + href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md + - name: Protect derived domain credentials with Windows Defender Credential Guard + href: /windows/security/identity-protection/credential-guard/credential-guard.md + - name: Kernel DMA Protection + href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file diff --git a/windows/security/index.yml b/windows/security/index.yml index 29ac6d128a..0e1f888e64 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,64 +1,44 @@ -### YamlMime:Hub +### YamlMime:Landing -title: Windows 10 Enterprise Security # < 60 chars -summary: Security from chip to cloud. # < 160 chars -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin -brand: windows +title: Windows security # < 60 chars +summary: Learn about Windows security from chip to cloud. # < 160 chars metadata: - title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows - ms.product: windows - ms.topic: hub-page # Required - ms.collection: M365-security-compliance # Optional; Remove if no collection is used. + title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required + ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. ms.date: 09/30/2021 #Required; mm/dd/yyyy format. - ms.localizationpriority: high + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -# productDirectory section (optional) -productDirectory: - items: - # Card - - title: Security foundation - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Security assurances and certifications - url: ./information-protection/index.md - - # Card - - title: Hardware security - # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Hardware root of trust and silicon-assisted security - url: ./identity-protection/index.md - # Card - - title: Operating system protection - imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Windows security enhancements - url: ./threat-protection/index.md - # Card - - title: Threat protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Protection from external attacks and threats - url: ./information-protection/index.md - # Card - - title: Application protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: App protections - url: ./information-protection/index.md - # Card - - title: User protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Protecting your users - url: ./information-protection/index.md - # Card - - title: Privacy controls - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Manage your privacy settings - url: ./information-protection/index.md - # Card - - title: Cloud security - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Additional cloud-based security and management solutions - url: ./information-protection/index.md +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: /windows/security/threat-protection/fips-140-validation + - text: Common Criteria Certifications + url: /windows/security/threat-protection/windows-platform-common-criteria + - text: Microsoft Security Development Lifecycle (SDL) + url: /previous-versions/windows/desktop/cc307891(v=msdn.10) + - text: Microsoft bounty program + url: https://www.microsoft.com/msrc/bounty + # Card (optional) + - title: Hardware security + linkLists: + - linkListType: overview + links: + - name: Trusted Platform Module (TPM) overview + href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md + - name: Protect derived domain credentials with Windows Defender Credential Guard + href: /windows/security/identity-protection/credential-guard/credential-guard.md + - name: Kernel DMA Protection + href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.m \ No newline at end of file From 49a29668dc3cda2dde74b920317854a71110a8e2 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:19:38 -0700 Subject: [PATCH 005/458] fixing build issues --- windows/security/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0e1f888e64..aca0718a29 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -24,9 +24,9 @@ landingContent: - linkListType: overview links: - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation + url: /windows/security/threat-protection/fips-140-validation.md - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria + url: /windows/security/threat-protection/windows-platform-common-criteria.md - text: Microsoft Security Development Lifecycle (SDL) url: /previous-versions/windows/desktop/cc307891(v=msdn.10) - text: Microsoft bounty program @@ -41,4 +41,4 @@ landingContent: - name: Protect derived domain credentials with Windows Defender Credential Guard href: /windows/security/identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection - href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.m \ No newline at end of file + href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file From d7b21ad9297c397a5c555bd129dc4b5ca4577b83 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:20:13 -0700 Subject: [PATCH 006/458] rm --- windows/security/security-foundation/TOC.yml | 8 ---- .../security/security-foundation/index.yml | 39 ------------------- 2 files changed, 47 deletions(-) delete mode 100644 windows/security/security-foundation/TOC.yml delete mode 100644 windows/security/security-foundation/index.yml diff --git a/windows/security/security-foundation/TOC.yml b/windows/security/security-foundation/TOC.yml deleted file mode 100644 index e52bc796f3..0000000000 --- a/windows/security/security-foundation/TOC.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Security foundation - href: index.yml - items: - - name: FIPS 140-2 Validation - href: /windows/security/threat-protection/fips-140-validation.md - - name: Common Criteria Certifications - href: /windows/security/threat-protection/windows-platform-common-criteria.md - diff --git a/windows/security/security-foundation/index.yml b/windows/security/security-foundation/index.yml deleted file mode 100644 index 97eae49e18..0000000000 --- a/windows/security/security-foundation/index.yml +++ /dev/null @@ -1,39 +0,0 @@ -### YamlMime:Landing - -title: Windows security foundation # < 60 chars -summary: Learn about Windows security foundations. # < 160 chars - -metadata: - title: Windows security foundation # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about Windows security foundation # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - ms.collection: m365-security-compliance - author: dansimp #Required; your GitHub user alias, with correct capitalization. - ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/30/2021 #Required; mm/dd/yyyy format. - localization_priority: Priority - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new - -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Security assurance - linkLists: - - linkListType: overview - links: - - text: Microsoft Security Development Lifecycle (SDL) - url: /previous-versions/windows/desktop/cc307891(v=msdn.10) - - text: Microsoft bounty program - url: https://www.microsoft.com/msrc/bounty - # Card - - title: Certifications - linkLists: - - linkListType: overview - links: - - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation - - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria - \ No newline at end of file From fb6fc95b75a994efa5a2f8be614909bc7bd58df6 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:23:32 -0700 Subject: [PATCH 007/458] url --- windows/security/index.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index aca0718a29..ee8986dea8 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -28,7 +28,7 @@ landingContent: - text: Common Criteria Certifications url: /windows/security/threat-protection/windows-platform-common-criteria.md - text: Microsoft Security Development Lifecycle (SDL) - url: /previous-versions/windows/desktop/cc307891(v=msdn.10) + url: /previous-versions/windows/desktop/cc307891(v=msdn.10) - text: Microsoft bounty program url: https://www.microsoft.com/msrc/bounty # Card (optional) @@ -37,8 +37,8 @@ landingContent: - linkListType: overview links: - name: Trusted Platform Module (TPM) overview - href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md + url: /windows/security/information-protection/tpm/trusted-platform-module-overview.md - name: Protect derived domain credentials with Windows Defender Credential Guard - href: /windows/security/identity-protection/credential-guard/credential-guard.md + url: /windows/security/identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection - href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file + url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file From b8c9dd3dba72cb7002e3fb1a802ddb427e583ff0 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:28:22 -0700 Subject: [PATCH 008/458] t --- windows/security/index.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index ee8986dea8..86e84caf8f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -30,15 +30,4 @@ landingContent: - text: Microsoft Security Development Lifecycle (SDL) url: /previous-versions/windows/desktop/cc307891(v=msdn.10) - text: Microsoft bounty program - url: https://www.microsoft.com/msrc/bounty - # Card (optional) - - title: Hardware security - linkLists: - - linkListType: overview - links: - - name: Trusted Platform Module (TPM) overview - url: /windows/security/information-protection/tpm/trusted-platform-module-overview.md - - name: Protect derived domain credentials with Windows Defender Credential Guard - url: /windows/security/identity-protection/credential-guard/credential-guard.md - - name: Kernel DMA Protection - url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file + url: https://www.microsoft.com/msrc/bounty \ No newline at end of file From 326837bfb85dfa32a838f59d9c1f508751347800 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:36:47 -0700 Subject: [PATCH 009/458] testing --- windows/security/index.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 86e84caf8f..74890e02e3 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -17,6 +17,21 @@ metadata: landingContent: # Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: /windows/security/threat-protection/fips-140-validation.md + - text: Common Criteria Certifications + url: /windows/security/threat-protection/windows-platform-common-criteria.md + - text: Microsoft Security Development Lifecycle (SDL) + url: /previous-versions/windows/desktop/cc307891(v=msdn.10) + - text: Microsoft bounty program + url: https://www.microsoft.com/msrc/bounty +# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Security foundations From c0d3a328ddc11d8d8211321be73d4e3876a237fb Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 11:53:30 -0700 Subject: [PATCH 010/458] adding more toc... --- windows/security/TOC.yml | 48 ++++++++++++++++++++++++++++++++++---- windows/security/index.yml | 25 +++++++++++++------- 2 files changed, 59 insertions(+), 14 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 818858dece..99d00bd691 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,17 +1,55 @@ -- name: Windows security foundation +- name: Windows security href: index.yml expanded: true +- name: Windows security foundations items: - name: FIPS 140-2 Validation href: /windows/security/threat-protection/fips-140-validation.md - name: Common Criteria Certifications href: /windows/security/threat-protection/windows-platform-common-criteria.md -- name: Windows hardware Security +- name: Windows hardware security items: - - name: Trusted Platform Module (TPM) overview - href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md + - name: Trusted Platform Module + href: tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module Overview + href: tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: tpm/tpm-fundamentals.md + - name: How Windows 10 uses the TPM + href: tpm/how-windows-uses-the-tpm.md + - name: TPM Group Policy settings + href: tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: tpm/tpm-recommendations.md - name: Protect derived domain credentials with Windows Defender Credential Guard href: /windows/security/identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection - href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md \ No newline at end of file + href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +- name: Windows operating system security + items: + - name: system security + items: + - name: Secure the Windows 10 boot process + href: secure-the-windows-10-boot-process.md + - name: Encryption and data protection + items: + - name: Bitlocker + href: information-protection/bitlocker/bitlocker-overview.md + - name: Network security + items: + - name: VPN + href: identity-protection/vpn/vpn-guide.md + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +- name: Windows threat protection + items: + - name: Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md \ No newline at end of file diff --git a/windows/security/index.yml b/windows/security/index.yml index 74890e02e3..4c3fe7d66c 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -34,15 +34,22 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Security foundations + - title: Hardware security linkLists: - linkListType: overview links: - - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation.md - - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria.md - - text: Microsoft Security Development Lifecycle (SDL) - url: /previous-versions/windows/desktop/cc307891(v=msdn.10) - - text: Microsoft bounty program - url: https://www.microsoft.com/msrc/bounty \ No newline at end of file + - name: Trusted Platform Module + url: tpm/trusted-platform-module-top-node.md + - name: Kernel DMA Protection + href: information-protection/kernel-dma-protection-for-thunderbolt.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Operating system security + linkLists: + - linkListType: overview + links: + - name: Secure the Windows boot process + url: information-protection/secure-the-windows-10-boot-process.md + - name: Configure S/MIME for Windows 10 + url: identity-protection/configure-s-mime.md \ No newline at end of file From e1f59479bbcefdb167f347e225087986d6fe1deb Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 12:04:14 -0700 Subject: [PATCH 011/458] fixing --- windows/security/TOC.yml | 22 +++++++++++----------- windows/security/index.yml | 8 ++++---- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 99d00bd691..f3f4538b86 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -11,24 +11,24 @@ - name: Windows hardware security items: - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md + href: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md items: - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md + href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md - name: TPM fundamentals - href: tpm/tpm-fundamentals.md + href: /windows/security/information-protection/tpm/tpm-fundamentals.md - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md + href: /windows/security/information-protection/tpm/how-windows-uses-the-tpm.md - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md + href: /windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md + href: /windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md + href: /windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md + href: /windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md - name: TPM recommendations - href: tpm/tpm-recommendations.md + href: /windows/security/information-protection/tpm/tpm-recommendations.md - name: Protect derived domain credentials with Windows Defender Credential Guard href: /windows/security/identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection @@ -38,11 +38,11 @@ - name: system security items: - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md + href: /windows/security/information-protection/secure-the-windows-10-boot-process.md - name: Encryption and data protection items: - name: Bitlocker - href: information-protection/bitlocker/bitlocker-overview.md + href: /windows/security/information-protection/bitlocker/bitlocker-overview.md - name: Network security items: - name: VPN diff --git a/windows/security/index.yml b/windows/security/index.yml index 4c3fe7d66c..3ebfbd536f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -39,9 +39,9 @@ landingContent: - linkListType: overview links: - name: Trusted Platform Module - url: tpm/trusted-platform-module-top-node.md + url: /windows/security/information-protection/trusted-platform-module-top-node.md - name: Kernel DMA Protection - href: information-protection/kernel-dma-protection-for-thunderbolt.md + url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) @@ -50,6 +50,6 @@ landingContent: - linkListType: overview links: - name: Secure the Windows boot process - url: information-protection/secure-the-windows-10-boot-process.md + url: /windows/security/information-protection/secure-the-windows-10-boot-process.md - name: Configure S/MIME for Windows 10 - url: identity-protection/configure-s-mime.md \ No newline at end of file + url: /windows/security/identity-protection/configure-s-mime.md \ No newline at end of file From bf753cf37da5935e75c69155b36ca0e6066d4009 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 12:10:46 -0700 Subject: [PATCH 012/458] text --- windows/security/index.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 3ebfbd536f..2761ee94c4 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -38,9 +38,9 @@ landingContent: linkLists: - linkListType: overview links: - - name: Trusted Platform Module - url: /windows/security/information-protection/trusted-platform-module-top-node.md - - name: Kernel DMA Protection + - text: Trusted Platform Module + url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md + - text: Kernel DMA Protection url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb @@ -49,7 +49,7 @@ landingContent: linkLists: - linkListType: overview links: - - name: Secure the Windows boot process + - text: Secure the Windows boot process url: /windows/security/information-protection/secure-the-windows-10-boot-process.md - - name: Configure S/MIME for Windows 10 + - text: Configure S/MIME for Windows 10 url: /windows/security/identity-protection/configure-s-mime.md \ No newline at end of file From 78d73dc75dd270b75b37b012226b13cef5fe73da Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 12:30:47 -0700 Subject: [PATCH 013/458] oops all broken --- windows/security/TOC.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index f3f4538b86..237dfd3ad2 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -5,44 +5,44 @@ - name: Windows security foundations items: - name: FIPS 140-2 Validation - href: /windows/security/threat-protection/fips-140-validation.md + href: threat-protection/fips-140-validation.md - name: Common Criteria Certifications - href: /windows/security/threat-protection/windows-platform-common-criteria.md + href: threat-protection/windows-platform-common-criteria.md - name: Windows hardware security items: - name: Trusted Platform Module - href: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md + href: information-protection/tpm/trusted-platform-module-top-node.md items: - name: Trusted Platform Module Overview - href: /windows/security/information-protection/tpm/trusted-platform-module-overview.md + href: information-protection/tpm/trusted-platform-module-overview.md - name: TPM fundamentals - href: /windows/security/information-protection/tpm/tpm-fundamentals.md + href: information-protection/tpm/tpm-fundamentals.md - name: How Windows 10 uses the TPM - href: /windows/security/information-protection/tpm/how-windows-uses-the-tpm.md + href: information-protection/tpm/how-windows-uses-the-tpm.md - name: TPM Group Policy settings - href: /windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md - name: Back up the TPM recovery information to AD DS - href: /windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md - name: View status, clear, or troubleshoot the TPM - href: /windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md - name: Understanding PCR banks on TPM 2.0 devices - href: /windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md - name: TPM recommendations - href: /windows/security/information-protection/tpm/tpm-recommendations.md + href: information-protection/tpm/tpm-recommendations.md - name: Protect derived domain credentials with Windows Defender Credential Guard - href: /windows/security/identity-protection/credential-guard/credential-guard.md + href: identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection - href: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md + href: information-protection/kernel-dma-protection-for-thunderbolt.md - name: Windows operating system security items: - name: system security items: - name: Secure the Windows 10 boot process - href: /windows/security/information-protection/secure-the-windows-10-boot-process.md + href: information-protection/secure-the-windows-10-boot-process.md - name: Encryption and data protection items: - name: Bitlocker - href: /windows/security/information-protection/bitlocker/bitlocker-overview.md + href: information-protection/bitlocker/bitlocker-overview.md - name: Network security items: - name: VPN From f5909d966ce0745152e4c1702151f99d2d58a82a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 12:39:26 -0700 Subject: [PATCH 014/458] add --- windows/security/TOC.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 237dfd3ad2..743bbc0044 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -2,13 +2,13 @@ - name: Windows security href: index.yml expanded: true -- name: Windows security foundations +- name: Security foundations items: - name: FIPS 140-2 Validation href: threat-protection/fips-140-validation.md - name: Common Criteria Certifications href: threat-protection/windows-platform-common-criteria.md -- name: Windows hardware security +- name: Hardware security items: - name: Trusted Platform Module href: information-protection/tpm/trusted-platform-module-top-node.md @@ -33,9 +33,9 @@ href: identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md -- name: Windows operating system security +- name: Operating system security items: - - name: system security + - name: System security items: - name: Secure the Windows 10 boot process href: information-protection/secure-the-windows-10-boot-process.md @@ -49,7 +49,15 @@ href: identity-protection/vpn/vpn-guide.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md -- name: Windows threat protection +- name: Threat protection items: - name: Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md \ No newline at end of file + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md +- name: Application protection + items: +- name: User protection + items: +- name: Privacy controls + items: + - name: Windows Privacy controls + href: https://docs.microsoft.com/windows/privacy/windows-10-and-privacy-compliance \ No newline at end of file From 7c596eaee5dc82515be9f2d6536ef0d2384e7ebe Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 12:56:00 -0700 Subject: [PATCH 015/458] adding in bitlocker --- windows/security/TOC.yml | 74 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 743bbc0044..91ff61ce6f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -41,8 +41,82 @@ href: information-protection/secure-the-windows-10-boot-process.md - name: Encryption and data protection items: + - name: Encrypted Hard Drive + href: encrypted-hard-drive.md - name: Bitlocker href: information-protection/bitlocker/bitlocker-overview.md + items: + - name: Overview of BitLocker Device Encryption in Windows 10 + href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: information-protection/bitlocker/troubleshoot-bitlocker.md + - name: "BitLocker cannot encrypt a drive: known issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + - name: "BitLocker Network Unlock: known issues" + href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + - name: "BitLocker recovery: known issues" + href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + - name: "BitLocker configuration: known issues" + href: information-protection/bitlocker/ts-bitlocker-config-issues.md + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + - name: "BitLocker and TPM: other known issues" + href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + - name: Decode Measured Boot logs to track PCR changes + href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Network security items: - name: VPN From 5d9ce6746c4edbc594141d686bb734992c89bb34 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 13:00:01 -0700 Subject: [PATCH 016/458] attempting to redirect TOC --- windows/security/information-protection/{TOC.yml => TOC-BAK.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/information-protection/{TOC.yml => TOC-BAK.yml} (100%) diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC-BAK.yml similarity index 100% rename from windows/security/information-protection/TOC.yml rename to windows/security/information-protection/TOC-BAK.yml From e47977ed23df6f18a968ec290c7860028090fac8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 13:04:05 -0700 Subject: [PATCH 017/458] build fail --- .../information-protection/TOC-BAK.yml | 149 ------------------ 1 file changed, 149 deletions(-) delete mode 100644 windows/security/information-protection/TOC-BAK.yml diff --git a/windows/security/information-protection/TOC-BAK.yml b/windows/security/information-protection/TOC-BAK.yml deleted file mode 100644 index bcaa9d74d7..0000000000 --- a/windows/security/information-protection/TOC-BAK.yml +++ /dev/null @@ -1,149 +0,0 @@ -- name: Information protection - href: index.md - items: - - name: BitLocker - href: bitlocker\bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows 10 - href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: bitlocker\bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: bitlocker\bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: bitlocker\bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: bitlocker\bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: bitlocker\bitlocker-and-adds-faq.yml - - name: Security - href: bitlocker\bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.yml - - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: bitlocker\bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: bitlocker\bitlocker-basic-deployment.md - - name: "BitLocker: How to deploy on Windows Server 2012 and later" - href: bitlocker\bitlocker-how-to-deploy-on-windows-server.md - - name: "BitLocker: Management for enterprises" - href: bitlocker\bitlocker-management-for-enterprises.md - - name: "BitLocker: How to enable Network Unlock" - href: bitlocker\bitlocker-how-to-enable-network-unlock.md - - name: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker" - href: bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: "BitLocker: Use BitLocker Recovery Password Viewer" - href: bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: bitlocker\bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: bitlocker\bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: bitlocker\bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: bitlocker\bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: bitlocker\troubleshoot-bitlocker.md - - name: "BitLocker cannot encrypt a drive: known issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-issues.md - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: bitlocker\ts-bitlocker-intune-issues.md - - name: "BitLocker Network Unlock: known issues" - href: bitlocker\ts-bitlocker-network-unlock-issues.md - - name: "BitLocker recovery: known issues" - href: bitlocker\ts-bitlocker-recovery-issues.md - - name: "BitLocker configuration: known issues" - href: bitlocker\ts-bitlocker-config-issues.md - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md - - name: "BitLocker and TPM: other known issues" - href: bitlocker\ts-bitlocker-tpm-issues.md - - name: Decode Measured Boot logs to track PCR changes - href: bitlocker\ts-bitlocker-decode-measured-boot-logs.md - - name: Encrypted Hard Drive - href: encrypted-hard-drive.md - - name: Kernel DMA Protection - href: kernel-dma-protection-for-thunderbolt.md - - name: Protect your enterprise data using Windows Information Protection (WIP) - href: windows-information-protection\protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: windows-information-protection\overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: windows-information-protection\create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: windows-information-protection\deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: windows-information-protection\mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: windows-information-protection\testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: windows-information-protection\limitations-with-wip.md - - name: How to collect WIP audit event logs - href: windows-information-protection\collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: windows-information-protection\guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: windows-information-protection\enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: windows-information-protection\app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: windows-information-protection\recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: windows-information-protection\using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: windows-information-protection\wip-learning.md - - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md - - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md - - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: tpm/tpm-recommendations.md From 9caab07acfd421dc1f240e5c97105ee4a107dcb5 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 13:17:47 -0700 Subject: [PATCH 018/458] adding wip --- windows/security/TOC.yml | 49 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 91ff61ce6f..2370e36f4e 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -42,7 +42,7 @@ - name: Encryption and data protection items: - name: Encrypted Hard Drive - href: encrypted-hard-drive.md + href: information-protection/encrypted-hard-drive.md - name: Bitlocker href: information-protection/bitlocker/bitlocker-overview.md items: @@ -117,6 +117,53 @@ href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md - name: Network security items: - name: VPN From e794bc48fc50b76664029c2cce9571e35116adba Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 15:11:13 -0700 Subject: [PATCH 019/458] adding identity --- windows/security/TOC.yml | 129 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 128 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2370e36f4e..51021a5be7 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -117,6 +117,8 @@ href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Configure S/MIME for Windows 10 + href: configure-s-mime.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: @@ -166,8 +168,31 @@ href: information-protection/windows-information-protection/wip-learning.md - name: Network security items: - - name: VPN + - name: VPN technical guide href: identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows 10 VPN client + href: identity-protection/vpn/vpn-office-365-optimization.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - name: Threat protection @@ -178,6 +203,108 @@ items: - name: User protection items: + - name: Technical support policy for lost or forgotten passwords + href: identity-protection/password-support-policy.md + - name: Access Control Overview + href: identity-protection/access-control/access-control.md + items: + - name: Dynamic Access Control Overview + href: identity-protection/access-control/dynamic-access-control.md + - name: Security identifiers + href: identity-protection/access-control/security-identifiers.md + - name: Security Principals + href: identity-protection/access-control/security-principals.md + - name: Local Accounts + href: identity-protection/access-control/local-accounts.md + - name: Active Directory Accounts + href: identity-protection/access-control/active-directory-accounts.md + - name: Microsoft Accounts + href: identity-protection/access-control/microsoft-accounts.md + - name: Service Accounts + href: identity-protection/access-control/service-accounts.md + - name: Active Directory Security Groups + href: identity-protection/access-control/active-directory-security-groups.md + - name: Special Identities + href: identity-protection/access-control/special-identities.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md + - name: Smart Cards + href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: identity-protection/smart-cards/smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: identity-protection/smart-cards/smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: identity-protection/smart-cards/smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: identity-protection/smart-cards/smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: identity-protection/smart-cards/smart-card-events.md + - name: Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md + items: + - name: Understanding and Evaluating Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md + items: + - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md + - name: Use Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate Virtual Smart Card Security + href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md - name: Privacy controls items: - name: Windows Privacy controls From ef521bf2852e395d97a501d4ec210b69d110f162 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Aug 2021 15:19:28 -0700 Subject: [PATCH 020/458] rm identity-protection toc --- windows/security/identity-protection/TOC.yml | 132 ------------------- 1 file changed, 132 deletions(-) delete mode 100644 windows/security/identity-protection/TOC.yml diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml deleted file mode 100644 index 5e4680879e..0000000000 --- a/windows/security/identity-protection/TOC.yml +++ /dev/null @@ -1,132 +0,0 @@ -- name: Identity and access management - href: index.md - items: - - name: Technical support policy for lost or forgotten passwords - href: password-support-policy.md - - name: Access Control Overview - href: access-control/access-control.md - items: - - name: Dynamic Access Control Overview - href: access-control/dynamic-access-control.md - - name: Security identifiers - href: access-control/security-identifiers.md - - name: Security Principals - href: access-control/security-principals.md - - name: Local Accounts - href: access-control/local-accounts.md - - name: Active Directory Accounts - href: access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: access-control/microsoft-accounts.md - - name: Service Accounts - href: access-control/service-accounts.md - - name: Active Directory Security Groups - href: access-control/active-directory-security-groups.md - - name: Special Identities - href: access-control/special-identities.md - - name: User Account Control - href: user-account-control\user-account-control-overview.md - items: - - name: How User Account Control works - href: user-account-control\how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control\user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: hello-for-business/index.yml - - name: Protect derived domain credentials with Credential Guard - href: credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: remote-credential-guard.md - - name: Smart Cards - href: smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-cards/smart-card-events.md - - name: Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-overview.md - items: - - name: Understanding and Evaluating Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md - items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" - href: virtual-smart-cards\virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security - href: virtual-smart-cards\virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - - name: Enterprise Certificate Pinning - href: enterprise-certificate-pinning.md - - name: Windows 10 credential theft mitigation guide abstract - href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md - - name: VPN technical guide - href: vpn\vpn-guide.md - items: - - name: VPN connection types - href: vpn\vpn-connection-type.md - - name: VPN routing decisions - href: vpn\vpn-routing.md - - name: VPN authentication options - href: vpn\vpn-authentication.md - - name: VPN and conditional access - href: vpn\vpn-conditional-access.md - - name: VPN name resolution - href: vpn\vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: vpn\vpn-auto-trigger-profile.md - - name: VPN security features - href: vpn\vpn-security-features.md - - name: VPN profile options - href: vpn\vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client - href: vpn\vpn-office-365-optimization.md From 6b0616f71f6d79769a0b54b135aec3d139b867a0 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 25 Aug 2021 11:34:51 +0530 Subject: [PATCH 021/458] Updated --- images/no.png | Bin 0 -> 874 bytes images/yes.png | Bin 0 -> 614 bytes includes/appliesto-2013-2016-2019-xxx-md.md | 1 + .../appliesto-xxx-2016-2019-SUB-xxx-md.md | 1 + .../mdm/policy-csp-abovelock.md | 20 ++++++++---------- 5 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 images/no.png create mode 100644 images/yes.png create mode 100644 includes/appliesto-2013-2016-2019-xxx-md.md create mode 100644 includes/appliesto-xxx-2016-2019-SUB-xxx-md.md diff --git a/images/no.png b/images/no.png new file mode 100644 index 0000000000000000000000000000000000000000..1aa084e6a3326f74e77306adc0bab27e6225b291 GIT binary patch literal 874 zcmV-w1C{)VP)1D+=^TCDiFvbv#PS{_?BS{~Hb)mp=v5JDn;p0srp zDBgaW-85T$xMZegr&Ez=(t>Ey}+rZ+~|$YN#|mt~xI#DM*RC1^}GS&Ol&CvNL58mSw8<`_Yj=Sus;0jgQ;anX**WR8^qo z!zlEI6Xk~wOloK@0FDs|c7az*3xk0BemZ5p zjtJ`U`t0HIYnvwcd45-~uA9K~|2CI5q&^}j=W^>fmpdpo@%1}K$7cZm1$j9T(lqo- zD;NlAE&y;ixwWXF)~)TqKWm$=fS#PwK{Yl50H`P_L}f)WYN{%Bn#-^p1h&}h;M|_6 zsG(k;PdPsOP3!af0RW6h2#TU`t+WW2&z}LXcg8}R1|t%IqISA>L^Hi$wr({A8Advh znp(TgD!)wp4on-P*&22V8O^rc_nG+x>kCEi-6M}dLI~Pk4?I*)YBzZP|D#Z=GuU2s z54MK$i3&;x!LwIAWgWdrt;u5Zhl6c9IP&J>=weG}-~EF;qQ2Sypi!<6CnX$zBw@ux zu@W{-!ZJym%VTqLt~Ce8Ef~$V$Mto!=7Z}00)LUfCpD&o@&Et;07*qoM6N<$f~ppT Awg3PC literal 0 HcmV?d00001 diff --git a/images/yes.png b/images/yes.png new file mode 100644 index 0000000000000000000000000000000000000000..d2285c5c46cfb8c983a2a725f4ff13e241a5f319 GIT binary patch literal 614 zcmV-s0-61ZP)Mxgdo$d#k7bF$_Of$yBR1%&{?RX(S-St3z34+VrXLUxEO`o(2VC^ z&+dKC``+ikIsC3rO5tTmTbu{3118W0ECLx|N?K~XR#&)%N?U}1$3VPBECs}*rB?S1 zmA1GByabvx;(1^|T58NQRNA5u$N~}VQ$hi_EG_lbY5H7zU_=M#69$IQzbk`4QrhBx zYpAqE6u6_4?QTsFyE=~F2=7`QK(A})PI1q5ZRg z^H1P-gUOB71V0No-put^_M={)ZBB8!{R91Gn!^WM00`C{)YRo0a`@ zUZ9IkkzRO6sJ@B5s7*s4!p)1LGzL!cc0SJf@3}quy3mYMgz(MDvjB-=e++ih~EgalK(_1H>BM+G@)tWBhcwIC%->I;N$c9E4Ear zT6YO}<}}<)q!wTX2x%S^KmlFSQfa5DJ&~lPz5(}vzb=4}DuLkbFLMD%0_`e6c&_{XFn7~=ecbB33Xr4+-ZB*-T1Bh3d_?=3=T>t<807*qoM6N<$f|?{1 AbN~PV literal 0 HcmV?d00001 diff --git a/includes/appliesto-2013-2016-2019-xxx-md.md b/includes/appliesto-2013-2016-2019-xxx-md.md new file mode 100644 index 0000000000..9a496e3070 --- /dev/null +++ b/includes/appliesto-2013-2016-2019-xxx-md.md @@ -0,0 +1 @@ +**APPLIES TO:** ![yes](../media/yes.png)2013 ![yes](../media/yes.png)2016 ![yes](../media/yes.png)2019 ![no](../media/no.png)SharePoint in Microsoft 365 diff --git a/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md b/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md new file mode 100644 index 0000000000..a97c23d538 --- /dev/null +++ b/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md @@ -0,0 +1 @@ +**APPLIES TO:** ![no-img-13](../media/no.png)2013 ![yes-img-16](../media/yes.png)2016 ![yes-img-19](../media/yes.png)2019 ![yes-img-se](../media/yes.png)Subscription Edition ![no-img-sop](../media/no.png)SharePoint in Microsoft 365 diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..b1bc434f3a 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -14,6 +14,7 @@ manager: dansimp # Policy CSP - AboveLock +[!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)]
@@ -40,29 +41,26 @@ manager: dansimp - - + + + - + - - - - - + - + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1
Businesscheck mark1Yes, starting in Windows 10, version 1903Yes
Enterprisecheck mark1Yes, starting in Windows 10, version 1909Yes
Educationcheck mark1
Yes, starting in Windows 10, version 2004Yes
From 46599fc90e9a126c62c59d6343a3e3e47230f1cb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 26 Aug 2021 15:01:43 +0530 Subject: [PATCH 022/458] Updated --- .vscode/settings.json | 5 - .../policy-csp-admx-activexinstallservice.md | 2 +- .../mdm/policy-csp-admx-addremoveprograms.md | 243 +++++++++++------- .../mdm/policy-csp-admx-appcompat.md | 199 ++++++++------ 4 files changed, 281 insertions(+), 168 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index f66a07d2e4..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "cSpell.words": [ - "emie" - ] -} \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index a4020d12f2..67982daf0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -95,7 +95,7 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro ADMX Info: -- GP English name: *Establish ActiveX installation policy for sites in Trusted zones* +- GP Friendly name: *Establish ActiveX installation policy for sites in Trusted zones* - GP name: *AxISURLZonePolicies* - GP path: *Windows Components\ActiveX Installer Service* - GP ADMX file name: *ActiveXInstallService.admx* diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 647cff6ce4..478ce5c0d7 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -67,28 +67,33 @@ manager: dansimp - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markNoNo
@@ -125,7 +130,7 @@ If you disable this setting or do not configure it, all programs (Category: All) ADMX Info: -- GP English name: *Specify default category for Add New Programs* +- GP Friendly name: *Specify default category for Add New Programs* - GP name: *DefaultCategory* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -150,28 +155,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markYesYes
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -206,7 +217,7 @@ If you disable this setting or do not configure it, the "Add a program from CD-R ADMX Info: -- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option* +- GP Friendly name: *Hide the "Add a program from CD-ROM or floppy disk" option* - GP name: *NoAddFromCDorFloppy* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -231,28 +242,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -287,7 +304,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft ADMX Info: -- GP English name: *Hide the "Add programs from Microsoft" option* +- GP Friendly name: *Hide the "Add programs from Microsoft" option* - GP name: *NoAddFromInternet* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -312,28 +329,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -370,7 +393,7 @@ If you disable this setting or do not configure it, "Add programs from your netw ADMX Info: -- GP English name: *Hide the "Add programs from your network" option* +- GP Friendly name: *Hide the "Add programs from your network" option* - GP name: *NoAddFromNetwork* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -394,28 +417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -447,7 +476,7 @@ If you disable this setting or do not configure it, the Add New Programs button ADMX Info: -- GP English name: *Hide Add New Programs page* +- GP Friendly name: *Hide Add New Programs page* - GP name: *NoAddPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -472,28 +501,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -525,7 +560,7 @@ If you disable this setting or do not configure it, Add or Remove Programs is av ADMX Info: -- GP English name: *Remove Add or Remove Programs* +- GP Friendly name: *Remove Add or Remove Programs* - GP name: *NoAddRemovePrograms* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -550,28 +585,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -604,7 +645,7 @@ If you disable this setting or do not configure it, the Set Program Access and D ADMX Info: -- GP English name: *Hide the Set Program Access and Defaults page* +- GP Friendly name: *Hide the Set Program Access and Defaults page* - GP name: *NoChooseProgramsPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -629,28 +670,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -682,7 +729,7 @@ If you disable this setting or do not configure it, the Change or Remove Program ADMX Info: -- GP English name: *Hide Change or Remove Programs page* +- GP Friendly name: *Hide Change or Remove Programs page* - GP name: *NoRemovePage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -707,28 +754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -763,7 +816,7 @@ If you disable this setting or do not configure it, "Set up services" appears on ADMX Info: -- GP English name: *Go directly to Components Wizard* +- GP Friendly name: *Go directly to Components Wizard* - GP name: *NoServices* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -788,28 +841,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -844,7 +903,7 @@ If you disable this setting or do not configure it, the Support Info hyperlink a ADMX Info: -- GP English name: *Remove Support Information* +- GP Friendly name: *Remove Support Information* - GP name: *NoSupportInfo* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -869,28 +928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -922,7 +987,7 @@ If you disable this setting or do not configure it, the Add/Remove Windows Compo ADMX Info: -- GP English name: *Hide Add/Remove Windows Components page* +- GP Friendly name: *Hide Add/Remove Windows Components page* - GP name: *NoWindowsSetupPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index ff2c292c54..901a7a04b6 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -70,28 +70,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -131,7 +137,7 @@ If the status is set to Not Configured, the OS falls back on a local policy set ADMX Info: -- GP English name: *Prevent access to 16-bit applications* +- GP Friendly name: *Prevent access to 16-bit applications* - GP name: *AppCompatPrevent16BitMach* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -147,28 +153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -202,7 +214,7 @@ Enabling this policy setting removes the property page from the context-menus, b ADMX Info: -- GP English name: *Remove Program Compatibility Property Page* +- GP Friendly name: *Remove Program Compatibility Property Page* - GP name: *AppCompatRemoveProgramCompatPropPage* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -218,28 +230,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -277,7 +295,7 @@ Disabling telemetry will take effect on any newly launched applications. To ensu ADMX Info: -- GP English name: *Turn off Application Telemetry* +- GP Friendly name: *Turn off Application Telemetry* - GP name: *AppCompatTurnOffApplicationImpactTelemetry* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -293,28 +311,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -353,7 +377,7 @@ Reboot the system after changing the setting to ensure that your system accurate ADMX Info: -- GP English name: *Turn off SwitchBack Compatibility Engine* +- GP Friendly name: *Turn off SwitchBack Compatibility Engine* - GP name: *AppCompatTurnOffSwitchBack* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -369,29 +393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
NoNo
@@ -431,7 +460,7 @@ This option is useful to server administrators who require faster performance an ADMX Info: -- GP English name: *Turn off Application Compatibility Engine* +- GP Friendly name: *Turn off Application Compatibility Engine* - GP name: *AppCompatTurnOffEngine* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -447,28 +476,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -498,7 +533,7 @@ Available in the latest Windows 10 Insider Preview Build. This policy setting ex ADMX Info: -- GP English name: *Turn off Program Compatibility Assistant* +- GP Friendly name: *Turn off Program Compatibility Assistant* - GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -514,28 +549,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -572,7 +613,7 @@ If you disable or do not configure this policy setting, the PCA will be turned o ADMX Info: -- GP English name: *Turn off Program Compatibility Assistant* +- GP Friendly name: *Turn off Program Compatibility Assistant* - GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -588,28 +629,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -645,7 +692,7 @@ If you disable or do not configure this policy setting, Steps Recorder will be e ADMX Info: -- GP English name: *Turn off Steps Recorder* +- GP Friendly name: *Turn off Steps Recorder* - GP name: *AppCompatTurnOffUserActionRecord* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* @@ -661,28 +708,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -721,7 +774,7 @@ If you disable or do not configure this policy setting, the Inventory Collector ADMX Info: -- GP English name: *Turn off Inventory Collector* +- GP Friendly name: *Turn off Inventory Collector* - GP name: *AppCompatTurnOffProgramInventory* - GP path: *Windows Components/Application Compatibility* - GP ADMX file name: *AppCompat.admx* From 19d5bb2f415b2a41bd8ba454cd00152705e5bb09 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 27 Aug 2021 11:29:08 +0530 Subject: [PATCH 023/458] Updated --- .../mdm/policy-csp-abovelock.md | 12 +++++------ .../mdm/policy-csp-activexcontrols.md | 20 ++++++++----------- .../policy-csp-admx-activexinstallservice.md | 17 ++++++---------- 3 files changed, 20 insertions(+), 29 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index b1bc434f3a..341da28ece 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - AboveLock -[!INCLUDE[appliesto-xxx-xxx-xxx-SUB-xxx-md](../includes/appliesto-xxx-xxx-xxx-SUB-xxx-md.md)]
@@ -55,11 +54,11 @@ manager: dansimp Enterprise - Yes, starting in Windows 10, version 1909Yes + Yes, starting in Windows 10, version 1903Yes Education - Yes, starting in Windows 10, version 2004Yes + Yes, starting in Windows 10, version 1903Yes @@ -81,7 +80,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera ADMX Info: -- GP English name: *Allow Cortana above lock screen* +- GP Friendly name: *Allow Cortana above lock screen* - GP name: *AllowCortanaAboveLock* - GP path: *Windows Components/Search* - GP ADMX file name: *Search.admx* @@ -104,8 +103,9 @@ The following list shows the supported values: - - + + + diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index d760021b1e..218006e1a3 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -36,29 +36,25 @@ manager: dansimp
Windows EditionSupported?EditionWindows 10Windows 11
Home
- - + + + - + - - - - - + - + - - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYes, starting in Windows 10, version 1607Yes
Enterprisecheck markYes, starting in Windows 10, version 1607Yes
Educationcheck mark
Yes, starting in Windows 10, version 1607Yes
@@ -92,7 +88,7 @@ Note: Wild card characters cannot be used when specifying the host URLs. ADMX Info: -- GP English name: *Approved Installation Sites for ActiveX Controls* +- GP Friendly name: *Approved Installation Sites for ActiveX Controls* - GP name: *ApprovedActiveXInstallSites* - GP path: *Windows Components/ActiveX Installer Service* - GP ADMX file name: *ActiveXInstallService.admx* diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 67982daf0e..b4cea8e9e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -37,28 +37,23 @@ manager: dansimp - - + + - + - - - - - + - + - - +
Windows EditionSupported?
Windows 10Windows 11
Homecross markNoNo
Procross mark
Businesscross markYes, starting in Windows 10, version 1903Yes
Enterprisecheck markYes, starting in Windows 10, version 1903Yes
Educationcross mark
Yes, starting in Windows 10, version 1903Yes
From adf9cd22ec20145172714adc3b549405de7a2ebb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 30 Aug 2021 11:21:34 +0530 Subject: [PATCH 024/458] Updated --- .../mdm/policy-csp-abovelock.md | 19 +++++++------------ .../mdm/policy-csp-accounts.md | 13 +++++-------- 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 341da28ece..ce57cf318f 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -50,15 +50,15 @@ manager: dansimp Pro - Yes, starting in Windows 10, version 1903Yes + Yes, starting in Windows 10, version 1607Yes Enterprise - Yes, starting in Windows 10, version 1903Yes + Yes, starting in Windows 10, version 1607Yes Education - Yes, starting in Windows 10, version 1903Yes + Yes, starting in Windows 10, version 1607Yes @@ -109,24 +109,19 @@ The following list shows the supported values: Home - cross mark + NoNo Pro - check mark - - - Business - check mark + Yes, starting in Windows 10, version 1607Yes Enterprise - check mark + Yes, starting in Windows 10, version 1607Yes Education - check mark - + Yes, starting in Windows 10, version 1607Yes diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 644ff6136e..2d31514b75 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -42,20 +42,17 @@ manager: dansimp - - + + + - + - - - - - + From 6eba2559e4af31eace4ef68e41f6e0984e96e28f Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 31 Aug 2021 11:04:58 +0530 Subject: [PATCH 025/458] Updated --- .../mdm/policy-csp-abovelock.md | 11 - .../mdm/policy-csp-admx-addremoveprograms.md | 45 ++- .../mdm/policy-csp-admx-appcompat.md | 2 +- .../mdm/policy-csp-admx-appxpackagemanager.md | 22 +- .../mdm/policy-csp-admx-appxruntime.md | 89 +++-- .../mdm/policy-csp-admx-attachmentmanager.md | 111 ++++--- .../mdm/policy-csp-admx-auditsettings.md | 22 +- .../mdm/policy-csp-admx-bits.md | 306 +++++++++++------- 8 files changed, 379 insertions(+), 229 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..79d9b5b8d3 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -159,16 +159,5 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 0c7c4b543b..c68d969b32 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -67,28 +67,34 @@ manager: dansimp
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYes, starting in Windows 10, version 1607Yes
Enterprise
- - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -150,28 +156,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -231,8 +243,9 @@ ADMX Info: - - + + + diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e145a37e11..0dfe1a0429 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -70,7 +70,7 @@ manager: dansimp
Windows EditionSupported?EditionWindows 10Windows 11
Home
- + diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index f3aef0211f..0b8b0533a4 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -36,28 +36,34 @@ manager: dansimp
Windows EditionEdition Supported?
- - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index c30dafd023..aaec3dafb9 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -45,29 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
NoNo
@@ -83,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. +This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. @@ -114,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -153,7 +164,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. @@ -184,28 +195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -222,7 +239,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. +This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. @@ -256,28 +273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -295,7 +318,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 7a82136079..ad8afe2281 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -48,28 +48,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -86,7 +92,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. +This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. @@ -123,28 +129,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -161,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. +This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. @@ -200,28 +211,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -238,7 +255,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. @@ -271,28 +288,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -309,7 +332,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. @@ -342,28 +365,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -380,7 +409,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types which pose a moderate risk. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 56d9939332..e2ccc80ff4 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 9a5fd957e7..76a477a1a4 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -75,28 +75,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -113,7 +119,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. +This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. @@ -147,28 +153,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -185,7 +197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. @@ -219,28 +231,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -257,7 +275,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. @@ -292,28 +310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -330,7 +354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. +This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. @@ -364,28 +388,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -402,7 +432,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. @@ -440,28 +470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -478,7 +514,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. @@ -515,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -553,7 +595,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. @@ -587,28 +629,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -625,7 +673,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. +This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. @@ -659,28 +707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -731,28 +785,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYestd>
Educationcross markNoNo
@@ -769,7 +829,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. +This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. @@ -804,28 +864,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -842,7 +908,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. @@ -876,28 +942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -914,7 +986,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. +This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. @@ -948,28 +1020,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -986,7 +1064,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. +This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. @@ -1020,28 +1098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1058,7 +1142,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. +This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. From 0b7421daacf85820649220cc21036be50cd158ab Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 31 Aug 2021 20:55:26 +0530 Subject: [PATCH 026/458] Updated --- .../mdm/policy-csp-admx-ciphersuiteorder.md | 44 +- .../mdm/policy-csp-admx-com.md | 44 +- .../mdm/policy-csp-admx-controlpanel.md | 90 ++- .../policy-csp-admx-controlpaneldisplay.md | 624 ++++++++++++------ .../mdm/policy-csp-admx-cpls.md | 27 +- .../policy-csp-admx-credentialproviders.md | 81 ++- .../mdm/policy-csp-admx-credssp.md | 296 ++++++--- .../mdm/policy-csp-admx-credui.md | 52 +- .../mdm/policy-csp-admx-ctrlaltdel.md | 108 ++- 9 files changed, 952 insertions(+), 414 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 44e91fe2e9..b0f0a3ca01 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -40,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -78,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -113,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -151,7 +163,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 13d4fabf45..515d46c987 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -40,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -78,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -115,28 +121,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -153,7 +165,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 9dec30ad01..bd127d636b 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -83,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. @@ -122,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -160,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. +This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. @@ -196,28 +208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -277,28 +295,38 @@ ADMX Info: - - + + + - + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -315,7 +343,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index f1f3907cbe..828dd52285 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -105,28 +105,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -143,7 +149,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. +Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. @@ -174,28 +180,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -212,7 +229,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. @@ -241,28 +258,40 @@ ADMX Info: - - + + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -279,7 +308,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. +This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. @@ -312,28 +341,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -350,7 +390,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. +This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). @@ -384,28 +424,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -422,7 +473,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. @@ -453,28 +504,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -491,7 +553,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. +Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. @@ -526,28 +588,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -564,7 +637,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). @@ -599,28 +672,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -637,7 +721,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. @@ -668,28 +752,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -706,7 +801,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen. @@ -737,28 +832,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -775,7 +881,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. @@ -810,28 +916,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -848,7 +965,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. @@ -881,28 +998,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -919,7 +1047,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -956,28 +1084,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -994,7 +1133,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -1027,28 +1166,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1096,28 +1246,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1165,28 +1326,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1203,7 +1375,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. @@ -1232,28 +1404,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1270,7 +1453,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. @@ -1301,28 +1484,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1339,7 +1533,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. @@ -1370,28 +1564,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1408,7 +1613,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. +Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. @@ -1446,8 +1651,9 @@ ADMX Info: - - + + + @@ -1455,19 +1661,27 @@ ADMX Info: - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1484,7 +1698,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. +Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. @@ -1530,23 +1744,33 @@ ADMX Info: Home - cross mark + No + No + Pro - cross mark + No + No + Business - cross mark + No + No + Enterprise - check mark + Yes + Yes + Education - cross mark + No + No + @@ -1563,7 +1787,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. @@ -1601,28 +1825,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1675,23 +1910,33 @@ ADMX Info: Home - cross mark + No + No + Pro - cross mark + No + No + Business - cross mark + No + No + Enterprise - check mark + Yes + Yes + Education - cross mark + No + No + @@ -1708,7 +1953,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. +This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). @@ -1748,28 +1993,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1786,7 +2042,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 6ad7cad008..e1ee9b86de 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -36,28 +36,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index b7ed4ab54a..0cad585609 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -42,28 +42,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -80,7 +91,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. +This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. +This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. @@ -188,28 +210,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -226,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. > [!NOTE] > Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 04bbf46ba4..f55b199a4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -66,28 +66,38 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -104,7 +114,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -146,28 +156,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -184,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. @@ -231,28 +252,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -269,7 +301,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. @@ -311,28 +343,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -349,7 +392,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -393,28 +436,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -431,7 +485,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -475,28 +529,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -513,7 +578,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -557,28 +622,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -595,7 +671,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -639,28 +715,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -677,7 +764,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). @@ -719,28 +806,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -757,7 +855,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). @@ -799,28 +897,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -837,7 +946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). @@ -879,28 +988,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -917,7 +1037,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index acb7942b92..d1ad1b5737 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -39,28 +39,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -77,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. @@ -111,28 +122,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index b42e1e9ad0..9836d5e9d0 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -45,28 +45,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -83,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. +This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. +This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -188,28 +210,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -226,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. +This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -259,28 +292,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -297,7 +341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. +This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. From cb6d02d109476697d70ea11c7d247d53ab6b902c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:02:44 -0700 Subject: [PATCH 027/458] new article --- .../block-untrusted-fonts-in-enterprise.md | 2 +- .../threat-protection/fips-140-validation.md | 2 +- .../mbsa-removal-and-guidance.md | 2 +- .../msft-security-dev-lifecycle.md | 17 +++++++++++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 windows/security/threat-protection/msft-security-dev-lifecycle.md diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index c1ffec9b59..3fff0198ed 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -13,7 +13,7 @@ author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium -ms.technology: mde +ms.technology: other --- # Block untrusted fonts in an enterprise diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 9b2b985db5..b7e5fddec5 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -10,7 +10,7 @@ ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: mde +ms.technology: other --- # FIPS 140-2 Validation diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..a12edb4f83 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -9,7 +9,7 @@ ms.author: dansimp author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: other --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md new file mode 100644 index 0000000000..18ce55f174 --- /dev/null +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -0,0 +1,17 @@ +--- +title: Microsoft Security Development Lifecycle +description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# Microsoft Security Development Lifecycle + From a32eabdf469edad81bfa879dccf2f2bdb05cfb41 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:19:36 -0700 Subject: [PATCH 028/458] Create simplified-sdl.png --- .../images/simplified-sdl.png | Bin 0 -> 218369 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/images/simplified-sdl.png diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png new file mode 100644 index 0000000000000000000000000000000000000000..004814102fc3e8272429bde640e4adc1e752f333 GIT binary patch literal 218369 zcmY(qcR1Vc|2 zSI7*hDS<1;mDjd_Co;dMdOBAshj=!DH`iRW4YjXase#d6I8p%bX}tBV{jOYLXa4sf zbAgWn|AJKb=)Si3Tl<|Him;p56Xd4xp2y=-)A!93`r*_90$uvlGIEX0&5wP8g7AwB zWIDGRLrb|IJhwG?ymo;Kc3#h!2~y;y_SoBl;vu=JS*bG_!Ej{)*jPkvjDG<_KoMYk z63~;2v%`hUQ*sEA7!-x&?Dit9gZMCwTW=%qWkb%_ki<)>3nNL=`8HN_{#-^QC1q~0 zeV<=*o=`(Xp`e!scuh#u0+d7#A?!|B_EZ6X&5W_S%pvn9omHXWYGD`Ns}bZ>myb7a z-h_iqGq?*1oAvF+4J)DSxi{`%s{?nYl7ipT1%QLJU$o5hYW`bEd>1GGL3_e|5 z600DhHq{XU&bJXO=U$hW8$Eybu21Z14m!Nxk9+i3B63D{MXzwUTg~r z8hS|>gXiMZz~?{5&?%Xj=R+y)@Rp>@IVltwioMNmap58h>H+CgminU(C+=f{WOR;^ zy}RYxL7D0o6pNDupvC4;|s=VF1IEGb%Hy=2s>nG3&9wv8KY_peOU)WRzf>Rnl1!4CW&76 zl5D)O2aNkW$|1zncg<6+P0wsLj1)UbQmxJF@m1jc(3nFrA| z3?F`Q96mgB99}uhj}-Xru#xn~vvKGBn~OkhTO@%s%x{lY34feH6CWS{qp#mHOTi2C47P zKOO+rtL#dKV1>72f_ndbnA0ppm%wP1;D2u zE;!@G%azuw-e`XD36dk|VCCW|j%8yIZbzuYwcd^06I<7?$q8g{ITZVw?vhPVx-=rD z)h(>ImJnYzEl|1t@VDR7XvY-KE}YdySiS3Qui1kwMH5uQAcPctW00!7;eTFeNk~BD ztV=^xJ602N)emXE{4w+!;ni-?8i}-vE(lN*s(x#nPH+!UQQyb`W(UJddI!m=C*Z~* z?wB;3DoP!UyibZDxMB8$ePJypDFi!B67@Fe#`Mu{;D9=)b1FSl65{s?z1dVuvT;Ru z(oRVZgzWaDqCC}G8ElYqWG&r631~`t!q|4}1e6M2bJDz`kss2=1oSlV2!wTeSa7T$ zB%N)!L@4L`aFicp|CKK&2!onN3k{K#5i43}iI#4fI>Bf=yfyBO#}73{yHsn#-}zm1 zYH2Hoosm~5NNb(1pzrADWbJI9V0gMR#QF9F!*jYh7ysKl=5^$z!Yk=qu1mXQ-@}lLQnB>{In(%dG7O}c9aCc{y6~Y;#?x2LVl{oP(MaPX`zrN2 zRUu-s(IX`FCi-UkOXv77**;1{e|p`suyiS4g5z5Y5?>9gUq8;Eu0w^d4vYnFB|uic6$H;mj5{`&Qn|972bVd}@f z=$5)vjG}M(s{6#4a>ffP*hYwPeN{B5)JaIRQq8K=$&NjhE7_t%;5UcCt=ByYC@_%! zrtxPF@>g8G@>wR~rXRb$aZPZoxE*$JYBiev?5TrO((ow@o7Be}w>iK9zqx%&uAblj zXh|0BowN@MAiJ=%5BH7ZuUWo&DyR{M|9hD5LqEegdo+%Hx#@`K^K)N@_YxYkb>7IS zoHK?b@WGYg1OBOE$eXj;CUSO$RRiKnQZc({cI+r z()fl(UemK%zj2a_SwmpE0NF$wHoxoE8^k_EEm9oS?=wU83gp zRYN+&b%adjtgDFYrFBpYUjiE(Nv)32!ngY0sz<#?5R-lrf9?f^n8I=x4&SoaOmF8rEdkRt+*yr1I5A z>_ISI9<}My+NQ3qF47aCT=0C%T(Q9M;Y*H#gST;n#yedgcM&x9ax8E}VYI&ABWSI4 z6FCoFM|v;Vk=D|m+sWjNBCyOk+kyUjkE!}kGD_yE^a3n#|JR!abkG(6O5ZP={YhMB zdtF5LXLt)zAJM7;wc5G`y%}Qsk-%iRrM>p&*zu_Dk@wD_uJ^$@r_$-crEYv_{9n}i z^vjjS)K!(<)+aG$ApV#KQ(ts)U~}4Zl{UFhb9^D8;zV_vSl}QOUax#& zR0{*74E9G+d@u&moyX2GI8RU&E9Zte`MWK>JZV5 zUlrjs4#^@|M3Yt_w-NjyO$t8=jf^{I{_M8rmvpb-pXY3h-Xu7$f0%23-0W8jsV9}w zDjK!d8`tZEhJlZI6BE%wn6%5Wlm6Wx3&Prg_iif&3P9<4V_Bs){3ot3eke#4fp4Pm zNLy;A$BF|AMiJs~}Rw+@6be(bwojjNf2jDaK3jCy!? zI}eIKnrltit|`6CX{Zk>E;>4zbaSf~?RPpx{&;9XC8h~`h0djk3MC)iY}_Q8gJY4z z?7a*tM)+!~*MYX}GdFA-3PM3D-uoIJc$x`-VWJo_caU7E1%4R?;A$Y74eUY7msDel{3~JhrN^&vf*3`Zk|geu+4e=y%IuR!Int; zCC9J-++@@9`TU}L!auGEWc_;66tTFX$6;tC)A~iE!aLmdmf%gjm*iinUmNMS7 zKD(J{NhyEIRB(p)d$kkVP4VA5lav*f2*Z0R4cZB2srHIhlmn(Ot9oNN zZA#Qj6=Yq4^0XPMEJrL2%!YIF56dGlz3sl|<;LK-2q zPIe~0CMH^2d8vl*4D73pA=)g5KW72ee}9h($hF_ta(N!?>l|T-WntWFt!GupF^rC2 zk3D=uL8%?kyjnkc;+K88*H82(cqNr@#SclSs#x;M@IohWEL$2%9T=!GDWG?lX(Cim z7ag<@LR6ijFv*h2ewq=GgT;Puc6bS{7t~G@x1a0NBy-=c5|vq@E13{2;lk{Qs@ttT zS?yQ%3rzeiIgT0+@!TfOdxs2md88>;A3Dv>Y?_b^R7--tr;g3;je$(_F8|jKFhYd>LGP3=WFcYJhyt% z4>rL7P?OVST!LdsT6vlD{ofF<=9CXD;cSQv$cM21o331BKhZKPbmy`hSAIDMto9&p zP$_Y>weX~XpoSlhc%Ej{QQ=qXfDIl{XP<2U(Md}wDw1h9nR-W@)=Q~&{S;Sj<8U}r z_Yjv)`=6_gZBx~`SI`14Y3<;PQy#ada($qsKcsZScA~(KR8>Mm6OkPxIv>yhfX0@@ zhABu60fE-VWi`3nT+a=t#;$l&pG^P72q~mDiOTrwlhm5ND6zI;uI?W{J3Sr?-akET z)o1*cmIv!&KSi?>Z=TEMhRL*bxptYRB%SIzR>zNAq$ED5Gkxunp18!>J0+xaLf}jS z^JnMJkrH|y=vwj$#i~G}c`R*Mp805nw3~tjpueTMOHrY;-@Kw{{p;jGnkj=*l?i(A zKy4Lqf1Q%eSxU(H8|jP78Lsec)x`#>Nf6X~G&A(_QdIUu`P?XLwhc%AQ)@ zy1YV-F-p-cvM;nXnu%Kqyx{)Gpu_}@d9{;a?v87}6ZC~Qhjxs?DEt|=Strpw?5iC? zjIy%)G$xKCV%v$%hVJ6(1Fl>2n)OEY+@Q|k0D5FXvPfjn)aT*C;R}|Fuk1fhuaSrA zJmxiMb9E-u{SZ4T72ydMIYD7d=0qDzoB0)X2)P;?)0?I+35nfa(1TbpE^%c~!~IsC z#~PJ4E8Z+!?}guD|Hi(muO1<6oBtRsjb{3{w1$pHOUc!@1K92=$*tf^n|tYQ%+}5|CU(*e zJ;{CRzZu^oz1JqU5&RYIvlcr9ZYGU_RVa%{NjO=OJdVXTY?b4Yf6{czy^*uNk>FiP z#Ier~9A(;IjCr`*I&FeiCtCf}3}1$Mq48S)O9}ZWiITiYhC$zqSHHO9n@B~3!3@Gg zG+`9l3C?!V$H(`lZE3F-B8Cs&f~>q9RPL%OGrq#{A`2EeAl5PG8O)TT7pQ@6kIdNl zGH5<94n{KR#p<^F`PwH|5A&!}nW=AD(AsI90OOF|V6|L?Q)N=3O0J4#c2oC=a#_%< zo&WaAv}Tsmf<{x~EVw2g7kch<1PBU{jv{5WEU=YBm0MLv+(lzRS5@%4bqg5;w_O-> z9dagvL0a8e@UE%`<9gAP77gFyyjuXK3{K0oPX3BA+mleg$6mz8!zh6Y@)-b_$4|{s zpbgVronTpfNiRwrPon`e!{0t*gJ*5yS0EJz@ni??g;AhIfNLBBlv}L8mZmVNd~Wji zd1x;>rJhhmT21f(GzrYoM@!^Y{6oDMZ5+U(S>V0TEMj)qQ^$|JM8e7QsNLA07xOJ zsm>iU{t(_hDq4mYIBlfMF1$KmzrTHt_E?tJ3cbp2JT#O}Ikiq^n?Z$=N{kYP_ldAe za{i!sXkwO-`SKGaL9}8-EO}7D?bjp9JJVT#Cq?r&*y#c~q*MIm7ZK(1?zw;6fZgS9@6AtuTpKxp`F>P@$zYM_5uHD*x(Jx{H;AaAiD1yvRH7DIj>T&J@SVw$bgpmH4FXCAC_xcxFQ{#T~Ft;wBa zmWba)+)TpOUQZu5C_Mk(CDyfcqQ8vMnnT|-As@F}-QL|c8399{mk^vB=3Ih?c@=}= z?7i$0-4x6QWlVeH1$t1BfU@Wwo1_;1h+B$QW~m?NKk9Y}&zK8~RUq1^Z$GmSzY?6f z)qj}Hip}R)Za{ajA6P>eex>=8)VL{Fq9W7sR+no{-Yi+iS%t8LRB4cRDuALO?nB^N z@JRBN^_Ip&TSZ{Y#R%~YXh@Uw;J7IVQ2{TY9onGqzqH9<)Auw~;NX5KGugMMi}#ZA z|780IDd?u1KAi$DJ>DVH=D+s@;PQ3L9Fa#QRdrQS1%xo{zDL6z?0&;u)pemK@mj*Y zx`MrZbmp(BU*sEbg6ygVc{*4Hd7nn5GF9H@sHE1YSzqd>vr@C2A!o}slBCXbFpDbv z+Z}Qvq?Ey2eU2k`hd*4~UG2%d`qosk%{zaV*;<>bHM{plXxZhBY~2)x{@jt_wYSFe zFInf(>q!?JCA~eVg!|7g=Xibm``-_likB_C765sH-o<-zA1N_jFk>!}*LQGp0R0v< z2XN&X-jHO0_b?RBBE4=xiLwvo}p3IzWV6RG@dyR*m zpzH}2c$&@DEo4XqX&zUc=*exHkAv}IE?wka|Btu?k|quU09C1p7d9kG0K_FIHT0#^ z#8zuYXvZ+PUtJeZA8AbxY5Ue91m&v>_I5F!Pj|rEpj)Q9FrCIj8giz6>JmBYe0umf zKRl^pw(4-~{g9u_@2R;d$FFmgSS!1Rf;qfpL^t^Uajr>ky#62X7}N#VY)yzEAZFpu z)-BzU{_qKiKXUXzzj}Z*E+eAJ<)l4c+H-E$0$dyd3mP&{95-+xde)ahfs`)w87sq}&W{NZVA2x73QfA1f|@fBP+ zIDxt@*&y91>y>V*1gpzkdW%OYT;+e^)TdoJJ#MPnHuEoA##t_vWEmE>{7;W}PRoPL zV!yC&k%UR+ZO~y-cRk-lNb!SGv(U=cE8u7FsCDrnEe>~xUG#f>X~C?QpQ`24Ze?4A z(umOre$+=~vXiv z;am*jxbowm_f%NYwWDn~MvlOtn?}xY<1XGX6V&P;Oqif~!(nMEvz;ET7TKJqtMuJh%6F65xn&`27dmVfzJ;|o2tLjE^`(xlw{i=Azn zt*lB>yH8~)X|2-YL~aBnw|RHFUaMJd zn3TEsLvrypc|0PV3^0bIw{&hZ`?N}$tAMC%Xn^>K^@iZzuMR;aCyoKHl z-jD~QdsB~o|G+=r<{iD|rOm$%ir|Gk{2|2@P=3waq)Wfi6^(WxcI6HROV4V155S)! z03$L8=CbspCIX$4?-Ck}gR;cA;8w2b`hdUQ~FdBYXRrRV#e(t|(q8d7rjU;ONCwIgMGahkF;)MIx}+kvS^Jq=%!P z6hL|C?dO^=r*m}ojM~w%Z%|sU51Xhk#pq7FHlk`0(hW`o0N1$035RCszVk&!?($9& z*W${iP6GpX2x)Lvw%#m4vuI9AT?IK7i8RKx4ycFVY0B};W8h9GJC0=lyo7usmT_6U z3kk>~RQfWO6RiMmY5=;_Dv!UdRX3LCIGo!mtsL)*`Urnlxjpv`u#|~xfqyw_b_-JO z;r-P{Q=R!Dogp3V;8s#BX@?`D_d`++fSJFJGZr$0ip-)XR3ny)$ux33{kKiM*C7ul zAvtre+ZTFa#RViDmrKF--amj+wlYC4lIk24EvzKnuNuYEwrq)F;!wXn8P->Wj$5{TfY z*y5mhl55FwFkypBLRE15NoritR_~{JeQs^{uu9eo{~FZ`AGh0WYc%^8r~4>Lj|~w& z6v&rVoHVRsN}3BX>OUG1AJR=LEY2VKWOhR*vD$*&S~nrnsa-!VI`g&uG*^oEeUJJd zvE_Nbf};Jgvvi+-Kg>@`KMr{Tl0l#n@^@=I;Nt#-^B>c&V)0cD{ncsx)$~UR54WCc z)NfghP5&t>Te_x`bi++{!nNe9&HeB^wHF>Gx#XH;^5znT6T&W>&LtU$X#nUr_wO4> zEPuB8ePH!A)AUXI>;Ke9a?w&s6uWFW;ka_irN7fNlq-s%(tF)foFP>k&!E32TN!(B z=hT!Qd-R4zb)9_=AD;-nrnm7(h_C0Yzv1>PUdmb4yOf1t`(@N(etE6%f76}sRDZV} z8tA)NjppOv?>XNOI3@G#^o}vj$tZT*WHe_E_(jcEIV*eG_}4+WhVt$hZO5Ct87Z{q z4eeHKFMc|VOLIMT`+ZMzO6_HQU(Bub7rJo|$7up@8dVoaI{elVOs1x@OdXn1pl&r` zSvHz{*Qy%2cz;=lqrMQe()w6c{>A!-*@ahbvM_8Cb*4 z{CpLo?U>VKiCxsRdkAiqGC*oET7ME!1A^+|X}&jblI2)RZ6d)W^Gj!R!x_9DP)JkF zUXu_UM1H+hwQj*5`F;>wMl2&ZVp*zBrov-OB^)*;Tcthm4jjLlrZy#IZEmt})y^)s z1Y=`6>raB8EYRP>bKpLp3(k!RUI!o^p%wr?S$yd%`28=xbtBz&6){j5zlFmgLpx0ZN~w`F*`J7xX1G_RS`tWbd!! zar&9yA>L}bCu)f1OK827AIu+w=|!6Dk}Lz@r`v8wRUEQ^b^)D#(wq`ng0t~s!~@PT z(%cNA=x0pD5tH%iNOC~ky&0A8j~@;|e$^!%Lx_$B$Qf@>j<&x1{q4=m{ZlSG$N#vU z{1@h3Ex6sU$y;w~`oC1bRv4;w%#X7SYOeG@GCUl!1$B~#m(>Au-kcnbSe&|Q&n(qqpZ+FsTA<88wt{`48Qr8};*i`T}r zBQ3LC25a(CvH60`zqZt(rAzuk$aH)jMSo{nbXtm=dD%kE8Jm! zu=;WuM!%=-k2$@r(a71DjNq6{WjlI4dGsqmb9+QyBhhJz^6x3<;z8ogX?O}O%Zj^% z$^D6#z|Q-ZlUm&}H&-|fobKiwC{#V^CTx&5-MIVfmgabo+v4>Zb9E}RF5lL>RdN=@ zG*hSJyQef(P64H^6+eo$I3I3yQ`_XmjD8r3occPJ@U*LA%w*KHBKIncqBu|K=^G6n zuJ;3~^f4b7gM0J4e>n~FY1Yo{=!%xp+uKFYNO`t=32>8k)olpvY&eO~ut8|Auy{;+ z@y@(lVUCf!&|w{Sc39LImvTIpa3QCJycU;3B!IRoPuW$$n|}XY@y?ufEgRkuqm=Gr zZMUGiS2-Nbm$oq}kPI&!Hh(eqtfN(mIRGmB>U1f+w?};^zb`zgj+ZAYHqA$kV>hv8 zX{Fl~Y9^5{QyD}P#VXK~%d@Dl@9@A-c+yJ8m|5~g8)EvZn_Y)@42zqQA3$x`Wo+%V zBo&;^o&O`-4ik!N4qtjda^nRD$B!YWHl43SORHB)6WR@!gDV;CXLp7Nu(dm%Ha$;} zzP(`^5U2i(J><>qH6iaG>fU~+W=vXrxzJA+mR+OTtYA8;x!v)7Ua;eE4{rF}AynwL zFW!b5_n1VFmulW?RqlDlXl`ttb_uLEG<3V3c?&XKvv>FhVXX94%4f4RAdCmoa0Z+A zBjq%qh>94!VdC>xV8v}h0{oF%6fQW$SC@XkQhX7qeF^XEqd40uBD8NnPB$}$Uj=b< zAWGTkW@fq1D>l{Y`W8hVrpSMF?BWJb`De+z5H?r+r3WS}4{wT+BAWS$7^z(G{pkVl|@B^|$~-w~(_ z7r+iiZnf5(D4JdvcY>`6sH{4;$kYHh>RKo9qn~^R>6lS2CckS_cF8g{o z$BGEhA4joX*r7%54n0QufKK-+0fHiPGD6n;1tEEW=??^z?^g%_;ese9Sg#TENoceKs@h-aWO$|au%KP48Tf7 zH_iNU00_U4eAxeKVFuisA1c@#XG+926|?=c@HJkL&k-qYa(Pn~KETL$luj;6d6kFz z3d;B-R&=UFV3M28qR#JZ#b!u%52y-A&ZC6Ow76GY~}tO#1|> z?pCpEoXp+%YgHH%V!JyHLkdlbl#S|J^rj}(-sgqtgb1kBgkMVUSe6P-A*fZv|1+F` z3G-eXH%T?LSaq|}=8kw%c3rww4KaH4b&{rHl#7dM8^7K;SvD^nis4u#B-n$X^KX_& zJKO|-n&ezI46T04FkFX6i`2q&5}Wh{-kvF!R4=Pt6R7Cx=W@Sz|A5B*N2Nl(h`9UD z_v>ZX<)2&YnrM6coE=e+9g8niE=NO6{pU960yHh|4jKpBzL|z$KIp8Nyq4EXO1#gj z82=`Ft~aC7?G?R6w7hu?JM-UYyFx_vqT$5ft{;AjUY%Z>*0EJ>E`8SX=5}E{d35s6 z*fZV=tfv%l&mH;LxoczT5<6HLc7q(&#fmJ@S6W(G6o zZmqdh3p!o!ar_Xg&Z4TpQC%bMzYq@U5#4{BVyMvdl3SD~;O2CiREJJlwl^);Vw$oe zeWTo_iO9VEiZ}cV!4({5<_ZWZq`{ruET{wt z8fZQ1<_Qg}guZaus4n0gSAIwM{BU=w$@rHTo+hVUW%Zife1qoRbqqH1-$1fF!&;0x zE%6WzWOF9f_0oqPo8#>W@W5S5OwiH7R_k-Zm_J-(ToRL32XB@FfCnO+NVvbB;kE&_ zD5*s<9kpi~)wN8O1-`Q}a!&`9NckH7>1kn6RpWA9&7J%QptAs(3b@=xiw@MR@oi+A zjwqM-O|Wh$FG?a%!v1p`bmey++;GXsR%VNqED;GDN5B6Z@!_&HtpY0d|%Eu6U6__Hf^|%uk%3Bp+^S=@cYC%gmI%Uycz~m zu1AyS$cm|u{3{WHE%Pi0RO-G*C;)QR{F=C*IG^|lpw0$-k<~E>zKAQ%0r-@}-OIxP zz>`MI8qaV08QXmzBrD)cPh|1(O`<#I^g?)(`pueO$5!T-nth=N2|k_+*t-PWUOnBjH# zFy(7{Se5>B0SQCN2CYnSxz64!>D(MQ+K;p3i~gE#1FPM)db4I%S++<4hLdlY=od<4 zeD)F$vPs&Q($X7>htlS@foxZ;b$59Rmfs)lY(1NKQ&7&S8*d@vm_U0Y$^7}QJ`lV~ zj8eCf^lsF}47n7zNX z67ugSl}GnvDVm<0T7JB%Nfi+p?mVuq?%oc)Q=A>S_eqwH{{^6O*go6&Q}*9g@h}Nl zdcFU2-`1PUKthQ^m_m3Rew8sgv#cAN6a7Meq>0C^j5!9I9j+63QERNFaoeGXNk9G5 zRr>YpSgsVar)3P&pR;D9F1!?xKAn~2HkiHCX*Ly+`snlC{SPe0FU|!G+qA3+f{>AW z`yVW|Kpk&J1t2TNW860l;r1Yf8jK?{L)KrOsts1N`{PAG;SaecK zq*@@ZfG;RXMIkGL>X4bie?$* z)W~ePc@R&*XeEOMl#u>Ul~N@eMlpD|cg+3VLhr&Sl0)P7sP$I6A}K1y?gvn7*d;Rg zmx+DWWTCQP5Y{5p4d$Z|C&M0w*aUhl<%SK6@8566Hx-U=MciBGZ> zCTJbmjLQO`#B0F&Xki3ALF$hs0VzIcp{!Dk3EDEtAP_H}TX~(Vctv3Kt-Nb}lg!a` z44bzOJ?|Gez#itg00Dv^`1adhGd`~mt<|UMV))9R>u!JFxR{Yc>#h2j!@dV!fLaLA zL%TnRzxS$F%)MCv1{4VlXli7^-0S@R4XBv!z!Or=zasA_v>AAWVuE%dD()mscK~+) z>4&KbzxI_x)4Z+Skor9j6?-xqY<>9o%OTe)^FKM|W>g?z_pAXjOp8iPivONB?=#i( zj<;6M7v`D0n`;FgJzM7joQ`}O7$JSmeStmR6KSW@YtTNj`_lxbs>jR1>Vi`}2ZUS> zVaOLYV&c1`k^F^FL^9ZQ!EL)ED}bxUR0HZQckmUSiA}{3!gx8jMf2_T+}eA1xpuTr zmCk1@GKvtVmb7)S)(eMy00Xxzk=(TNOC0hD8vg$0|KIHikDzJ^F zlUsnfa$~jCX*Vc0bf*pk4_$tXn;GW_`GFpzRJrSMPwj1WM(BpYBvt6_P?V6}6^6h_ z5G*jVm_G=pGreEW7%@qqSExICnD{Kd#i!W)?`CEMQ7fphP~6|pBxvNjl;P;a?TOu> zhfbQ4f#W`=-m~|G$3?{Q<(|g>%q&e9;u$en`yE?0Ywm$^95iR0F?mpV<71LH8L4n0W(mq5RJk`nlu{6gyPyvv{M zx*3-lLLK=fH|Dx{u$hFugWPip0c!W3vnJf&A7oa2LvCQ%r_4>~FEW1@xjf&Pckewo z>;^lBa&Bo*uWHPi!lEb!Wm1OyRQ#(9X}S1$eJ@Aripm8r7((L{(zPe~j&BzB~5P*9WJ7Sg7 zc}I?Lt>D&E2R2d7PwaiN+e)9aK3%uyZ>~XS2?%ka#swy5RY`fGWpQ zAxfc~OSeU6&}zCYfRB7C_+s>d8@yL)iB=>)(qWN#yg5AoasDO6#VAtWfkTUn!=cf{ zbtC#A9i4n-|KxO ztVGN2MH=Hp); zEZZ=|n#J|=_-A5ZD_g9=rY5h@apQzzqc_|nd-$yC@PqdsFc3{+#f0)ydqoj&W8eTy zOZn-dKo4uO0q1I>F~9j%5@Y1eC)Y5K=dADR`d^HEn>~wE1h!#uLz_ z*$&dRZqiRo)qfXNx2U!7QLrBEg5%@7vA?f|AHvyFN$Y$3Naj4J3!Syt}ILR<>r*GVr|0GuUp{%{t?;@%0}Y^?yy zojN-F=5^t}AOycJv*`4D!jBUwK{EYBUYcPt_Ylj9U5_+{*(uMr7VfwVvj#_kGd+KR z{S41@CtPXyDqqJwNI7r_1C*zpxcEaJ9VN{U2UqIi?P)KXdl2+Vmp1rzG-Ia+Z5d%% zi38Wr>9pGadLr1es&*L-wkNEm_YvrpG=o6ve1|;4QD>hu8@{9&0+6u|=z43*$sfQn_NpR&KGRL=sYQ=*`We5oNDpNj=kFO{Z*X1_ znt$8aviU}7oZ(gzy_zPPE!Tecy0J#Gp}br5qmchf=v6|=s~QqDBsaF>>VseFO@PN6S)!%+8g^_hq%s$S18@rmgasMsGkgX6Y`c7q}K( z^-i6QKeQ}VdSsiGkct(pH_2z-y`pD;)Q%4G`jsVUQd>OSdsp3e$HcMk_52%~z%K$> z-q(m`R})yVx9;CSEdQdY)8>%0b}sy6b~N~e%HPmfG|>bLkUOxd@Ro*hCxmCTqlU(f z&&*}mXR1BdtVb^??M-gkZ=cj_*ROtgUZY@!(o*hQmR%J6IB34`ptzmtfUP=qONRkK zIwcDGPiMt#W3DB+s{^Vu!Z#Sdo!T@fZL zjNV&&2~Hom^9%Q)Z^m)8u)h%DjW7@j#9ha={ssT#^BN$I|o?6@f|yF&BYm;j>&n;Giol4VrKc)6!&uc0Is-sYobL3 zeWC0)Do(&&a%$tpRHbv#9$N})%?Z=ztu2Q@<#JPo;Tck%WMmIy6?1I-JhRs5^Nzos z55IK+mjrOZC=TJx|MGW#-;SjdNoyMUxPtf)Iwfc!q3dy@)P?B(QYe@z6p*2wsyhXi z_7J8RaEyT4Mibf@aJ^i0$cuQ6|DbAIWnQHb_EVj+3)Go|-|GtIqeCXqvV|eFY>&6q zU7LTlKVIeY8!+Ur7_!P4Z7L2rvdAZdZ7cZh5c1DG_0$=7@I*^>2vfy8i|@em=fKH> zOXOQzsoNiQpAMi(m4<6BBg*H0N)Fw@{h8&LazlE9PK|+=UaPsRiFs#VLl)%HZRMjg zq|jCBGCk#IzYy5Dr9%n!DS1Ce`MEBcA6PyeK0hwSx|1wPs~n#r18na6m}ShrU(pzX zpC>@m5V$kcc^9RGFGq$G9^$6XVNH7fVup1<%n*TgI;}zgy)PrQr-yP?tT$0%>yU~W zcIAq)AT(vr-_Y&$`q)E(LW;KeqJ6bGVYMb5OW`s@1;hg8{fK{^;*ojC%tnsFY|pB= z4*rae5I8ro>mE|0sD^pK7fOF3^Fzz2B&n2_=dk>~3;np(?#Ay_hJ;?r*}0E~=Izd3 z>2(avSqn2l9*yec$(c(TWC|MIeIUxv@M_X-)fkd1vx)t1 zbVK+06dcsD+_LVt;}w-zT9N;r;Rd8jkU{>bwQRuBo&9J3efTWEmi=PTJbvmTh0gfJ z{Gx`b{nnWaPgGdsFWDrW+)a_D zWZSNv1tza{AV(pL=3IU^BB}QDD~4aYJ$r?0oXBMxYaIFI#+WJfBs}(myH1BTQ{#|= z%kYF@9nFPrC71!(MiDTyl&1F7(qu22&i>h!8MR*&B~}LgOUEC+Nr!<*yYeR^==>IF zg4O&>dUw~D$gF(7=t8&LJ9-V1^1rQH(^({}a}*7jI7gSu8gfhwIW+2&-Q(iyg7H|s*=K9T zRos$jBu2cA>c$4sZVw-t1nH@>Y21l6z-N$p4%VIWlD;ps_CRxNhK7~1k~cKW-huh= za{Q~N!rn2IBc(p@&_-n8Sc*uit%D?4G!P=ORQEXd0#e0Nn1*v8(z}WD2LU@ea9RT1 z$}|K#Q;A)s>EVgP#Jta9AFF?f$$>szF~m-t7PcRqN)Cki9D42&L!vk>TomohX*0hP zj;AJLpNnSwjjva-9{{Tr0mUL7OXW)vveE0@3#XcosMJ*tlzO+^G704LwtjUv@3P~X z%?K+$0Y`^l2%UDxjT`HFZbsO}vBVN$Nt3huFUx@?_v=J2f;9499EhLM5IY&YZbjf8 zsLbV1RkBjBp7}mBKK;;e-4Z$-<|yIX7>(r%6oxC=|46zZEo(R~Fh)TI@MC{T&c3jJ z0Y!EEGzR9o+9LmYzHC5r2h{6&y1xKpjW%<(dRrRnR|c>M z4tHoyPI~CjiVt(sI|tl~jNuqGQA(vDJKs-1Xarm&>rd!7{euy`iLV1n=o)y^M5EL{ zis_ErY^|N$OAjr34&W#~DQA_h|AN)*YyQco+g-fea}#1PW^*J52uOTUnqC=v$L%&0 zL!>7QoO*}7W4N@rHuUSDC)4v9X0JykGa&lS;<2~3F?S1EcMk2(f;rEAv7iy}2^!V$ zaO+=r0Zpjp*HcV(%8TjIe*k`xRPf$4&t5=fCXcc#TJdRO?AF>zWFXf|Sqtydy1dlL zS(68n^;(&8u9Pq-ISbcFxmRj0`N+xmi`vhuO= z7SVCic4oy)OA83U+u-QASlx0%+Liq?e=Xxxww%beLKgw=K2Az`YwH3F6Vo3%cdv;@ z-}t)uo2$}@+AocDQwtBFN9@+<&Uwv<`hdFUPvw&0Bh~D8;Go|QR%7M~u=fBT;V>NU zes+=U`@y?uLr!w=RoOzv*y4v%j<{D_S6SRjfEra8jaNy?;EIV^>VL{B$;00>E>j_d=o0Lph<WZMES{3 z$)N)K1-v)p!Zbf`BZJN6MWPm7ozRlX6XRW)j4f}~5Ouf11CFIF4uHli%g|ZUF;ynLXnf(&$oyH8xqIKmJk~dE zuSTDG;Tgr&KvGN(ZJGA2at){}F@gH!I(JIq`$FbdUD+N#tHs8g>DsUnD$w$BsnFzJS9TrYNXP&G9H5NS@0Bc?Y zKkp!%hLL16X$VsV9Q|QLfE=ODB~AZPat(dI9`LGLqe@x0j9V5o4u&mOcul4=t0R{p z-d8aGb7E0|$xFBsq+wFHo_bgiL^4ntD?SkPhI3&n{e!xKdT|^;$Qfjtii`jqggN zJFHL_Kfk(`8{+pLe*Bf?y~&$Ry<31D*~Ux(5_P|-t<{e11HP&QEa*fG^0)t_jT8D8 zRo>FTg91QVp>J?NEa>E)r~EI%l!_L*XmEiD;RoW2{T7ucA&*l6yhCA%{BO!yZ+zOi zvQt8VO5tuBd+cBM!qUO=C)Y44PS?+P6hj~Kjq#mG5v~88F$+ck5#>puQPGeJSF88T zPm1TAkqd||N)E9ujLK_?7%^`dHyVBx!By%8U_wo5cxDN+ThaU2EeaZWGY|TSL&J|f z*As8p=pOT!g0u$B=S|keBlKLDp68a5BX_C>f5n0WmS%d~wl@}TvHhRHOW%t$MNFM5 zYeb!d2O)PCWnVCU2EF}6>N{PQrTh_ZNk$|1<#}nzjW^z31h`Y7!WGJ5_3xZ8uUHAK zoN>ekA=rmsUV7?DQa!I}*LLqNo79eTuCW;y$z0q3QNSrg=4p*|X3nzjMUEa;RKMCn z1LuFfeb(ty9yd{E;Hy>crs#fk@K6lPaZ}(GU(`PYNYd8sG5t?ECk2)sc=PYQB(2<1 zy;}`Bm3Q6=h<5`C?PC*GlP>==zDd~`uMjE801nKT>5EvaJWT3>r0s9`lKkvB4 z58i9+JdWfV>F-i&P)H%As?@S9m3*vbsl-eS3IOq-y--iQRgE5&R5)o& zA=UlEuMkX4RTDQL|7;5jgSV)M7|%pSz>+CQrGV*F0Hd;(s)~xLD$)SY1S4@H;)*1K zg~`L6buOJ6+Y>tYwBa2wWdVlqDexU2m)~A>MSrt@{@tT^qK#X}9i!ueh9<@H7cPba z+?sIg{=jT^NjVF)7RLmWo5f>X7Ju-N3Tn`*EFRkwA*yZz1>qO>D5;IR9Nj7*xIMgB zpb?RGYH z_&4Rvq%_&R>N@05QfQiLE9Vol2fSeT>eQ*|h9zWcc$5a0G}b!Z@WeVkT-_9x)q z%_72Su-m_f55PR%@1$CCI{!o1Zj8w_l z+5dkWqP1+hA}fAc4&gZOsJM9nld8Tw@XFm~*aJ3!!;X$iTsXbGoL6VCB23T$nBP-< z<4T(`9sb1(aZIy>&#3gwz4ymj)S3$VgJ>h%x{MNs zyD|@V1-Kmbs_3t2$4;Id!MyFl*K$VH!CH@N#GW5-q?>=KUwr+pz}(;+3uq>y-xitc zykpY&S~hfTizT9K_#S`W9k_Hcl!Y%Ui*oX+P(<_{R#ZPl^p&A`r-qt4SK!o?NJ2DX za#p_^J=TC-|8Txh{NdYaUVvDZ$hrL>UuJHWcRsbc(Ye9eiQ_i?4)=F1@l$Sq;EI

%F^uf!-YdA%?x=IK6bpwj@QLKNQ(>&h)jUGN`4ik8*G( zj!+QE>it>Se#s|GD27zWR49$*Ynig5=Y(s>m(aJxLbmiFTdIQc(;4h@I($OgoMaSa z3OHI&vh)w3iHyS$I*KAE25Sc6!WRNN8E#Z=xNchPdQ5|?S|3uPBB&U(dUiv}I3?d= zdS5Q%fZGpNY3y5Kz>Y%pwo%?0Gf+%DvDF*ew%1o=anKrYH^*pWtFB&?h&hxHG~Z_uMD(xGxtP!+KX4jwW4Q9J5H=sqLztQ0N$3z~x% z(->9aN@h?aBuztz1L|ACYFI$2uxyefnZ!z^8*uRyPbCgD5Rci6R{b7qIn?v!dX5tn zsVLqp9!mNST`tRjwn*udvpU!KDJanmi-V}XSG2Z2lwi<5{o%F>z_E#>E8(=lWMCfXLZTew( z2jA9qDZ5{mupIv6{PlB*9=>`3Koo`T2C01+FXfLnKx8_9YqHnzKfGeG-SG|9T6#O< zAF+J00npZ+0P;P+IX5E~ma9FHmTadQ1QC(_RyvM)oCetp7={CAnrEt~H9I*&y5yPt z+5`dI?%JLsGUq2GTfcyWg|dhP*dKlqWI7$b(&FFycV3#y2mZes%^cPc4xy3zkAtNg z{sB3=9gx{P7>0Pa%iv~VhM4yEhix{j)5AyU>k$^%e$)QWtllzv8C*>1zTEP^i#A9T z{cmvv&z`}sXW-J5bfOiqYgs zrG;ulK^u2Vef*>2+EQ}|CQCUmuS-;?}N zCu3z)`bWJE@Hs&sc4Q~KWrIqA*^yCdGf%oKg zvSA*GPifAYagR4U&9vT%O3w6;(bdcE<0Wt?onVav zXf?z?6tP2o-#KZ9L6Y>D(jGxswFst_MABV!n8Ji*(PjJI#MKV#ZyFSX;0BZVBI81H;JXTi&pZwOTFJE zg{Buvvaieqt9L%1JElufm&jWH2Zg{W{BNY37P~mH4nZ%Oe9*|o17d;>@mixl-GjkK zn2K|K4985zWWNvnz;jG4BD?W?Yz{}~&Fe>fjxk~(LUFYd`14Hjg4v$~ zMGr62r#_gja(Ez=f5|N7U%Yy@Et3yybLB$j5a17_fRlp;-H;Bzks4sEUvEZ4BPSp# zGe;f$$lLt@b@AkN8k|IZRHhGZL`s@iZKRTQFY#?Vu*||}$Uaugs3M!E^`~zCJS6%d zPEyY37)k0l`>>U^T&~<&k`noT?pRPQ7dVWXh3h9O+Frx65tCr>z&*)sKKXDDRhS`$ z??ICFd~o!JkimJVVB3Am_iCADaAOC4syGofKJr8|Ohg47#-G%!Z#h1)+SEaF_JrU{ z`miPAuTTcTfe-u!fxmMO{BDG6o#Uf`tggd?yL@|M>R;8DARxBe>Dc<87hhRzT)2yI zSvNdxY;j)j{|uaw#EdA6xTd6dhU}*hQi&=*`%_B?SlO?3zl@P>)X7>%NVRoy#9_yf zOz0~9LHw#7?hr=uH4nPv zwk_^5K<}g$0?c4cAkzh#v^fIu7^%1~-~cR915%?QDOR{v4rpBiE>~~7487et=xZ=o zUQK_jWs%Mgl z2_mP93d4rwlw!l<3?uBM3Z{3BozM7*=W?IDMy)iN5%6@#6DH@3%-{JS@t$Z zhFyPJ*Wl8Oqn3alY3)w^yD$a0LErN-bPvs;G(k?0=G(nsHbWt;*^?2k@cXtT#bK4-T)B!ia`FjS* zkrTB(aky~EtzI6f8jDNX z>RnKUGjjBm(Bi4TBeIjvP-SEjP?BK!S32`t@{1*t`qTVqOz!SYniwqkZ@pxdV=m;W z>VOCir6I+|GmKy*t9t#S<~3cPOBfmhxa6zr$)fj?Z{-GW;%sh~lPGF&`|*KVu=#^= zsiel37apOo;g)3?|0k?;_>M?u8LE?U*?%T<_9m%8`(1U-^cs{~n|silvi))9Z8JIU zJdFz09{93PsE}vR0xy#m`Mg(3An@$ApM9x^c#;_2j|4b52lATa*QGp0BZ%PvDXQhkdfA&Rl=v5a5jX8jc! z&B;B@4DOtv470xBpO=ve_w9|>`aOGF42;~bz|-{&`2qe0XxbQWKkUi2GUAYP!t)R* zg7DBd?yn@j2BipvErw`z{Qg@~~<@nUQ4HrJubnEjW{q*AY+`>HyhSw`t#RFUP9A0F^vDRt;jY^kLo58!nlBia?0dOEPEuqL`!DJqa9lq(q$#gVJp85O?^n#wTbo}lYFKuE zap);bqFXcg{*X|6?h|G(V$h*WX3NBL;MEQRAE9xWomub01x(cUctH_7D9VHk(k6R3 zojU`v(he>NG52~?QGUA!{DdFJrkrzLJXaGE12hSDXIjBXKP?~mPd42ap)L5YrFMQU zC9X`Qd!dX-bWdW}{W*|I+fKq*bB`|>r&Aeek*7vq;(P9dw4wd}G(HxBD$(*i;^i?3lW~M+Lg9RL zVg?DxuTB*%=Uq%+(Q5ITBl)4y8KP(lt=iV|9~CAq^2C>k${G7lgXR*Za+6!oP@jkA zn|0#XzB>Fcf}mT*BseC-L`{6!ZgKI}Kg2tQh5G_;3+*!Z`*p7N>mPF z45}is0)oZhQUk3w7#Lg_;au`)g_25iJ(iwWs44P>%2X^2Jp^tFgah(eEEK_PTvU~M zuYUz@3P0!AtsZ$Y;DkG${0QltLen5&0{BreSTh@jNPtc$yz)X#0nlr4ijK~Yj9xp5LH82_^jV1 zq{`;Iz?g&lkcmfN6Qx0>1#x-tf;Fil?C$ebwfohx>F?{|zaD!^?fS<#04b;$gd?lT z8Tlf9%_nNjH@Nj=1F6w8dF!<)yAS{c+VNb3vpZuM=S>@gAb#{! zj#I&P$8H^~a>CFUUexZwksD%xK6mfpjpu*UMt@UGbsCIrBz|M0Zno0~V$GX%pkzmY zTR*?jZi_*LuK6?j!;Szgumr>(g75^mU)iY4JTGjt1z;QX?(tilTfkoff>|(;J}|D% z8fgO?Fxn$^Cfn6vR_<$c?a?XU1q#mlb;@s9G!%CmbO#L6?T?WwE!vTeNmWw+fI7Yy zdEkkBbF=8n?{mFeeNRVB1n$XJ+|Kg?(Op{epoiQsgp{qVdaP}+6*T>^2K_)a&jFt; zzvYD+bV2kn6u96qr!6l6671gCg03RUzwL*#39OS!6zxIfMMSQbK~M?Q6jg*iH^L- zStdD-BNDTH%GMJvOhttxR(0|p>aF)|>t7_a7?nnSj4s8G*K%XXeNHsjv-qf9`UNRN zZfUo7U+ILmcblZNr9lW{P#hjvIKT1O4XSE5Va3|Oed9vKIOu-1G+_Cu@9(ME>n=uZ z<5b$<5wn2i8@siA)awY_cz+p(*=M+Q4Q7}x%&LO@+QotM)RPPO5Q zz8#(5DG?c^ra?-wkZE6uLW3{jg^51gP`<7r^6}8l9ipX9-U`$o1W?0v;7ng2O@Y7@jA-QwLy|AbxOj2*)`hbIy ztdhX0^!1#jlH{k&!$(1zBYE7RxIKDUSti0;kI1mQpFTrlOz6WZ$lrRHWx|8TZr!Cm z0Bm@VB);ed$Z1spbdqWlPY%x@03l$rIYZg|<;1)>IY`|~41;I*G3iM*ifboC+5(Hp z6h$$O0}YR-xzz>PBav~v^?9(`%!(h$)IVuV^(s0iVrZUtPYKokx^qL;=W$?wE<77x z>Nx`R3yAm3xyH2};jPthkQp))7(lQO85|BbAY|m1^)y-o-rx-Wz~3Ytk+au*KSGQ<5$YU{G|5XoZndZ+A=t+Ce|H zYPrt@d;)jm|QXi=fnp(-uycWUjKo`v7_3ghF(VQ(`fr?R#yqwF7LmSSWo zmj}%}m$7y(RtHWunYeFdrYbsL3q|$mH}DO$JVR6lD+C!Bwx#n14s|EmSqzs9%Sr6Z z-L^JWx*h*fPmbChp*~!=>N%;nz4NYX`mIvh#s}N|K=60t2X&tg{RH_>_>P9_)jVgyaI5{hCymEM&IF2f+3?k=F!K)cj{ktn&pWmZRghZBsnu^5_?}(SMSX~UCyB7tnNSQ z0qMfA{GV~7fsv6@GDY9Up4$$`HJuNaG>K3cN3*#2kV!dc7yu7$1oE=>#ahx>K4{Gx zbgy@q2N;#~P6Kdu0KnkdCqESDCoURh^+bP=6MudhXw*vmPlIfB%$1(#y_0xNXt(1u zfz>@Eli+zu;N5u4?cFFb^M3xsS>)wh1c;scUBt6eVX3js)X#8@&xLYFH3CG9yGi(X z%pPw@b@|9qKPz1HQaL@Do67UeMy=OEM?i_)%w7^}|5DI@$&JCnYVHv2SBC3r+cn>y(Hg!RrmHQn+S8%D3o0GUGnDxuINfZrm zwDKGcdWMC!A7GTD{=u-q+@i_{r0H;0!VZ7 zi+6)T84_ujazzdy8zZm&{n!*j{wo`Kv|6GTJRj&LbNhcD!B`;Poha0>Y49T)xW@32 z7JWc1>9PI|xeroB4g=D+IyU7r*@teQfNlWQ5r(M>cO71ZY8=RYeJ3P!TLWBeyXl9%I1=%3PHSUsL{NS#ZYn?4bZqJ z&LgfuJeTI>cJxIyQ&yj01`@X-4y_N5>Zc^pFDJj0=1BD(2AYC4qy#~|DZ2>?EP)ly z^6zwR$?|2loYY^QeG5SpT(&}Gt8Z`U1ROejL1BFXR9CbBdwFr}HS3RJvE45Fz;7@$ z)Gg#QitX3+kxL#(NJcfJ&6o1+wp9I)^@z-_3h?J=2sW$SF5O9DzRgBK*r^!|W^Z!C z1wxM|?)xcs_$zBTByPgD$9w#9Q+&c%)lGG>GHmlAw+#w?+On$R0Xu^zu6>22C26wu z`}%_t^&zN3| z>@ie=T!Z+2voHXuWFQZJiYr1p`oRDR>_DJy26#DivPhn={T7J^rovd@cJyy_=uCoG zw>Vea3c=q(yo?a{v~Y&++`R}4;$NHGtYQq_A^^d^vZFFr<{7>Mv-&WumDU6~VT+xd zK3ViSh{a9=*+OcNoRN3;q*>4AK}KpYo0r3S_(H;PamR+<+pq4i zv~18QX@kV2@*#G&tAb+@^I!#TdH1&U(4X?AN}Tw}Lc`7OY44`MBJSYP-mKP$?F}b; zI*5c)-`N{`=^Gb;RM)SnOj{eGIfIP^TMn0oL3R#)4~6OMm?aKDzAYbpxg%MJT(CAmVpz}q1FSxntC z*@`n(KP6+LR!mLCj>xufHtxM&2Pa#}5to(SGVy6m7j0QTd9>y(SwlB%SyoTdcOBt| zjUB}pl%(f>asO)W=qLg|ABT=2xmB!zme%W+I3Z#N5=+k%FBI*IaAY4TbMX8Yqb=Ji zpQ~hvVjYrHs8gw-ts`jsfm=tw^1i9dI%vSIWlC{ZT!ZgMjU1Dtr?mqaGZEwm{yIY{af}|HqK3MQMajIq5v(_zHJR?bIZxTTr&_QX>)skn)DrvGsFJ# zKvaI%`G>>lz+?T?0tzw=KCUu5b0T!*PpS3NQ*%>)8*-*+IN!Kkw~v|o0q5uQ%?P9CbUI$QS2p2pmk)7U`qdZ?LZD9u~jXnqR=z*_6 z;NmXG!$Ts?VVkg4V+8UeJnFm^$?Zni3<%em6M%XY-amnSaO}nN)B)@xTnEO5X2sJZ0M`k*I7#z0FTPy4PoET?08~tCw%nw@ z|M6nW2`gM@4+`)m4diVSHy5n+tFO{=8Yp;$XRtkndH-PZ#v#lzEvD0FjiY$HSFUBU z*W5y9VF+u}&ZJ$~4asLKPp&Kfci2}x?pV??tHEM&j+&#LaYkA`ujSvRn!fFJZG2&$ z=kS4~CEQLq|A{93+uta5ng-LV4LTOx3(sZLG!4|~C$JTs=u=~(0KI1cyR@v94yoa@ zCkAC1pvx&&iSix@VWC?xXiuXVY#PlhXP0AOeZ7fkU&>Gu1byPlBZ1+xH7Unx7@ljC zf^MRVlf%z|mJO{sJ3+srg7{fmcH_vmwDa4xNUeOecJ%=XexT1|2s&gmLxlySWI@0wN14wz>bhcg~R}v zcobJcAj;!Jpz++6@EIr(aEssGp>z0R{rlldH@BEg8x>hPP1at_LM76a)WXt4ZYnk7 zZzDYViNqd;+(OdWbp-3EFCv)cr0JE1Fv=}CYxQeT>j;>BnspDZA9Yf%z3m{on|>>C z^P_tPTFo(LKb~dm)ZeoA?qHt(#Cr11CvWVuK*z@cuQfBI%061V4A;>09lBy->=jus z;HEnwzH2bS9)&Z>x5bL%J=0PXjB5Dwa72MG9OdQ0(E_JM5*bSw~MDh#e9D&>7p1`q|*-7(x*?NsGdx-pON^p()%E%k~XD3XVB zrTq2n>CPn{;Eb?}K3&la6?n_M`5FAEo6i#$NiU!JbhjNpko~8TrFbY;rjo#Evt|$$ zpXSJWrPF31T9j^w0>DC#qJE1Y`$W=yRyDLButKZg3(Pa!Mm{5{`$_OGiz+_dKLX9M z%qhmIo!mn$ZdkleXjlG5<4jg%iR5A zx%U~O|7bItm(6$Y#ny$cEa$wK*p)WlXlCV;X%aK(OLQ)N2s|KUf?fKl@UtgEk->)pR^b!6k%hg^Mf7W1~qs#H} z6|lmy84!w)VR*M8Q7Pb!KZI+3dv>Q+pi)IK=C`{y&1XSd9psY>9(*Z0_sLX~OI(b- zvaM?J`M{6a!0tA9>v3J}oeONxg;quPufp8$BF2h)A6_AVPC9Y^!7497TtjXWWP1at z#c}8COAP?O}gm zxC`qcIfKMIW@sDh=Y+r72UX;O=veb77#53yBy)4HnV2-n`2A$EW%47;XHT-w6u{2KlP z=cmoy8Et3jxpo_M=kx?w*6Cj0LQca~CoOLXvhv4+wUZhOb#09|3aJ`OH+iiEWeM8hk@qzxE3ZmW1S8!y^j7|535$< z6He)aM|R952`CN)TH;vfRG=)ismaQlgMMR2Q2YUqo?A;u44MoJvQxXoXodequ`db` z=ccX`EcLPf;<+OW8jm;pHuPFLEc5S+JLKMr*>Tq5E@7V#*8T_)_HMPLZ9^uy*AXmX zoLnwpAy>QwZ;ad7PS+ctayKV5vxfpua^&ZWv88hFlb6~u|MnhKGle~RtxtZ*A?}JP zFlU2>eZXuKOd6o}TnK|BY~Kb?gQlF-+C*<@GHTi4l?DKMnZs1^&Jz(c?5{1PA8YPI z&-LChhO^;s`bL?QgbE6%a)rWT_gK}+pJI{lmZpaWMgLMXuthtL3dO+*@@0PHA{Ji0 z3X0Pv#;zB!)kb{s3Lttm8gWC&w?30%VdLsk6&bWOT1PU+42M1lNfgr}pmHPW?ny?` zEE0QN(}RsBPl}Cu)hIOCbE4&b4bn>cMdmj)#$kC=r9}sja31x%$S0KX? zJ^w>3@;&}uw}CI<{=aM#ysJU_2$(GLeGK9FeYfq~mU^ua z75~>tQ>78H(`3=6|8sfFPXz8UzLvS0Bb)9U{u;JKG9J)f48M9d+VH|Npf5a|_ShM4RuoAK(^GfIwaBrm?kib{fF3+N1Zh&N@-rk2~pK z%5;j6Y|uXg_JPw2jQ=dhI}Hi~wK#*;iMus;Y+YbX=T$4N9=U}rxsQ<`xamx;9hTGy zq^AndHrDUUCt9%S=EU);yB#^^}oVBFoA7hVj-tjKV3eV@+xO>iK6|BVJ9tW{dWx@SH#AT-^HiovZ$&vck0K(o6wf|O-3HarrM~4;X2~T6 zH*;o5e0*O9U0jGtgtbIj?J1E@0u3sh5Sw72ONN<^2FC0ai8_7Cl1PUy$7&q3f^hs@ zfzlY+uIr+YKKX7d9BuOC$OP5NnJ^?b_2UCxK9orciViRTk9TOccNQLndHvNk7Y?Tj z4kEU^|KeLdGwF}}oN6INHbgFnrsj*@6qhhZKLKQz#g>A((CljB^sbszcZ31 zpBpHPwnn`m>g~mTC#u5X8m%Rn{y4g6R7u5Vw*It_3=>CFfQyql7X_W{Z@gUBkXT&O zqH<0x<|8o{YPVRyVJ_aK7iSSq7j(~yJqw^7q=gkv;( z_^#As^1Y6|j%;Z?SF~omHQf4_ZsZTEz%>bRE22J=u1`hQ7Wg6DT4fWUIWddXT~gjL z$5WvYc*I1^t@cG+8B_^1st*uWUTnpw&ovRGEtrZ)soXI{VV1l#-K`Sj)KtX@kCcn# z!(I_%1Oe0q4^Ll8@cA*G@Tr|;-g5V!m7t(#;;~b5oyaXqOTFG?;&K7b+I4l@7=f^S zHRfP4bXJGRo+;KBln=fcl8`T?Hf~OuZ#T5iB~!h?ioUoZiiVFr3~ROfnk6P){l4xm z&kM7TlUGH95ow>{w?xqwBLw6W=rpAGFkY`;unxpMMRX+B0@mR4ja~zmB<;fDsG(H= z>A6OF0MwQMfW-PgAb(IT%%wAH6G*FDPAUNI*w`BX_C7Rz(BBwje+;ULwinOUlk5k4 zINi@ho%&THF9%LQz8H#0E$|Ihy&|2fXQ{{);PgeXw1K_+dt9QC5&apg zdwGp-rAR?H%qA&iH%Gy7onODm?vf|jcc1dTd@98HV;1pU$)Nutkj`3EUY2BEd)`Gj z+SGq79D z-?sWfo3mW{*FY{_9;{BjAws$DXAvBOUmvvAC5s4u70!{Amvt@>RXX0!%zrGdw((Q^ zX{@gCTbg2ynP8f1l2?UEr4fUBhB}Mrm&Ik-%cnc(tnxu(I-2%9NrhR1DrK(a%wJ0j z5f#m04F=XY z7j)WF`Vzuwfr5UdYEfN6MyzynO1(qD^G7t&jBXf92#}aT0Oltf0;P*yRHAq z4y2Kzv5lL-yz?j?j8P~ z;BX!gl2v%ANTBqXZAk?dLN^o<{GR1`U0pF3)PJ~!l}8aCS)q%rSQ^Dm)t2;!!5Xs- zKK+3w*S_DbRUxlmi5u(5c9Lv6ftP)JN{NZdIN+<~BxzIy1_DaNlBEyR4EU?cm_9m6(cE@g^^{$rlo@j z%FpNBi|1n)po%=D)2iFP+*Fd^ZdZcJ$; zch2I&-wAbty1{>=!n;-hK+o@~eN3zr$%QR3n$rJ2sc<82V z{vSwO1565ze70I$FI8yYx#nuOPv?cLRdx|9^)M zcwn}z0rHW7*lAbNNAShYp3enbKpP%zNKE2JpO43RB2hUZd`Inm$Lkd%W5$`4*DH38 z#!XO!oG$E7p2cJ5n15;GGFrD@z5ai148bfSy=di{Thn|GZr;}02YyO|^xl*}wu>$u zRsnwV7r0aa8mqF14}Z0jYwR*Wk)glw z+5=f6RKM;MNou~4B4^!lr(`(Xv=bT9egC})>5-9D2y-1(bvAewQ(Qhj%vSGuRY9V0Hj{9lSb$*uS7ewRsfac>;P?}oREFaDwHjDxmh zpRh_XZRaoN}W+lum{udmFno(l0|*Wrw@gETiiwgp>mhtdEg zVBuYUZb-$MS&sTU61! z(US(QU$^Zg=&hZ&{g^x9r=E$G(_~2oy?sN^4d(SSh@FX=%}DH+ zdK4<Z{(pU}cnjN#<#mSSddF{46zZBiBqS3DKedV~7}m<|cZ@igBB zGmR*)VJ*j5jVNzix+p(j!9#H|L;V>hG(sEtNlqc@-GEWt`a(3``gi#(J~~D`T@q(J zU5c7?(!c7`)WyF-gS#H|cL^A#1}6h#Hi&8DK?q4czWx(e%jE4!kGMq~biZmS2_vVZ zI3d~L9RnFGgZ!^oK;Uzr_dv4M+a<+8#@Ek=*LQDu!ajD!S0f&v>|JjwDL&_XvPN2d z!c7eYXyrl2JTTqT-gPD*CT=;NLoLQ`arW7LI4AS#T_^obs}BIFdNT6AtgRT~bOm^1 z1b`)8T{*ilt}7Y~lQUX`ifH3*E44gL^U`;#_vHZQ^LKT7C+By1Zk7r|P6HU{<4IH+7(A+4;z{4O zB21BU9t61*fbX( zhDCX{ulP2ed3{`Ag6}xq%C9KMtRaTK_+BD4-QvvvLY(HgUJE9uTxk}sQVB)#l}Xf8 z-zlCwf`41_kJaQdtP4_0dg1a=Y z%3D#mg(%zv*!bF$eWU%9KnC_8L_hD$w=fyfYcIE(gYs&<)3kKaSEqCklc-7HlZEF$ z%3X#Y(91Bxq{d}bO+9lT*_9QiQciiPx7c@%-=1Fs+cT`w`WWg7Bzh3w-T|=CliM^f z_XX0xaFN1K&bECcx3&e~9=pvPfs1fL&SsUD!|Iv~5FSf4^D9rM$KILyxY}_dp&T4v zxyH4a=A)}} z>h@s~$=R+;jIO~bZ%DLvslnOSjUMhr)jfUclB>E0Sz$!?f*XfR^~p}e`||V>swKv( ze38jAtIVKzDCXtr#Oc?WN!+pRzf!aAX>VLME zEL}Tx(|J08O8IJ-M$U8CK?JH;T>fL@*oY@@ClvMfp}zg6kCNSMoNt~Bj6%z zrYPsz!Y-r`#x^EDA4EBqM)WZLS8bY^=&-@kKo}LpR%4z2p9h{&izD zpieoegVrT#N^d5@3j}TOmp2|C-Z*`yLC~A2qxSe_vYVc7}^sHzxUWcgbxcah& zp2P$Vy`suNBkt3})0EmJ=}kh%)5Vy6Pu+p4NXne{#L6~lk3K7bo+|m5|4XOA;Xfbn zlu7Vp@Y)z-R#@^KS@vZec^m^*ci468EUZgwQZB<32#;x*+0UGq7W(5O=y$K)_iwOT z!v6?rQOSnOM+0roqtH$MrQjr{B0AKNN=TM3abT$h7b+~*O*ZM{2i zQ?}>MZ#)Ij^du_{8sri9?V$DEFzjLe+I`*KM?$%FI;^xAC+uT8p^sE&qnPiJ*Ixmk zM;2ipmAaPd_)%#&31sGGg@$YV2O%qC53(Js{@aIkktD= znVz{i0L)Q=-#2V5J8k;#arZ}>AjA)bX@)6n$~2e*Ob=L%I2L z{s(>^SM35;bXF~tk4_^9%SDWr_gDv#sq9@Zoo&3uaeWU%pmGu^!1PRM!Fo zSt2yUS6mW4EV7(4z{SVp{#`c}d2 z26TKaSo|2h=DNMe&!uIWBT|cjAv``|kf~|BUNgmOK-kL%NRGvTlVIMz7x@GtcGw}+ zta1SikuPA0n#>>8&tDzM@fq^MwvXuCCVe}hCx0i1@}*Zzjwk1@_&WWv*V~^%F*`6u zCc)yRSOdF;^+dc;nb0ke!&2e7ekkX|?U4QAZ0w_o)0D&h%Y=rtQUsPv$?NY3X~Zm4 zM0$#jhVgAIRGsI%g8N_O<0I)s`D*ee4@RqwR*&_=b`f}Kh6NpJ8jR*80wC+%FL?xfZAjtjoG8|NCf;pV|+=IOaAJ#7Oy$&LzhHyd^$`vO zJ88=1!`e?&u%h$9o+jwDO^D~h!BnHh2u?T+q`?zoe^xqG|lCdsrp<0GC&mvayy z_|*82Y~Vty?9}_Z0ZsEu(~IT=E+>q(RX6Hns=!YcuH{cO#|OBCraiZl6JqtT9rA<- z1Wabh z@2nov#c1pMS0$b8n8ZKyUy#neEr|Q&&^@D+qOqX5i~q*7WLfpiI5-+An_@{mkaIf} z{H@S=ftn(s%cjnfQXA5nS?VFeJ@~f3l&0)5y!?F;Gf;f*x9aAJ>b`oS<-4NhG3@KV zD8F|(x+!Nr7W#Z1+U+oJYd&f4<~f?XdG`DIfD%5fy4;t$Z&+or?)J>b17b0^Nr*y ztCEg)58SnYFVvZ%T%dio zVwt*eD@eR19dyh;n`Pl`p;;>1G%(GyfTk#$r#yp{=HY990}kgeI329<;L!pEp= z#y-}0J>Y!c#?!&W)BYwXP2K5Zn?Hi5O=oe*$o;41Q=iGmpZXt4TSr;_eriWtBGpgG z4%6u0l4N%tNhMVGt}y1qQrR7HQmcKT$2XTLH>(FCC&5TMi^wH?`ho*WymAojGO=nL z)rXA|0b>!D_=a7MbIoAo{eLUA>i-#zbxq&cN^vf}ke2N$6My;UoM^O4<)ead7N^p2 z>4@JWFYbb)%BUg`L%|W;r}vo_mK6UaNc;MZ=;r)L`0D%)I>p}1a#czAbkdb1sG8{| z*cA?iNfoqI{{jBbOr3O?*^P0V9jqFJSfFNmHPNU&#s|~A!;SI%zLu{i+&i+}=0~{C zRQBw~XHjI8e=+pZfkdhJm0Rum{Y``Ss}m0WAN&*CnZxq_ zcci_)tbKaX>zp?+5pGh=L*x0sNAn~HNFJ~qV!gsaI>o$yJJR+T{tP;NBt(0w319)I zmg*~Q(u0|!nxES{KMV@^zpAEb_2n*JbtNRRY%I*KoSvpd)a?J&Hs_C_^;4$U`{|w2iDD4U1TJOQoYOjQMgUsdWZ#yK+b0%jjd`5AIU<|? zAfUqe8vJg^l`eT>SJ{oKg%@<^z2+ee!Jmv0-)lOQzNQb!UB7+noSN}3mkLia$xQKd zL3K>j=mg&cmY-EPDq{p6uAou#+`Kv_J^kI7ySd!1op;^wbEAp+Mi}H5u3rM{{^gyB1Lso;b4oK(j%4R&F%Vz7V>!h7y+(xhQ)eP1Hp(xP7Tq!^02(ywFMPIg1f0M?RmKPV zeE;pZjyE60CcY-6s(gHg+J(+y31^hTNz^|QJB zpmK+za?LqT9?Zy*n8Be!n~C1rL@ei0*CS&6xi>mPmI(l z-qtC<45Mx-@0?F|Aj{No2EkvYxVvMI>FkRGI{C8X@eQ#>3=B=q$c{pHXrB(C$#XO29dy~Wq;k4Ft0AKOG{U^q9LU@&Zd zd7^98!E+b27_lvVVOHmwWkF zN}+L=qr+yr9mG;9n7_mffw2G~Ejh1TysFSplnr$gsV(De^mpU6kB;K#&gW}=IbN3D zBs(=sjJ~*w^In7GwG;tg6Fjij_8T775pGux%f62fBNVZrRsS7M7|GPiR1piubl)K_ zJyDls{$NV|9{@!`y1qp0;0&Y&szf$Xc_Z~5N&hV-{WdFX;`H5UrOyUrJ*PLZ&PuOD z!CE~%Ro1}UY49$-=Z)4&;kByM;k9aW;I)`3-)9ON8N{47n@yQ=wR*cfei=Q@({^gB8TDsBviu&q%Lz6}EvBMQP4Lh-rKtvG=&z=?x~U<^#bTR0UlSeb;gC55dZ zyic%jgxkr%K%@|e#ftFR5D0NQYrywUz87W!+4nR^N4>BjueRyT9Gyq(^22~79?_b9KO3aatsa@fh-+p1|+3&yqhVXNbc>ddSHYvVz_X@1|WHr=JY6?E< z0?@Y*%XuLEcZIv|mrC@80mlc6vxna{UE2aBmX_t-Gxt^how-j-;XiY~g4KW3eda&9 zkGSPNYoJQdZ-PxA6jb+Dq1(7DO-pi}mh!%IpG~CEbJc$~nGpO5?z8vcvdGZ9khfzN z$k*c?$kXwy&4rr1nU$F@+@~gM?zUN0k^6Z%WQJ0sia_OUG3dYPKJ$2MG#vUqm5rfv zilE#4^NS#8eK<4FVcSEudr$8}!iM_bvnIev?YGwb zbh%Gxe77RqCY;rM!tQ=rwcqMKQF@&plw9l0))}=uj=hI@@63P2eM{{Z?iXL_1tnIM zg`f@i-Mq0f^S8C0qFMnQ0 z*gPks`^J*i?+e8z6oq_UaFX2(Yk!9<-(~OkW*{@)l6&6jh`HyP%snA8_n`aft^KO| zs{iD7@a72E_w503T0iV?YPW+d-rxL@O zeH?R-H`YaJlB>7n7gvJM%JR%vs+%(|%@)s?wx*m!z^+NZ_e<$uM zIMjZs^Y;3$)_%3#t99S*zpVT698hzQaG%wF)o~Tof4a~77k;bQ-ABBZ;Q2a>=N`If zB46ise$Ue`b5Ef>-FWV4{FYzt&RIUD^8;T4{&Rdp?upMZ_np;#v+g_A{S|liRbr&KjW3GXEyW+E3?6qrJ`Hr|0H* z*key0D7DO6b^k?c zzbp4ur2qJyQn)NUBoE6y`Fmil>G;-`?5*E?pP4V*-`nS%EO(}SxC$2JfakM5gr8QI zg{Oz>0&B2Rv(+j18hV`;YLq&owiBpHiX5r|Pf}~c^B+&*Oc{jFV&2T=&gl8`NAT;z z&)}!em&1dDb>K-#Jif0cd+*aj)s>~Bnue_;4h3p(zCCaUv|M!xzj%IS>;CcKQ;30kRL> zlP=yKxD#UM9fmuPpRsj4{rMMYJTD2}?7kL09K0Jo9Ky*amc$46xSgyBHBhsDv2j8`U?8+zuF%j0m!jUZ` zSy+z~W+(V5upqUbLya+?b$B14`xK%mOtEl9VG2W&0Si(XlI#IWgs9ROo>*|QBLmb* zYMPo*cq+N9EL7c63nrhL24`-cg~Q(+fq-Qp;IY`toJ3H7l2DMcgeeL_0t`kJh_oyq z%9_kiKQt*XF{2dZ@0k^YR%Xc4Da&tp+h*=6l&2f>pRVZ0+3~H*c{*o?yq(?#zggb= zN)4P~IJ!@m{!91yl20VUw<22zoIGdOMo`zVx5GCr3J@bYT+=cW(4c zj*pHGg|chPGl%W|m&b{J09~CVezy3oqH$hAjh}kE8yl1IUw``*hU^^%9t*tC@ASBj zSll=LXYMoqh5IylVD9t#4(==Wnfp5bUAXTsfl$c^_tnQ<(tURR%qt6pKFS5TJD}HH zvq0{4Z*6=x>fN`P`NI7y6|%gOyUkn6^K`-I+rJ5=MizpI%~9-^Yvew;9JZ+noV<0K zjiddx==4$uSP_g~i^(&&&-_=NH-DDy(=XPf`)1vj{+sUe+K;Xa|5f)ZqWe_m$%SDj zMv5&0_~G%7P-9JPD7&(pQu{;9+K++NS?zb*eL~|sVX6DN+AloUp}J3vBxkjseD_-G z3$Z(Dz@+n2;n>aNaOKWbsF+v@JXia$^T1i{*SYVt8XaEc15J}!!h*|-;qwPyz^W^2 zpvZ!fP+~dOQuKS-r4`}`1DyEkB$S;|4m=i?*1IqLH{2%__g&V0@>fCUcN$RbFE*|S zn`r0l@)qRkl=;hS%`%r`=Bv4<OY8-8ds_^t{R&U5_M1;L7ItHmn-?moQ>wbwKN-<5$5?pt#YLd_$}JT7vN4?5E% zsRi8m=?+`}FTef*eRlQ-uSLGhr>Jf5@a04E0*XsFEoM8vpI?yYOFipZSh;z2$*+u=wL;%*WLquZ5D!%YZk2W{EXrp!UuN zaO3e!wmr{(eGdJ14}_xgOLFJeAsY9c`OnbQelNB5JFENYsr`SF`;>d~vE1_(}phMil(|lZ3TRe7b8>Kdqqik3kr%#e2Ir}9MjK`9FoJadA!9&4=y(agQ zkUf>)-kxx{mlO_nad~$)=guyZA9jXWxJ^(qb$cjh8|Nl+V=L!-VhiW`mJs-EGv`|Z zYY_1bfi;NudSfu-E37{+%9qF&xUQQkO2gAxIRNHoho{rCfART<4}F;Vf8mXHcfDI@ z$y8d!;_%kh$I-a?L4eLb`4e>z6^^}F2ae=Z-~>5Cb7T4&aa+Jj-^9ZZF=hk2(|IXm8@P=<_x>RM?~>Aze*TcI6vg$t)qgu=>AwTl&mSi~z;(aV zZ!1Jj-2;6Rk3ig{&G265CGdW~&FpjOeeWQ&9q$do&!ug{?RvfMHU@1Y|2I%&<5V_H z@jc>o|J!>jyxwOkyp5m#cK>aVx$joSTgW@2flAw8Vr`(lZLkU6?jzX{<_qZxR(Oq?tkILtW(po$ zj5)7NHgYt3vt7;(nV;os|2h=t`2hss#F_qWzKAUtqBct~OeuupWLy%kz9Mu;?hKE9 zc`S?s*mZd~4A}k=jM_UE4t#b{Jj!opZk&ZmYoZ`fZw!Y(oRIiom?)Q6 zflW?=@G-jDm6mj6P0)rgMuiQb;J>Z{_^d6@f_{1Y{6H)+{y0%7hmRBV7_EaI^Ggim z;JW?samKoetf5N5jn+ZSa`;*bWpu^rpnXGN;I6?CJU0xy7WlCD(`&rf`ZMT0t&e`w z>$%#SJw~5Pj}i2<7fyIftu6~*Ykb*f&^mkt^fM1Xerz4yY+nM{YfG#u4JB8VVb9S% z(z?pxYiV5`bfwYC(ioO}*<)-S@;A-`&sE+~e1#_zTV4u0R(P?WS%4BDio#PVoIIBl zc&)&ogp^oT8j3D1$tbzB42CEQQ}kyz-jIJ@VOV%^u^2&s%Qvrp_snuoc&-POT8!ad zgem&>z>3ZHgd+GjJy&#YN${BOWerdcA*u}f6E_QUO-iN{_Pzz);4!rX2CesiCegV& zyzwY|vwzeR%F~V2{%j31m&@7yt*f~@(`()WpP6OY6*FuyVYqMgUv)nmCkK+SO(vn6 zA`L<;pzjjHeVj-jz4)xvvxz68FP zJomu!fgYFsTPG31dllS11Drq*Ud#D8z?OtMiBKjJUU)8eE#Y_)asnYH5ey9b9GdhB z-(9(H_g^|Jd`=Ja9#33v$vLH=;D8*Et37(%IWy#J{rb#I!I}QS%onvkZ`CYs=WO-n zs@yoy&e`@2@EBGADs8F)k=x?9=Nqd)w|%`J<%<+y4{y#So>>Qt)-;6*E3kgc#t-^S zu7{)hbf0Q3K@OAm{5*)jI!(1Z2+CvqC8yc@h5td+6j~o*KtI!K$WL;H>L;y}+z;Fk zf^PW3&|~J6c|Sb<0jjS`U{}(!W+}dwz6a=ie3HrCA%FRIg@nEb_;(5UMz5#Gq~qk4 ztoICBA9^O;r}veU&#B<+$SBnd^jdI6rEENO5r$%uZn^p`-egQodco5oM2YlXq~F-v~A=pof8EA{;*~q z@|ygl98+>N)qS3u=yeiuo!mWn>lE7_x^29?2@1?Aisz6w%S0uXmw}q=>%z$WqoHMD z8z?aiJz7$h*M5Zj=kC*A+?3+(FUK6T0=J7@d1|fwEDK@YDS^;0k}30)T8cSlQ7I_0 zs3a6$cCGc>iI{C8gW3G&qjIV{lm?FxF2r;&T!#XR#SNc7A0f}_`C^!VC=3-e#peuvy6owvDf$vpP#Lm0USk?!05cW|H216=!$`<8*Z zhmg6aK!2Wl=)#GdZQh)bDX%s69H9U3)s$?jVBUxD^Ng(UbfqV6e$thyhiVHFoZzZq zYNv*V>Lw}i@c2Lt_~i%lyZ7n+Z{b?@%wLZE43%w+Z_&1 z55yTfNsbmx#!9^5NDWNZAk{QG>G^%(@OWPsTe6>%si}$2(Qtm;JqGOYx$SBc3rRB)I779zKd5X(IBRB=^;JONo;N%}J z!29`d$r#4TD;d5A@(knT9=aQH4cH7hdai;GyDo#*+b)1!YmbW44&d>#Um$!`BD~dh zK77!1DP%*k_goFR2X2Kt_+DzHX6e5jKXVUMn064u=U(_=&`x-(-*(oBq{qD{CPTo~ zgHRTi*#_=_*L!b;tOIvKwvTo(J{YtEGWS>qZ**D)nLDq5tke+2$3FOICwz#{XU8S+ z9=`XVy|&`M?16HVQ=sgGWO#qTc6hVTHnu+EeI#?w4e)xW<&1axY=rmlHPoQ}U=V&D zTk@++|EK2`*081RD z<8}_feL>#uw*}s%#%UkXNW~?iw`ii$ve!lvYNAr(w5J05c^$ls$AULck?s=NNJYA> zF`t5gnu@f2d`C`1h2)+fY&Nd zJf5k-V26_~N3%CNWN-WC&pF!h$wq}`LF{UdN*J1ma12U1!Zt>Ne_{}{+t<+&OhzP) zf&vqYK*?F9A#_m$T)25rJj1WhsIevi{8j}(Fovf9ED+u}$&A_(3w3ulWFaSVV>Fb- zpin-s0t8{5AQ%S(YDzCM0ib*QnUHttImb_E8# z-Uovs?JG40=<^u(T6$lxp{Wc`Aj&TH zpIk5iGkI7yye41$)0K+M{Bh*=X4q01|Q=e)8|Vvd&*qHsc_f}x0@a8z=3#!+f6 z9=A!wA$R9@ASX^XvbTTZZjKgj)Dg;4-Dm#OpUvfHm-$N0PH*rg>+~`Zxiy+y(dWv4 za$gdPlLko$P8h6&qbHnTMi`@_4VrWZtq+9?40M@!FWt97o{&dv_jRx|SbJ^h1Np`j z#0j(y_|7g5^;S28w&> zPQX`qF=xqlf+nvtX{GZZc55}Lf#+WwzBUNYJ9@v5cwMO_82)FKgrYM`LYc+*IDVFN zpVmoE)A?Rwdjf=Qhy;)2p6nc;bAh1s(9Z-rUuYXv<3t3viJC-3mzIRk4G~anYfXsU zPz5}edO?Y0UQmWj9?)|;!hMO?GBIJ6h{=NiI?usL(IOMpSi*^eBNXsC#^ga_nLsGs zEABJ@H4eWp=zfWrUXZ_UcGf)2)gd$FX!YjgyiKf=jm+Vh-^ri4? zK?uk3h}?>kYV_V~Nm&?~I$D^6S>xx&&}d~7@S5!nVe2CCHBqb<(~{ixL!an=gWZjx z-tI;af;EfR@K9DmtKgW^bG3KYg9=!u%i$zc`cLNu)l-6M9XUpIJqDeuhu;a+x7C7j zs{>e_rSFWgxEykHnAkFaA0GVx)mGF5&!uHqZTG{;EB%=}IbL;J4M;$*XMVa|Z?#bTbjm|mR$=s6-f|gfwJNKkj_gOt( z8v?t&*e#AMj@85Oq4J603-={aQ^$}*vNTqXd*) z$-fWiH69B+q3{gM8`FzHDXhI^mYa3I*piY^WU&W3_OY9)GWRPbMnQ?i=&^90H;=Hs zBW0HQg7-4qPCO=MmiR)k`6a<)fhR<+tpf4ut3!q5!B7~pO-Z_H+o<;{)Yx=U`&r#5 zl)A6f{tVAOczzbc^OxnG_E^_3_k7sm%>bh zN9R4Eb6@Ab%sp!6ag}>`_R;4as(rl<_7z6(Tf-GiAosZZ=sL66BFjA3IYk+azU%0F zBM|2;p7^~(>y}XNFS4`*`wpV-hgh5|lv@=Dg|Xh#yugxqB<|)OLS`Q|^SH`A&fF)` zaG&|Fari}{x?hrVPoEEY?&(Oi|MiI;37P(foW~n;e`ANt@BKI_>l&Dw4W3PZAD&Q? zHKiu7t5R8Ww3b-vnxujhYLe1Y-mj*h{#;dn_YdHb5f4w3W8v}sYVgZ#^Sk%{_h;ZF z?!%`m{ozv_(;v>y6VLG5jS~~$*4AJ!8k^K;+>gs6P2kC~mhd>W0c$WmP6`Fy$Q10w z$Myul6Z~xU+M~_k3BLBx{up@78lBYetc*nA`lu0$>)cxj9`CLIPjFw@>kl`?b>m~S z9;4Z*G(C3*z~jAmKeZlyMl*bUV_a7}JlYk&w$pqq|GdZhE8}P5axX&ru{#hyt0vpN z$0@bp(e5DpEPNkrdr}yK*2Oqb4IZU7WIRl+0rz)>!h>DGxTL0P7~I?ahAh@=Av8HlRi*LCsXwP#t0=$Do~%ZNN6hKf7;)o}12zQ;s)S zL&t1}H@dEccl&LH5BhI~QAt-}-?dw??~~i?wbkYyhSV>9gximvLBB2MaUJU+cHR+K zaO^95{0@A5?eF!e%R3nSe}XUXJc0H2df)N;;GexV z!<&7#v8L;mOE+N8$G2eT)tgXhMhg6Qw+&Eu*w2`%l_`L^^5IrFN98JKc*8XUfU1X8~{3^UHof>KLLvkB4CE6X7j*GA)vskqvAT8NH9Vf)QptKNpS@X z(gX!+lZp)aO8|0Eg&IYzliI;^wZXc*H{_pQ7`#`MW8M_O$wBy%%5e3z`R^$H^86QQ zxup$wEb?R%kdn(wL-VATu>H%O@Wq2K;VwG+&BJe)M;-QcW^NfxDLmIlog9Pb%wg`> zvpdZ5Q@2h-kK|rZcp*-9HpQ}Y@erOr2fs^&wn-hB_cS^1Smp_}(fuu7Y{k#|0?(Zv z;PQ``VeE7^A=VPy#0C)PMpClR)Z1T~^O*;UtwI)PA;lLs+@C?&B^AXxJhgFPW85A;h1 zhQs6;ebl)Bs{AiGy9{_tD+T#_WrG|z*~r-`GknehT~+qGWf0zfC;B233GUZwblAIPvdjJ}2Zw&r8Sr~t264rREmpEqR%$~23pw6}itZ80uO#s%v zo^a&GQ8;?z7}n!WtR~L9FdII;`!W28HTJ8AU$eSZds}@rf%IDG4IdpIDz=PY$w}WU zo{P({2{pOh>rh`f@LdXg`{+AXi$A~rIs3k7u%i)_Sn36(R+M2)t36-uWlocSw7um0 zQQVfBPp}^1w(iFLjN6FoURD;yoE!&d@%xGP@mo9xwtc<>Vm4NVlFM+?%>H8^-t3%e zpWG3WzS#?3<95?$fBE1m*!|@mXu7incr5W`uL)UK2{wPe#rR%nwW}>O-`xsQaa-s= zw(|Ys8|*x4vZFcVUr-q8?`X)j^^5yoioFJS_WT(f{^|&%U@h;Q)C~&HD-O+fwPb%< zee&ihw*5cicfnWq`TM_4hIYFopXhT5P@z1!>zmeT_M|UW@l>b858?(*$Qxn;9bfaGq z#4V}@B^Q)tzc?OrbTF%Z^zTbjUH@}EjdOEAU^a}#YMD+b~ z>CR=$Ft^$HOs`r0=|-r&xfT>(T8f=N!;g<-pLOrqeYQPxyMbOLe|Z45<9SAzCv0s5 zY{T!DgWny3gWn#4<~v$J@r9*WS0p0xZA00yE@!Jb%7tPJVj#Q`q^%ZfL)! z6L`$`gc1wz++S3NEytgjgy&c)I}auun+%m#M#K7R8{o_TN8Ve2M{%z2|Dor!ND?Rz zA?|JjcP~_F3lw*EcXvVv5#sIycPX@#LZQXo-QBHz?*H?=GqW?Z*+A&&Ip_Pk{%`xa zW_MH7=y`^D({O=L}JDH;$riY6H@*w4bQItT7^~Zs3v8ivEt#_K|ih z15K8-5cNPH`SLdF+vBOGjv2gm7`zhwXkSuO1e-kYBaOBT-nMuhw@K^V$A<5VK+XKR zVju+{+~93@@{d!6=Gmw4XY#hl`!a1Uz}rzE?SuHB1#6$Tb-r1n)>n-rU&Xo($*n5R zE^D#!V`Lo9qVIoPtdsW>Ki%Ae*+0$`2eSh*LR1f=^*mbNW6JwzLsKOc*8`3@b`9b7+dKr8VH_`X+9dB9jL8Mjwt61xQy^N`V7rB9W`5m8f z-x^XtS_IoUC{<7bQ)61He5df4%%>9DJ`w@suXlfv)kbyI?ISq5qye68`4CSwHNc~v zM$1d2c5Qb!uCJ;mhm_6m^O2eO{qAo3`RXSA_3I=2@$3?Qx&Aet?&^!Dn;Xz;KER8u zjqqZ}SNP>ZHhzD2gkF1Fy!Ou**YVrEeR%RiUp(1R6EF7;66^Z?-X8pV^BX+g(F3ne zEW{s=PvFm=@8ge`H}LE2@A34<0eHHpF2qPx9)Y^00iJ(D-{sgmdjAjj;EBt&e4Szg6D}C0pi+Fh< z9}l;DM8AVasWukxf3~|1e!aF1zdt#RKYzJLJfO$t@$&Lo+}-ps9;~m2hwE$O;nyGH z#mNNxdjAlu?=HRWK7M_898XVW;MT@ZaC>zv+!KLn1KeTON^pp(<<{!@f}5-A{XGpkA zS8+B>Hw&DmNjMteFjc}{ut}hd5Vf1K3Fc$hV(glu@+K#bU=3f3vZI!x;-rnRo4gU< zpO#(Tq8;N4Mc&^1>*qWs(M zzoU87W|$3FjE|Fc;a~ENwf;rs@!OL(#AD<3&8eHPpRfx57_kx!7pbQla_gM>9nAXW zA!yzf`Ypf7bAj(p-=u<04G)xd;^rgxOkIsq!rr7v)B+Py^JFj1r&{BRD+O1gOImOa!RIv}i`58U?B4hDaE~&%sP~5oDq4 zAX8+@Xdf%jHSqhj>l>0y-ysL3IwqpThYJN}jb^l#_0G+3WW%5Gr&V^TkFB$Mqe6;FQGT-OrCBW{BKcY@j zJu(4R!J{m-rzaY>Ef=?<9({*UDyVBw=d$eV3VDgX@y)2jmBQsVZp#EQnvx4+rTuhu z52~a{M{#|!{HXv~BrgH(Kf8}+*)8Cm>W^(#zmw-e6t3R!eyF{;9!@_vBhLkXyz-MU z?n;~f?F@Ltdn4mSR*~1lJooTCzF5&3j!CZQv!%a0m$#dL;rmPa%P1&q>&0(SaB`{q zOy5?XT!mmVI$T@?WCUXo6*St>jM~N{XF9Ix0{cbIXuYZ}e);_uc?q!Xy!v~!?bz+( z2#yQIgl{Ivb4<5UYsa8@`iHox31D@N{v02tdVYxS?yz5z1u3Jqkq@D(hTruCLmF+tQ_N(F?VzQhs<9Yxbm&7xZ7td^YoS_xO?V{xVD1lLI$h4+u>fuf zUI-wQ&mq*~U(|wD+xW&SW51(qDU}Z%RKw!aOXMYmTlT>m*hM?y3o4kkmkZ(3OFa{P z;F}eI_8U8ig9oM>7qd#c^5BXHXIzrpsc=xQv-#-dBm8ttJ>suznTN9ApG1XvdSxmY zs5r`0@1^NvrXP6N>H+pWQ^~ zb=}~S?2fkUJJ9R?ke86}xVT;1WWu=Zxv>`+N3!H+`o;lc)yx{=V1$2G5N7=}N7u({ z+v8V{(Qng0xF&m|`En|xG-1+?OFOB+SG}6j_~t^jGU{T`mLc*S(=B30B-~@Xv4;xo zq8i`CW#ERvaEWolsxxckxu#poj4zP3FI|2nU7xdZbX9oJXH-k8i8W`|%1cbQ12+z! zMaD;Pif~2ajAnSO`K{Z}eXlzxtF$W*ub^>KGk7laQMJsP*P_+ASZ?&3w<)>ccAx4D z`vI1)?`MHZ-3=r8RP9r%)U(WFyZ(~zaUE%c`uT76J;r^%((h~ge%^k*SlLE|&PvNW zlrQ$%wU*Qoef{^>)P4Vk6B`i}9U?|krXSBV+*HoEU3qc^9oKY*e`X*WENLX3EA7Xt zKjGFh)!R?nIt9&hKh&*j;QGO6nA=3$DZQw6_TD+_wP)=nm zIv87|&JSEa2)~3tF>?CF?=R%Jg&Q9r`*6u8aHH*E{e=zkT+{92oKNvl!6&-w{ZHI7 z86I&y@J{hV|IGt&LvvFuS_uoeQ46T>@e(x|Z@;&8+@2S+=JYAMMH-rAI z+F8`M?`wHa_#X29lJAkUUtHf~O8Z6o9@+cIzK0*b&iAnAVXck)P9HXPUeXoL@$T@< z^g-)&ZNL2G->{0c&Gb`dL;Lh>HQ-&_Ej!1 z?(k0Y69*$s+}GbETHA7t#0{J&NZs_B{-}-r#-y6TXKvu1q!hESB~aiqd}( z+7BS@`$Y%Bd9)4r9zL*ae!k3CWh$}Wsj=>b|F2WW%<@5`)wjPVTH#sL`*@KT1QDDn zK`IBX0&P&LMF~x1wsCN34E0xnkM(@ZBRD_R1*}iV^PI`4f~T8mi_xP$UtBCN0si>y zSDann7dKbb#Ph99@$2~v^7N{2(YD`dTX?vmAD*nMffwI>iQn(5ms~M!w|7m&-Q@vz zaZs)E{`mb@yt-}rJ-@%ajR)I%;OU0ic*&zow>HPG*IwUm|N8JG9&YQ5C+lnD+4`z@ zby~ft;_u{lUfkF%Khw7-r?PQ-WlcO@R};^E9E3k!sWrE@{r=l8xUlL=+*%fj2b({^ zFSmEfOA5CaH+SLM>K3>~>%FtOzTo!idbqVpW@SCxl)1sIkhs30F0L=Hi)%7hmq}ca zxxBQFflIV+XD-TIpnA=i^W+T_&gB=)Sq-L^YuCeEkVDwpX}GyFF0rR!2ajJ@g zj*YONB4H;}X|k3LuqDKF(gu_swHl*W=|`|O30nh;5zA11!Ui#db<+v;8m)i)DH*FP z_nzR&-N%@?>_=D*$-$OWx3KU0P0U=e3*8epqgTone0y9qYI`o;L8Y9=U{sEeCP!fm$f=k^7dhTSbssFY;Tw zkb_g6-#-3pnDwUOc=jgTdLrGyQ3(U~oV|fXoA%@M4e0{?O6!-k110+BiqWVEJI~2; zrMBb56-2H73A<103wgddSKaAL@LvB+l;csX+R>+l0#u^N@YFa!CFB5AB1d8{lPxGa zNFfWBG9nBem?@L-A3$FBU}9(v%5+P{J1rLQWddNnjXh zK8$vZfvA;NM;Cxzx_=2XHqOHIO*3)nfjUBG&dz!8Nc6&_AEdj8D(%9(3&{E@8{5uo zljlf{H8o=0NO;70Va++UfaGhNg~V4ua26R)GB)9R7RXDaqOMVD6A{YtNC~BFJ@XAb zqkK>+w+;?zj*#EEd-j@F+it zI)a)^K2zI3jr>}I>O@F(DEe&fs|#4itmhG|o~W8v166aY)3iGLG6K04&NDbfWkS9~ExLW@T7nz(TiT%z4jBeymc>uO)Xr=xB;xfSWV({b_sMR~5&PTo3+ zdWj9-66c0#JJk@4*Z12WzhUj+wOD>&1?~IPfbahEduW{2l!|6QwRoVSK?fHTR4fFi zPys>&CCkXgLm{Ym2oi;ZR4j<80zW4+Z?D|`<_Agm~QPxA2yrEh3uxMDRcbRjQ`kKSOe>pLNn~Upec{QP@&G?X#vIypw$~=cl>y zT(#{yw-XsZX5z?oedv*WI7fu`lXs|h6u^7E}nBcdG{2mrPe^B{KmSwv~xRr?FelX8904g9d*ua!q*eg zGXG0#KD}A&`;^8bSa+WL0pFe8j=oF!i9mhN^}RTF4PqK1>8E6Q3B*mV0_O+AEz%RI2h-%aQrmZN zKT@`*V$;#h;#$2*`}WMY@DBGy{p5zY@kDbGcNc%nwr*G-3E?;5OHTG_BS9 z+v=aU$I9@U7K7|9*<@*_+&WbOWQ-k4Cf1=6I?(0N!`S08~qk?`{~$0 z?|t+_GoqUG$o^;Tk+rBBUmqXkeWE)UH+t*7qyAe;e(~z9)iw&rmDa4djCd7J0Jdb&ckax9w-~(uO?0>nQd;wMF0mR@x`c z8}u)0|8>4c@jOgzgYT&;c^)I*!+wW@(vjOn%Ks8li}@iIeK+>Q)ZNo?{Qe1ft~6Mp zO=eqh`G|nbVC0-sZ_;=B$!*NtJQw5EjK{H?>SfE~_a?$6-W{!0x6vKo8nj9}5LGRw zh8Qiav=cW^V8WV-nEmx^+;}YYX}s->*)kRmvCe3}t|R%T8~FOf*O*B)&5-3oF=xvh zTz#l|=!89qaE)_E=k;CihrAt0`->$QymSaAuA79_N7i8Krs;59=#FYxHFO8gj$S*8 zF)PMmHvJwx>wp^%avHpTDAhjFWm^oshdqz%dxEsSNAW)Fb4>akIVdfr?-AN(otx6X zR_lsRwfZfRVrZXH*2x%rk3IGMJc8Bya{1=vl>^I$c6)xs#?NCaod0D}1w4zj#mkko z@#?$JiI#Y^jrq(3pQ?QOi3vW|^UX&FUJ5>x;M485euQ7|sQcxY4=>`z_R)B8U=n`4 zv>5;TL-G;aZc$BrBC9SQuBjnLuF^lYnEwZPk81~WapvpscyNBJn8)qqt)Fm*f6sB% zzy0>}6I}i&5ob1!!Q~&qai3m)dCOqjUJ`^Cd&kl$^?~i<>j!b|Ko%Zd)gQ2ZcI6wf z?q}<3;g_=+@?5Dsrv2O11KGHDb_@Q{9DI9u^GDoS-3X6Y1>?nW^%6(iI3T@!ay_w@ zevkT_e|~%oS66?AyDO^U*IVj=$Y=M?;pErTadOjmT;7|4TPN1wRKdr%v7{KLP@bu0pc`k5ge;h95SHbNSb#Y7P=5nTd)E1o2tAz{1Ib(A5oRv`?8!tDYSqHCMz@I~X z?2XJIyo$BP^XQ7WFtdDnS@QqG)^t{*63xP{nKh5VJ1xScaCO#JxK00>*lfU6#%0^L-?q=y4k!Nm0jY&2L;SdWq;R$4VTe*uo|@#b>?q^)u42keH8_>j`1+-oQM_?8_3W} zMfBqrzo5aqbujCbiw+q-k};7sXc4f^TLrV;+4vxKyCGoZR

?EPKSjtV1-~#cei( zvfPH}?}S;;4AhO-stZ`##crbc>F}Sq(Gak5+jjI49Qwz>tZf7u&s`}#S7}k34x&VF zde4mYR0OF<;n(arO-3S`ep5J^ie!9!^s>A}3Rvq*Ta0)6rlahzB}4(SSkKUWl_7aX z@Ca05Fr$n@l`#aUQixi1pdQPCnKBs?15A;wr+-@U(Y@Dby@NARrh5|J`7j(MK8!+% zX0tDvRUf2WhgBTKuGGWAx>E158!8R3gmq7I_)K$0gT;+RxWplAVaQA^mZ*|l4ShDL z*YV=UhJi;5D2)rQ)3?rG{OXAaT);Q72u8oJ`{QQ-96{s0c?1OqcJ0#Iq1>eMczshTNa?^ zg4(FJs6Lt`HN`0^nz?a-6ZZ9dn2)i*yOT+Gw4>n0zq3htGqhXL!4R-=TYg|U z+^2b<(lmR7eK+6mTexjJwh_KF{ZVPE9j0!cCeM{x_ky1AjP}Nl*VW)EZD%?xMwG?7 zV@kp|%pYg(NyP;h;;ph*ONaZ-E~ihg-w850BupM8)>zorUr>Bbd0zsMOo?Pn%w4;4(rA zSGmA`llJQ^rXs=!4oyXHnok9Uj=HGLM8^_A}5JZ(=p92Ynv>sYothYEHos$HhJ zq2#2}u$fZ{o6oA(4jj5}IL2*NuYtzFX4mX)FrQ?J3bQN1E5aL9;;O?d-Ult0eXa{w zCv2DqoA65Lv$-GXTHPNcexC%->0Yp(;eZw?ABoXJO5=dFZhSpB$GBqZ_p0WV?apzs zGaRQoA?o{Rd5N^FLvBa0J(vznsox<26E$cH2c>urkV%g-LMa+d6%V3-V7-yI1dZILZk-N~I4{iJt&UXYmig60LoWv(0QCpN^s>*|P#Gk4FTN@6vP z-KJ`i1J)MlAHhE<5PRjbBDfdjeyiO03Me(TjQDprcV9Z2;?=J&(Yl~5TI7AG3s^by z_n#dAo9UG>Ve>@YcinwqH$vuBhRw7}7`1Mc?l+FxI8Ge2*myw=aXE0Zo?wfT6HCK+ zo-6iVlfIV-mRI><>7OP-yR^{iqpU8&;ET&?>79?mk!lz6FPtz;l5Y+`~PwV4GSr zaR60&eqH#{cMez(gwTX)Xp{F90_Fvw?6~()esV=roJM_neh)Evl^X}DUu1kK4tfQL zSH>>-T}oTAe+AseyTf;uKRoAoBXhqxYIpCYeejv>hbC!FrL#ulw(ih+1WgWx?HD__ zOmaiyx6y{6kN5o@vpS(#R1ICgy6?h1RG(G@?++`FFA}~G;fK-+_7=c-x-043U#I<| z^{>}HZ)dzsdd>2n0{eZiud(T2e%|`CvYsS)*1qa{`k1e;L`Ap_`5xaH(n00o_@1Ks zeSP0wIkO5TemBXmPv?Ua-In)&YrF?0?VMuxJ8>A=B%vv4q}IftJF3@M^xYy@O|pi? zbW2o=uYrqHgmZiG%L{y-|0SxVSHr3MYVpY0V*gQVVI8r)(AcVIS@4A}I2yQe5Imwi z;k(EWT?)F25#!ug>w}gKhWA`w1Vqw)oBBe&goDzSA6@~kg+8d7Q3EILsiD^SyBE+Z zxfNVzxWRdjD=J4-!3U`=MDS8CyFR|mZ%y028_G?s0IS(Hu$g6t*j;h*yMaU34N&3 z7ka;4->>xhMfUxs^epk0v`iw)i!WEV7MIH6 z#(j0){C+4st_(^}DUGl4+Zk>G%KMX`xDer8blb^_L9k!wfB{L zt%X~-I|7B@k$jKN^Zd7c5A&A3hbf-+8U6Yc-{Z=@r?&+v4YY(+ck^tLyP@Cbc0ame z)8|oE*ME2dBooIXqSQP{+%yEo7SO*}~UFZJ`TTNo4rfpTFsX&R?G0 z!S%xhIGouS*9xlR+2*GB@ zf3L3k7!Nmnf`9#@`hdICukKB5h=cLIIG!4UTYDGLPm=a;f6}^dem4TQ@;veUm>RJ1 zL4ot%N8rb3UmQvd#GS)xV9Vk0#q~XKeQ9m{_E_z|@0|V`yJ*`vyvPwp6TNXfvkuN? zSHayao$#;Uq(K)P?jBs)7vIgUfIZ>mac*sInkVHA&+eSSsoeUwzN7|jF0X?d9HP=^ zXt_pQU7~WOK+omHwQx!1V!jFosLc7inu2rGhZ%D=N6(q;w?q5hLhGjf^lC;h9>>@M z308O%S>f!80p;9f+5eAP;{^>$G!4IO_CW;x(L4;+1M|fwRS~96-2_)2l{$5!z*)u+ zrcRM?oU#E9ll9m$eA@n`4T4G&*XyvIz-%Da32Zc2kC(6-zg|#r+&WYs-W|FEBUh*f z?D?x-(QwWxlpL}ImZR68!r0Z=cw9B@$FANbgP91k9?5ujU>-^jU4k;hm*bs*i%}Y|efaDp8qHn>v!0n~7QM|7 zu=49W#H@o^r+EC6{(dgwR^ak|HFTS}^aq%APeGmVuXO=y+eI5_eyRvdZ)r~HAC>(L z%-Tiaz5cnVIBYR?ol^~X@;8U+dnKYx;&w8q()a!C_doDu_%fKajfDB299o`&Ug_V_ zXGqKMKYfAPQ}gi8-l?!0vY5yx@+1Z;F;CpFYFS`7uxH=aH$Bshd|Hp;SQh-q^?F>3&Lk z_Uai177P+$U6mBR>u?}q_N%Apb8$6#^=ORUIu2vL8;hu)q79?v*cf*z=!EM}u8Zf~ zVz+z2W5Jt;4 zoQjO0*0AX%g{xK_En?05%`6n{bF=PcF@cJV->s?0a2{@pT4}YU0(&tP6&n4U(th1M zDjm8hLdMMZ8M12uD~n9xvzc8&_wvumIR?Kqk0L^XQO^Q!R;IEX4))o5A`RkEuJ zLbIyEFD(E)HuTg7tZPQYd7%qJvO*D($u}Sig;%lOZ5Tk z_;nLdX`USx{G^6L51&6oM3De`IH z%@?(R(_Cjb(eLcIw6o#&a{<&VuQxm*Jmtb6NP>z6rFali9&I6`77k?0nMInZf_7wt zGEzbm4rK1N(BJcQ#{VyA-_(3lXxBpoaG^oCj;A7{mnCfbi6Y~t3Ln1bPm(tj8MfWb z8(H_YxMI`S9F_W(LuC$Em2iplUL~^{!hclzNe(W0F6kvsvF*6Fvo7eEy?Kr(2rH*n z!N>WZ=&tKIf9re^lm;dTp+)Y8;<}1ToBPc?5%$dbVYWPngN{dNnfy82BHU3qtqNQg zxglb={#unSGCst}uhmgacc0!xr!*doRB0ylm9buEoJswzCIFqdVIrz?0H(P< zYTn*F3|vK@P21Ga&BMhh^GciZ&0JKCtELNBXKk7dyJ-&ait#}p>2lW<^`PRKqif+h z&kgnw4w(DBdgHO{RBVUNuLAc49#jwq!Y9@b?h8H8Dz7zWZ=Wkh`))e7SzPi(35&Uq z@0!z1^y^*`KG=Eb2Qi=9lD$jFo7#yW*K2_{vJPkh){A@LG2Ih`R}VIf?c>qAU6Q-N zdaMogw|=x=c15Gu#=5|i1HYiTA-aHd=IU9n9aRZ#v)$o6$487@RN9(@Yv44=8NLhr zOzYhkjrRR%`{KTz!_`Xt%E5+5uJ$s2P`-^hkK$nMi?bJOdYRi2lJDsuA5qP|WWu;I2G{y?84ec`l#_Un9!r{oaqxT206T7GB+oaeiu{i+UlE*G-= zJ*KUn2Ae6i@Qd{q!H#ddKfL({R7oN5O7IrJX`i)y5lOyo$;qYohKltoPt?(Te89X) zR8@E`@`hiWzfSi{_Ai0`3`cm!_zHg{0#?m-H+=aBxXt$vm+(;9))VC0rh18>%{Rs$ zj$uwn(1cq&lCWufGdP7gW8En=VEy6j4{)344v%@BaGB?dux(-T684B!(J-bYCv}_WGtF&#v#f0xsJkP(Qebx8Wl08o?8PmRp zpDVtHVc)}k$0yYn!?q5S|0PVfYY(sCi{vk1JJU{tiXP zzj+)r<7|hyU#j$`5H~H%p+39sx_+WR z=aJTYHeU7-^s5hFK^!q82_kg_jTcr9*xrbuu^h&Xs+@I4yOW779%{m&x<6lhO3bkn>>xS zy7s3WuD)1a3u46TH=p9w)=xBiY{W+rTNFOj&_eKX3x}t~*9spP(M)1q0e-!0 z`t*3wsBgV-xB&a(LvS^}3ZAa5iI+RO;m@C?`i;ZO8wWCQYx@|yI4~8@_D;dCkLAnp zkshvZ8;`r1%P4XC`N3&CJDG|n+k4{v@+x?^vN|5Gu8yZaj={g=nw!JP<172(WU@Ez zudI#Ri~Vtb*JKffa{HZX&`ayPHtsE}f*Y$o#&0jw zvw&_NNW!HIcRW23CC>p~J-vei87*)=D+o6WLU4O)AO6{*{rShAIJdqZE@TGa)eY4j z{7E(Qvui)#!M^#pweE9V%?-l!ykI=qtKRhVXYz<=znO_^+s5Gj594ree-!?ZxA&jP z(;dtE6qjYpb@s=7?w1eYlr;XHW*oQ!asv;hv2)(h+>7RHXKG+~`Ugs0>6*o>2~ z9=BG9)mVv&M1?VHbd)FFAH4?e3|fW}%hj-l1J(w!R^r`(`7j^33h$3viH*lqBb)!j z37GdzMwy{YQI?jM8McDV@M^^GIEM!>)FXi0_y~q_q)r5^;cH;lIR))gcd7yF^OtBe zYdOrirJ-5Ww@?DsUw-`^ts>W=M9*}T9J~~66ISE&E%o%%35$1%QL=UBZPEv<(d%e_ z68xvG!L7$?z&bE}E6lnipwyrOSdS!Arn$ar(w2iT>lBNji+_^m(8l}d8LE%Z#yj1U zMR;n~CktQ1ZlwZ1`YaK!PRhkUd!)c}P%bP7=4g(GUr zN&wnNAw@>}SRvUo^lxXt)N+CGx`=*hDBU#y?=+uBx}MM4er{G{a6eK!k6>cVEc#kl zQE{R}$Jky-->HP-}8-<1x}xg6vKQUT$GVVj2;iq|)_J_UX7RbE>|z{+7NA9Z(M;0~WS zAG9iHr3+E}=J$m&75tuyJkc`0C2enN7|=bZJKAJ_rMnj5>)NJe0#TLqqBp5pJ*A-e-^KGu(#=f>B5 z4d1o^eqnwhWc4HC??**=A?E)Zm{^}b87|-XzHl67L&dWN71?6sYMNOkGi#FlKUw?S zXxVrwH2&ZM+i9o`YNgafBQCIo_GSIk_E1lt=wH=-9m7D<&bb4}8ZTX?)aG&Fj!@C8gMMER+K$}9+!08{f(|Me6r>RsRETP!LP1BA5!7#pz9W*1 zyq1L;gvr-H1ps3x22AMGfGJ%U2UF|f&!u9+ZM+i|8B}2RqrSbH#evdwN>?Mvv&jc)M136VNERkuG2zv~&XJ zVm0I)$t(0dc)zIh0U}_{>>>{8`A7L<*JU-(TDET)oTfOzXQ2~xp9lvkguTP)bLM)B zQH4rdy?-^FNWZ>ezNU4rU_$>KuzJn#M5TW3!=^X&{oT!i6}1KlksUX;rZNq}q3GIkN>#)0*ML-Q)5cVA%3u zaG2+Sp6h$bbKcy>Zx|2%7=N6+r(TyaX=f7L=D8s#IS9ej|9jK6^X0NH#f>SIHelHR zvCVnJQy;prqhT2bto@hvhexCb0+Is|oD_^5mo)+F!R2t6?SK)R)k_lb$iWU79mJ@) zkmL{qCkGqwiI=vaAE+2s4nQl7^{BLq_bwoGK`6Xqyb+ubjNMn&&|%sBW#muX5D*_A zJkS^UU+4nXVatZWW3C4-Ke{Z>A%C_r9gb6-;Lq3Lq&~@Gp$8^!nJh1r`;WxWU_Z+q z>rScx>$a2I;6BA2z7f9gSm1$~TUDK3zIPe*BkIF#uG?Go{iby)Fs13@Vq$%~{qZ*A zNM43LjW}bcqj{=XSu?)LiQf10w*14odl@(nvqkOHT7`U%*7HdE|4;dz>TmQttl^Pap}UOB?#n--erf~wB>KQJ(Gv@PRL{P6UE_m9pQU|<=9w+@0qfEM zu$gUxjpx(>1g~q{7gvj{h88(3u>1OM-3VK5+8W{f-SY^X9|%9v=(3}Q@3X*X_wly( zNzNzmi1NgSGq1nSrP4S6<}*pWBfSmYM;T>W$oCj~pW^r)t?o@}|9_-^@tO45ZsX)| zRrWn)8kea`k~bV!yT71flc!Nu*Zx>k5l^CQ@M2j_y!!Sth(Oh3a7ujL!ieSu48iH< zW<}6cVp9{D#u6JF;Q7X;`1Q8B?|t#$5>9O#hkK_r16Ii2-rF0F`zxyA#hOsO+&u*U z`cto~qT00`vvH2L&6k?NK}!4cm&bT{aTV^bYmSG@g7IY6Xp#SL`}x^joGfUA>v@&& zWNjThTwWQEb`Hazav#pugT1i6A8zfKD4uis_2pw6U(yy=bAs@AO&vU5T@!a#HNdZr zRUdHs=wh5n_P~=v>cR4tkFVosR#V(4sD}H?tK!}_J=6^9kKb{6O+TDV^~9}j2IAKj z_r-i|`~CS%JlGeGtGSi&_^5iY<8_Tk#vaaXg>xApxVpF|uH+MW5|?Ez<<-EYT#1WJ zj>H9-^GtRPoD)>XIqJ`tvodF>Ut>-)8HG8OQB8u+K+$kggYh!yJ*L-pn)=wwsX=%Y zRSAE@TH#4##V0?Euuyyt=RN;}fVJ7QdL^39y}&oLdZ*bORP2)@f>q}!8{sr*J;7n> zdJ(89I2c0Ib+DU2QyJqx)kZ-MQw@Qt9HJ^gs&SagL2CKY5*(;9 zN~S^^u>OMjGgsiB1M*R3_)3%;u>u=30c-a6$5EzFD#{F53X5SY@a~``7^}I4>!sTd zF@4GRXdAH#onzMG@e67690#l)&!^Apn27c%JJm}BJbQ_TvzEcEYYLi1Zq)^>ts~dM ztVbH&8(2UE-b$RgtqEB3cZkugwdZcs1*~61(R(^3z<0`O+|&fDgEPK?S?2_l9GC~| z5e4}6lv;=+a=_Xl2Ez-~fc5U<=cq9u8zs6Y!(wnAeUEf>NZN+qWh2J{YpqE+_(%67 zSPaM^vWYAWnXu@uB}1a00*^d3LKmhIh9FhKyibZmZ-rzHNv7##ibNUBJX7yg*4;N1 zrMtxAAI;~YM3Z?a(P+-ocWMkCOo}fLxh6c~Jdkr# z4P4ly^XM2p#fRaeuzN4<6{jS!sqeR>pJ9Y5w=rwRz-hjd_-r;)pDg|a_vGtxv8INu z917?8&RBg)4OqW9{SEDeX-6DSJK-2N%-x}$k}3k$*apIgYmLm-lUqfwR6VJ>E?`aG zkqobSo(PDOO#k2wgAL}1N2DIVeq0oz2QJZXA^5lPbH3K;7fD~BU9LKUmCaqx+#YbB z?=A|A){9%~0@nVE`@?y*vnYB#&;49iD0R#1hF0mV3^y3#qUZFD)7W!<5B6WA&%Q{1 zNB&%T&eKk5ozXN_KZ140;vsOI=_-nf;K*Pczoiy^so$qkALs<9*-l9LNex&JUp|b` znW6BU<0;GyzyH&?Pm#YnUlbz7ZPbcUaGCBR70k>$GDXEH;b`0JuH9Y0^4b@4QeLUK*PmUVCPU_q0v8UzbO6J z&Z;e_l|@AbQ8SZ@3Yi+2R8TM(64hxZs8Ee|luXt1s)8!%R8Yups3k}XMdh^0Dyfx) z-W6E)-B;@a*5NBhz#+^5fk}blK!RJW8yaLc(2d%A@caQ9MmI#QxLUe^=o04?fvl`(b0RQz=DC;a@YI?9^c?#sIo6di;Qvp>`YtYcS= z6+sS%K1$;NwMuvuct=qY5FZH7XiqHsK{Z_>V2!K;r!Xf>{YDK~xqxXA*FtP7ZVTPe zaY;wRX?|?Vx@UD4Aygn06M|@oLWM(=zl2;s=vYVvMNx%A1RHtT%!e1jdnv=S8s>?Bb#V{)F7ic(l^t;Bxf-xe*)TWU&oFQmd)6qp61BKXT$i0@Qd>k+kso0o9=)ZUk;#YLQ@Q1 zKU|(81+4XB>!WQ!TSLIg{o$#br*!+4eY8(uUGubSPFFNbZl()Z`TBPr;U4gc^}=U) zpQ&1=Heu}qaj?lZ))!4Po9e<*)_LRj#=4Qa=Wd@9+Z1n4$~MK%c{*a*2vm)%s$0jD zbyMIx%Nc%){1CJ#2;W~+N0IYEOYUd+Zx!~v`nTX~fLEPY6<&P#0Qwtiwesy54n3E%KJ`T}mF;0Y3A6;1%YD%zc^i5;f= z)%#Y%X{-}`=M-~aA?sg!{&aU#>RVnMT(Ie8{-olkr3aGa%?aUq_*(PA_t3T>!d3P? zq<8i`hQ7ZTzDL{l>-&9u-_QNMZ=x?oeLcz$N?v_*6;n1%G3@90;AH*i`f!eLM$dIU z#XP0)!6??NqF?q!doJyvd3(`4ue<2yPTo}m*0}9)a1C=6`v49(z2m&`-_p~o9U+S@3olh`;~sbm|AB3itnM%^Ob#% zb$8Of!OU-dn_5Auxn#E?z;8~n9PZHMXr2wzTobMhNBTGR+1Wf+ZMrR~Ie zrZv`|QSW8I;k?!-DIS~Q(f@p4c*{BU-V(dd?Z(vAQ^|XGLi~1B^SqA>nI9tU7s+=| zUN;%L&+iu3T-G-BRaK&@VAb(e@*L?5Aj#wJ7YMH=d;Gi~^AI{O6g~@lOoXQFdHz?v zr?uBwd(E2`n{>c;r(sag+S-=BdK@h*6LP(7PX3Rs)rMt&9CT~Zl$ zw{XBJ?OUXPwJ$ED`{PP>2+pnSB(6pKg5INTJfijLmf^Ugx$NKXzrMi3Ylm_F$^ksM zdJqq;9HhtliG8?zdK>nqx4@b75M0Tvfy*LDCC`#0aZymsz=iDUIIoZ;AqA?{1ZOj= z64h{q`ZngY5vQoH({eJ6sZxj&GSc$Gui<6d^@w#7C#i3}kP?K4QI+r;X`3|u_=ize zeM$04-oqiQ=>PwFt-+M~C7R5>BEr=svr(Z>wjo$`oG3G4Jsf20$FCFE$y8#-ahSRm zw&T{qM$1@Y%vx9r*1$?(^cqy8X$6{A7_}PZHN4M^T#a&qRbsTMV1$I_$d#}du@Ywe z3&>Qc*CP`F>-1&#XWtx@8L}MZhAqQ}qpARNIAHCSf--{^i;&fF=o0KWs~+|1pSS^L z&8NZa^92Z*xP*!*sbJ@T^`kKQy!P>Em-M|lf|Uc-=}TbNDG5y@zE%U)-+o8yg==8e zEgA3j&x7mOynJfuaC-0<$!fU7XHyC0T%tT z2st?ItH6P&79})Q(1)jj-YEt|fZ8kBh$KBd6N^EDN)OFr9j4wV(NqL=TJd8Pu#E!++3Ppf8X%ZV*;o8g9Pan*3}h8nP@>_`#e zBAb4%C@*}O`=vPI%#BBZ49gz|hcONaoEeCqnL+TI?g#Iw-Uyi;BG%Wnpo?MT9S5vE zvU`YN$ZMe&TIXs4RuXr=ynb+);UJ2hmRT)zg;LL~o~RpH*AN2m&U419>98MR5C5tD z2%HuGzsbJvoZx}rX+dzC?21p5KNZ&+QyLfET#R_n_eM~-egtdE_7pgdcNB$q%8zQm zdhF^^1WpNr{Sn5W9(38R&5N+9fk{c)Elv^KfE69licAw+glXP#bUOJ zd2fPDm(Lt3GKSdl(Q6T|R%laZajEiVe1UsqM`LE))nXhOvETW?g5yAI)QGPpMsL*3 zDnk1@{j1uqnNEd-4k{!R(x{lwK}AI>6%zs~Bn(g?k)pz*fK=4cKs=gA3m4AaR(90| ztb>;hLWLO>;I+sL0dfBLH2+h4e_0J_xaIE7h2vyLREs4|YYrOZ?9PVgL=X7Q@I%n- zAOy?|fcJDS@i=&1Fnr0dJB2&JX1X}T7FkyJiZSZhb?oxE`pwIXW4VU7c)Y*9xp-gtNe&10I2 zQAAuccU)`~ux4}@1+Y{^kl}ybC<}%Q1{pT!I+Q{|i=k*RLN@%qb4i1yFs0Qu@wWP> z&*AT22vI}bC$FC@M!~a&o98yy1+3FIP8a`Pfk^?h>;v5h)>)fp z!Ev6W{&Pql?Q`10KHOd$jN`C#v*t!Yr*EA`z`OvA+Mr&Sjsw<)u?^8Ur7?XkDS%;3 zOkXn%&f}dBI6DBrb4b^-{NX*r3zg@Fz=Qg&mRXaeb%||y8I;%45X4;8ubl8-n2<*I$F;55cb1g|EwZUWv8z4$ujeaediYgXOOU%daZ`4E!)Ykf~W(!1XG)G_G) zb-w3q`hKDN><@7Hp;T=0{(V0cdP-ZoXR!#Hc~pL@C9QM^t4A&!375&v2$~m!5bB2m z=J<=hOGsFV=%=d0Q}LwL;EG|)qs^p zu+lOf0m~sjhqv00fBF99aGK_Xw)yHAINVZprNCjPgXqiI5AoDxfeXIO`vMPNO8o%$ z9rfnagZVIXlp0kMGrv|xhw|ytmFHF#2MPFq*pFA#>k=;AzXY}uZQ(}!2Zy-qfpnJ$ zC>Rc>sZL^4u+k1)IfRfo!El`A0M~i+KKiZNAeAq16fz@31h;EXtd-|VBUs%gx``3h zZnNDm>uY_$T5n!Gxbn4ujr#sV{k;|wT74~l)%TDl9EaF|`gXqNDy-UD6eNR!^FVgqaEVlNmrb@m?@;+MM6RPt)l~aoLJ$xX52Qg?{ zx16rx0IWxZI~E^S@3zjD7UN5pSk1A*=*^?$xw7Yo`4n!GToFY30roY%Gw5$eh<(8v z+81P#zt+?-ye(KyvqI8d_3~JJz^>NpTJV_cA^P;dS%L7G?gM}J_|v`7GOeY-lkg3< z>d&o@($xQ&k2S}ft!l`B?#?;dACZq+;4OX!d!)eGf#Q191$!48`q$rn{|z6NSf`Tswi#DWSsG2Tlt_z|;VEP4a@@6h8#d2!0VaSeiw`5@lZXkQ#jsez*@wQwY<8V)Cf;z(+3 zoXM<-+l#BvSBC zw!`BC`Vp+hGMeIgPAG2Yhv3fU?zAqcrudWgM<-YI!MRj_+{_KZ`6M?SiSxz5^yWCd zX(C=}g4UY{b8vo>dda9?ogiNNtZayP;IAhO6DZ>cM2y`ipOyi^NPZ-Zt7#trv%}CWF`Dc z+I|#K;pL8@WtG8n?0eYz^Pr;tV!+yHM$Hn9W?V9BJO}SIo`Lc`GsLO?B1|2>PGAUB z$E`&r4Yp&MHLy__qawo8(W_BWVU&ajQ%9~c@V-pB5fWubtQ1%dS6BfHEyE*zrWe4hLp+)+*n}r9)qu6tg4HnV zk|@GnmoZCqmk1C6Yr7cKoV89Du(sh)w%sE5OjvFdux=5fRNw2H1*;)>`hfN811Qlx z3V!1YaPO&l#P8UZduS218g3)=(K}-Y9=%XcOX7gF=J-s!(>WIAebR|E4XH5it)Lxo zT8!Y7{I2rCzHpdo5BD%Pw9NQSS19$%?hEHBPWb-3S_E-8)jqWy0_XaZ0r5ed$l4gNq#xR( zwT9gkTYQ%CnJ!=*oI4oKlborj@Ip{npgv&TmJG+S_Ef+)B4MX`^!@RR#~7M71P!Aa zqDfq1j94`sZPMF_fZS?yMe0jju;H*e5_s+YwQw8j3hx=7@SR0Pv%<{3h;|(^eq^?M zs8DwrY)eIkC8&@<#r9>El(aQ-CE2sdlCHhiz0^orF2Yr(fmWy^j_8r-3z+GoeJ&_i`!wu`r)XTP=|_hXIM|Jh~D|V@QZxM za4rN|ENYHMaSipM)XH(FIH3aiF6%A!DN5UZ_B+}hK11W=Mp(2v#t_tUJ9+&CYR#`n zMY}zwY*t6h-FSE%&7(dL-=715j(Hu_K7<3-v~FpDkCvWD{BYTxghCceJQ$ z)7|`n7}?#u9D?Thp*{zzM%u5%S|{CiUD+AyPpbh0j}%JWnTQsd&C$A`wLV~7HwnHA zy@i%P$Zlo`R=7>uFcmITMEWQA(z2%dfOXSMIL@)hG|iPi6)tiv2b^U z;Q$u5oL$+ln{0zIo752$9I$>6+YBD0)t#5r>vf&Hc>*1?J0O^^0~g_kdhvBIVC4X` z$!-k?`rOZ{sMcO~W$@xbLSLQ{9{4ot6C*8;hw}_ReclUAk{gTbdCO3XpL3J zR?2gv{YtOAo(Ne$MelrH)QYKre#`rzLv9D5-$scIXdSAr;dMApb)bEx4+5wd)&;Bw zR*9g^X_f=#eyg5+!TYs|t0thqqWbtSr3DUMSFg_>_e~u9XZWJtqPn^O>gCTb(K)#@ z>?YZZ(f&KmtD_Y8`hIN^TccTAQ*od(eYbiba_{*)5 z^q%4lI}TU7TfnND#jA>+mSNvxNpPWIX4%EEqE$D`H9WGG0_l9~F<)lB(h- zO~82M`Vq9vZj0dPAOuDSpk7j4jM+FEpJjat*9Fd~or58}Eb>Rtq5ybB zdf?S*Lw+`oNb8-mmh$BG0CdIOTvfWL7Xd z=X<~}!dKkbRB5cOuTtBfMM`r7(Kh^P+Q(u9yV5vdDs`g8O}6@?DO?_fWr1zQ>w;PboVyXOca8e&KtpyOtSk)7|n9KCs|4&|306n!ca4 zZ_4**wQsEd*ZCer`^EJ=g}jf(_jp9RVbJ^Bp-xmS;VVKG2BB5v7Z|>JIDEpqg@0FG%Lf(uWcP;8Ja2R;=zvR))KUE$u=-Ko z+?rm`XJYVviMPoL6W&LU-0p@^xxbOW`e0!*bkFH#STB3NMcWpk#)9fXd%^RA@OkRz z7`bYM@clmXyo%|2G~TDUzUP0Tea6(f=yUw&^V#=^k*nOdcPewbTy2Bzk;B#Z>pxpq z@zSr+96(v)`Qj>4uquL7ZJ62=uQn<)5$HnH4ezyxZ~y@R^hrcPR0`TKwEht!&j+xK2F@^PRd8A%RpOM42t29ZWBBt< zBL)(?=@cMv1Iy=iGjEmSqZ;HS>efo3eR^AuP}ln&%THIe&vR?|HW{% z;j~&M8cw@pCIToaT;j#;!r7F%q^iQi!@5Hlro1WvoPqx{9W& zP;ulcRFEk@f?0|875MahnXYP6rk*&d~7(P30SuuMd|JdDBUj?Wd`Pnz%pl-YHoh{?GGHhd>>aHybuMj zawz~2u+CWqv(_B)v*0pni9TS>*#@((B2jb3 zYJI@U?`abapK(iZ^RZMca~qtpS-Qzp?+jQC%E7lM)E#Kz=Kc6*$0+=xYXV|6s|5wO zXRm(6g*&og)cl_NPhOzbxOBYJVG+!Gr4k&R%He5GQzXH>ha8^vNHmEdIHkX@F7)iC zB~DM**uNKLy*=VlszWs1X*LTb8WIhr|7uos@OV;uIYNZ1b{#CNY`R*mwCzDVqR!^< z9P5nQsWqje)@fv@7<#TyE0xTZOwE*Pf*LZ_$xKzJ4LpE~f^I9j=#0snO|#)eW;vA1 zly|fzhO8N+3xd|4Tu)}i3pxAM3%7H-_4Fo=+&+wBcaGt~%lqP{I(6e}!#T_Wqc^HY zr?~Nv>MM_~7;c88Oj%RImkvdR$?v20@?N5VQJV4|UN0LMel0g~`d4^eDy*I9yQw1` zwjAFAS1M|&MupZgX&Jh}DH?g#5} zR^n7w?J3)Q1f5UyKXl^|F3C68TDUa=6~~sxXUU)7;S2Qu%i!!maGu~uMTIAV<_6%{ zO?A|_2v|qi!)1yS1~1VYTpkg?r>BlxK3d!*{L#xt*n4>|zCQIe4qZDWPRUZ*;Iu(- z8bJl~bT7jDZ^M@haE8p54;AT-18rd4l}F}TqGFpeD@r<>@!b;*;i`4#GNY}#TmH&L zhGTy#R9_S-4lJr#Ed`ntxakhNIw0h}j03C()WcgKgx&BYBrl*al!bMFie-8_Ud z_s@s}A1e>9gxypd%-kxS!hM#OZ@aLK3h(W>r3s(DKeZj+lfCdkVl&)Uu3JeyY25O$ zu%BEBl_P?&QxoKHdq6r=ZeGU+8k8nRu+FOqhiP`0vPl!LKDbWBMpL-XaE8k)Cv?bG z?*uFY*3_SR&hs*Cw$4xspTK~yA(gKAV%8*88S&iel0vTFXd zEow(3KFj3rQN2Ftq%{-Z9Zr2nd;pqdHm3et4OpkHp8}^j4)BZhM$?QYx`1`&h8b{} zSqam=QAa8(2AhMQYfn@!!|l%F+h`H_0cp|}<2Q|!=Sl%<^F=g&hAnz6QSX?~jSps> zxN{tbZ&82vNa_z4d>aniY1a5W^D}+Gnl}(`GhE;i?v78=KgR8+nt*l1I5ZH~(_#UBuO~22G zem_;}_tn0i`h2(Rz(jbV*8z;hUmMyBsR>euum(t?4#lnS8sgLqQV6;Cx7r5bbqcdOn z=k$Zi3@0%vw0&MX@)T;o$_I2gp!HqIA-^BK*M$7b_AV8pgk5G!8Z`d5zC-(iOAjxJ zYftVvzYFyv>*<1czRc4R@{m|RK8X+F znxR>I6J5YMV)1a;PpE{DupnJX&+YcpTewPoPwa@~cJ%TQRG(apJdYDRX1ZbRQO$Mw zk8gw97#DFM*ln5%EL~+(TMg4J?(XjHPATs06nA$h#R(KBQrz9$DOyS)!QH(;3GQye z`SQHy`<0WNoZRFlcQU&>Gi&Fj%Vpe0*>qkf;<1(6_-cOiOaSH^K@>awxc115-G;MC# zrkmo+1fe`{9{C4#WE5i@TT$>U^WwBlfn}l!PNF?K$gTNTiADqO|R*NjFm}ohAXD3)uJzWqf+|1NS}q?^VG9pZZOn@`J$?@$MEV5<8RW!}mwV5v z?ni3>!#r%iNuQ8U;Qkj=VAQNbAy4@hD8{n;<>PI>iNeR8c4tGS=ltb~PKE-iv9?ml@`{XynMJEyG9;vcHkaI})9jWe3^m|DwM$hwi?Ivii3J2T*Pt(|uE za*SAOYquVcS0C;okADur8a%U&ziQb>j0AOeM6szz^i8UDUmjf4 zfF76Kxh~iGbso-owO+1NuRr^Spbn?=b9Hq=!)i<39+r`qE^qEGF2~QrI)C0?Ymf-z z?}e^`(TfR2?`rF2LuTz??r%xOpnG~iuP@}#J$##fc~}j0@S8(RTMsfjZ4V;#AhF+d z&**MULeoPV5oR4}#}Nw8x0%SoX>-V#d|@7RpFRi)edTeX3p#$kDmV3HEk_Loe5DL| zc|mS;JL?~3Te}?ZwuV}Ul@o4}FuBOS|GUZaaBkcff4Sf0H2WtOQ+Po!OvQCE3qB*t zGh4!8+UfQbr^7#(V-Ow?%VqV9q%2gbkDDJV)2+CWrq>@*%ElYgr1Hyq5|6O{L5eHw zam!U?8r8ZnCY+%P7TBQjr4u$`aOJ9cxVcZx2-3`Uw;KVxzgz4&_5UDmDB#0`S

8 z$>2=XPKR5Zt+iw;g|8MY&C>gs(L~Ck2&z-^XsxFdpJr7^4W{doA^HxpK$#XkGTa~2hdf^oaLBO;{5-lY*p`Y27jUWa6Z~E)Xx9lH zL$>T8=W=F%ZbA`;fdpCttg>2@+hiPFMdXJeitk7SQ~xr3Qs3t)*1YD(3o%LB-6*9i zziVn8eRzM=-kP{nEKeXg^SsRw>09rRb1|Zpera-EoIi_O!_tN4M{`D9V?^7k>$|y&*hJaIa9pKi>Lcn@ICF`6C$)$4^attKEkhP z{FE#0Kn-2}siyyTSMi(G$CI2Xxu&{0O6PpbAD`$Lq;-NU@xsS6Of&?R0Xx3g`;x zk$(uE>8VbfEujssQL)+v;Ykt&50@w*Efr2W-7aSY)}Wp!BH1K`4-+(>1I&VMNLhwchu4>D4ne9z`w^k67T8YZt(Hb@n4zM_M=0_ zYXVGSP=E_fi0|b#%L26+LgeYc=a*SKkyuu_a{+g2(^MfZKPqtIXW1*7 z&NoN1!e*^N`+}1sZT(I^;BdMCWJ325VDi5)jC^FhmftDvCZQVO{V12 zlxOs(%IuD+Bd>|-oAps%i62kap&eY^{(AI<_DT!Q$W`mZHG>kvw*xya-p8!6ucT~q z6ZT78I$43ksCuPrME7E?Vv4Jox9&4QXlu<0JOW{+ak>I%NX`~0+>15bv81|*DII_L6eQu)^Xg0qb=6YMS<^HnhRjEFj)WF-rHW{haxA0&5CJBs31*z58)9AzBD)qm%s;PKp6s;)cHD%yRfMcrxq{q14Wk;kr4b}Cj%!WjD!hJ68?ZO%K^YN(2Mfh>C!02 z!a<>No(IoRBF;+vq53>c6UD3Hy~g3~J-B)CO$7hnc)4~vQ63?AN~nE{ z_*kMM*mPWb(*a@OqwyX*0@%xQub$T7z>1H+R-^SQ@DoVTwtV8Ys0<^Sh_nooiYvl(?i%u%eJlMH<$^=Xd_lhIp{hF!Eac~H>j0; zWg(LNuxNog=B<`4U;Cv<#3>yHQ^!?a*&xw`4q z$QOf{*-F+bqOx36MN*Qf*ArNAW*>A*N7X(7$0&6rORp}g=``gZfvOn@PSVh>Dqpv&q)$d zM7ELWCQ!anc5{Y4hbmlKOvm!?CjzQzV}?d&gyVP>nQC=y&9P-tF-(NvxD^1l#wcY zxoYL%GW4WXn5i(IludK~WrV%p&lxKHtX1;1n`x)_bjXR;Q#q`a+%(ZnMzpzqNvtF% zZ{@w9RO`sh{=K(k>PIzAOblyP0kf8xBx39&f$O>|!Lcr}pnAOaiS@!Ujurn-R(a`_ z=V{a>8ia71_(BnjU&SeohfTryc20}Ag9HJ!)4X(0Ytcs|_Lm-RCq?+W z*eLB}7o@_+0^|ZR>H_r}~wlUs_Hq``#>D z%;7I`+z5HXbe{wcok&oHe+=YvHer}&>@fAoAJyH9k^UFG8!dMy*C6r@*!c`Kx#J~W z{8JOvd3;qvQIf)mH{=Ak(=CxzLwvXm6K=Ai16>0mw13Yw6}UF-U5vl`i#6m{G_O=6 z;91)_TguA3lsI_}o`YiG2}m;N>OL92xTrOHp32C{+e8chyfiu+e+tQmdOxuT<${u^ zWhEoz$O#Bw=Ro8Iq|h8>DOTDCBVWeorJmAcWKKp{S`zbB$}TOg226PlCN)k*gIrQX zTZ|t4CRa^cCuDMkzdw@JB_@zyborm7QtePSZG!1|U);7^Oe?fOe2t8Z9EHp=@pTt`Jc1$UXXc{G*ZBdz!}2SAsV!2t)+;`h z`kU~@m7FF2ig! zV;%oL#Q>>(fA1}^)TeFk^VnJ|k6uYf635?;9c8v)ZZ2Iz?2`FMq%F0rQG0=jo3ImI zrUk6pa2|xxq!-tel?vWp_7?YJhKJ-}l-^XhL1&qM8E)o~5At&d2@@2Y!G**4j)jK` z2s{^bk1f9&-N@!iDN{`bgSei8Y53rHXhVc~+bgZFupVh8T?K!koXW3m%dApyu3#sG zQ4!Jw$ncA!J;Mi=cJm0w2BXzGI}BMYPmq%c3d?Q)D-EjabF+*vM9 zBc8XuZ)$S-$x|cR+!H;g;~e$R*vQkZatZf3^SX|g-KhVd;L$c)Vk{w8m!A{g5qPpc z`;+J?U+%UC%}%F2%LOsNJ60#t`~Mr!!_@Z&S^U!yugbGoh5Wp41ArEw68Vcp)xpFg zp!v1fD$xA)W+Bse@+5Ay%QWde+YT+aFZTYdq!60n@*c6_QFun%&VqS2@0*lK4N7en zBjEe2CbQPjh~2XsL|>1@g)Rvm1kg{XNZ=OAh0s1Jh+mTRAcgdIe;e#lsLNlb^KWRnP?QN&2S;+iDDFTDYz*znEcg@XeT31 z?zr8C{WZD0$+fxAVQtRW5w-{Ks0m(xruCD}Lq>`y~LlRs1r4 zo8u)PY~t>x>MNHTEuZzvjq^HWLN)7w z=+tHQVZ;;)1y9JC=Yz_SVDv-pivKL|yDuw}h4XS@k znX+@E54;zfYukT}%b&^s8Tj%pKNhUA1e_6_1=7E=t?J*tx33DF1x7FXQ_A0qoxVQC zh4Qe;tC&Sq;eA$#^TRY4LBb6hlxj=F6EAaBUZslTfG+GsF^`6dIon)ujVz~D4M#Sz z)m}ZtaodNirF(^gWH%Olc^xeUA5Rn~eWc&dt&FKbl#*+q!>U9NYB%z~7C0AvO%ZjP zs1CTqFkbMW$J+^E14yVo+!P#zo*$Ve-@4KgUW^T&>hWn=D+^p-?=FAeS18gj;<|D- zunrbLpQMs*Q>Cxx)33{XzJ99)X!!?W=gF_dim!$=V69h(^t;Dkbu#%5hTUy#x7A%# zVI-GmG)m-mz4)yXuFT^PL$Et%7B&HjYwnk#6Ypb?pKqp-&_u;{GRQ08@c1IjUxOv! zrI=8E-N`?!TE8D~RY+S)ei?XSg+lxhP|sKRLK_CZM^cR@R^yV#x0;B4T`OP};Cs(bx9%19}>Y9kd? zq&@jShz%~}v>AnF5|{^qaYGSxogGQL5quvDH~TUiw{IWFqB3^I3fS}B0t7MlzYZ05 zuy*7TMmvv-_m*?$c=-GBHc**F)G8~0!7Tpz5c0S{fYu^a4Xea9QZPO@o)@h;-6gG?7N@D9D^ zJmSR<<`T1ofx)OgOhMoCZ$v$KX|VPAWIQ?YE5?C6zvFj2zup;;n+XylS=Vk`86h{= z!tZ=>qcd3%#T;IW8=TcEZIUP!?_Q=l$nfs@TkqwWycD?C!QaVdR* zc%XMj_Rq?OkQV`WG}RUIHgF?V0>5}Vf^qX6#c`1I)qCzcG!A`{wq>QUr@kcR;Ja+5 zO^goocu%9O`391z5W5_Eo zjT5eUFR;>?g}#!EVHid>qlRbpru^ha)fh)ND&bA46vfpejW@FU7Wwwb>(Ba{Ws*(K zBf#YMz3Q(%54UsMx9FZga^m|@Nk{1K<0OrGKNo<5*wUWN{ErTyJaGO?gxT$z`c-Q} z1oK}v80FTAIab)EJ9)^(|L? zRK=P>dp#s+P6BugpX60aRsS%LSXK)PFGiHRlV!;le^vOQ9TEMKTjYIp@HIhR>B%>+ za#lC3N&>A2xO)05CZ-D|_y`2#Q6zOOST^eb}(neLXu5Xk`^3O5JG6_1YC|!1cXrkk^u(KY9tCdM@xB- zDOrw17bzQ3tGMY(#|PW*4zC~b+}G(7V{l=dH!Orzn+XtLiMZ79&Njt+4dZ+~iEYt* zdAHB!^DKpyP}}L)`rOh4y6pXueiZiw)xfdFS3J_O_Bqy3yx95cXq_NbD*4s{Zinic?#dJ}!j` zz!kU>Uj#ZsR_M?PJ?5RjNk=s7cdHT*Wz^)E9LjqeN|#UKq0)u<3^(3y+e#NS(uLeF zi#U`3tR&zf)1*wGt0KFJo0* zMct8wY(`JRKkW;1P>opaaJfj=;KhVjEyYO+JJ3dq0;FTNzFm)sixoTSnj>aInX9)* zOP@*F@%w}`)za{Cpw&xW5n4FzH{p@o{;MegsTa~OJya`k#{yJX3Y(YoVa8Zk4kHX_@A?U$ zf=W66!fTP8gKK+XtOoj4cVzu?=LS-@Q;S8QYL%M8%}u-Mk$`U8!|X*(e=jT1V)HrL z-79KYASTa0dy#%`QrC;`HwPw%=)SOy~`Nau>Bc<0l1YkjR0h zF;{p%KexJ~T;gtfhWK6O2~tv$v)sG-i_BRDKuxgTmG=a|424!AsFTf{qQk%YT;upo z73O?P-m;(PJ}jNMtVRy4{l^^6y4)?gZ+y1+jOUu0RS!+hPX?P&>b#Ca{7BAP3=YP` zLm{U3)>T{;Z|TpHzh-a$_B*~Sti>MS>q9-we_IY)hW`>j1uS2+V$LqBTn5KVWVT%h zuO_sz-`#aJUS>(JojR=ADa-=no&ts~Zy_XS)VJf$Fbc=1{}kqYR3obTxs6%7OdXz+ zp8&a1w*bfY-P&1kD(a@n<=+^UuZVXSKH)Bhfq!Q1-89xd`y1SGB`SwIK9|Cp9VWKJ zZ0O%G*!Tg|!yQ4QE7?!M0UM39r$}pa;5;)n=Zt5kHJYWWm0zN)_bgbImYA0X)Ew62 zhwlA_z2grp-NU2ft*iEjE&d^U>d$&>4SNHJVwn2%;_UU^_gTAvB1*vF&TxcvM+rSX zsgpqdRU!ar^@8jvm}l|!RT)IZboWfNe!&Ki@F$=B@5a&e>=`h4^I?_KWR&Tz1|ybi zr|r7EFkMnt{2as!H2n&axVs4&rKRLKQ}5idNc2ACjuc&bP?rAHMe$Q&+x6$1f%A$s z_(J5b)&ucTPb2?bwv0%wA}N)e2xE7%4}H8>Nd2q?SFY-K2Z-^tWhvh=x260QtEHWZ9zpuc%l?l)Z;0#RC6PPIRH+wh8HySq8=wK~7?H^yCqIZ1Dw zBHecF^~HSsq|qKeFT9#jg}4a_9cMn?sp9e>9fql3f{puyF!u-P@yiCG!ATdT_~pLj zTEV_f55o|>{|@X7nlae3%G0KK(ggux4#;x zKcmQ5Ekk{5iVpVSx$osDG z_XA7(e71t9t%E-B2y-LPguYk;%v|erN77RKtkdV&*05@SqcjLhBVRCQNaSu{S@_t} z*;pRCev1uVN>?w$B;Qf*ZtDg0z+BE~>n+GxbR4s<);s>ni6g2yN77pjK!U05&l*)# zOCYS6-oK!y${~%S^&>rwyrQ9wvq^fJ;mS%*K-8SGrH-^<_LfAgkXNO43&r!(Jki0< zKM$v5wkZa`7_DL~BK>scs+d3i>7Fd3cuZC%p6p`;OoYF8lmock4kEXeYq-=ouX~b- z&B0G1)zaXPJFXR8eqY4i|ML^5Q&)X|7G5>0X->+ZzElNB-Z*rWg@7jpUgd zW&_S$wBVM^&Bc1R^4eD<8gVga1v`CG#x#kpj1rsbIBW&mIZuO<*Q!VM6*<l>lo6MOWV-2{gt zWL(Y8TJ*$}@*{~=F6p%@HO04k;+!cXnBg~;pJ(~ejC>iEi)OFYD*1iamiI?r)6NIB zsyx3bUj|Xg_p%_hATD6HwF*9*YT~1*VTWp;#eT~~i367!+E+4nL2QYY7Yb!N8C{pN zFW2jwB!Gc=#Uq>ZJ9Q!kHh+C8D6|5he&N5R@-9`#nNA}J-gm;)S)Z{H$cfFc-sFxv*c>Ki0yU%n%@&m8|lmkB5QSDK`1f7E8f?GJjqiZ);2SBFU} zuA`}iaFn^Xt3=4?Fhrje?PDGUP*cqki3mQL)U{~c5o??j_S~#T936aE1F%mr-5e=J zbS(QB4UPL7A)CF4@Hg&xJJ7TYN)-X7QMG$ypBgUxkGiz)?bPW51r6s$7VimPT}5&v z@Z{vDV~{bhBwfW35?ama5^gnC8yjYUX76ZHy0(*QumWV zc=Ek>*4#T;JIqq2Qk+0d(P9&fPQbF&ZNS;n?z9)F1)F0bs!Od8;V_5Odkc)xh9>lU z>vTry1&&*9-)gbSzZ^nX2ip#xV@mOI_g<@j0zj4hC7Xmy#kRsE!Z_U=xUARzM>%mxzla>U$M zbv6rq; z=g4bQ+8s{wQ`?Rai7J>hqioBRd|oa(?P1W}8yj5EzJ}B-q)k|t_n}}+1p42G_FDTI z%zR|N3}Jg(zI%oCy&cVKLsDPGsrW0Zaj6LwA$Y--W&OWzFVxn)xqV7XhVCcJH)C=% z^XHWKJmX*%EA<@nhEOJ^lOre}oImr?F%NOo96m;iCI1WY0J{rUxvY)8{O*OYBjcCqMO^Sy1IjP-TdCMv8;}1R z`vO39?|q&2it}>E=KaPGlpBO;!RBYrO8tnhe9fR`C$r!QqrIfG*Z50LX^_$6c(iM1 z21%(y{ykj{Qb4Lc?JM(IILqYt^kWZ%lBYK#{!XExvU8Gp@pzu4W~FXto`7y2)9V8kU=$YnN^6s_l~(D0e)>Sl zt-yxqD$N@+gTb9fTGnl|EP?_%ge`m9v>M#1h6X02DtW0IWG#WZy7I^>)GyyywJ;hp zRJu&e^e(MPq~;Hx3E<7Fe(k#3ELS!^2COS2w`Z*|b!D!oCGa6Awqxt#sU5k-B)(aB zV;ySqYy5k|+x|Yb>m%qxcX8AvDp-B-aTWpUHxCtB1Mw5sm&`h5J`4ibnL3U+gsRhy z!H7}iG#x3Y@y5AG&YU=x@CsgQTe@*key`E6)rqIIB^Gdx7l#qLlghTRTDji|PG|+MBoJfM} zJVa=anRZ}3MVGLK;opQQiN2*?g@)m^s%~}oIa1_WM@j9|n|nyTP)MUtOnIj=^J?2S0O5Kw6$sV}Aut@rMcGEd zvlvhS$v^kgvtsT^dXuPS7Q^<2Iz7^mS8)zLhi8_M)4(oDP2h$`2cV!EbTC#0ji>t<&sCy!!B(ukG*_CG|Cjg^ z<^@0;i{V&}UU98$7{rZsI<{5wktPN`Gt#cyMI>#q>8uZ-5G|XG$N|Ca6Y#EO%hY$YVx_;Co`7dp0>7d28)<^}UTpEm$ zhgY)A6Iuc|)8d|=j;!#xEMaQtI4-U5gFNab9)e+L&KM>RC)|#4szn?n1XaR*Y^rtr zxf2-&CJ&}e=*l6rMptt+os7wvAk(GBbdBk$Hj=lR}iAs~Gu0CHVLzR!hvdfX)E z2u^$ZXrkTbJ`>W^=3W+}vnqs-U3T(o0Vs)&Wul8+=gUF*@1%7)Ye8H_NBZ(J@$Cxn%E)i~_=9@X5CytzuhhEoap9)aMuSBtqEe@kC|IWS>lQR@ zbL-(%#Zc?TlGo&*>(r9^{jQ4%C7PIH^#k(bPiK7JX3?R(`tH|du&pKDTkI5U+Z!&L z{yfla^5f4()#%LxX&+=a`|5QoUIsV2FF#4+a>;+;_|>Q)w7yH=?znGq--T2Nmu*o$!cio@Q%2rt zn+F9HBe_kt48@{z{jCtca0X1jZ#REPl~G=x^!+LOPl?td{Kr9PINN}`OzAi$!L+`P>>=(33FCCMxRRVkGrS|f`|;d9+2n3_M#R5Rjm zi*UuV(bFl9!n9%4zO9CIxd&dD#})K8VS#^hfNI)yyp%Os4+#X^nEq4 zDWbQ$--Er4Sq2+wtu?F%e^YWiv3z`_@4ESmp5{dLh)7tX`w0P4UTx;Hr4)^FJ4T3@ zIl|4O!f?_~ z=s}^2vPc^qF8t;4lt9oALd30jn;*19YezNbHe&{EaJByx(gQLm|>0E8-tB z+bDB3H$U$AW&Ssj4%Z>F! z)-tzI;(*SrMmKcKcSGNTYKKW5xG}4^vt7szTp)sJcTXKs(9)#H=@9=v=RMubX;_}ygn!xLBgJqcdtdx-3_nRWFF zF;v-LUOj?s&(O*Xb|!h6UZwY!>2Lx=JB8kXvEkb}183uXnZdpodqrXD??z{AfRI_J zVD2KEnzbNy0qFT3D%3$05fN`s`+A-F*(k zQV+t>dF>8s0NZaA0V-CWmYv_*o`lN1b%>qKVv{4)9RCsTK#&KX4xe?v7lH#Y?GztP z+P>+18V}sdO+Qjg5sEY6Se`ruoM2|K)Lb;lv{jV^X(TmV*q^C9F+qhHP}DN3eO0 zmkdE&FN?=)vEsXdlq^6dn}$N-rYF0zS^%g7paWE>gd!i}D^d9?sOlY>YByZg4*t&4 z?d%_Zk9Gt$cy62r$wNfW_(J5~hXRD;OU-qRgd*<65dBPJE{Z_ z>^V}pXiT~#=4+16{t{q{nQLl&uhp1)y}CJm(oX73kg^Z(f%F>};zfVX^OvTB&5P+1v2QcI zn|;lCO1}Clvc7L zSzHBv@`P))6dClphzTicLc+;VE34z~FvSpZYIV*{k45?KwUB+?jz6A~zbWY--?v5< zMf!uFxD+xG*T1-GZMh*xND$c|89_6?AgTAg8g~zo6DL~J`$JTXip4BQvL}?a6hlYl zPM}1CGC5YeyKQ&Grc{@UQKj6zB90d|{jiuis`}r&=G=$EDXw`AxpKBt_SCXUm6AyK zv{RQDKf1EyVunwzp9X;038>ndM*KX?e|zy~!+h7|imfsofyTAB=DRcu z-Txr?LFWH5Yx%M(FVMIylRr+dS9zIhi@H0MjBqB*ST<0hCl(c}xQ!d2R5O^HD(xt8YDZ?$AY@a6`$em9gHQns%e;U>vu;X$<)&o1T0 zxZxjRR2GR>lP6~3RcH}#Ku_DMY7XPpu=&F8r|vEP?@<7|Js8tUXo&iYE4+B#GJ1pc zX)L#}&1cnO{Fd(!a6}VJ07V6Q>Niy!x~Nh!)FFAL-W6^~5*2y*p;QtbRaN2=T9Wc% z>$DbB0+dF%;QT8QVnJidehSOwh!}K1BZ{$-ZKi$4GC$)mwG3qadQkJJ+hXr^y7wn9 zX!=oN(O+?^g-Gb$8eI?PHfUzD_}NI@9aro0@-SP&ecRKrllfAJm$ld#UC#LA4hv&33PkRjBh`#mcmhT{+a7_W4=9G(C=|6S*<(Dc=BM&xHiOA<#W z=g-}C9ns_R>`x-7O}SRw){p$U`J}Lkqf>)(z?l%O)eyAT+=VOiLB)4D?JAJIU;O<$ zCUmn_C(nQHNIu6FeU&TWEp|q{G50xmIn?K;tNCY>^RTD;VS=2rBe@iPfQEUCuOldl zEiQN z8?drt6>HAv-Th9C^xu2_Dzqg)+U-nJ{|25HFLio)lt`tYr{|ia0 zzIN05{~C0v6$8qpj(5kQG$Y$NV%Ra*>1StHzpiW1m{d&|v_h(7EJe}HR1U3?we2#Y zy$WNgiaUTljEN&Undv7jI+f}-u#31;JQ1E}v2NcS?wQz;TmFS96$N+Qj+fr8TxC7& zcQRr0iE7P&Kz1z)uCiYZ?l%=BRw7$Y`Z?W5s=~yZ-iY-?&&OwnyjM<4CZQ;64OKYu z#OuBYc%wJcv~LUe_B#v%UXM-RL7{w}tU<@1Py-Z9Z31=96l@x&I4X5)(Zw(9M%&DI z40ICWv|hp~SBsv}Pu()2=~Ptgj7U|D{C4kQpvddsCbLi~bq?5GNNe3Ywlh5Xu`p)qftXj^u1-RafMY8og%=30QtmtNusL+|eNf-nPzbFq{7czhP zc4+=VCBS7i@i13oJ}3)f8pnHU5T{H4Q={shZT4F>L003V?4F|rrlxIxP0iN>M?|&% z=$6|xvu=Tpiri=edC|2lipCGlQBq;y^#1uNR21gFN|>ttt1MMs+Y<^7gTmO!Co9Me#5 z9fH`K4e5rffIcR(0F5IV0s}TfYp9(whb3<3-nD4zgv{vYp&4I4=QPN*$PwSsC!h+b zMV10npQ*2Izbe;G>g-SQHU^#WIta=)_G@{s+I3Bge-+b~7IH`v!55Jd5s@=;(0jEd z#Ssw97vsEDu~U1=k$H2wZknjF!AGVxZR_~U(ri_i5VM45Uu$O9S|KN)X0!OFXX66n zxHTwoN#XX!eO(I}w@Q0_r-U{!8UyjC$zl0cFXh>;jfma$5 z{6t~Xy#6@EmR~(WU1~eObUhtYnD&Fe)?n3a=}p4meW`x@Yw7kg3=yqK68zL{hP>-x zs|K;7`5Y7hmJdN$s}Q2CG}@G~6#p2s$xtK)Mt-(ZA3|IxQ?I_p2i(#iZrc?NS!hj%1}&;yp^-(O-^&1$fZdM~s4U0*6j7@^j>L|ZVQ7v88P3pLk&x6? zd$ZDzR49i8y#E78ID?}>>yX?zahdm}5EZaSPB6tg@ZNm>fKUE{2zmr?c?iQwI~$vN ze7l>g|ITZLZD-0ZMkWHY25`8h-k&z{yv5BLCKF~ikX9EO4hLib-`qo6Y=PFVsrP!X zWR4;2j%V+CK=Z?YuV?=i-rZp=-E1@0pfGvJd&Yfsh(5HS{>L^VA~b0147HYCm2h7L zFG9MooUd;M&)DCq9vrioADchaL4C{6bh&FWtiNPU7brPLH}X(Js=yi95y$`ll80Js z-#MU%?^1t8KLV$nlR!Tolml8Hdb^K@82@(&z6$XR`}1>Qr1920Ih&~ZRXXhA-as=nXyM9Enq!!l`=a9%Mi9JCgK-9nAmI6H{j?Kq`-MbD4`D6!XQ<>b)+$SYVAvhjrm9T z{qTZid9YC*e6RqE5}jt9f2ZKf^ZfP#u7+|lvIG5SJ~r(HNkJZ>aT*5S) z*y$CsP|L%a^CmGKgQqUd9FYRQB2CSNG^QFrmo~^lQ(m+Js6jpbNivb7pi=bnipHD4 zIPg*aQk3p~3L^LsG!tkm?D9_`FYhAK*h|=?Z7AOG^K$0>&r{VD{cB1FlUJ_xW4dmY z1yZk8*|RHVEoc0()`S%Knrr06Hw5PK&>BPmT~qWMAbHKcO0g4_t*#TL^8FM;8p|x3 zLWzC5Y6kyVGD|9r+MoFa$xhi{{3IV07bB{#6?N5;o(eLie#pXZoD2+%>+JE&@=Qe= z{J@-`#T!s;UB=~@RS)N#&hpU;flHQ~_p!7D#&E0UBKZAM6W(wYD@4ZYQb+`s`m?^| zIn?{J7u-0j@o2~gZ^TfZWIdaQf%-*XZu%XWwF1%2-3b_Ku>M%?&!4kti(c5sCR^U8 z|COjS&aJ${apUAQdHzfN6(~_7ryZ&`C{Muqxfl(9!~%zA3-}!?%r>lw&H}c-3whK4 zWki?d5Ix`Re*w2o^#|=LGOw1%h$K${9RuGF8aTe$2y~1c_6qSB zPhQ)AR%S$p^)<=D8^SDp1vx3iQTkHzM5XyM>fAEvpUEtY5$Ll&x21<_46*{ac={0B z!YMSXcb@wk41cw~luD!B_?JDzG~W-7EXLGNell)r^Bb&;T=lJ>wT>jJ@$Ar5Jv+I( zU}+ESTNQ%NJlZs%*F?qb`_ig?SxMiwb`R)ffgtznULG<}$`#W`$|M%=N!#D3eJJ2w z4Ml}zE9K`nl>FRniAKQC!1JK}$KIwuxs@P>L^CJHror{sf08L(Tg@K`j13=*0Jfge zCW1R`Dt|`N8Qkaq9U8>g1vZd7)HtZ7M;M#FZj82HJkimh2HKGHTC&c@ z%lscx-yN6a`@LW8v>dsz;i_D@N4ark!yE~&9Hp75r74aaNUkg`M{ZNm+_KVb6pqb25Xq&e>kQorp+doyQm_SWzsA= z#~y3wr5S=b?*%*pPMZmw9R_E4a-WnLapE)!mQmz1D=dTL67YBJ$M zW}!YMtl?cCipP0)d*acm&by1Xw89>+?>D`tE#H&8=r8C-Ep=ITH@-BK{r>Bc%$9He zu?v-WMh3fM3{kc#m&NEj?bpAM?K6fLlFA7-_Gt$+nX<0_b*Rv!R3Nf8V z$@*ud5`Ux=2$4)T!LQFGyu%zMB`cYJWm8#@owfA$`F=Z5LiVR&joQuYAgA3XZf)m? z!6c<;N!>h7c`}Is!|uvm??vmkHGePH7D#swcfOQ5EzNEs6x*m5ocKiNSZMc>1MB_d zk%%q`zY~@{{iN#t3UK+Uk5Xp+%?mhEM$HQqvm$z~m zKqr-SJsI(6TAH}QFQ5@YeDOA*ytAgDRrogQmjJwAaHVSBSgc?~H}iY$L+^Y zkvXPP@&bUS6I+-R4V;uW&>YGc{I6(0^T*Z&mPGO{H9=yO=<(|i7BmH1D{t9f<4rZTZ@pdEwcL0GK(DqD|L)U zK78AwA8BJ6&h50sJRdU%owrNqwwk{kC@SpE%qHBYJ$U+C)al3)vQS8vLYGL;sN2tD zUz4RkB*yyvIxG^V!$TjoCV<+{G8Dr-;Ya(##;`RAi28D}1 zU%Wu)G2UFi(V-io7zkrVeTG)6 zHm!JhwV}=J?uXV7UUsu-05L|;UEJ}E4ib^uGU1plJf?T zPhbTNi?rYx_k=r%&%`-M0TUnIlAD!;lvmC=W~qwvlL9PniGA2|a+kaPvL=Or73o*@ zH+e3(Z0n^BcWjWBRQLSUK70IQmn(lg-hOX+o+ZU=bSLab7e5gQ%0_$Gr5*$ z_%BGGd0cW_R>nP;`iQqUW-wK~IF{#0+~8Ri2%tTRFw5uj8|fEBm=t)<@sxMo@=(l_ zR2Fr;r+2fA`)0{^D4)=~dF5@;yI-On7UqTUGhMy;tqBDsj~K14M8)@s#?mjghATT( zQ`arZrzqm;pFN%*h8}VamZr?3dVzzYlPj#{h9)0;t$W#5n6a*j=A!oz0qRuk7T{sv z@Nh1qi+?o-5>Va0C%=GZ>)tB8<|z;x?lNa@4FDt90X$_DLe)|#2xU$IoF#Wi_NL1~ zO9&8G?*(I|hiHzQM~5xLt`rP^S#K@iYUS5eo7v2xhE4+{eDb5izEG#@RkEC$d)6M5 z{PvH94h~k2sz$;s|4~&1@XH&5rKB6c<>)S+Gts~n+I!K6FZ7vZ%Dt66Qg<`}o>r&M zSpne9fMO~(sncIGhjpxOk?g-5 zg!(%S&(ll7-Z0Ixl>>!t!%bnw#i=ic%`#L4N z&d)Xki|Gb`Zxql!eE~*X(m(9eok!aL86t{<U(@=syAK!C3RN^$D*+s z#&t+h1CD(RcXoj8ed~=wH$H)=?>^Rb&iKim$P0|aJzFLK*#F&R?mj{SpSFH`ESja) zQK5Z`rxKU~7o5fU3xHQ{ki*I z)`i>QO?k`lUgxVNZaE}Jfn)Cao)vU~`R6!a5sMr%Un zFc@i^vyIM3D7<;m&LXpGPA2y8J4SE}ipyL5J z6eK?wO6X`6y!Tew$m0{({B=z(lBxVo<{f|c&x_m;-jYB_Qq-6{yI0_&>1vaA$E4hmqEGNm+S`8}=(j^m2Y`4EL8JubZUdZJ9 zerX>x^XIVo$&;BhYdq1PkV`n!ZosdR|BPtW+$^kO6@I!tn_v24{E|JY)=Ac=+oj8c z26?~p)h-HOIH6_HbXHKVzOCs^qoANlT`rsThCR*>ddg;$FaFxx$G2eW zoTj*`Qb_*!>l#@%iQT*>@8~M$a$2!0eAHRAqWq9HN>b()yW_sOERkV(f+s2L+bct@ z@XvZJk#P}hx>>zfrBL}MQT%Xa599n-yy>7XJVyj>XV(E=m*lM|bb>#n47ta+FOLv^ zM=*Zf616Zpec3Cq%-%7y$oBEYYXU;N_gx}3n$6>%Pf|CMDASlLqf|XQ^u^3nT7gtL z#Wflm(zUYf)L#SA)(qnGq{)AH(MkmOz(J2RYz#5kLu~BhKQrud@?JT_K3@oH% zl~bWTp5~lh@#98W&sSU9Ng_utEcgr?`42qE=EF^S;sqLEIXsURO1w;G#F0KgLEFwR zN2RAE4_rqPE(KEu1NJMbC`Xmg^LS)#qsA>M1V-m_^K+}vmxz?LL~FcfI*xY{twdfU zV!0FCH)s5vcbtPjDfHkb1**awqF8ijmYy&n>V*ccF;wJ$Yf91|0qxmuIQLWpf%fj# z*;6Kin^EqF?c1F%`*jxE2X(%(LWHmSVJQKrq2a%=Lb`Q513C?qmGy;Y(vc6U<`6MN zjU>>vj7|}R8BjS~odi+8AOv@Uza9BP?ijrsceynkzZxM<{^G4-D@DTRtekk%_({3Rot%I+s43)7H-Exj&#pEh#T1ih~%_pCBs&cVw6 z{&fgWLo%fy2V)6mf^^j<g6pM11cu1A0o0Ep)i}Pva zhPfGLcXz}E%S$u08^`4CBkWwZcU@d+?Q-(o^;y4qGG7;iN-5V)V_ppd-Hg!mNm`6R zoh#JlhlD6j&}2{VDlyOR=x9{jPOm@=Rs=ZZI8ggnKxLX1!RAmn z>$(H=Na4W%dMjhHKTu~xnzH1a^PJOBlmmh?Ok*E+c9dGV=eDY#;2&~l*@Na#gj9wI zAdz6IPys&@q+?USK8~=+Lb8vG@PbQ_274wg zdmUnfyEu)P_O$#&ld>AGHBzFWnMh6lI7oZud2h$=Ef&XTMDfB0ja6Qp6}A>|ut>;J z&gkyly53Bs;Xla+=}ixTK&}5_%2WBIf!(MndqgH*aeQ7pk}ri5e4D3;5145G2>D0o zy3)|_sq-?o&hVe?cYT(^W^rCzJ^0Ou;uKEH_u{H{IZr=mTv0315EhM$PY_(>V2&ve zH9FCG<>#@|y=(JaLfms#-NO-CW26PtR?F@TOvD_9i4cEw6>dcu6PdChK15!!Lp}O7 zjpvOf!I&1&xDHF$3w-b2%l%Wv-<4dFmE>2}Rn40eh-D6>(TP_C^npq*tc$KaCGr~A zczgplLFMvy9!@9nc0yP}a=3c8MDxj}x5%d!bqcgD2~3)Ebgd~q_Cw@jr3EhS2EG;9 z4;mOR#EUOv=e?g|IfeHiW@xD&36Ir(CBE6#TEuv71xC?6B<;{Rztp~l!v6v;j%UP4 zT0NziuF>o>NIhyrjKJ|>uP9N^$!F*>qZ&=-dKo(>gA-n1R4y&+(oZS2a^7t~Im6oC zgKBPrYF|93d1wo~wG|t?b zGe}q0r)ekoapuk(sw;TZo!6I_orXfKd;#``x%R-q9 zCTa%7&dMt#E)7h%2>$}5Q-aI=p9kdSj4Zb*wS7N)=~T7TKbGx|)osA)8U$yPgNG(D z3QxaMea-_p;m73SXlXl5(jDLfwD9fd-&4hRidPjNb~4xCv~Sz{4%}9>3BbiErHGLE3j0OiO>%bqle}+-G)5MjmvO+b7GYXUB~dn~@7M ziZndy`jU6!4b?2rY^zR<|Y@=^8^eki|Gt6}^w@FnNfCov02Spq7bp_~5k9x=Wa zd7G5KBG@kKQNy%XrPcm>P>TuU`ff``^H*U#yv$TzQ~c?WN3n(#OC!0KRkn{+-x~J? zjR$$Y`K$6<~MF@FL!J^NiI5Lgx{yV|4T?;j9LoTb3 z{Ie(fyU5G+0-ubYDs#`h-Rd0MIxoI>!2RgEL}>3wzKQK5JC8g|oFbo5*|+FO4uj~- z+FoOQ?jQJ5N45;4owypMLofTsyFB_8Kg)&eP}MU|pB*+Ta5LGvHK3-|q`#Mu(}j%% zj@4b!?qK=nAS+pAWt7ih4XIy`Cb%9x>|zk)oRmn(11g|-^uCD31KA=9Qy@Z00|@)T z>%%`Rd$HHh-^YBFBz-GwAHUJaWiQHRl&L2E!Bs(|NOHmAwJ zdB5ol{C!ShV(&cd1%kpbL|vzGGzI|mdjJL{3OW%sbj5J;B|xM!*glgc@-DlcYQ@T- zG2ao^cT3m0kDXz+4&!0yKTu~pIz3cI@E0pycn-Y*cOnXg5(&XG`=DN`ERBN809G|T zn6bl2#?7}c1zt}=u=K7e<|kg=)NMS_Olb!`KbN?^mNcn$x#HLUOiNg$VxBN~-_Lxi zAT4%6*y-zEL})bm@JaYSsPNw=9|=wQC{ImLC#D38rW%j2v*_I!g09%{|Lyc?-sL+O z7z64O%WfUhHZ;CQWp6T*w-g6eC*=9{>qr-9y9sB7dQ%-|(lbh}XZrA~v8AQpa+zU{ z@pv|Qu!;Jbynn%ch(N_>@FilU2E6G(W%Wg381i6I8&a94WxCy=Ax}bVd=BYRB+Y0G`oZClz#`W@Cn)hbr6z{ybI21R(~%G zF&AD>FOPR8q=liaDr>7XE~-E!w6L*W4&W~=l#O_+R47tv@Av8L(=TGIlF>eD?R%ecriinjDW< zmL7J>o16lhv9BA9x_TZ`@3*HmAyyBZXFn!m$Qm)Q(ww?c~z1bw700{`VUz6iZ=cZQ?fQ|rxV{GC`2 zs|$mH%G;ybJL&Q;T$tp=;|w40=@wsLrC!|57WgyHnoh5Bhnd?y9>$sb$8Y>mu+#dy zZ5?vtKlKP=w#uaht`cH5Srl&V}wt5J0(`*7xfWafopk9^QbOc>x;4A%)h3xV`sh^xYXqz@0;AGEU>jPg{Vks@8pP3ad~te091RQ-)W|w?wLCy8iu)CSmD($(U)gK^gGOgPSp{+=Qw6*Xks0 zcTV4Fam`-`ORft1c#vqT;og##lerADt3AuGGb3{`5czc7HEVE8x5N6=t*=>-uXtK z0$t0bJSqM;sEW$SdgRA-c}Z*D`&A7tCw<9G=?07MkFj}Ic*5?)-1fm2mX+ODsAq15 z1Oyatq{KfX*bkjC#CvK9RH!ykjjjG*+FPpDFTnk}5oU>ugqKj*w=O!I^XpOWurnjOW~nf{t4}40nFTe|UuoQXfgBj=mX7;ZYuTzS zbUyThfyYS2pki;BdYzstx_-O8>RE&7PpNu#aR+PxgXtGFp6Qbd?!?PR@}(r*w`>y^1EP(k*(j`(!;2`74I*3 z8@=kgz;k;0>RyYj;*S_Tru51;!=DVrN*))~*n~L`focL)O`7B1{WX-)-Dn9V@kRrx zx(_R>obsxPHTs&M5V$(Q^Mlrn$93JbYh)d|9Pss={G9$i#yEkvMsp8v=3YcEfgEoA zrg2~mQO$}}*#u8#h1neX6}mLtd0cC&@JIs)l{haw+0W$irdk`i(-45A zD0uNg`gB|N8fSTPlz>=3thGity&{M}H6^kRQT_CDTPV7~Rbf#0Ir1K=otqqWtN>Kt zP0iE8!QTV5*%q76XcX(A)A&}sypJD!_5bVm&_>(-aL=jb8hOeuEwEbHqV5&@Z_TVw zAgM~0=4`C!tKrc^I0j`xo(Tj!CAyP0P>3lmeEX(WC4lbpC`JiHUZ5PGsOe$=VwIr3 zoOe0eDz^`Ql$Q-p$LIvag2R52T6E~L?`{Ak`DEHQ?4&tZk zS?*42Kx=mzW~)>jrnOw@JIJYp|56Nyh8T3}e z{D-_UsmRYNBF;RQe(!d}seMASbK=2YBKPpb@xfU14)Vp3&fLD$0;_iO;+y`dRI)00 z2QwacagyFt_lz)ubJ*XT(Q?zGeqTY;O@YD-25z_L=nmMfXw?m=m;PT@++U`=XM2+$ z`6H*iAKbyk1}PD~_aaM1eU%SVB$H4i4!LIK_O@TvuUW)wxEc&8NpMJ7QiK!h2!x$f(rg`aUBrs}DCbPIipEoBW7<&-Ps#}PQ`3EF%sWZpznQW%7X092%+@fLV5=OQoTQTP- z*P}u*W|sPVzCG96rQ1C{3}7>QA^paA>Ew~RSia&dF1|4l2>~In{3ZLt82iUywu6L{ z2SYRn>#vLV(b)p?bzKy7LnB*Ba$~VEGex8yhHqb@DTbdo*#sKfpZ1#p*dqkh2I!?* zI9sr^HR9TD;^<5aVVGV^tZ2XB4ZYRqL*{O;NC-sep(jsZ4We)umLv5?+{7F7&zQF& zBUri2r>vv8X&JlK#B>Ydfbq?CozSaZT*zYuM-dmAAV+;jqiz2ZTJOl)fswfxORMk_ z1(8qTbqr~j$pQ3YO7x~+ffgd3V)Ot*T~|B;MbbfxLQ|3%yX^!HKdlSP3(<2EUxurL z&L;?o=1P!(l|zu*UTx@#Rx%KI`uxzf9&zp5(CjXP@FXlXbk|F-*<5PElBfhQ0tDP; zS~QV23nz(9rbPRJ7I26@n8EQRA<$$=7#}22M2RM9GX$q|^pc+CC-SmjbYe@O*b_;i ztK@RcqWxK!tk8Lr-L&cFH!jEGQXUb>IjltYL7jQ?WnGHMci?KjVKl9N9XL1VB#~F2 z#sLo?ub6jjRH9P#UyvlrQ}X za{r~SaIZXY8gx~fV|))>lxKdL_jFpN!jQn*T+n{H?;;Fi4yL0Tqs4ghOdee)aFwo{?+evPJbus z)-T=om>zj70w)t}wz)2z;V#guE%(whVjzX%J|<ewj z@D@DGZyN!%M;!cJUW57j;evzjysr-ltlH`Ry((Ek{IfRMADTy*3?{7Z$KFWa*c|vc z5U7EXo;M8Qzmc%PfrjQtEoWon@ z7^avCrD!(Wz}lYz0%v)u**L*x?QOZmZz+8*{K=#sqwc_S@zbti@nu1QXtrB{ne)cc z32esKosvG+b(&i86i6yqNS$JcK`0(~mdKkA|2UhE^|*|tm59U}e;0E}7K^mr(B~J~ zpM3stA!ZB0&|H|TrS7>e2WleDA{#x(_n$o$S+W1vgr#v1bm(0`2>vX!Wz=v@PIam;xE%F%K0YlIME-oG* z0Xp&8e&#oU*56x6&pY-T;iW{9&Hvre!OLan-#0bwD<()#b;+<|FCl0m5xv{~hPZ|@xprTN9zY5pM=inhA2cgaO)x4zBXFXXGv>u7DwHdt zm6P$n_P<3DfzMO0s^p1FI6_5us7=mj1^h<%ch0KNmZ|*y@kaMwnhK`XzS9qWu2;6d zVuy6}7YKXVaQgnryU~4UPg5%}$CfJzT~tHPo|vM3KZ((8Lrdd7d6uhn-|j}QQax_5c=m+{~j+n=kgvM+CM z&bwp?Hd#0t73H`KmgKnenJe7VFqbYfO^aD=73f=t{IS%mt@#7b)6-S&__zRhXN=YT zYA)-OW*m0#7IelRFQ<5h6+gDn7AgMMmE{yB=(yylSLSZ%xHciK0-evbgYc&(STHa+kODdpz-@7tM0kmHm=m1r~drGe*u@$lMo#lnEOcBW0|(B%1UB z?v7QxiOLj`U^TNbRnd5e>`8sNKarJ_OO@cydYcK$Iwf|F6es~QR z{#;F7iO}RLq47ZvU9+u2RI}$q-I$Oex8n|SSwNpIZua_dh;=4Juqk;M>D3-WE?gE! zWs;Mv7iTbaI&QTclNqM-pMdA?0;iOm(oy?Ddsx@Y&GF_hW5qOZ6r>YK0R0izr#z^3 z=~aKwN(A%Y4W;FSOcfWIK!m{AKe!C7lzgE4f}F{J=%z$3nmeHD=r+buqBp#hc-l$B zv^8AO#FtdL6W7MW&LY-U*bLKuu!#eqH}P(Y$j)= z--q^c2*=tpV7)aWM;H{IKpb_^9L0%zr@o_k5%1Df0P;>@3i|^-IpHFn;|*khMF&hR z<+(OF9>i<1pFykZUF7v!F_lQlb9&wPzV1Hq;%k&|))UmRirES@BkdRg-jTTE{hi2eTsYgZL#AyaUd-@y5zNcOt#H*CpU~e{gW! zz}-keb2AMEsXXUYzq|*xiap~OvzX;DqdSfO9o`qSiYpq(DcZ@Lwd}ZD?Yz~9z?ei6i!7gvqg<~7JBzOQI;X-&9SFq-y-~cBcpf9Rrl-%l1;dh z7xby8FXB7Vxpi~|y{fRiE&dR-SEEk|+)_IWZv9E#?JdgO`FW+$q0I+Oe*oXv*uIoT z2|@i$a3yptxH(f+;QfKLs~bdU!{5*k^?Qk!fCgHfXszj2c8I){kUZEe3z>#Au>?}l z_~ldo8u0x45Yc~yzWm>x{G$u^EGkTOqT|5e63>`b{V%-ZR~_?LuOh9BgumG`dzO6~ zlUEn2!VNOlu#J!0>1iEizvEn9E?DsA+?qS-;$|D@=;HO&wXt^Aw-i_!wVe(HQcyWA z*|CAD)EMCP+n4oUaQpf*Wh42Loh-V49@~i;@KL1=Q~ArT&}~Q~{beym6>JtP z;(9#ZNyxi97dUv5uFR7nB5p?uz9p0Xs;pBR%+Ui|JjkPC(^EXp+t{{%m59-xl?#FgFwLTp;6 z$2h$(MgO*pcZ#WBT|DNQ@l#vc4IV|Yp^Xz@@Y%)$n_>y72HMhZplS2?#+7B*^MjqW z{F*Ej%%yN=vpa+kb6X8_Vbm*^)x>6IH)HBr18+Z+Sb#zVRy8bO#!C!&-Lz<%-#_Pu z6H_-fUEM3%Buj#j!l4b39FPvB0e%N0d-%hR`*?#rDH-rrKz=|1uRJc0QO{wARDmzu z)&h^qk9U=sj{i#zo-s(95*g0C!nE?ps4`QxCz=mL)JJ{e|1o*5P8hG!n56ELFI#xX zuswK1x%U=xBwK0-D(}`%~SXVm3+~_ny2IaJR8pY)RbE z;ptZj_+EupKGx`<^JE$+ic{O?7l@B_m{F^oQUj{;A1~$vIxqDQqxj%92Dfj)*b**c9VZ$oq_7k z!z5i1|5B!2jnjU%-2DL;cDIx^Lmzfyi&tXR{Ky|19*xiI~9 zN|-1@HOZ&rL}DK`XDN&U_UzrU<_KB87jgGJZ)xdkqC%^H_e5CxcKf8NkBWhmIVv{a z@;e?msAEFT5WaviQ5Shaj3tKBINC>WSm1lCKS%^Ni!-9rcQ1x_Tvgh$lH)*LA6il$RNP&EJ2i%BA@oD!7V`BHwd&(i+S8M!gkQQ|VbG_92ZRFFZmBMK}8{MK{q;&%@c0Z`AvSvUwNID>0UpwWhI~ z8aIzUdqKOl)bb4HaAo)hr+C@RfcAEYLxLgiYA!+YmwJtPMF3HwfIbAG+)R9)Ms@(; zJZ3zX^Iq!4i$Nq1!}9<}wso%{B?dKU?mx?LP5*fOFl)Y2)dW$l-i0q4j4>gpmzwIDb25-S4+}kAZuIp`g@K%SB~#*XsK54yfuAtp}I72hUo(?JpCD zq?g$zH-jFfl~I%&KFRE#kurOv-ybclvU4&mUSNicf$w9)yZw3_MYquR>}NvYjJv3- z%WGG@kdgzx5_P^yQ-1m6e!i3t&>whIZq=|cawDih#7yv`Q?)mw#k@zgu8D>WoRN|A zeGKABn8$3MI>l4%@UuXMsBG_=%F&j1lKC2c_3L9b34^qrE%v%H(Vrbi-60W27MgxX z#GM$VYJfP{<6sj~qaiS`L9tS@#Yc3R{z zE>qQpCz4K*C}2?O>q3^MmW-!@u`Rvo_6L~w(?Nt)@&H+oPA&=4;^}9h6__=dbHtyZ zM*tl7AJ|I!_9Yae4~_@W?mzUd6;FSJ!}h_4sDXRVPz{l!8wL6a=S6?0MCiU|fYDB$ zn<+iWx^d~jMmHyzc@z!#$Qm}`Tx|_+3HtPe)K4F4VXm}29)Dx}^+jIq5_$<<`)|!& zdSEu?3;?Q~w~4$*Bn^}QTebb)sw_w685GgxTPmL>&&KWrNMVO@&O6k8`tH+>0@7@L z9b{t~qB6c$APfeyFl|4P1LrczzZ0o}AN(0foyEU?U<;LqkTd3bftE>KGD5j zrpv{%L;AM-H@yq1w zFrA8VV9>FeD9dj_Hz7FN@U$#gME@SY=KFa|c4ga{I?+iV^7FvR6Y-(Ho z*#5yRV`JB~bn;E|jerV~n}7r5N|gNd^KJp5ds+64J_rS4Zs_@hWreQfFimdeYvIx7 znJNk*;@NvnMYCB3Hr?;=tQD-}yI5(I@A57tM!0sdaLhjcb5t6eRrG~2)o^1brfcVl zRJ(I;BrEBy1nsl2Gui2hiThZ*jIceq9DDU1f8fUdda3^iOipDrBF;K$sVAe|I-$(WNkYQ}w}Gi+tJ#>E|fdhV;9tg_6L zQ&S$StV0yPL zY7~-Boq%Gk$3txfQ@LaYaHHm$rd+aoUDRh#_`~wlaq2p>-A+Q99Z;r0lcu!E>d9e} z1jjzvT}Y^yL`RVp~S&V%-S} zxXn?4DB?079(j@DV`vzWk#2~>0!Uzz=I-ab<8<~rHHWJ3f>=6pPhfq|IR@>@h6}g#-QcvhAxMKla;)Zhxw%s{BUp36yb3%%Hd)b$;tDZ7Od2j!?&8`Wcy9?w;J}| z|JoBA>Jh*5>w~~QdOUJMuu;7xxAM-o@oj=z$6XFbCx;||CvI&JXhr*m!iu(5&7a^v z@A{p0vnv`y7^^r*_ZwQ~gPwuH1cQJlDLZBJ$wK!qU6HXRE!yfs_=xg*7^>BUTuP?& zdrVtos6-3yo~frl@qUXXDb>xxF#FUQ3_Wv8zR}B~LsE#~cTG=08+wxe9g7Q5+?%uG zo=dplu_VWh1euGwzC8OAC2;CK+3f0im3Sjay&5BDQ#z&@Bn+B;4R|Mdb-omoU5baC zzs&hA4YpAR&)9fbY1Kfr#8`(W1U6_siK!pwVr#R&UqXV*?2A{Et;<803Ima=#WFy` zD%&=L$V1u;_*0Pu91sYSSd)Pa%#zV_L*m}Y^@H2=jIVmW{xo)twtipn0$AoXBmV~v zivpoYoo8mxLWd_#*1=i+V&8|;c46=Z!OoRJpsK=`Q_qN?kdv?U0hg%{Z$_fa*oK`3 z%A15#@FG|HoxM!yvoJD0c}cu8HQrV>=dtf6wmVEZnpF!N*5ZmhaLZ%60s($T{^)&bRy+@IjT_W&Fi$DD&pkLa>PV{%hWFec;_I48 zHq*DJ;~RamyGb8fOLOno0k)NisSJP;|3f#xxzqnp7oum3{bn}XnQ#it^xoVsr5s~3 zLge1oFoC1*5Q3s@~OSLVM1T@9yOTAyQ{(nz{P$YN;$6H zXS{?qQ=KX1PjEf?n20*8VLUH<;X&JKao<Sno(2K{T5$%C3YPy2&K+F@1h2TvsYPw+moC;RJL*dHeR2?YRgFYb zpH%IlmoKsh7_BZ$83e@1SV`WvMYP1}ly{)wGk?$G%Jq$9QsnRRVm21eVxFIGRCb{? z^+a-*UuwIOYT;W}%h9vm4Ldd&bbQn_vUDW{auWBDs&o2?a=8^-ffm@^Q$B9n!M=l+ zG_nyz9!LhcwoBpAYX>Lkx=$nv9q_po8|s0-+noRGn;cg>`{A1Nc_Y!kfB#%@U`4e> zF%o?jVghs;w&VSf8t`}!66q3fg=C9&fuvO&c|%aH5G@A1^orGTdPvo#rJ^?Yi?BG0tyT-Xht zrhLL)Q$(}A_;~b3ExsN4TRg*K&Y|5$r1S|kE~BDhX365eA}(hWRC6rPU$f_;be6Y3 z_Ugr*{;OC(_6EWX^bIxvp9{WDj-cxT9+JkXiM9+PD}{veQIP!&J465UsiN6@cv5V5 zGTWloq|rTkDuWcSTl4Ke_}lZp*n}w`%{#Kn(d5N|4RXaVu7kisz5=a{*;(V8cF*Yj zf17o#`IME$^pYzUNhyIceawNn09K&jCXTuA;qp*;gYj29dKcl)IK@g^Kp|*g+v>@4 z-m&`hwzJKws9B17f8)FVUA&f};mFub0qG%Z9)@wvUf&={5W}`;@QZwTAvqN1m*!;p14L$RLI7&DpZRqlI7NO@wU5at^J;*P zpSefx!9tpS9-$Hx0U@7mCNvf0umzLFJKS8};9h<{`sGin`MH^>fRFpoQK)%TdMJ`y z`Lfva$8%0@^aWJu5rseWO=EDqH$qpLoa73S<>$zAI79{IxemDyS4f%RA@UxFUiD|) z?l`dRN9m1G^oAz|BMhb_$FTQ;+D8U;F0h1^hJ6@rL-;u_<+Ye0%R(Rf@10RFLk0l3 zV4+nvqkr7muD0I=k}p^h?NoVQ%i0_|0BNy>nFv(KVIIVf;#b$^Nnj+p;Z6Mb6GED? zclpuJu&vVB;LdB-A8{@Lfz7rs1JS#XhzH2)cZ7MgO^a8*_}3l1nx#q0lUHI^uQXbu z70YCl^E&J*k5fnGtjfV{&nq9~pEs6C3ju#(x3IfI-;XnwVNtX2y|v8juKy-6CT3IW#vZg7p#?jmMemlLB(jx0W1ZXIjG~WM z$>_(Q2F5g8f7sYR_cas}25t`$IV>a30t`Wc>w-&xoWO-{sR%Z^<5KkRq&KyAvFQvz zls4+!=GKp&`*xK_-z$mD?kvw|HlZe?-Vbk*ib4EfF1xB|{x7?=cwOeQn=b!MHLW0^ z|9&%@f0fw!^+np1?pzI5rfbcGtmisTh#E$|XXE>$$Z%WgOH#@y*vaAae1PQKFF?ER zLd6dVvO=?0IQipG+dquYht!+&+@%KoUJ}K(HTEuF|1^0W*fZ^cu8uby-C1W(_84iV ztb-l_tauFy6piEBoFSm`?Q`gDgrHC}eH{qZDFQPKMM2=aE*ZSP10igO)`BrA=*1G+Zz*D{R#_^VB79;;au+l9cy}2yd|&(d4}3P9-3X-R`W_w zX!{{0yA7F8+E|EcKa^zbW_X}3kNsWWie1%Bo&r9{BKpsT);d9;Eu>QV>G{TiH_6aV z&=*Sde&}YnNc6!aHwK#7VUX~NeJ$SKYHZu89P8m`6DN*vk*xszMd{{TUK`smhQdWk z0~_Pu-d3aU1%!?`6TJ6YY@XRPy7!bW!n@|Eqo~-{Mrh)TDFUd)XNanS7Y2HA-C&WQ z0GbG2t;f$63d_;=NuYHm>74mBXf{GKig$7mMCl&;Q7I7l8XdmJP?#3~83B3(cB%c5n zbu6?UA6`qJC!C)}W8oX*{QBZSYH);ZqbP8{G^jv3YcOACdML}fj0kuipT~N0;&=~` z)iAsZp1BhQiB`XW_cAu9hxiYByoC+wKj{}gg}m+tZYLw+uD+KM*L zIi8l3@9N+yrpiWBN#21u&v`$TKh-590+gD? zVc8r`EJlGVFZFe2^O~PM zqerro(Mg!MxcHX9t0lym?U(3UyeqhqXW_vbk-34FDl>Y{Y?T|{4au0s#sr^Ic2Eke zmB?4W)1iU)Sv}y_x3Ctz;qU`(>3ycj#km>L=01xEx~N%aDh%SGt3S_z;>K6WC1CF} z@=2r6w!KWU%*#7jaI!=Ec^X_cau9l&VXOT7_2&K$_~opI{ft2hI}bE5n5Xbij(K^v z6mth2y&N21eSaylzDbZF)s?@TY3oy-Cj*@4Ltrwt9!Cxu&Kh`Dlt42TS1qyZ(SCV& zuu_MLXS>f;x$Xx2mLpkDpRDZTD|aP5%v>U1j1-Zseig@B$w0JmP+4yIGi)sDs$$r5 zg#(b-0(qG~D6Un&c_gr;3jILfDSU8j=u*^%w$E$d{IG-SrA0&-w{8hP5nH-nbhzF` z6fneG{sR_{1|)0y=%eZKi%su-Cr>61s`V1jbNx;nI~e1bU!r18jcVUL{M`$BX*mW4 zUdj#hx%t0+SN@L0Hxuj=s2wk-b2{_9yt1~tf6ynAu=|CkXoB`jIR>4Vn%wEHmz19b zefPgTPjKJuhlT~FRf%FvkbN&TJ;xkUmrJ2c5 zqsDBYQ!Dl}_@n)0M?4b4waD$gxnIYz+=<#%avgYUshK0YocT(~c#$o5=8@eb7g{kT zU{X~pqP?xkqWJo!r00mepxFfbkTVDcp24nf%$x2jWZ@f;BdU8AKg$~BuL>8^#&h>w z7p*}wV4aJ9HElrx(qGfr2a-En8cxxp{2X0ZW~qUEdm4q)@VZq6E&1SB6;s6VbDem) z548C|_ERpIBniDH^R`q3-xWQML^CbiHSQq%DxSQIl@t3in2mbWY#~Sx7UsvSA{D?F zJVQ2~L6q{;rBX__un0c?fpH}zce8Og3X5RmI)k^g!R_UQt~_Hi4bBYM z$vIn=uwBo*$+mi({b{A#_F3f37N~C8QjkZMw4onCNuppcRp(WScV?F1@?e(EtLp5@ zPnV|A*Hn(0%KX#W7-ongM5U3*<<^_*-FrmFjV@27wGW`RKt>wx-jZMa1id=rk#-ZR9|jj9xx86 zJ)-QvPK3v@Zrjwxf~)XIhSg8?W>x$u+gb`n{f539e9ywZpqN?`MXYYXvKwNXVz(WA zDuT2Re}O(vl!z}rx}1e`#@nPc%Smlj70px~XgIB8J+^gP#Z@-&CAbE!>MIM*z_|6t zDt+9{*t^n`Nc`RhT3<~k+W`QYG*->#i#wgQD#spDG;g1Q_P1D$Y28sT; zq35rf94K*o@pg0^3Pmf4Drqc6J!o1j_3uA=0*Bq1!$DMG*leW1s3P3ncTvf!dK}2c zt?}lUWvK$t#UNsvgHCrs13@3JueLmgW`bEYuJ5m z4dRtS%P}I+i12T|YtkRP#_AzHCCng+4$@Fn7IND`)fh9utt7uVI&`$ex-^90c0S)$ z%8MyKjYr_lh@z@oKk@hBztjOG0kWF@&SLhr3D_(oya&38WpqRnIksxgeoI;$9I3hJ z5z?ztFIJ@e?54JW#idGCcE7I;DS>eNyNlN)v8+>2a{mb5B~Af}G`L*4grw+& zK*8S!-RujBefVK~%{yEN{@m6Vkr*WE(`!&W4Cq)G$-RcXPM}Juu3Cvsk<>~k;*hs( zhUFyfm0wT{&Whc*1Fh{EBh=d`aK-i%xu#-nIb!!_zfOJgHUUfc?Fin-x(nWBc@AxTy7D?M4?hwbaWVN;X=2 zq?aY3R!lM)!Fa$k6!~I_5F?WE5fa8-w&kPG(N2+RP?*gY{pW=hs&U;^%ZU9S;uapZ;{YTV~R% zSZ$N>(fe1u_tT%{P8J9sktEZ-NR8e!tDqr|C612eon?;A!Ygp+zU8Ni#Kwc~l39{j z2k?)pr2|U$w|^Dhw-4HT(OZ}$k@+BK&ZCo`r|{s~N=MiGsCc9@ z3A0r3g&`OHh~ZHNN`B3=Kd@vaD4h>`gtf0vOGZ9?I#fu-PRC`{A5QHTW8lKjTvhZbx!>;>({G|Jo+usFJ*Y@akT;TZpW{?5vStnz8ilrdEA2r#WUduX zqE4x+-I^*NW`DPIFX={x&ny8`P%d+!(PnBwoy@9(QLUBqHG=F>*eXa2dnCpb*|@{~SxV zlSwj{pkFG;!m3B=YaD{Ph$COuE_j)lT0~Eo-GO^tzmfmuXoz>snSnktx%cJh5}Kbs zB=7AGvxPs1&5~dE`ZZN`NeuT*z^F+-C2rIv8Mba+oNiikN64s8e^l7$a|$eLUO$Ce z0Mcgz5rZfRJScWNUlLHfCT28}zh*Y8HOg1P(cxHcxM;(i0wcF7K0GH1VMSP<}~Jp>_HVfnC!rKb5XNU47Dgws;H=x6SrFPI-G10xhv;Tj!0hG12A5kHQn;&pW9 z-MG9ZGW)v`I6fhA7$3+wI>n7rk?tRG>cV$)YyioU92v(BwhW>V49U9amC{4DnaIiqoOBf`SlZ)_g;6-x8S0r~m|RLT?6hY=G?Qk4}`qQejW3 z(#s6*V~iy4L2PSb5EvLd&SV(O#M^&n$kM>oKd8GXs^U}@8&10z%~_7C>f4P=|C8aS zHr7FHq83UPcY8Kgc{cV$Yiww1Y!&(22UyUh@p{Oe-$RM~9GnNiqlt1{~=^1$np!&zg0*BV! z&4N~pj~9B=T*&Jg)n{~L z`0;|MU-A2AWOAJtZ&)9wu+SLMkq%=zYGXP&&(Ci}?qOf?6mNR(&YiJuf9>9I z%b^yg2fMQjixPn3c|t}=l{Rq4WhSHdAXZgtDX?sljDwkWZI2yaMgCf<_*hJdmox|q z_^6+!PX{eu7?NE1emv9SDn@Y{BR@{D*YIL%-NHZvQvxz!#baR}7(74l6CRml{Wk|m zbA7T-=L-Le$eKTaD=S}h^Bcu^iM409HhD<13%mtIqkT4(ZY%TjAEk8Mi7 z#`irKu&&9-wD_eehS()!S>Vlle@$55ndAz?8-eB0d1Wg1-;BbY+*1W5grQ_Cgh;aV6m5PqwCLGf7V5$+S%mw{yK(aTde_&uxd*Gg znXEN)avL%I;f$3rQgkLKX-I}iM@KT%myDIv7e3Y058AcNUA3Pn8ZYR^i$rwe!E4HE zpeZ0Vmi+tXKuiF+odD5^MM|~}A0OV;`9S|TAh7a&1Y#GkLyPkC&F(;QaL1&%X8K8V zK%;KF03skL$BxQvLp7-Pyj0zXxRu82VF}JV#rJ0BB$&WtuQ@lunuSePBax)Lj(S<% zZ2jlmQeSZr5h1QkT9rd^7(5jQUT5!(QnjbTOsnoW-`t(1!reFj)7B#XB0gNBs~kd_ zW+ew_XV1l0mLMu_y@?1q6U6JtFy?S@v@uhFqn$Z4jG0Nwno;mEqZuvifvd-<_!lm( zkeD_#bi=|r!tZ@I{(<)2b?INPvtul1stG@Fxb>ww-C2%Eb7JKeGdgKDde z5Z-h_bMLQ$a0kK@Sfqz>qvvFe!A=&DDX{#2a>p8d$vz7PqX#mWp3uB>DSDY=^wZ-x z{W59WQmh$d&#jk!l2TacvHxuB?bcZ3EB6-}-}cv%0uU7?Qwhq&4?4!mTQC5_LvqcSTfRANN8@rv<-{S7h&kRRN#vl`rD1C7x|HL53*>p}Uv#-d5 zEd%I4_h)^)hvIvjT0%-+8*$ti*p;R3v5E8ZcH?XQ05|rpW!?r%0rUA_z%wNIpn*CO zr|zBAIkDJdYu6g^kV_Q9dymQRT~y9WzT=q=L1BY5bnA0+=8?;N@snAc8S&JVmDJ^Z$LfuVJWbLIsNLSjFR+6wT^+{M;Tb$O}OAxIkYQ#L;FN% z-h5Wl{5@aWI&{}hiGJr6-#?68asOW0Ao862_tIuAayG2|#!_kihFip7?t!DBut)Rf z{|e8*07&5(7=Q^Ffu;c{ZwtPxLq$$fe3rUd$%$*Sx#Bp{;CpcQFE|8V?ik8ECmF?6 z@I=hb+oThoXs}k&adIMwIF}{GczU5Xa{8y$E9%e0HO35+rxg6Ueh)&|u$SFs~=$*Ml{`4Y?G z04(0@e#17RtYGSr=1Uaz^1)2&_;}*q!BD(^|G|tLE@qGaam!Yu@cB}MZpzp+-vJb$hp=X6!Pq?KI)wigE$gBs{C0^XVr(64_kV$JwFHZhlSZC7Au zCYM#v%rj31PzL)AnLTXSf&thi3+5#fZ ztx;sEaJE!?FNyDmjHdaDx|e*B1ih*T*h5a(@CCZHg`=5tQi?#8huNOeUWC;1bbKd z3sd_Y+2WfZVjz^!wXfnr;JbEnXD&<~XnbK%ChMhnXnDLMz*_jvx~Q|6xMBV9Qe5%F zK>?Ou)lPsrBum64;>-jO>U01MTOcime+51NI?T3`2KGh0KYbf9V2h}6&leSQB*ysP zQN5=fj0mp=aSCo#4}xI+gN5LR1|3^`><>9ZH9fLZw1}8JD&~Sm0zLXEE8KL#x{M0L z&s9dBY%^DzSH3a;iKPP1B zaeTAE2maTNa4#I>=&&!Oyh!HI;(tn(;oUxf1?PA@lsrPT_&x%)Zz2iu0X)ChfxkG02Q7i*0RRf7RT5~sC`czF zdj0oxJe5)khmck(YUtFLAdHCVWT>nESPC(mofFG-Q3jYlRu^`T&kDArS9tPNqxR(=#k30QRdb!%REY-g=h9%t~|htDyrB?_;2E zNz$j3^weqwXdg{dh}fDsAOOFr)4FvRlnh||N*NgO;V zr0mt;_kTeI*Y*E$9wdlW@!FGEx1XxFgt0!pT>b*EmEJe}-C?^hNAnYR&hr?iN9E)J z56S{l!&+O1a;POp0H@L(Kj|0b4;2IO;?s{VQfQs)e^T+Y>V8&10Wm14f&`TN8VsxB zM!kx^bvQoCckIb55sVvcyEl4W<3zT8wey^a@A{Q4y6Hh#**)cTO=fT4PG94St2T9P zx8J+z#&l;LC&6O>%7Fi!1PhppyRcVo(LV$^&d7}ymiL>aJen{64X!<1q{s>u&w@O~ z2m5T2z4Ww$gfI#h@u&7IQ1sx@%TjX1r`-#^wejzdJ&LR9|H-3tkxK=f4>g1G$5n&Q>^DOt#G zOUjMP@;Fa1Tu9xo^j<@}AIT?$*TZ0ds|5gwaGV>BKJY1r>6I=S!$1zGSvw7pT4m8} zufqi0aMPa43r(7D5SWUet+ygRnlC+dfsNPWa@KS8Y`2bVH}!1mj_1}LE!G|2%>rX( z(4}5#lL%_f$dkftG!M1sy$)>nc{I?qOo_ORPJAd6(|v#$zPe>OsFHFFvVX>i6j;`! zz8!#FEgaG_-MU@V=To*ifrsH`S_n4VPxyyy0XX{+_#~EVqgf8ym5Us)R73l6fCR%T z^THjzA5q(!?&55TN=4V{!}Vb2>TdN#JcKRjmbTqUS^evFwRNAS)9V)SN|9RI#Eh=^ zLh4gH@5aYB4ao*iR&eM9S_v8H6;C8C!w^gvC2K-PwWXer_GFk{(zE)K$*=D*SJt|C z_8zQ{M3Y9cKuo`P^G0MWheg)VQ82t`vYfb4z^92(5i(4 z9qsOaQC^*m0~M2=Qf=!~ZYH9amah^Mr4_66i(1xx&an>3NjPva;Vi5al-Au5~)pA?#DWoX2_a4!qgUIXQ45`NEVEcJYg6N(f3c567=?!wex3|5Qg<1cu}8 z_AiJ70d(Wj4_U$7$MERbwisk3Eue^U4EgGviw}9sbD!9Z@QFXHd}f|_)T9rxn_7);2SGa(h%T@)jH;3%XU9a*`$5TAbsA12gjln>o!7Q}0y`Ptp72li7zX(EE&CDU_oK!$w^Ex3I=0gT3kZf| z>{AN2>;fClY-RSe;?0+UlGUV=m&8tmBl#Vdq-90s=dx(K62Ro&(EvE-b^(ruW7z&r z@M>dwOcqzSLjGDvZ#7DMY5i$}2>o%U$e6kOTWMgM`grPJiDMC@k&Z^ig(A^ibeMs;-- zVY5;^7;^t&;XDXQGX z(yK51Pd;E1j>*#MN_|OLV@d7eZw&xQtceqpd?E1}N7}vPZwGo@LAp6e%)k2eXG+%l zw$|Jev5+gPi%&F|OTFZf#Z)RR(IsTRXpGKQ%9rYT54W$*M4nY>lH{?jKJm$s5T7HML*LyWel7vuYv%hh_#jB! z&DjP4BJ;gp#G0#St>4;(GK7ir5z9X4o|V6J?qAL}9fRO1_1_0;_#~WXrkQFh^8}#0 z0z2R1Y%_e&t_&W6CUG-}!~_Cp=X;Hfa5En`xYJ5Qa_cXb5Dc?Hy`!sCT*xqQw^X03 z&M4+$r=pm{Evv;k`IjyKo6tp;oG9Jxgd<(k*sMmdrB}|d zQD##elqQ_D&u*tR+BIAmB#S%SD)^^(5OCZV3WVPf_sg;PkxJi^%$-4De=|igp|Org zvB&J-W0$UVJzo?u8Q`I&U?FQ~&H;Hf<|b!G=ZmU%uEpT1vVGo9*2YatvxIOIksj(EwBrx9jZrNqWe;P0^y5*As%W)gQ*2e>keK{MFWZ-X_ zHzJP+R_(1D=L2wJr3l`9p1PhmgkkV|*{Ef1^}&~I*1rJBM7@;>NLLbYCBe|^0J!38 za6Hr`UY;omheo2zbK!-_-S1jk8c~*LPD&v^BaUNswK;W5=^7$ z>Ij~Y&DqT>_+>k0CkF9UG9DEHK^J&zP}Hc+_5@pun*xs4q(kuYXhbt=Qa-r*@W=R! z@ee+b>Dclx+{*t&$F6=cmG|0;o}HH*J=|$!Vq-S<`JKVGP@0S;BKGDybVaJkTt#kI z7yh-C1{(imriS(>^clW*-?x5elY6K}{Ix-kXzncWYbv7|n0%!@#@ZvJsFL(vWZ}WczRif~GU!&j z+c<^aLVbB%4*z;cT>naJUMDmwtPoLzIfY%ZE}5+*6vu2VDq$MUId-8)#VDyuN{Az4 z;p4t>FmFVqL3oC4{969TdN7-ptA~h5czLR}>%0Qrgoz20 zqh6UvsZNkY(+S1d#Iy>F%{g7$DzY+5o$;r2xo;ne2dw-7wp z$<_FMC7-G3G8YuX;H{&Y`Hw`kUFN3=PcH?_bt}UQ}rI8ni#GxqkF9o{pPyS z@H1agL%Hc-e{M1~lR~OwBJsUh*H5KfP$YSkj?)Tl!SO6M1w&ttRfV9};M((l8iHNV zYaQ(kPfiYFFAe|Vj7**AnxEY9xVEx#xyhR2kMyP#8Divhtwl)8h)29X-HEBxKMx?m zf)exxdqlkzfVCa3cQp1uranv-L=fZDP2 zI27j`?r{9;$z+YI@%@n96On?sPmlVYOuM>J91>MN*~3$83&Fi#_t(ac?y#xRT+&WF zZ+LPj8(YQNE?;+dSSeaz-}A}g1$luZaJwdzPp+l@zC>#zVopgf2o10l|6%5Q_lvIj zl?uslHhE)x&{}8tcttfN*)(Klg4?jN;CI+)Ak7ze-CN2MYJ;Fxg7h?=#6Ya#fiFj; zb@jI^&{9imsONzeQI~iQ^?6^8s`O{C?=C{rzk%gbeO5-nQ`5GmTugxtmyrW%%MGH) z4A_eHqc2)!O5`ov9z%(g&wSStq=oe~_jza-(a>sU>s#uRHpN3<)hI5U`P0nc+iO^2Xy>5Zmu03%{Rg|z81fnC(JI0+_-HBkKoRyh zWlZh4ll(_p=@`mSf2KuETtmbZ#n6o~J(XEm4T z_I(R3K52fdyXnj`77Wg=Zv7%QQZjUkKfREK*wr=7A>nBB}7#Gvt%^gdZjfw&`UXt)2- z@TEJg91@TH1AbAjLJPtmDD9yXV1*T*9`OC>q-ClzN9qGA;U7l&o)^O@mLkv@M)KU* zZzPO$b71@Ww(W4u+Q$}|7Ye*E`{E8krEl*Qz3mBf{ssqymQj5f9II9vvRmQ}DV$N|?0ve5vI3^oc$$rP@${)|(NRdBEUSi^TpZ84M%6#^9!z<6L zif|Kx!iYi6s^?0a8{P%({D~D6B-gCOaB$E;PO)L6F1NcwvHH}#HO`4fCy86>S8eyw z4M@m>X|OPjg=ykrRWjNQl{ss>)O&}M+`*HWg}J$pRQAPY4rGY0td)Mt++r|(rB8tC zY;Ss=Qf6HpZCq*Euq$AaUw)Uh09z6K^_rE8ZWPRD!{_0R3?=PTrFz(cESrFZ`_1B@ zgzM}RJ|fI=j%zmf>b<4lw+jOT7fLMhkdqxUOlt8G;+SrcBYw+WiS zwMTjGzUI+N(F~;?qo6ga)`Fm_)xv$ztLW`lO?nfODzxi*3?GRiTKtQO%tc8&mMej` zLurg~95bK?NSsX~jK*jWZ1dQeD2+F&$Cz24z`Q6$>u?Q5BVE&n5a{SjSz(gjcWoN8 zg4RAC1fx|Ztzb8LLelKc^YnTx|C*Pm>zy}j>;=CM=QunM^zAJurK6rOp? ziV8s~IWIFn-TWEUF`vXn?tR^FuzAIklPrA<^q&V4=VdB#lwRKn_bFXNYo$VZJ`U_g zqc-J2mU1$tjFxhgU4>|kW)&?MqKP_3W{X_-;O7+-4b~}Rq3@P=sRkYXeD>Ozgd1)# zml9=7>Rp#FioQkq2PaBn0$1$b#9Ii6w;ewkf}1dc)S+}NUd()>{2jN#0Z{NN8WqKk z9=UbYj|!wL3C^0c6I^SCPy{}jy`@EasX4Eiz;84x$Z zQdq|#f(tT_j*MMd4~qv6=Tt;xODTSDbVSt_on;HvG&8?`q0~#a=UzA~=U!O*6ns_` zw)gzPkS$~Gvd^EZ1Srx(Z_w&T z`YHj(a&FH%TizaIx`IZ(0#PGb9djzaC^KE!9jfyyK26psgc4Re+aStyZz}eNJ$d4& zO_bZ13bs>|cyz3D-p{$WNFJV$*GSai)}E&lUD55nJ>su& zRzcGPU$o-utIt^D9HE5NT3YO`J|vfABp~fuoHLaFjrnUU8HsgdMe6;n!#aI)Gow~m zLj}e%x3;iQe!j!&a6eAfb#%$MdhqR7#2=(_foVha6cz0mDIbT=#6z?*=I#mc=5>aP zgBzXR7ngRXC*Tu%-qymfwCqUlyTtXSs~;Bj53!NNXn`qc-eo{-tJ`s#R1Oc^ex!6W z+F}f&VlfEz~WCDNuse%GaX6HGb$}^9mY7ZN2 zRy7lQ7cm)mUMs?bo2-c+6xn9I&Y*kYAwkfd#mqD6@PTatyyBz9hr^F`r@ju5DO5gR z3ihA&iGpWA`N3GbJyhC?<1v4Ng=%oWm^{;Tzjw#<=U7(GZGXO%*2gMJgfJe%&o>iR zo84;T>UC^^T&BxVt>+U1bAkmsAOTwiAg4nB+4Y$ussV-ek-rxHj#Pp!y3&^dsng}t z%~^8~@9orDp9=GSxOI{QN`6EfI_WdjSdCTwsYw{=Af?ND`rcX!#|0V6x3H6fx{TR| zyKJ>6YU33iJzb+2rj)X%bkMBg&G7Y-?cXWnGc=cO0t3f2S+V zU@!U3zi?{tUFZPjFLxjsa=;Ts%tMd(92DDVikU1*&SvmyQ?4&=`EY!)9%Vf*8(F8s zSA$TPVo+72bn0AJ7l!SUOF8^`#n)tL=Y@r9e~L3){X|F(!TErvR5Tx%7(b&LFkEy} z5ldXz&};qHaV}3z6vO$|CjGSRVaIeCEGrA_WP$b_%$5n73*R1X{=WYFgT`2Bh`We< zzdK;4L-fK&aN_Gt`y z16Ruf&W7F|F#Mxnpy6L0PGf|REZt{6{ay2Cx#724hc3$Du@hfWh}mYAA0IG*SHtS! zmx7>7k!F==*0unv-7M_Qz^rHZp!M7*p|E=+&i_z-_p);(j3c6z_rZ>{DX^yjGVjYT zWcySW^y`DF*;!@hN4*~zvm{08W*RI;99A$G z4*oGAWJ2M)_O!OReQkq_Q(nLg*k~M0o;3h0Y$du|XX9w`#V%iT3kq8!MG~&Ig+WeU zadFQPtBeQluHkb zd#at}+VI-Ro!+4X%x8p?0dHXE_%2M7XD8WVCyeiRLxnZq)5K|i?u=x!Lu)gS%)bSq^(Od>G>{^tu!wpdHiqAt8nB!)l*t|YD~BqOuwzZgsMw1>Ni#nvg@ z>tYYy%?8M9R_)|UIdq3X0&@hpptbr1t+X53p3N4O6FQ-9MfE~I24R^?Q(x2$Y=tTK zw0>*&vRTgOt5>F!eJ6O`PEeNSqQgFo(Z-Q8%KM`4lkK+jvxFNp7}*y8g08JQvmtp& zA1+uWrJt39tfD!&#Id!s?6G{`b1uDJjKx%i6)*6NPL{Pc!6^Y%A<^CodG3)u~c*P zQ`S#)1KC`~0@z+BmAWkBR>!{GAcZext%4s4JyMo}h%J~d?S6v z>Vx`w=68IUb)RxXy%L0+HYqx;pE#aX7$%WY|MHJOz+nPVz)}fFAOcDN%Y0`&VjN?3 z^~_=R)4fv3Csh;u%djWoBs4(dQxZTbrGT1s#;iGn#|VgD`o=xEpK>cbzVBgvqCvo8ILyran!~5l#-b^^QkmYV%r|W)&_8VJ?y5K}z9C5Hikj?B`Ypdf)V+ck)gWbl~+UcIC-3_@#YE-{2V!ej(4q82AJE>HKw5|A}CbLDE6w3P32 zT$;nkx{9#i%k{9#y$Tk#LvKc}-;}10w?|OAX=`S>+pqW*Wgc0v_BbJ2L{GM{l&0g% zudwSt=ffbk`jJnwD(vBy>8nAtNbIG?v0lD6KWD7Al#Qnbc zNgAWxKn}}R$Aj__b|gbMx&jJa;S;o?nkG8YIyLF$*WzZI`2Cta1(6@JFmZ(Q1K{rH0i8`GDY=Rdv!v6BcdFE=2X3Zl z$sU47ZlpO{QAv!U5EIZxk_Qs@yDAx5gy&5kapA&%@8@3a=hQf<+nV0~0J6oiVN?eH zE^5MX<5eTI@VmOZpU9?f{+9g;eC(_nBOdrkz3+Ig!~?mPuhH8dcwp9xFJ1eHM|6_& zF((kGlGo`1uCwY*+Wquxs-E8`%DAf%bSyqHet2p)_4c;{}P~-yn89(jMX8M+n z$M&cG7dgTI%WTuWJr;m?uaHrI68hbyV-gkAV)2G!V7C`W`dtSsiq|4u>&&*@_4R_HF zSLuzS7wTWQKRH}*Uw5}GzGse~px?Tdb9fLSv41W5q=@Wq*3Fz&v2ojGSufqzZ@_(; zS4y!{mIMaYKjz)BCG*n`(G~u#-16yZ<{LMC+xZQ2@YRXm^|~5XD>`J0o{$aWC_rK? z$B;K!|Kbv9wqA4zD-5y)zBKB?Pi2iU3s(a=}oM(QN9(IsR)c6 zUp)9*Vc;Mln0_$(#;B-CQ{T18-jO%RiSx!*}O9&ZkQ4By;H=p3FkJ6TW5CIeQ7iqnq;)&7iw9 z8^*kNu}SyMGva%&Qn7TDB^%9+7Ma(aQA;6uDq>W{A8sDxL}uc+(=k#3)8Y>EHa&Ox z@$*_j*z+0k$W-dFa9X29DtHNN>0vm9;P&LUVzc!n<>k_0+JM|VtKSxr-GLnFM2#g; z7mmYUFbR}FK}Ee+M6)$>zb6`m97n{MwB8@d*=-9dlA!X%InS(9P1I+Bz)-ZTi_gxU z0$BcEK~>sytkS4!t*Q{xFgjLjJb+C8-8%Sgl7{G7lt420(9h z_dzVZD?92aVEfDEvAijgw9==FR4OzmzL!nT9Qw`h)cK;<;?l_8uU#S7q=krrv2J(3 zZ>;PsM2vG*9o)awz3>9Tb|;+W>)|uLz!l0Q%l*OZKNXmJD&Z>Uz<8$FICOWM6sc5y zr_ulkr}>$!OiR79B5CRjxErCjMb_1!WxxA`vy9NgY8txY?) zVsGjtud9d%Z#9YjwiOGDs_m{}IUhuy&879LJWg9DTB@AZzx;{?g`@bR%jRROXO!DL zEhmf9d!W-*(ci9e@0=%QQ=Q-83Q%qrG7+N_Fp1n2%IcsL^2*$VTk)(AW{SPbhVlLz z%fTi$4s^mBOY5EldUMg8cg<>*F})oZS&a~y^-k*DXSA(h^r)nv;*Kv<~ zM-onu4IBh*&cB=-)8P3x{YN9U2GM7f93|a`OIY7(#5F|PO&ydoO9y)pggV45qZJ;Yrhi7GIPztdYD-)i4ljV=}n`jPRNF;oh2<&e3 zSf$?2Cb#F#vxeAr-#lEuHaK%+pj&(|xd>JxTyr#-?SLybSc!d zPzxQMcd*oro+wVu0aX|6FWI*fEPFemEUvh>g6*6Gsvawal`#ag3Lfm}IJuYcSXMB| znNwzn_bkKC`SgJ86N66)VTNgC$)8gg6-)&L45_t?nrM_C=GPWA&vk@6rZbVP_EaBF zKOfT2G&P{6JQg`o+y{{GJ}n0zc?0B@KWf~Ue%h7kZsA8+atQ5Sw?X(@nAp7m{JLTu zmzHuI)t>wcr55#P>ro%a73!`uXUY;}PT@TWClni{=%>eJSQ+Ji`_Yf4CETz~@*Zu? zuj$?d_v*T<$=g1yYo3{8(@gm*!J^}G5B=*HuD_#QXA(jAkIO-lh}szEQ7X*vo^C%= z=PLu3+RRso!2;C0A`$;$cE3*JXw0ZWYea{>I*VKZJ?l@XZGK$24ArelzH>{o(zkT$ zx=;C*ifPWkh6Do^?)J|0kqbt5@zMaxPnMsE_1oX4R%8W!&Y2cIlRDrDyeTO|Pym$g zy{Qn2JVRb>B1JD>9~4wlVa;1gD!vw|YK@amGM|T~R1U-!`e*sN^d>OsR_gz3&3^+o zm~5ItmVK+O+TN?ukpIm!@zR+0k_1teRqNz&J+37%_wxY$l)6_IwMC`lfMI1q?O+B& z!1eg82L)6~8z0nkh+`F$IPC+Ljo;4DKWVTPWy;L?T{=t|896eQQs~__5cZCoMjlHs z-^k(npS5<_UHjkE%tv|;usvU`vW#C!Q>$(18lFF zuJWbAywfx$M%`O&%w%mT(TI07Lo7^+U##ugX-~({K+fvIRDR5*U#EeP3zsYSU5eMe z)Jt_N)F-L*8Q;X7t=##v+RYh~A^BLd-_h%ou(Mk_|CQ+kEOpJ{guOsU|8wOCudL2P=3?Wb znB1^4ENS`wgO9ZGKUTV3r>79q^t59ZH9QRh-9a+!B!G5O7M6uRl{LpbiFY4pf0&YA zb;^HAJ5 zBkN)3&&Y8pEB>py38?BxdirBwea~gk-}Cl(B4|#VoILLDQR4*lA1%b9f=383FyR*S zTt7vWkcvpT1;+=)IL;4WllS=(Nn0+2{zpt}frQG+je^}wf-@ZlX}^fq;}l7A(0u75 zuF3cn@x3#e#&i1LGqMhIzX%y-KMwsy^9rB=*lFhwSQ%tJHziD4`iC%_^8#*1fc=+ zOr_mP;aqwOmeAwA4zh4kkB99^VHHY2PUg~kvet~sWI_hrx# zkep>`MlbkY_=rUHGnWO$6EZ-~fBIPaUvm+=dt;P)Z-`YH%{h)(f9&0?Sc1DhGSB0~ zf`t+;lZ1>UO*E<1afrkS5FhY_hc+?<(0El6+osNW@$?_OTx>kE1A1VX*pV3bC*cOy z@H(YAyqaKYGF;FY0phMjiNwdei4meV7Rt7*IE%I7y@2`cskCz}B_XxhJpO~qz}Z>| zV!e`a5#l5@T3R=B<)7}1Q1r;Sn~&pZfB-92!)g0pktFp3D#iD_eu2SL2MU9>e3JLd z6#zm6TFCqRZT1fPGC;=nE4 zDscCh%Lpz6Nw?Z-+*@KsA2g&Drm%>*bL-52Vc$Y9=RUA^5@jsrhKgQnI3C`c%3$lx zte-Pi3Oc2)@^?HVWv&ufAuu)mkv?#Kh{T8R>Aa>~hm6*(IP3i1>5wnB#rGO2)B46Bb@pJ4%Z|0{ z8EnL7+Y8DSQvJ7{#W$NwdGtfP<3=lwjhw--=o~O>a^|9#=lYNv0i$?rn>p#RnA^MG zUl(t308rD7FX*AKfQY$th8BrXlj6jh7g?M`@ADK_k|6^xBu>t9Nk!j`QkXna=&D-F zC(Z8;Zt0z)3Y>5Tk`{^7ey4_3{im5_%Nr2v*|_4Kc%Y1TVo9z0+n@D6I?|G&fsz}v zZOpn}LNgr;Vv_4|4*}3jbThrmpIN}VtM`rbaym|Ykkt6IFxxz<$hZ)UAW)G00_cRI zj@Ie}`_!mAc~`oWYvv^?K&@A8SZx1^Ni4ygqg{5+Ru$mdoJGmv{mWO&an z**thfCFNKqu)Q!&Tjd{ri;X!hh@9jrfQ%b7fZ0Y0alcGG8-QLctC0AwU$(7YK=QBI^M6>nw#k}gFyEehEbo;#9%HbvmF|Bz>@Xz5 zs!|_5J}D15Pm)TJq}0dmS`p<9T6Q>rK6L6~4~t-qR7}=s;oFns{}esUKRjs@hIk4X zJxcp_TFGqty|ZQ8uo{cJj&?{t2j_pfu#ZXebC+|Mbq&0QlJ8}tbvh-BMPS{HkCI@_HcP?#@m zai2ZY*WaRNu$RX@4nvd=ruU}j3g{f*XE{;MZM`bQL9t`orc7Gw*tdb6nqR#w#YE>b zg+JW%2n7~e-2h?j5nxVlLu53*yPn6dKTC-SkIUoj4(OLK>K23Uu z-%HHrW_#^p&OVT!^K(6S%j>(X3L9ZR*x`@>-aP7Cg@vy}Q9mmn!Qv3Hmg?VFBO6t83 zp1u5v{=Vly?nMg|)GI1FYnc;qxgcahVxNT2G)01S`Ju3za9$5sE3dpMym@?*h!|iW zK1`%XCgCT~k`@iRs?dyypQ#Y)6`c}9+Gmgl_HM3zSOBiqs|H3)pAXy|H`xEE?-Djm ztv0P}ohf+Ed^gE(cpZhmC#L!1g(H`+E$5aixM+eAq*2Kj%yU$_ciQ0O1%Xlto9=a> zXd(E$cVk6LYb5!Cy~wb0ZL+KhheQjOJ+gK&KtlH^vm8L|M{ih)R%Rpf-YsF-d)?2= z&ijt?O$cBoS4K4%14;(bZcCq`qnNmTicFLQ5t1)iAh}7#)D|u@%^c?d2hz`W0ry=9 zq68)x*=PrF#wLI>v|qlt_;S;K3AqmPk&NlE^&0rCe7%}FrhNlqK%ir_!QySq4uf`4 z%VfqrTVZ##?tej_D`oX&9t*i;UOQ3MG46SWaML!{@`=<%`>Fof2y95VMTA}Er<)N) z7C+n8?2O>%5hxBGQwVeiQ-SE?HdameJbz7x2p%%pxjy;Axy2?B$GV;BFFhEU zv}dr|v`Y4dDmsBaUx0yT^xWM}4NsH!7I5y@W!LWxoZ@Py4AaqTUUuQ?TbD3_bJoFh-2Y7hfid>46{WYj z4Nv3jeCTv3xaeV@l&=7_j{x-@fdr9t89NkolROi(N=19WsJ$?NJO(AHQ-NAzLPY_! z(5Ebl-W&a;cdT&_I)hHXXc%_4x%QpN(6oi1yT5j#`8mUiP7BDKYk%vs0<$}+>0$n1 zu!m?N)YauQm)ANVw%53s#7T3J5V4CmH4TTj3)6JX8s39Vy)j(NzTb@Z?5h?g*AbMH z)@7TPErdvsQg39Vj@$5u z|M{bof-Hu2sQ}0SUMpInh49yUr{hH)b5+eWc1MZk*Y!Ug3csInT8~(XNER2^s8Ra5 z8R>UMBW)1mO8;I?t6`wYDc0oeb9#|=t)UMU=#kf!T~c**93F zu}r%LlM~-bXw(c_5=FI%iF~1LzS>};!F1Ox&VfqF-7Ou|NuJLPSA_{^p zA9x<`@f@H(3)&vtYzg9kz`#x^Hsk9?V?T07g9EtesRgL11gb#LLZ?m3oO#3~acRlY zv~zG~G~F(0BuHrFtLO1`R2iyVDh8@w%S{qf3~(scB#KM9 zBYY=6s=Brvc~#m}&~Ukg`o^YKIlqF2=Sz1oDSE9~9b={M!Usj&2X;>=r{aWjSieZD zhHpW9_e2+E&G5&*B_gN2v$3fD?2WpG2&7RjcPcU=RlSNcsRP*&is0L0hAi**fPZ7{ z)Gp^}{>50P?hdK_H;WL_+a4dj+F^my#4#(#!{gd^f(26#a9w2e{{do_E8b>i%M4?Y;w$YiDz`sl zx%!2)neSFk^xLxx`4v!#7f_|LImhNKHj-rSw@<=Y!_pZyN$3 z8EVsPihq6oS-10qVKy7e)~{_Kn2OUzB9reZ;rAfKl|8HyQ%$^e@l3)wKC1xD=moBo zo3kF4+*?H!r3i!aq?Bl@zty;LVioVY0%4{=Q}~9ehjosf49u#c zOeOplL`(G_c7!RXJYd~x?RV|}fH|dyriIW2F7*-|eneT;-oyKwK!oc^YlwcMCmY$Le?s^QEhfmpH&V9wYEWg66ISIg<% zol_s)7GG0Er~76ggjV$@b2jb%%Lm15x18zw@^vb@((M+58U2O@wv@t)-`-Nf~sj>d1C>%4a2OZS*v zh`x>aNbH~hnazh~b3fA*Rm~dqXWB#Vj7Xvms`G#WkJ{$Jyp6Y1UF`fC+=964NuWT1 zNqAK;xgqJ7+P#Bun$wA6opo7WKZkLP9{yQ|@pU34Qy}I=zkHJKuhhh`p}-6@yckFcpP~7P(g!%0iuiE<1k0@T03O0hTkw{ zbGGW0Nj@Dv^5Fc?$i-%u99*|{%n?!x)CM`7SxlsU^O3$HW9(Pvh9Pv=A@T=dpa^;$&m^xg;K>qyt*U;ryFZy5U++Y7Qc+l7k@3C=Sl1ai)9WxqczRMO@Qqk$pf2;krv{xaVPVZOs_Z;V+G-t~4Xlf7G4}Bx18Z=$1BJImR zTRwS23||^K{iU!~(tlxduXB%>wZZ&I)Mq{t+onJoBg*#g6-L?%nG~-Iex0Xmk4P)E zkQ3x~Exn7Qeo5s^V7qndRw~QZ6n*d3@+;fnTiJ50<;>sNdVF63YF-Ne|3wXrVX?;7 z_}07DWfz`-I={@iI0aSiCqSd!Fe3vBkrTGv#|>1!(Gq&UpL5FMyxnWGdS7(k`s$_|UU-im_fZ=}7&0q8hQIG|1tSvDDY8vccS) zuC_&Z@$RIBtOnBjcy5q&m(1kFZXMalrPFVJ#qMz~YJ40}H`p z_M@}AT|VBDGZd+rE1Wt3w&|z4gu01oqz4_lt%_`xL##0{))Bzi$(#bRs>SZUrdT&v zYdt@D`}a&SO|(Hba+*Vt$z5vYQAQbOQLE)(X9taPdS@E z;(8y%X^J)7(D7Iitmo?Q&xW~>*L^wgzoF9xO5JVVm+(P+4V0fZzn5`-PTeN?YhbpY z$x2jBO%*KbsBxUJt+P%+{x7YsPzf5pR{&_X_kIqNvFP#IX{3Cv<#8h#)rws;PYYU* zx%Fkl{=+6*L3RV%vD>vg#ae#HbS3&P3x;QOZeMm0-+7q#h(?O?`3rY;xOJ4xGbOtY z$X(Ki9_yLhO2zN?{=B1Ua)2kZXv)h`$6uS6(hh~Iq|%r57Eh+K7yOVP2w}>$S&!-^ zumYQwJ}a1Oy0>dg5HIpetel>{Tg(~(({8IR-01bX7{CA0PO+G@Um`zL$IED)=AMqQR$bY1@WgkCwtKD}38VVjp z^9|LM!L>T!f#Y<0#NY1tfy-jekbhgm@r9BWG<_Vbx2YRQploozz|Yoo`+9{NiQ;l$ z$*+VBU0QFhNq0s7>Fuz~Eh>S@7(QKZA&RM20aq`;>8+_juTkLAQ#IL`f_!Fk`^_F7(I+ig&kBaFt z5I!Y4cIS?u{wwYIi_9l-zet1m#CjT) zzqoYe38G5x2>WP_BWkuLYV$bXr36UZ2^CnLhr;HPKP1&&>)4r5t0@o$C3a+zSiou3 z?ztDEZKfq4hF)bjUBE0l0^$yZ$y4!H@axz+$GjYFn+@IBWf{pLsh5gp?{{}~cLBR-pdb4O$!Sv&zlTW_}>wXes}qWELCLH!}NCx>AuIuj(1Nlsg;s)S+*CP z=nh-@swd^~BES5|Vt1K!Qio(&9WXY)C)A*dQ%$kx$?>%4c^%xk=4-0*ZR0ow ze9JQnx!H|b6bmCUm4(!1IRTjzwf1aXV%hu+5Xf12#Ig+yDOsruDJy1L=qWS3B@FEbxz+}kL2V9txGt8BfI;jtfwPVGz4 z)?7OF#kJv<|FyM{{V^y`TFp-~Y~Q}9uhUs%EZsz*e%sM zGoot4@BdwGSZg&p@|E{~jR>5PJ7yaJuz#kTjcIRH?kGU)z z7%9ciJzSo9(CwllltWB0X&!PWou%JxHJd0hur$X707^p}66jOSf$g6sF(7IoIousD zPbKhizQ)bCg|#boIylDmF&j?FvrrJx;e8!tkc8k^cvzoROX4#KVVG1Kk_p=k!AxU>j| zbZ{Dwr@FQ&1-R8-Y=|oz9S1X^YhQeWs*_wvkE&7`#4%B7P~DANCD+d8zGY<{DtWT; zyxDMNNU1k;D3Jx@8WCHJX9qUnZoADg=W zH7Io@L(Rs;$}`_u?0R=2(J+fbVw8KFt&v0Oy(@$0J&T@0_UQ%G!+cBf5a{)x%bDBt z<0$4Y6=B$E6%~2p@WG;9one5`p~>ixdW%06Iu^V`nP;biG1P-T27;$Tr+l(ZN=_PX zNmJ+ESajC#Qq4h^Qdw2o^LUAKM;pgut#&Uvd08%Y<6bN!OB+z7FPW@;8*@xO{#}Yw zY^S(-*D)Vrwl;V05Lsq!w_F?kE_!}@&Z`GaY?;W%im#ru2?LydMFEwn`V@h2LAXGqs+;rLM{VSV$!$HHHe zaK@LIGk(Z;9SR~u!d8PCw@anT%S9%^PjA0mw0>7NLbH9kvu)8N67(BE1C(@joV%o0 z;3rMfY@Y55o~CKBGYf3>{}RU~5@>DIATt^H5HteY3mVjx9lLLMB;$AFnMjY$8@u4M zT+h{>Cho65Z7BSy`bT9LoatT(>Sv`@9Zx&+iOiWwS>a4!h9MMT&jGh(1>9CE!WDXM zvfGL(6?JGTt#i3&u~EL@Ob(*I_I<4CWJ_XjDZDYrDXT!X9euS8gI_54)o#oAuGBM3 zfUw&EGsbf>v(0B&&a0#Q2=h)&0aY#*$t}A47y{EaZdlgzlpcd#c9|TUzsRkHyBz!K z`Q6kwd9|I9rB8y)_+TGaHS~l52ZhzXb^OW3+ zZ{gnrd&Gh-=)*m^l)$#-RH?bShS9CYF|ihp;n(somY?TJ`o8%eanQax?-vVi`B&Xc1% zEUWTG2;LW#I#t>$&UplTsqlyn(d=}gXb9c&gZor9Zy0T>i=WL-Zo|8Yo4urz0ILJr zg<{k1naf_1N0o2li6Gy00wg~xT=nxM`$c*Qm6&3shQZd{!Vg8HPQ zDc38TnN=yerkdhDIZgg*N^p8l6X3Q)A4@-j+C!8e5I`Z)9}|^Z`dUlOOudEE`6tI$ z`Wmsv3z>a(TRpAYCSye!QWj>8p6}mlS=t(OJN{^-!(S{19G$D2(%oN=m3D?*eWRT3Hg=yRm7m9wflVO+g};t( ziesfn0K>e*87|BkEn;|U;7IR?p`d zT>hXeJczW4pALyUz8>}1`G`y(O)M4Wm56+Ao7bXYL<+5T(xDW&<8f=n?kS)T(#S*h z<7SCzXX@VFmbo4kA#6#ol)& z?(5PGcEmm3pW!yJ`P@lc+#UrT6WnEAeo3=W-rl!aKIy{8`dbZ!{EjP{;GTz_bjB%u ziIv_FQ@bZtsPhhmO754$KqDQy6N@?ZJ*A4X97}8mj8pcQHRA94d9})E8d93G&hc4C z)a>aN+r{$5?1Fs$_Q3Ym@)9Q_%I){R#8u7=7un*dKhsk=G4Qs!wR&1ddA54mNREkl zt`IFgd?H0wo(7bTY;TC5gD>9gclCG=rYS0#@3PYDqF7l=A~z*`^Lq*=vuB1(Wy9Q9c{ej z5a{xB{OoL&%Ne{{u}92e5#IGM!Hr09)+k%)@o6Vy7PG6B2|O3Efz*znr9eAbi~3I- zsvC1tSoGR%Tc(j+bIJJK&wiJ3r;2G4g%od{ z%Nr$RyPl4Txi(1E9w0trO{>w){2Z6R&=R&FIfGldka9y2!AO51bu>UZg<(jXa(FF$AY46{;#q3l<#S~(xSt%X1ImSsUr->;zH(Vk}@(OX%0A^&-Iz1!$F6Dti% zDQO86+;d@3v++!j48%`W7E|TVY*lx;`QlOS867(96vG6Os#)8%pmV15`o(dy#zH(z z^t2B?Ii7iBb?lhTdFQrWJ2GiEVc-{Yw&BH)rKu6VV+;-U)Wq%R9&U@zqNsHvur;zY zcQwh*v1P{&p7pUFtMoqu>$=WD6N9o9-(v1araF3H_q%Ai_EU51YC zm&btZjf0B$%Y>guAR(6EFnUnFD_LkRi6B$%U@W^YrXj?qOQdGO8^hg^jm8?H2}IXJoWEu97z4$Jlw_4?QmXd2NtY2CvW~xv>ZKJ6>9|HqZ@cC>_TFI}lt6!uq~% zbqDi+?}=jYN*s*aZOn2Jmm*h zc1ePOz9iu0^);7;`Q!V~l>IN=3VG;dpbsLHi3%SV)$;rO!l8Inw(wQ|@uU~7QWi}-XFV(YClB~m2aN4Fn+Z!8n6HV;vYFigJriByI!&RJ5 z7Rr+7h9Qy?-oCju9o-a=OvzB(!#-jIT_xF*9EQIg!8~U-+s^ObQ(lyhE~WlFu!+G4s#Cdw8?32aVsZQVp{Dg@VR-{_)Ns=%+Yv@%%0~NA zYSHe2pAe0mZ{Dm^K}cK*#MptuC29cZxkG7yMwO~e9ac|TvO|FG^l+T{FO1)l$YB(( zm~vcH;Rr`T!C_?{1;K~>|0BN6kDvSv6xwCg|poo$nC>5}ImH*oN5XN)qZ5&$-D%u+*TNQ2AI zk>y;IlCQ?unrB0WBG`KTXD-`x56MnSLG_FgEr4ZrVZM924I{t)hq>&t#*W5=Q7TGD zp1oTrtlojcf2($TWq5@pBUe;sC~dUi3=dW}l{v+e6G7Dp}K%xlY$jf3EL zlXD!7k8bBrNa;TYRBAH)4(b3h{qEsvb9OJ*ViVwR?Rm&+S2^@94SaPp5A)>(y%nsI(>5&kcK~j*ee|(jScbiPg3jmYm zX%5M;%6W6i(oaW34k}^rM(5%?r4rrOFAd5Sp2XL>z490gBxWR^@;9+hc`ez@u{CAZ zHRnLl;Un5i^A%iX{YFB#$`C~#z6G7e8TnqiFcq)k{GHIR@rMupde~|@Yk2MELoFyP zIA%Xx=a`;I>dsdu)ymRsJbM;kiROxeEwK^$o!dKxj@xIpdX^sh#sRQGM+vpUk?1k8 zO$FI;7Q1@*;)QorNA&Dv5Lz0KE%5~Ch$ZF8G1E1YBCob706 z^1!%%#R`6>Bnij%XE@z_pu$tJKWxuAzy4!$8#Rt^zQCGc7s!vxdPdMb{o1sF-buVBw~( zg8IVU4Yr+n*=vE`C9QE8nF&5D^tzuSoR#hgj*42LX>;JMxu@=~jx-lsHeiIRBX+-0 z+U9{?;C^Z`AwSn%L~_y7P4^bFf3VUh$?m&~UsRrnO0Pw31HYM7E^rdM$+Y8p{e#T%BvZeoepV;^{a^|$q+)ck2rs7k2=@@5mfgFWD zD@#NT&qCCxvqGKzwTaJ`NCGhM+Lrkw&XY=kMeC-`$JE$}*$j~a!e;<)UpiKa?J~5= zF&ye-`z2(_@!5R9<4mjPIm4|E4C@H$bS@0*m{lf!dD3h_iJ!?kqt(;xvA%&JvgoZWjD&we|WvM^3}Qm&U@CJkCheGQ=iw7WL`RT-L>i7Yw;${fxk^s7ufqR zx4Q+l(v(QED$CotH?~#$%G-Kqe}=SA9~G;Lv)^UR@C*VI*JAy58I7Eiv$DIFPPsa} zMxe>IC7u!d3NcsJvh5wM#?PDTB?F9jADS*?&Oan_oNL=j(0j9skFrIwb_V^-9I)q z^kM9FY|f=JlW(&$L))piV_`)CX?hoB)H9tWd0SbR`Y9;>;3U%GXkPISs$lLV44xIpjgq2 z@D=Z=T^6E+Ylxm}j$k1{m;l75DB>)0nz_a>b1jo?tz(DxFJ?vW{ML9tgsI@sC6(9(X^dO6-lmLpX)MbV&wS=R z3Jxo@E7pElK==>`79L>mk`k_3!3i&k_cqFAz)H}=cAVbD`@n0~2F5*A%pbb7z|Cy3 z{revt)&F_knWA0yQ8vvm^XG2*mRGf!V+aS_oVQu>@W*ZQCx2!byWdm(%|4h1D8!5I z%Pu(h;p;F-qSK*1@InQP2zGltx^eIJoZL64_>`YIa$F0k>R2o*jY2}DBK-+L`u)9k3 zLSO3?xat=NJmG{J8|PvR@*J*NCW0lp!F)&1>Z98sl)F41C_TqNa`BD6D0x3l!|hcU zX`q8v^sa?%0YT-H(oIekiQf@V2xy!LMM?g>-Qx(8`v2x|y)?zRK)j5Mg4z*u5OHtw zUQE4~)7$Y}@NBEF+D0VqGmC0J5_jS1Wc}A4$7IFOltPCSb^i)zP=U~ZXNY5n-i8Pm zw29HK{u?tWU!N{*3A!bF(5;8^K^|LKDr^I>^Kf{3zF8#_2!($*>I3~=VOvduy2BbDY>|(^3 z?RNVBj`J&-%@-zYh=Vh&8OF?h!O#KQ9H>;HtQ=B40zt0#)I-5s_K~C!KnCnlPt)F9} zhREX&p7QQu7DudDF71MAL7s`id+#+4Xu?ewx%>uegAp$_J~fY8kek=!3LTm|@|zqi zSw|YIj-HRm8R90MCPrkm%Js`QkXNxJy#rsFgy{+it7U(Tx4oBqP!n^R7aT^FMC4%%;HZGlR2kj-+aR})(Xw_+Sju52 zB?@UEmix>~(Cyb*Pv%x&`(NmUbo{!o(t=|nNPd{XHJ|yRkj|8luDoBQA5dvKVMZ6S zj~AxQd#>{6zPsv1D3Qs_axX0yN}~huU>?krA@WHMKy}``=t!jQF%QY13~z z>^Vpoz5-R?aq2%BEyI1ix$aCc8_sHNv?(_+XXSW#hD&G5nk-mFT_f`s6qRtlwLVDW zV5Nl2MS;6K;3`k%A|uW*T;zgpu&?j)@{?&;9Morp_RiFiSb%4nkEA{0N1rbEOqQ;^ z2wq(vj{pL$27WzIeHHPS5PS;$mCCSd3fsYAx#VbNm~tpvod+HJmtB8(Jz+fCLt!5P zhDgv96N!^zcw41n(ac1VnukI>xp_1;1-j2&kRLub}YMjweJa3 z`Bp@keQkqq#l>MHR|JwD82w4)!FhEJ$sllaV+19Bufb`pw?{ZPXnBAdPc%8aIw> z4%obEJn`oKUvjqKc1WZL3=c*hUGcZ~s@Mwmc!i`(N%{E9T!nM8gTuws{qAcXE_}r{ z8WH?px5Gt;?_cMs{8()q!I2ek)acJ7DH169u z;$yRpxsPFC0+PHlgL3oJV|13XX>0Z&YzYa|^R>rVX!SU_FCT=p3lA4y3lI4W zha%1lyI;Ke{oBkG8|P2k6QKP2Q@McZ!QUqY+6BTCCzK*s+LS<=rWL`$2`7RrT2>Lc zP?ESjAq-U%X5~TFW@0kJV4^A$y8ppr6gu$N3sPq7ZODz`~}q}`x)WG0Ut zf3L&Tr|99rUW~kHXG7c~vgP!QEgOE={&PGAXud%0%SV+X6KxOjLxz-{ zE`gkc8mq`b>F{3zGxl=avk6jKz1dDlkASA~_I`h$wt}Tp*(bgm0J8tKrCd=~J^~K7 zV&b){$dfNl{Z-qp!Q(bhvDG;##`?xgPos-d9qPSesWDv?I^qgmSYF5c=jex4JB2(1 z!eT{eN^oD6oAA)}Fz`9r}5D zWLE?dori5u9TMFJY+H1Xp%7Wwk!U##>}^o}^p_4Uuj%!0J@egbHem2PCYN%jUtxo) z%3y0mlwxRL51l7k(uQeQj!%Qs0;+cTrMpoJyNUa;Uy(;C;;Yk%BVA1RCTrcj3m>B0 zP4jyc!n{`ZMf^Gb{UwOGAr16;!Pvvg3%Cr?$-rQMeRP8Q=HahD!w~rTneQQyI2Vsb zi>m!W5eP%Rb^=UfDE;mTB#F=nD)&4x77C(0FHjw>x8aFGf`nXrFln7LBMfkFiuON=ad0hrI<0wU(G{R}uCWAUU(R2SisOPcI=IXC*MfqzOQ`H z5G*{A!QqO57q)?It6|#alD8DFUI^oA@_WOz=RTh{cpfQEIAI;g0}Iu|M!I0EWG|o@ zj;NdJo6?`=jpZ?mgqNBSbel1{+opA4X}GQFeHB82XOQR2 zO0`!o(QIUz?)w^B0)a_IkQNB$C;yk4`h;)#FIwc%#Xr<4DK^C>bFV{>eBUtu0|>g4 zrCU3L8Z2flXFf0p6K@EhgQi?<%~wzr+i_XpzkS|eiG2?`mNQG$@0Xh^CPvUAnn8C~ zq?E^;Ds2PtLqGq(QD6leCMd2Lit2=Bo&wwS`rd`xrkm<$11~`ZQxYfFqnUoQn~qbY z-+yF`BOB~!kNj(qr5sN)GaTq!uB0lVYd<8Rr1}1k5S{1Wk`utcV7cm8U0aN z516Cj)ZaTxIfniQJ=s&&?H7F;HavO#jV8y5AspjZWu5&xez`Jt@H-|NhMI0IH74Vs zJ+*VSw@Ee8QHR)4z)jwnhYA?aFS=OG&3C|rsf2le`#QsuEe4#ppj8=~WCLxr>9Y&LF8C8^t+VC zk}wl_eUxf2hzd_QS)s0S<=Dx0AN!-g&M1|bU5?pC8tKfb8mWiVhYG>ddJ{watf5Ct%-=~(CTefCoZ znN~61I*idm!m_IxO(i;}_sc0M{|^B??AZJ7o;(qHV_e2Mc1GXtfGQK4N34YKJcu~m z#kQT^RYmhrTv9(&{~>;JxeC2=tC*BMTsC1mogjl1BxTenRF{d6chArxeKG4`**H#p zc|Y-4$0KaN83?w2NIi=psFJ7uA@@PEQVlbEa^%+6F(a#lK?>pb$Jjqp8%(A2o7=1% z`~iB3iV5KBlyn#UXknHSE8d?(kr(7H>zeAkPYAXcu&E=5hb>Sz8jy`s|ICZ>f8kQ< zDb9-%1T`kNy*n4=fBukPei7SQ5REChe=b%n|B}>Mm!Qe0?{r7-w~Uxu)V^hxIDEu20SeiVHDpH?5E!b}Z*9-K+LD8n6Q_;~s zJ){j*p)?#t4`dBIf-N`#6OO<>7QXMU#`;(CN6rGpg6ydAzZe&hj#ySj_DYkyIy`zs z*Nhuwg{_RN>qMJ%%TF%Xh!27IpIL0<{+K@9pxd^)}+Ct$?zChLf51s0P;t z4gJyHd_v2|wqG${y{kx=GYZkTeesGTo!SMo-8g_b%?=u!`(XY+_JiPFhiLd0=s;Fa ziPeIS$cy*13-~KN2M*@9j40jhYB(*m318Y`x<_4?9FboQGPZo81UFXCt2qQ17)BYpKw+LF#HULp^>OyVJ0doYrB;Gv*EhOmW0mgjJ4 zw6PG0vD;lWQ`ReHV~8Cnd@PxVP!Q|}1ZF45+x!Ad-CH>C zZs%f^7G_BRfnxePVSt+DfPwUVl0fHg=aWyDFKXVemSEiv2pEuOPqQMs5KXAAd(nZO;wXBx@QU zjr)1OSqEm4;EnswrS)MU9fr(|$5aA88+Fm$HTd#UZKn7)C&P|%m*L5tsEj<1}j}L8jB9uL!h`*mFSHOP`x^#8^UH=S;GZ(8gG)Uvr-T<$DzgE|$zYvb3?DN>_5MdK zy>W@P+pS`z%usHrRoJXho7_oy{u@HQf)Wl5yMIHSWDrz8{Zh}+?~69afH(2T=lOal zlve_9b151HP}1oP63pLQD8M$oY~| z<#KNyt)i5 z7eOKv?P*g3sj?Zq6$az;K~gAOV0{f5(Rlc;+(L|Lhe35yutOCV((w|_0Bjy`?RTdx z3?>VWb?_!7aTKhHxa<}B`oG{8&@~vqE~#>buuu23cfJ55!}^TBL9P&aVi>ncH!o#? z;5NijDv^RHK~#U63zGY6Fb4f|R;aA~o^xqw!zY)|S$f3SvQCe5*2C_{pa^ayC8aM! zv0xR#|0SBH&r`z#jThUjpEc>o? ziUw~Dz(Xn~06?+RfI{G?^!8_)uf2tx&5?KhDXwZoxW54}C)2lcr(t_BQv9YEeQ`DF z#x0cPHNP7p{QLrLF#iTD|A+n!Dgp!xH5}YmDs9pwcON5!Ek1y8LPHAP>|8-`l4w_lESLN(ZfsS7i*~82CJf$=-D~$b>wdfRKlB@ z(BCX`xG;67cd3wLD3acC#lh+SBcy_DRLt_!*X6+yvV%$DXqmNmz<;W50ZYZ;4&GL# z*9#i>H?-Bei6Ys)m?;!m(%@!)OcU@;px#9jLrr1?KpzJGj{4F--Jm-dx?^1$bFrXR)4wE`(5 z7%yzOWb!mmCz!4RZFE(p`b`a?#eyiHa;q*0{aY}|lsU6q65IlzUfuxaF)ca3yj zE>~2U?j};z%)KYAd96rf-B&#$EjH(njQn^0SH0WgG0_P&JN7<(UP}!&q%5Pa<90tk zoR&q)Cq;=vJ^vA%*wJalz8p42i)JbEp)R7KQ_Ha>Q)}|lj&v7n08T||Dv#8jzC?=z5Bjh^&X|Tspy5eD93us zq95mrr=-gESv$7z%ogPlicRaIycal1?}8_dRND2U;ONr=kKycnOed^*7{)R>WM8^W zPW`y~uh9=f%@1I_&b9U99kzhsc=b zEC0Xb3U=;2R8Ow~jwLSWx*uE?$DPlujNHSLWdH~?6eG%-PY~Ozc-9~Mory82mc)p)Ew1c2a{}lY0(c*zF1-~&ROE10tO|IH?=}~K0dcoxcL!@Aa z>qB=k44Xf~t+!h3&Ie*!UM-5uDn#R;H?jdka1T z9xxa6{4REy`sK)VyP$xIj#%oIspj@tH-)*Uz!!3A*hbim=EGG(@a#1LT}aU2K=`94 z?p`v$v)ZV=aRXR(jsr@?rYE^0Ab#c3Ihx3SLAgo$GBh+W`5k?Z=p%*O^ke2{Ij|{Y z#EEU{ar4&xI#(Z={D*sI7bsKXP7G~LSgG<9rsyh}18#@%nnlr1XmPg2^}y!&=Xx7Ep~ zt)l__Gd_aMA!%CW+^Pll(IlPEhdpD@F2jQd44J~vBY^(CiZ%NX?OA5dY}zd;oAw%3 zQe~_=Eo$Fft^IXAsmJ||o4@yhvuIKB^fZY&yi`+(B}0ZN@D|#TOE@*&*!1)Tp9T`$ zq^u;27;S~H0Xx{*jml7Tm@czV>nwE}NR$tAZ1=@=Q)1d6U|QP5s^fLz7TOlFTa;c-51bnw!=WNXDru#~)tp^JY&>>rY zkR1zDzd%owA$W{s0|X}M<)PDwOtUEGcBK#yLL7%DCSeBU+}dU}P!*AFCzzor+LW!} zyyt6{M{V3hT*wF&v1!eUtD}~6_uilmE17~H_egllDaB5vAJPaPT|)pK2uQYU>}0>o zPVQKBKLtWbXjv*+1s^aW^BvXK*cYG`?Gia#z&X)v6ML^Pi$wTlrI z#nQ{%0i*<*tjhr6Iv$o5@fY@;Mz(Y$v!}5qpzbwFNq!~D4>5bzXzzUhSHALxqo0JM z(d>XbamSIeHt83V+d5x>-zAOzr8i-X!ReW31$U@&Sp%9^5i;})Gt*u zXKqBl-A#|IOY z0L!|f@U&*Xj$ayit%yCTd~I_z{-wdIKi&aI0&(i6KkMgRarG0@7Z2c*?i!Avxio!n z;c#jG&(Qf2kL5CDK3%|LAu}ic#Y$&Nk%D8#sD!JW9vEtBasCFzzt`Zb?!F64yIGmW zr^6#=Rkk>F!Y#=C<%D#Mc$7m~-52V&+WKG~vEuIAdw+r|qagT-x6T;~f9u;}>&Q6y zzh!}1^oiy{3W4V?kKQ#sCzz8izj331Ne`Mds6t^rhc9J2jW-u5U2?O0T`iR9g+`K4 zV73*gkz+OnC?ZZKoN5%RnU3OT;EkE>XejrnMWG!E`&ze(g1`e^N*()L@zrx#9jr^T zEp{d!4xVsyfrrA2L1O4hc57ov;1(x_CBV>W^~Lz>eNs0{wu$BK=a7X~85tNxcrR#7 zcDjjquTOk6eWonO@@52VcKLg1PH+1S zpH+w1KC0w@bP80m7sJ|!gHL5GzY+_E*cgS5R;O@mZzsjSD9e=Z<>RDexlp0A2O^Uy zSBE+eMelvD-uo&2p3ImFN2zC+{QI<7&*M+zd=K=daZ^54l-02_N!O#p3y`^OT_RLO z%e07v2X{lKQ^hm-YuPR-Unl0F<431C)cNT@C5K*HS^8!6&Zf!ABx2ZN3zi>@DagTy zoDc$txVe8#50g7kdf*MuvnvaB*|36Bz~LWm{^-W`v^w-f9QQTJush5^o`2Ou32Ke# zX=rYrEiKR83r&^@NxasAG@v3>%t<3AVQGqQ(XTeWXXI690=gVL5=BVV7EUVXvu|u~ zdL4x7rY5dLanWto?N4DV!Hjcac$!a^cHMLRO;clR}}g8Tq@I9ua(F>hI+xMTp+v+<=QHM}tpkuG`b+@SDRkLL?V z?K6Ou$F+gGg=LhZ6e^l!dUYqZ;~$-QS@TFE-7!mi>-JtTO}1qkMGx^3yIoo77Lzhv;lQ zwhl}8*~-?#H=pew&i{^EP#HnR1f4fL>neL6lz`yT)`NSW)_duL*dOiD12ot^P|w;C z&gM?RFw*N_QNVOGCsh9%PgU>rhY#Y|aG|Kta6nS`2H~`b6P>p!b>{ zO~%O;E1c9cB=u&talCZ8ljHR5JCx_#jjX%ZL?N*j#HS)Jbp4~wqn~;0fne$p;(Anw z#)hH4IR%PKVsTJ`8vMeVWqMpS1;#js;Nw6^G{3&xz(JT<06a*PnknSx%2GXNA z`8h+65Ja(>4je?_iE!vR?_}06NPbn$lcoY48*&jpGY@D{>KF}3d zIAG91uq{ydUh_G7dNU)A?dHvNYpK#4z{{T<(;6@D}*;--HdbGAYukJ*v9BVP%n zEdx}Yh{M8QWZ#anfNVOKhXyu z)8qDK()?=+v(Wq#7x0eb=(u69H6bIu9M*tCQ3w8O;BRlv6`b1hqeRvYN8SRfJa*KZ zrF?Emz1MyS#{(-3(zSW6B_pU_Vgyk%P^ZlO&uKvP*X{e-C%4o+zG+z})bjcD31S-O z%-z@5KaZD^YAt4@2~8QwIu&|pS2Z&d6vA-pQQNUfo>}{6y|n7PFEw+MhgUm-A7+YT zg!x)l2I`$ML4X-{vaKhoBrCGC0|cduI)wI}l)A4`+uX61C0;>G2%`(gLp}zE*z8(e zLlllQaX=^tpUVERh zw`L?n@r^{mE_NOvA@$ofY3s7Cye+v6(@w|#iAhkkt;R5CDh@}x?m`F+^Xr9pAZ zBj+VSN)#JgE7sy(WbQ&@XKid+5E0PLS_ksEPh>VP1SB`f?(uGCQqcK!YyA(YCuZL7 zB91Xw=9Qc>@R;p*n*LbzTwN_+`^|doXo`? zIWs9k`-=P_hX?Y1Q#`Jnu;)brHc;1SWfW9*>pz#q4^&FN6w%Xn=>&BgGovy}HXhE> z@ko9=`s&2tgd?33S>LwArdI{#&+BvEhPea0lsV|7OaQ#9_FYS%N#dmg0i$yV*%${IJN7^MH}RSw$Q-a1NG{_3|Ksc31DWps`0q}mEV(MIlvI+) zp#zn(4kCw$jX9r^Q;~BcRt^wEw1 z`}bc~N}t2~b$UJ@uWz)eD%FBPnj?{V5j&3u&(K#2pX_>8Q|<+cEAc$KGoe!Zv4#-r z`FM-NcL$5VY?^585l+7DS3eqY_Hi2oXoNVm&rzEhgVisXAB{vS-dR$A(;m2tq?Usa z?j$oHc^#d682ZT`$d{1)v>m`-rw2@r0X1QThn^h%M2R< ziY5>}w=L=p_x}=vb!;2Q;$dd2o9{=GsXlcNaGqw;p;jAk1;vcGNmY8GTAy{`a}w0X zV=L&3!49<1;+N{pfL2CvN+`o0xP_Udp}Hm-M~QY3+T=?##H5A44dZ=2Xz!xEJfS_i&?U z`k6w}=d``FU8HK+O}}=8kV^V&LKld+AgisgE}sh;U_A*js~NiQG;{DettA&T^lINf z@-+5Qr#H&{bn(r>u%}G?*>$;}s)S|bDW zp9l+Bavz|rUpZH>U1-%=qPoZm^ls%aKjkH}KFDI9Lg6CpCL!{t#rf7vXmD}hRor;e z{*boQ#;5b(fw(CD{n*{UL93p)K#%>K3j5%RJibATDeK%fqJ`aQdrCmTZ-99srJ~EI z60hmYcK&=50mn4}oo$$8=eHR1G?}}wpB6>Tz`BPTfnSc3$8!uI;HA<*70V!JF1xWa zY2GJsR;GSGWUao>MQ5`5G+Z=5J!6EuFt_$AU!-U-akGd5+|pV9aXs9^obyv%=n$VO z;?{g?qXCkX-zV>*D+0&-aD6qlqe}3Mc%OiUKpCro;5Z$4g7+UODQG~bhgqCm-hPKV z$6c5=Oop+X&y>!~b532vH~+dRt^FTLb|FFb@Dd2){_3^+Nw94Vc>?x;0mX}y6x%ht zdzI6*i>x;KDHNr-*C>Y_2X|$<3F^1O^^wA=?@sK$QMT^YS{oK3t zxMYN}8yK6o=18cS#rai#Io?@br?TVeL*i+S6$pdcDw+W00pnJWAz7iMiU;afWe?;8 z2luX8+NBVC7wNYB)_=r!L&QJXyC)FHH~cZdahfz3HN1if^oyJ-XuKlbg~A6O zyCyoELRFjMZm2Q|;R-PW4ed!k9-2Hr+Kj~T=Z*!czm-CI`2YyB38m>XgL}m9_AlyR zwHME^Lp3O}8dwy)kjjvVk$3CEplU{(9i@!rQd$&C_>@C0&w8m#;_rQDS~< z$bgRCfBR8Gs}=5`b;x0&IJ!Y=gy`senKS_^KuIqR$%wXc@k)4>S5Iq&ehVh7#t4*^kOM+g`afYMu7 z>kh=#QVplBaYCmT8;O9&o{Kqrc!$!3nYy661fB@E$Rfn`3KbR4j+pWAl6Ii+S zKr;dJ(hl*O-9@~a*XBJY4M2RBkCOQToaVfLy!%RM!S_n+R#>edKEmSs%yNQrNd zqQk5uU-h!{FCor$B(~FVD@5`dvh>TuPUy^sc zd@MXvGF;Xsd#9;zlRuBKz}qfM3-iRVM&_GWP&c6xtzq=*ngBRj7n1j!vxMnbLmb%5 z3>tL=0*{o;7)L6`V>rTY5RC6aCRgpAT^3q#FS}qpByPb%d82JJR*&RL(NKODqO=IJ zQZiSbFMqF0zqXz-HDMo7uRcrc2fc zO1?%*(d-^sRIQ-O&lB5e4g_s6Njk}H=-5lBqodj{*e}(c9;tvh30iQR*7Ng3vMA^j z|86G~Jrl$hbor8$Xs7#YAo+{Jf>=As)8BO%yHrYe=~eUb@zq$c;MhKwb58^u+Z|5Ew%M3#f>m| zzcli6Fu?-+xe`gFqu=l)7HB;or4h=0X-+dqXnm`OWN@32JAsFj;=nQ5$04r8{=x~l z#k%fIkU1Xq9B4ySJElnKSEvSkt#al~n z0)n{_3C3tf>bm`C#r=VNk+ySXt*Lx__X=*3ANIw89m~Cu8c)rSFRl zim9X5t@+6YCPWftYmG>>rZ9I8=Z%Jlq6^dd@bS%X*@B$@WM8YzJ;PJ_MV&0xehO+# zl&P$^=TXd7brC=Az|A_+-Jv@{hf*#w!(tr5H^wxr-QM=kEJx4LK52tVB`yMSG6bwp z0GU7O&cljk2O~91FXMBO&>nXsyO_@ApRV5J08-)pU`DiT#>Mx^@9xY#-3O-+W>{@f zT`$+{&F;)_Xn;p{uFZe;UiJSj9zKkw+`GJ~7?VWpDBl(@6+bauY$1I_H^XeLm?8gQ zI)8!|7Y2=V5E)dO^FAiIJ)sPDG}#=@HE$Rvb~;Y3SzlTDlKN|1f7*yjwr%dxJUq6X z)eiD3rfuSwIn((*!R%+6r~>n~&36|%OPp`xmm`VMzbUg*v7@qu$E4j@w!i49gHgnb zI7_gMp*}X3==`wu)Xbr~*MI|?iPmsmjk`+Xk@lS>(89+9pP60LQdILuSU0+SzuUfC z{9}#RjzPV&tF!fL!`MM1tSzjCSNM8 zx+*Jnz^Sj4!JM|`gJ$2Mk+oy(47tq&uZofE*$P=dC)XlP$s!ezcbPFQXT0j>7&FUp z=?%{P^y#FAF~`t_v}c>oA80b3+w?=6Xh-67SnlUb|Z^IUADQxmSDhdwV(J8co#P&qd> z@s&u(J_T0WiIxz`dyv7hb`|izU*m26HqwKPhGIpKhLCOk_$Uf2L9Nwa|_c`mY$pF>Q zjP+SnNu(vIGbJWkHDW@HY*#XrD*3cJV++)HyzbgaY7Tjw;F6|49=vVi;G-#Kxcdp; zxVFo%zb7HLQ(d_*^1+L$8}GN=M!#H^pk*viC=jbcRF9Z)@9YN}>iUv=eplz!cJgZIlJMKi&xh1slF$Q(4kFDzRMhMo6UV~XGpA)+t# z$_!?Tw^civysZQjOmWy*05$Ph}Y%x{CW)J%6moyX$eaO?-_VvABO(F&TSq>;`Tgv2!Ul&GN>1+W%8tC64#2Wj7dA?!Sq#Tz)b(G@L2$F{OHi_ z5k4D>f&1isUnN@i9`c?3)MT$%dZE(%YL!~n?d!sdF}uP}H|)r_*cLxjqiH)?aj-7< zSfmGRkoYhqbaxy8)tL%njB3SQ}DU5nR?9=ZTgQ zhKk=>!ydOEVvAl9b+-w6IRz5mM%=f`qI0zUzu8HksR~-jfS_qgTg0kSB8cCFOpOWj#KuRAnoeD2QX{a zdX-;Cy`XMam?ky~Vi`IO=A&P=_-}+amQ{cGE?gUosO587d5Ccz!Rr_GANua=B0K;# z#)H)HXDtHP)#2Lgg=)gB`QNcib649-9m!c7LtBG!D z_0Tb@;q+hU>%1OEbP%TqRq=)bSc)*z^DF($X#E6a2aHr*bi@AE{Gk=U@xjZJNez^* zRH!_W-ex59u-3(burYpCoSU0hwSh%lSUgP#8jcL5C(*6-*RB1o4btbLrCn`bmp2ur z(QBT47WIe}iv%O-h}iq#p=ThHpFY#Cy|wY-5o-Xzv3r&{4Bq0U9zi=v(+YXjzR!I5 zE?LYL=qUE}YA8^ojSB#P37=g8WEfx8b@x!n=9I;;OR`X7(sxX*Zk(pb`jZZwtAk;+ z@67gBz>QujTX=ksH;6FbiR zP)1o3v`Mlhd(LzW&OO4TCV}wPUOT2AG8cMbD`;1~yA<_tAazy{TjQN6G&*WLD}oAJ zms&;1`b6;OZYGapZzP_&o?7fR+)h{%i`qYlkupdv9#0+VbL-)eK#Hh-V$rgO3nP=w zvN1zZ$t5fygETB4DRxxqgulN6?z0QE?k7jp)9}XXeZ#so)1M^=!2%9j`RE zF6=>=AzL&)$mntZ{q)r-tj5P+wYmP=GZRYoH&n4tVc&C+$-jzjk6t}Cx6s-AeKfrA z=HHFiZfD*T6od>T`bVmfNEEh@uH}^f6`oSvQVYQULTUj zV`=gBU`Ye6_nn4;pH^!F#y9;1{i#Au45*mv<{uUQDdUm!8EGC#g`MD-_a%B^#-WRoSA40eeake;vJA> z^0fqAY7;lPPx{PKXW+o-Es)23g;T1S?@m{Mx#S)x|?m;KDaJt+G8(C@LYs+;W>ue#Oq4V$}hLDv(7b-K(eGwRdQ;7DAG}tFz$lWNR`hteh5F{+!VG^CZj_=Q?%o9kvRR% zyy~qY_gf>M8GAn~$J~dCMQQ^n|46or0Jd7me9Vh9ab)HgYqt&S;EXZ@h1!}lvstmM zaC|$SBChqB{?~b`NxPx^RTjt=t^rh%XLJldwu!DqP+Wz*RO)%)74~^uZbC?%IJpuq z9&}rC?ZvsdOvK82OBnVJML)yhLI%{e7TWeQeQWgG=6Us?wCalceLtZgZu+YqN@9Z0 z3q~w~KAM4-5=!=cozgzYX;sRpl0DPeeOueSNY$jt(Fx@d=bYrh<(5DpLTK0Z%21)f z3oVsMA8kaq6jIdQ(zATF14g_d_;7YLRo41w5UXUPx+&ZfVH=k&>)Yip8-3ATz9_ff z$xm|LA`T)w?Z z#_}!gw0^qx%{2I znp+?3lLt`AD!p>GcYUj~Wy0Xk-b_K!@G8VG^j1(P<;S{=*F{fXJCL!#&}{R(cj*58SK)z1!6k zzcz}lU|xxh*n_8Y8+zt`OSiUcCd*i|&Qcjz9mEYt9D6q5$F!b*tQJ^0I$hGu8J6}R zv?|GLde#>wh?}rW_LIVI)#1WuwO-3~b_(BRra?%GWbz9p_>)sj4O;A4{SKWXJl1+D z=k+0Wx9QRhv9x81+NiX;6W_96Sr$JTyT_vR>Wwg|a%Ak*({F+ivTqrYP^JZsZmGFI zTwbksCY{Ha$7K4{mY^uX?k_!diY4{xgowP1M`C%Te3SwDe*U}sfxs*Ac@}3z@D$Fghnw;y3;b1J-6*V-d@EisPz z-9?rY4${OxWx6k1kbl!>bq}ASW3LqEyae*&(^5jCPmi-?Tm!Y8xqN)!halEZ+1Kxv zV}qfD{;>O*l9jb&QJp%^;h0~tn>S5y(cyyFr7@wnH_D`T@hjbPd#Szj(3%9l)6-)< z6?mI1f_(#M`Q~(d{rW-MsUXxXaPBMAnd>wB&N9Uf+#q!C zS5ur@X>qFi>MPJ+GbYG${Ty3So}cEMP!{b2Dr>Z*>s1uxWpVygP?X1!V_y0@#?jj* z-3x(w>h%E`gnZL-Me4u+`Eo%oaZAY_*fL-_Gv{ zuWR#%B)TO_^b`@yj4yfBg{@d_tLD2^tHXoW1TuuTb0s!Dn#Wn?#WI+69^-tiIMj_H zX3S9elxJKBXgmOJYdF{skm6U9aP`g+y5pmyxmG{25%eyAk?2rsial{-S4wm<9XKnE9 zXXVFm{R)@S^?A8*rQ}&z^p3x(5Hmh=%Mbb9Xjj?jz0UT4%te!xPS%MC@2anYCt!#q zH&rxm%@JvnUHLY>`fDadN|1cS+sbrzZTK8(d2`B^(1vutNFXOE2uqg^SKA2qD(Q}f zXUMfIn|p`vTKfhqEzf9e@eY!#q3~lXwdDEoOKK^9Gh(xy**%#&)ekpa3ZQ*aZ*-~- z0EI)(5ljETf`A|vwT5zlbse<5g^ZHhf_tk%dVd07lT0ApetCw_z}lppR#l60UnRfU zzK^fXf10=4W>OgQd?;`BkiW^SUSxrAo=mROl9I@nL%%+0`@O>;a8_sOmU#0rQkP%t!V$hlK%@dF-{r`-Y?qUb zvku*=c5Ahx6n)nxE@Z4z>)R`@kQObL zTD64oN0lZelUna=^n3#3c;{T?-)xJMLi+67rhi5JcJZ~X(6pl4+l;+4Q+FcH-N#?$ zK8nOKmGf=H{PMf*WqOu(-Nm~Sfh6)Y;1ivgJb-iZ5YA$zt#Xz77hr}Hl$PJpyFBJI z6|B!KZIoJvj?j7fD$Fxi`!j-jm%no1&EtHfOq;hqgYr~Y{0Q60Yx*{)lJ_-NjsAoJ zCU%U_x_mr)dFih0(sC$WKdj@`n@Sr*L;>y{re&t$&V7@)WO8h_; z8Wy!T`OHuqsM2cXyAF4m#4G+uH$wpLSBlV7KhCU}P; zF8LNN_MG)ri2Ygp`4Z);7i!)4 za;E_t7x6I0AX>){wE&UFzihZT?O1QAzbaQ}gkDqYV!fSv8C-_GF&zXB+m5Q{I`5Rg zmy@+rWt0NRd~VAmKBYZCrMJH_H-1C;-j(&LNYI!^0oA!BuEYI+w4o*77@q(!XX4ow zqns-fN%?mc+dn7pvH^plK220CAGwe`_R7Tn|pk#k1HL>m>`h4<7u2wdMb7+>d1^7m$HQ~J7(X(?krHAqQ)HP!Jv`_hfzKg|&L z58>w(PWfC2BE1Xn$bsG4TXl~6xqhW}IchBhUpaa;iS;lWa7)wMq4O1rVV4x zAoJ=4OmJ;>;esD6MW}^nJ+zf9ZrDaF@AD(EnVg2cjQG>bt&ED76{`v(fpA=trFuqY z9oKxzf^z9)O3#b1{fzS6Faa+A<1&1-tSkPIxznA&Ad*fNMpe8--oFMrSZO2Qyya`K z*$7twWB%1CWT4nSz97C&f>;-i%cVd2JN&6F+-kR1>W}=!snD(oQTh)V`CtFiSzukz zN_jVm1_g6?nfNmON|YpHqo3o@4`k8yEsA2V7_qmKJ4L|!J&fG{glI+;OJx4>(M)HcUx zicg`DI7#Z{tu3{-0$4D`s?^V=rt^8#?U)ii31mB=v?>fdPIoim*THdxjZ=oWJuZjt z966nyXr6J9c2n5RkUo&$9wYlFC@0gG zI~n2bC($3K?`|JTP~(2k@l=ib^?0byP?!XAybU4bFQW;`e;5?}=>c(}amTvq*MrQo zt`%sX_;7GPhDCyseT`#u%0lm>h#UUVp@+_ z;F7z%$q_veS0v^R_~I!%6A;}_Lgol~81}t+!;+lvhnubh$Q;KyQu#*vW`X>#32qvt zbDj|)gAk)6VJhVyjgkqu(+9S!oUI*J`(RV!)_ExPWKHSu&GQfWw@B&-CJr(Vq7H9? zVf*%OWof773)!`Gdo@X0e@RccbliquUSg5mP>LN4p}q<3EjJRN7}WT8DCv&>eNGk` zo+pcCCaYf0o?R9R%8cR8AP&-!6{utjb_EUQW*G)P-BC&xJYvCx3pG?`cGEn|(4N&zjdg7dJkLABw=FrWB|2DPV=P@3;i|1Xlr zFE@G3;3@L@Lw%yYKi99sm)T!E79u!Me5@V5K{wbnr)1r#Vie;JncqZ~?2aveY!>N8 zbnAUyXpwKwxM2Ef#WBqiugfx%eICI79U58jD9)iJcr*e(oS|CO@o3B)GZ2VURv+5w z9vJPR=Gp$Yr=`{17vzYr=`K0nzZ_j$rqbhh5-7~=@%Lc*3gq8UipGg&S7Caykv-1oT8Vu|4 ze0&*AsXhn`BfWYu(wO{?(l27^X*Yi>JH~OW*2fJeg^ZdbMx57QzqDoUQbHn%q+*0f zlaL|@)Sf4p3e@xM*3WPd^0K7&=)Mxlos-gE&5Hh_EtvK_<+x-xaWn4R5V{V*UJ+Ct$)c!ljqi!Yz32 z9BrD2XYtRe*c{s=+l7;Z4o!O2#$gc3?2uSn<#ocTBc?jXlefxU06V2@i?_X!mUpjU zSC<4*k8(MQluGrvgMZgk`Rwre!J|`wbI-N}zC4Cn*;^(1J|=BB&xV)0IT7%}53_N> z5J#U@M)_NUPX2OD+vP6CjUxZPt$iUpadoIMRo==lGZ?np46c0MaP{if@4ZHroNgmw?Nb`QG#6FNYs7&3Ro2qy#6-0|r!4~=Yu|>E&!u=H7z{i`3W%|@PlRF4(@Hqj`H-UwcQ44nw zMk!tQm_$rL2ePqvhDAhMgJQh{fi~I@`No(bC2t8-hRZ-8c{=iDnK1!|U~$n;u8J zE$U@tfi&gq6{ey+&T~H0HDU++9d#gUyQRhif{!xT? zdX3Xg*f&Y7z0eWM*y>g59a7i1q=l9)t58hsA1WCvW=!1clmq=MNdEgf);59Cl>)B? z1(uXmYV88oK2MNm>nFY!B;O=ptS>rBc~o4{5ANd=&wJYl+4@o7BQQ(jF6ExDT&cx) zTB{~%2Ygm4|I%=UVw`r)^kjYEZ=O$zj^SKoeGYY&{Kd)V@Z;{A%yIk?F1wmlzi%l|DdWpah&TAKH!?>)<~*RmW1F zXxPSEEB(4UfiK^VIxg53TAiW(F%UTjW>#k_KAUNEzkqd4XI<`p7hs;fKmD|X>?tQl zfTK$Lc>G3#GqZh_~T0dYAw zw`);W`Pa_fs2s^UZl{g}N6ZuI_Q?nNst$yRqF8GF&F-H5y%gC^Vpax-3H$-#F_*N2g`uL+=OJw8%~=Xi zEHwGZk?GN@$D3~vTnctgiSroa!-J>JNE$gzjrLz!ZW+1?>oGmUwkt?auTZ3R2k9RB`}KdvS&J%%8q9dxzdvb+rX-7AI7sQy<%p#fovCKNZ? zWK_~OO|vffr2VQJN3A+u%d1>|r7;@-GtYJjzAl8sZKVAYkwDU~gPJnauQ+*-k#}u) z@s2(c=N9l4HO;S5+9qKLrqx1zA0*@6DydneJeWnFgq%)zlV#J3o_cBYb4hNG5mtM8 z^xnkUhHbV6yTR|HS?X%#Iy0#Zz1xBK`#Q_`KGX+Q7x_ev55o|C3D6USG6 zx2#=7Vd5jko3JtIZ|PP@s+Kpz8QS_&KEaGPYQZp}msaD^`gh4Sv0R&B94em%nhMo) zYh+^;Tq)YRwvDEu%DOYYwsEnepD$lA;HOu9V0u5RxZEd6kC>4@^xF{~4_G36tHYjoP zQXH%JqtE1%592jYd;9>M&uwNSG+DL5da;joqB zM&sX&yTdfdb2DEjhL|^6o+eg=)b0_$mN;Fx$}R43s8rcH_Q^=9hr7A!+4((zKFK`B zdkZbP@bWD+0$L;cW)D@HBjWR%?q>u;^2u%TVfhYY&P2JPkh#h344+>@aY&1g5H4U^ z-)X#??GQzNz84Xsae4S0dV%zjDpg zGAq6nAA=1$E!_XM>>7S!(+`mp!hhq^l{MZTC}c}^$fI$0X&dbPw1sv^3LbnhJRulV0C|w zl5R&d)l{71PF@bYil%(^-KhCti3DwQH)g+A6>0--VN(^Nol~)%&c!HCXs&B%l;`zT zqa4`HP#C)`R>%q+YK(Z|O{&Vh&=^|;#!ia%`rv|`AZ@2ZxOo+aWRL+Td5p(W@>(si zl&|T7Zv=eV_Pq&JI+(RyQJqMuuxpi!wfGD=T4^5*ST8*^Wz zi&e#UfKi<^XH;jaJF|G5rhGs@tyF*B;~qCfX(3pDt-_)8G#G*c`TTut1oXZ6Y9r!T z-lo6FoE~4O)lT3h*3gkSDR<;oW=f~4OYp#eYi&wKF1wZP3(mPekXv;SO( zdnQ#s#ILYYb4w|8<43@BzzTY0p14X*9LCUxs~3iQtslZDhLfG0Df!w;M(?UqDm2oY zQR7y>kb-FvP-CO43$<>e+@K*7^!y3PR^&JE`W3s=ShKTKU~7bX=SDVV@ zpB@G+|B86=1B3InLq#f>FBbxjyyCdk_X5ihFi89qzTvr0n634~6KY)c?C8Y)%*h}5 zy`ce5BrVH)-MPmgPpXXcWgEV%+b!KyQCM-?{T}z>$G#gsWU8I(ueAP%$HH^7mg9D= z?{E_0#|{mqb%Pjm6M=%tfkt1WeyH)WJV_Yr7;gw0N#OIe+{^$$F;}9-^Yu`wBB3by zc|3CtPxc=M^C~NYDzaXen@YQf*|T3q25g4P-4@A~58DF#%J&H^89R}JMTg2x_};~l zmjd@vEY4-`^IDVg)AY3~$5itsKaolL+)d1;%B?hSl!o))5O&1SB1}(w?T-hAkV<`s z?*foWP(&At*871d%XA4DrKO^5tb|yjMQ1E{LVv z6sx(P6A5iYp$?TEekmN#5NImdYB}h6!uL#GW67!5F~MG6!hi{Jy_VacmHPuez1w*s zY;EsW3*5-KEV6YugzKc5jAl_Y-G~0m83<$3~4s*8x?%Fq;feVh*}H#`oML5kdW+dM@yMbIUxd1ytZy(3LLc6 zPbZA>c!r4YKBu=aS{m(ts3tEL^!IG;x5h~(2rNmVguG3XQ`+-%eS8yzUiG+ z?+HX+p=z(*FDkW;C#Tc5-supJNVUW$$KtKOjE_m(6FNuh{!!&UcERv33TkP|lxOM6 zxv2ZXHbeSz-(c)zQvh+L{3?&`vSYut>#bcH({}sxb3}f35PR zY?i-vEHon*7!rQ<=r_dnR@PYWHvQz10{*Fqdn~tBZISmKHgQ$Ab~%U{1r^Og=SIP%=eLr{=j4Hl|y1ae>M045 znh)C5B$0Y&E63kV5Vgx~hA-5GY=oLZl*X6AUeiuAi( zt&j!0zgI7R+s1Jax1O*0HvgQQKI_iRPdV|IV4lqQOX7o!W;MSK1=`}!m`hC1M%+n&4 zW5R6hWt(gMW5B<^hqC`Gu(1NmrG7W7VTh0869@b~4i4d8;^_il*XO9Fby%6pyE(rL zI2HWty(?{t5#A&-?uD1KsGq7)QTA;kImfk0$J6ce+V0;<-dl3`i=a`;9o-6@xV_mf zhhGjd#VX*viNm>hKMVyLvL)XZix^>Yn)opmm^&d-`tKpH-_770>`wp7jGVeCme6-# zB|1ZNn@PZrcbxV@W3pR{%_M?vpR39=?8=A#@7lDH=>u;vWbr3pg z3aKpTsGvGjao@KOutOXHvqI%WP4Y)`lbiKz7j7s0fmUFEFBuq+A8d;c=!mWMzXy?O zfZ_f}i7dJ;UfEt>#D%CIc%4JhX1kR?L9phKS*nGrK|2~Ybnz%zU@22<^cC@RCu3*Z z;_O7wwnt z53KK7Um~7Lhf>7Pc9@jXmu^B_g*oKQ%O?z+1LeDL9>eo1!qH-4M3X`*$lAqx=F0lCMm#g1~9zvm!)^9CXCc|f$)P{Dmcz!=t}O^zKe zsc*UCaT&OI#sg*8aZ#2-{69)g(!O6ud0W!$@?08)IjN#2RH3iVrY>B;{~bclwbA2T zeje6ozY+20K)oGU&Gxcw8zzpRC*7mjn{R#tW$MO<#GkX|Deis+Z09*%{6-^P*23@X z$h$Rbyg7mCNCr%e4#MvZ7l8Mp3XIU)O2h+XC?!DaBk1=$@~Pihw&x$rI6Rmx_u;v8 zRYJrm$?W?tXAPr3$BGZwR0KKe$eY*<87I3CV2oB5bIy6xB`18lxYEaed52M?H$hve zlye^w%2f)d7L3UA!!?6X*$!L|9sNIy7|zZ6&-Q0vB6ykYq9KqEuo>#bZNN!TrDyJY zghYKQ-`q(r*byB;=1BZrurP z8#irnEZBfDl|;`Z@8m2~0qLw*RUP$HiRf!O)FrwUYWy#Izj&95k^CoMe!dAP7k@F$ zm)T627qrkxRa*;94sYXs&DG#f?lB2tJE1+5ENM_LwLkQY|8HX{fN@NOu#rLDo3a%m zjhC$Nt3BC06ocKaj^{}Q{$B8d>4$XW_CNr>>Q+|e!{7HxS9JF&{XpQH1|qKR1Aw9- zq8FRdAScXr8)lr*<3?f>0Wtvo{UlpfFZ8NyPwv^JZ^Z#LysuB(A5y?S@7V7p-E308 z@feU9PdrRx)lSx9LYM)?%~$<{UujYe(zngY2=vOC5InP8u&e0x@$4> zBA9-Ihq4_IzWS4fN-LUveHeGWJr@L7PfrEWO5rNtPKmNnZ?FDMSo&9_idn2v9bK)P z&v;^_vv$7C{LL9!^BuUW%!-`%J|7JVNOl|-ci6dVJL;sLrIJ)6p4x=-~l9E z1;?8Z!oN}mDPAfVhOxxl;lS&S3~ZD480Trr{g*1XwH?kCpQmfjcJ;{J2C;}g|`ePrRLj?bOD=MH102=C_ zHEQ22IqtD%I*!<{w+%7-B(xE&BjwgKji_5{hfVBVsu)r8Ye#9~alD0L4e_!z4!{PD zYm)}!YdHic4ghk~lNT8(YtzWt53?WZ2?a@n_J21HZrg6GMdrFZJn|((=#9=v!6ESc zjnXO1&@MB1@%Ytz1;sdUaW2CCL5%$ejgj&nG{(Op4Y)CU9P9cZh%_P)6!G>baM*I_ z7ykpvxR2m?tII)bIaL8z+0U0DG{{UvQ4_lZ19p=fv^G2Ye~BqS4drX>5a$a}xJl+d z0Ep4p0W?m#SGT_#RNXFXRo1Nc-kO$xiFE-N?0=$*faUKGKsV=~_(90Vybabtv|3rZ zSymAP-$~~pMwr*$_yb(Gyk^+|Ke&24H$XsW2+h~xpz8thl=Gwms+F!F`=JJwJph*l zVWan)&0YX-;IK>J^|3wky;8aI*e@Xx!y?0#KWbxw>0o(hxb};x8iJ-jh-#fjyR$KQ z==8JMBK_4x4!vBzQ>pk}#_J$z3%rm7CkOyz^j_kCW^cCG&5jJ8$UR%yTM|qMq;;eF zB8q=%6GsYF3IEZ0?TGotE9~YsWsTFOfF6*$j5B z2SomnW~yZX}gpL&E#0PNL{$0Y0I6n0u%n0-}4_ck-NH>~BxnaW2-yDNBK?8Hy!t;edj?=%>7U(I2!5Pg`H2jw`SM7-E0oe~&`Qzw zmtOy5Dx|{tUi71u8$8F#nzw&2RbMF`u9H>K^M8<^%SOALWn;nsni>w-r%rH&AV8wo2{)q(3pFt#$J^RPCo=%Tu71!$g#>KFS8HWpbI4_qk zfw6;RM3a6!K0*ujsQpp91r^;=&wiH@e7cp8?*vBK?n37rHbpPYP~ht)uDF~$b+MVv zJ%oL&fY&_zP*BC*gh<%VbAk||d6xLEZDY%;E6gdy# zh^6rcm{s{5_>F341nFmnZ|e zewg^-#jj77TvyCDI$)#Cw=%UemU^E4=3o6;ziE_om&2>v4a*O%@wZ%=95HII>CGV2 z8((6-aR5K__8_h!+2=CuUh@S8E1TTSsNU+@HRt8ON_T0Qo%oCwx2J=id8nGxBB{e_$l{J2I~`XZ zR;qccUQ?i0+U%qSMncOivOAY0R*zg6+22Hu@D(|3;m3KIa*}~+(q-l{T~{i#gbJi~ z8h?;N>{phH`D%GTOTIUeU--}mx7{}r?_*SmRmkPvY4Z56`0J`@x^DZ{`Chua!$OyM z(T*s80aqg5Vb8a#%Z7E}ga(AO%`ctkfvr1g#5rV}%*~sl>|Kg4K%TC;cY`%?gMMJL zpt!1o!Db|Uju4r+{V_<|s8WPlw>V<6K4QLJII^94g!`fFX9n1QhoXpfFsROy$B7E) zu{nvLC(qTyPSb|*q=pA+E);Nrt4GsY8Ulq5X(sq~DIwd<=erDj$QaLM>m$$S4}}Qp zGv!*|ad;je)B6qPNdA`5#g7|*lUP=0o|R*c3kDUE?~S}RT|FC~zN3i-11)T{ps{o3 z$o?QX@1olN!lp2c4$w5Sm;QPBxqN_}2EVwO=i&i`&^fhIzUfwKEERz3$b$P6`{JxF z(zpL+cfiXH<0^KrQ91w~0OmHmtI0)cwXEr56BWh7M`l+8#S@~iXSKtmL8dM6_IACb zP}(W=@g|-08X>s@Jwn{r#200(mNy@dUIDi9#|4s7HV!4YsWUl67ih9)36er3z;PsZ zr$&Kj1wV7rLW6^tdUd&88#tK~8AbR@oa5j04}(}@$4=z2i~W4Fr>xgf4HQeWhV@-N zE(1`;S&B)|Sl05mUlOb2!BbSW_8;T-_}T;-`UUXPiD{d zWQtPRUG=E5GgTbm4hM?|AcM11-eD8nhoV3c6p81AXueH9(sm#ekF84Vr{cF{a2M4+k!oLXR_e%%~R-%HA~iTWkuJ1;>5P+NALRYgbr zV9^w4$VVu(LYqn3dpTMk1D|=28dK>|$|3NOfsh|fce#7e$e%yXV8!4lk{tq!_5$hO zLEvQ$X@~CuksB~<(>5N3Np6QCa?WxI=Bg&2*a~rxw1XO-_pSaedn=_$01IlcrvQos zs_Iaqx7xY@cz3Q44#Q4VbgJ+*fdo51UjawAVz4$OWZ;nh=BWT^(K4JHv1TdaALAEh z=xoZWgt$AF8nNM4$J|-O`{kHFxYm~c?LvauddLve5^N#u?o)=x&`C>+Y2_oElOu1? z{;b;W0TGwGg6U7=U)yi7SHF!X)q&m+nvB8YS8Gp{E+Tr10kYBV5wfG-;XR(B0q}w653Q zTXLH)Fc)5HTQ7-rC_y0@jJ_h?WIy*L4Zw1G)b{F8qg)2AH{aC2UUzOO!n@8;5Ekm8 zR#L%U?BQwUQNJ)je+oS4Wy|({1Cadjpu$K{jlS`83o~No%+y*KXki;ep`K~qEr(3( z(_6F4^N8P#mq*5szX4i~Y`W8El@u~S^-T&F<>~FS)Mk3okRI6bXi>|J4esT1Jv}dR z)4+CNkOqQ`droa>h#P>*dRW8Wl>P%$z60@_3hK-EySIvc0MROlorXWBd%*aw{O4@q zWO{5ysV^Jt>jfI3AlLYm3~0TTz*w)i{UA*|yx-@}jQBI<`#)L5Sd%!V9QH%c>s5{xevK*LQ(2lHL$qmev^T}2kS-+0Btv^tsbC! zf3optCvT`bCky5r7+$=!6nI!LuVc&WA*?*xq7LU}9_XmEa>UzxX zLb?&!9?zyoq{gDvWRQqNm*MyKa7+1d8$JsDDt+R+kp%&-pQK-{Y7RQL;z;m1y$_9M zpibH>x_YhzmFj2jklJIaYq?6YA-yaR(VbyV_c>Sb-2ms*lFE1^qupY&!ZPrgd6PTO5cp%EUwnCUR!>>tjg!l zw?HQd%aKGLP)GadgTk^bQ}jUA z@k{lqmWEY`~ zMuFIz^?mHpnI+kjWfjVtQdbZ0Q9R=n>e=lGC(D5f42a)yL{wA7zRgN zD4o4D@KWy9L!6zmFPMORBk6rRu(D;d@{qOiRAuj&m3sQzTy>guN6vwHSw#QE^ZuC8 zH_7jN3Td+^)iUYfE}tbZUt3#z5_X^OXlToEjhwNUR1+%na%%q>^Nk=x{&1P{0Xqra zqO)p+k`)11lG<~eWBEXWa^8(0tCISL@&@&(A1S*r62h5ZS;ZpuUk5Ll^wwXTyhOR_ z1>V_gr)h({eAHImQ<^(Sqa@d*J)lp}oliijm{p9B8F-(zCEm2}r#4S=;r2l0GxjVWgK7VxY3#W2;b(x0ruu&=5Nje35o*iT+Hb>PFbl4NF`>m`TNWZuiG1$??; z`_Aj9O7-y%^1T@AoZ>GpE+zIInV)(n2<(p&QJ-8cDcxaBT5X{irP)mDgG zN*g{7l$44Rxu$xKvMAe65|YVYA-vz%bGlkmUjcFTefFE-N5`sv?A1(DqI{L6TJvj1 zXXeP0?VaKEJjjWW1V}>IFo!9rVm$WzPE5%ee``Xe)!@%> zhsJ<9>MbR_?23+T8@g~ktF7(6(hBP>fMKxnvb=;qFTqSh*$dU=UyoIJGRO=~7Ap}zH$KS>nO>ZuazTgO}qn|&Ki=A`^51BavzHdo)z`KDV5Xu zPb#aqgUXJdU=l+4-%hRK4p*!y{b&)%c{?V@4hhWvZ< zK=W~2RNqB+*xNU$H7!u)mIwI^xIAcl1P0Fx-Ku?|<>6KwN4uLcuv|m83{h$GZVfh8 zAXfxQfF;eGH}Q>W#;v@=mnlUQHrG&`xSspvDc+Knwi_&lanceCP;xalzPHd!0&mB- z>$za3T+!*+9#uF{_2D_uexP7%0J07lu6;~GqMtSIZM@iIdf|D3YT3JWdUkujYql++v0Qh2s`B;goh z9SC6b&a;@K#8Z#KZV=rPs9Q+xGu*fEL6PmIt9z>4R!Ld3_O{*wX)K#o4fK%<{>j@K z&F$K!!TwKEJ1uhm*w4MDTek%;f8kj6L3PG+U3II;{4|*K(RIuc-rw5(nH&d%8+@`U?&;z3jZa{2S7q%4nF0@jWUvpc$Qec;-{ciEc@Zqx_TA zT8SJwZdvQsnB;8C%6@W^DO**_oOt1vp+$n}s7#+1d|NzSeWqZ&^5D#Xvjpcw=Rh%a z%JMA9oX-mveDYfd?lBGHA8z#~aye(IhAf92JBsoi1C%kT2>W^a@iCoe6n?_b9X^z& zM(No{ctHjpZF{zs$}$EP8yRWQK%H z09IKkFOl9-eO{CzRPV9UTeFN~nuYh&kyK(P>bStgb3_et zIuns!IBa_6<$~o|ot1y=RHQRlHHc|2ntfmwHK)`-U7atlQb%2$d-iqh&T5EBJ4x%D zbYDSEnS3^%;k0W7xl;>L+lL*6lvSfG?F8H@X5 zkoMA1yTdDlz3wIb1>FYch#~7>wd3Xy*33gIsdw`g`CF!4=0>GR+1KYOpt+2wkfc0n zzySDIWBa+*EXcJ#p_kYks*6o`i4wbl{Unch*Pw<;1G`=oAJO23SW!oNvWVM)%R;={ zGF3!e_ z1J}ZYz2(Q(vT{|*)yHKEB!MDk?#sbZDlYjHzA!<(yyTSB znNRgX#(LSGxRVvKwSgg4bEzFj3q~o)Ja>ZV>&Gv)Eo6r&{XKazF|Q{`f0qM%MQ@VENleL7dr z_|(}f)8;~Xj+@vega;O^?GK0mj`|sGm8* z&l!-N=GaO?VcX>k;A*FUf0F_LU=39<{$l}_5Om=?*u#HS$nLA|wb5X2KTo`oqzWd9 ziq4(oX4y~WbvjhcJfoP`aOiL+_g=sdqK}Vt?+o-I_@?TKsGC*q(fRswhvBJhbw5jU zHE#qkM?=ecXyiyN4{zaCH=>PDXTkPVbH|`hZ!-+kw%d|Jv+hM|MdmlYEBl@nHDo6Q z%t=*jr@ONM7A8AmG8v}f?1t^**7qt|0JToo*0)9YjpS=fOdDr%!2uD%ipAJ7<-HIoJmkiwjRm@+Y0P{B)Sfyj!5<&9YD(#K|8#4xN6yatD$~h=@DX?D>h-KWMJN}il%rx_UIP`kq&7KV zD^0GrNRYbleQ#w`0EWi5YzlI<6b}SSQg?z=zHmlGtkvPS8n`n**>yl+lXPfiwfni^ zvdZNSmAeAB+Ri-YN!H$>Bpkr}M6ij~dc?GHv-2*G)DxF<#X@3NX@h|#|=W8tD(46-O-Ds zul;CBuIV>QpZi=?-}^D!u8ceM^gZ$OPUGuYwZK_{TT;@rpF43TU9=O# zH<+X}eovqo;o-0Rp|T@;)Mp+xd~#UYJ9Hc+%r<9IG>KpSpaP z36PqeJL2F%db>!hBX!@@6V+?ytPbW>JUC$b*N_L}Sgrex?p$$j4dLb=YjZagJx(P> zfNF99XvGR+lXebF(v0-Wx;uCt&@{QaoIH#e2L>XEhW(Jrsgvx+qoOv?gB z>bUPSsjIZjw(g-5x{5^r&V8K&{Y5vG73t2T9A)AhZmDV;@92y3u8?6(=C+OU4^ol0aniC{pq9L@3by-GVxwc_uV~kcXo3x-|nLD{_h;D|e0mt;l z`v<1?@ee%4(l)q0P77E${!0gh@CBFpp-C3yP8MtRh<}y$3@Hvuhpj&~(K7;8W?$=P zm(=SUAi0dcbCLtu#+_}LEsG&|7NWs6iSq-eqom!8_bn8;am_W!Q|b=?0{JsSRHv;}?JuaTBJ z@Mz*j6wvwEFW#)s%zm*VFJx`Yn|6h_e)b$K27;$Le-NzRgX*MfCo?=t&*BTcWRI~X z8t}@WT!Giv2zh!NQ(#Y!s}fD?bn^YEZ=^vq*fd~760@;a*`2knf_xJn3c7;Y&7dk| zP0FD*f$};cQN&#&*$ZQG?9{Ku=l-h-J&)*}T>j{g+)o9_WQPLq>1`AyDgJ=-(z$4R$%EiQlDzlp!Fa~dO_1)iIuAy zAz8Nm6m^2=Ih6JMh@wANl-EGDcNSS&Xb>&&Y|4fh)VI#$$drk?9lK6nUftn^mo)w8 zJBYBJYta8nnEAF!D&#J1BE;i&Mj)7py-Tg~n!*?2f|?da=XMr{H^|-Z|E8<#qPQTd zoV>;*uwKW>thFydCbi&I<*k*O z=fp~n<97LKV%AIOje=|I;0K-0d^pg%_h(`scD^3&65vZ4y<3(n?MQLt6}}bgYD3Pl z`8u$^d1G=*<=}!g={07ECwcYgp%9Gl6X-&WH7@ zg_XnhquwdzWo!o$%6(Q}l*u-oQOrKZb57-Bw4!T%J6yjq{rwH`QEuP)GK6p4j-7Q6 zL-w;sR$SO>JZOA+3&-vXIoQO%22+ci>8J$`_;;?8rI+0N@p&~>0?i5^ztfE9k#E_n z7+r8cX#GWVO1*Z7JjQAq4=T-aIk&Glg+Y-6eLk`-pKf|rpOUuo}9DL=d9pS5GKT&ghxL%EibvjLS{zJF@vOzPFa)@?Qc;x5K;MjQn_9$vFCV^=9 zL66#T*39Y*jK!1ZnvazXAT4^@)0UxuW&Ce6LFQ)O3RfI&}>V1gKKYzqH zn1JRP@CZ0ryz34vDj0aI)#)XK<3J-j=f9MTvOv1zGaQms8~>|*a0A_)RgC+EO^Il& zwoIuP_p`)KuNl8E!E^2!zl3AGW*kKIVk~f3rcPk`wja|sQV6#kXb6c=_zojNQg=WH zt6u{t!CkdM>e}POZuVt9%7@BP-u>t*3f6ceat8ng2rXfF;n?t$x>d9^_Zs#shHuvs zwZ2&0J;Eg}=cePpnBHNv^$dqz-Hcxfq>#msu)9JiPSQ7(-+``1 zQgl~HcJ>qSUS7%D#GW%azQ)+_SpB#CYNa7_x2*Db*WtJGwi8*G%YAnOCF#jacQul! z4e>~u1_QBZ8+D!|pztm69%qs@!QfGW$YRWu1H@dpGb=LjlcNF}x`TLaN)Gq;+I42Z zy3o=~!JvKXLyqg$B6X|sc&|PQX6tm^Bp%u;sVGzGzq-cFB~RJ?F`NWbin%ZPjZX!8 zE3vsYY-?Qygtx_X#kM&$A~tZqQJn7|dvCvW@EiU42 z9V=_SqE8N;GNN>h4CP3+bwlmFqWsIUHYu%qWm~Yl{Q?4aw)62MTh&qL-ClTw^xr;M zJ0*!BE3oo^aBht;0ap1-5Hjs0MrR#-EWbNFxXB0CJdK?vSrb}& zC0nYZC!evm99%fLYOqmTfTe5mbjF|pCQXZb4SAaWh`lAOJ^*7mK5!k|@AZOCFfrFo zJ8=f{VJC(KhIBQ5Y3|3`tRvreN&>jRyTX5=n3+3hH%3*Mm+h6v$2CxuGc|ESJJQj+V8x;0(o$V4tx+BgYndiX?uaKmCB?< zg&oCE9rj}q4P&Kc9o*<(qW(gsY1eKC#?7tb~GXNCiGr=Ur&(j0>>S z!{F@&^%f(rFfm$F_B7d2)+W#0$a|tl%=R!n`!d6IP>^8rst{AP0g{1h@9oLikKtrr zdnZnGXW*)6dt$h9+sWk*yfVJasbZwo)`9%;Mzq7YjS!*j^m}cGAhnV;&em(MXsiLg z4W>j?^?8N)Ha#ou>d| z4Y@7<_+)&0cwn?b!wsk}p<>lkDi3wMfBrJpckOm30uq{gq;mtzB8w?BDU`2}b1{OkkbxUZ6JL$)OEH<_E=GHZF0j~y=D5ai|b!nNT=4k(vITiscc ztaIGL1xCjJbXrF>O{C; zPG6Mq!Oq%zRaMJqHvHsm|+t+u1hp~~NiUv{9j&fG#!wrJj#b)q>#g7G+9o-Q3rEZN?q&LEHiS*T z=2|;+?hXpDJc)kjK2o%)yS^Fhku+|_?bhpvz_rxt?9+@$5-l2-1%EMsbf=<4UCu3g zJgR201$(Ucz|_kxi3WB?3tC4lL{-&jp~#1&02)*o(1hZSxYJ^!N}aD%2GuGB zqJbcx7mOp`K0Vuwr1Dih3B|&$% zN?TG`FP0Oy@aKRI#<3w~C8zP>xi32m#N&3pxYR81{I=Peeg0RMOG$3qVVI-m^Xu7E z(?!FzdkyzNf+`S*7IU`6;+P>&*q(ksrD^D7fOt07TB0xShE2e@5+RC639m)ESDr+? z?SYZEuAc`4+v7{-Sh{}xK;s61D7=-?yn|vba|!K%oyV zj&$Na(n;yHXaFK`b^h>JOQ>Fy^$1#&)lW6rM}naAzS~ZAU|O}xck4&1h1VthtJs!v z>*Cf|OUrtRYhCWzxoq2lo#?5{=X&?hMdU4TZ%?n+e{;o4{PYLbjqyWZx$u&G$_}?% zV&NWK`i*2D)0b|<0d4Pkq@C#z8{18eUqF(M6D;??a44be+y08yAuQ=7+(-TtW}j0(>R6fIe|! zVj*fKnl%H0^L|jRD$iN%#j$WAiiG7LP{>_W<2*RCT5rqy-W=D-a|It4+1nMXFdxOL z6~VewyOFJf(6$-~-SCgk9{3+0v1@Ykr@ddTza}+lbK_0*yy)AsRf@om^Q6d0NZz_j z;b{SepUqf+zrRtJhd)^)O z*#I8}N!dea-$!VnN-mlbG5NCWjz!B5-DyK37U5bQ99-Rtj|EJ@`PlxoAZ=hQrxY$D ziK6=Rfq1E20dM=l++5oRL~a%85_N>}75TZ~(pi>WM#~3Y@0zT%mE`KPY?}QT8P4`n*y7MVvQ-K72I9svF^4?LeeG8{0kM;!jb1SrMBM z-;I17Ngf~dZ#JsEypU^WJR0e)1F=&_7;#Vu+97j(i}^T!U#YO-0u31(W6d%ljYZbn+rWv+woY@4+AEZ^sExaP;BG1ZZ%tU!%DdGL*wk` z)lz4rP(efpU)uXM`oel-=I8mW^@poE5q0n%VULgDsccn(@bXCJf+g0zwq5ZK^Qy*# z)Q;t0HLxm|8{ujtbAJRjWFe3pJr8)>*hxZTRm@I03Ac1vB^8?PeCw^%Q*}R$>)_oXO zCZNb$M23u@Bgge1)@EZ;B0JLP=4C@~>)7`tXqPyV^ciF3W%z5cLC+ zhYqz9+(OVOSA=){Teba9iiQnM3@g?|x8`sxYDL%}2+fwjNM$c}C&-nC-$nSd2>)?k zr{x&r!-1BYo0a6OOi~RequL33K?Hm>=>S^O1a0R@n{YerG>a>*R{J%d@Hhg3lO@Th zI+Vwa$;!H^-lZ}|r~(nRMIBk%LVm%Xh+E$|QE2rZ_XHZ+Agvy)L`%wAsUO!$8j_wZ z5S74);ZRhKT^pd|ztt-+VDZ2N^eAxIxZMQ2BUy${=oo^g>O$|SEtq}m@p$}0y2Z85 zFZ5cTo%G3b6ruPCYgFIT_Gzb1i{Q7zRZ55qG3SM8$YD^%ZNmT;6-|x4yCg$2UzfIW zQ_7}|acf~$vBZS_z`?>JkrF2CoU!s^fc&tJHt}H8O>?Ade1~YH!n_=l+2X_j__Jww zi0#|pq`Z^b_#72)x&K7k%ZK{{aJqa-kyszem_9iM@`E+UX|r{|O4asx|V-G&Za!l{|YU8_XT zF@#)*{0N80kIsA?M`WVM5rOaS3(V|IA9vgGy?4>1c;*``Pp~y1!d^~22iMRmJ8kqb zS~Hpm_aV3p$&P+q1DVv1ZY5pR)=3lvKRZ#aFvzw03GKsiPiF4zFcd}@xVksH;-dt< zW2>b+uAtZdYN-aHdFz)Q32BSTp~sfua;t?+*KIRIEKC+-UOkbRS5#GWV!8O~DS>z1 zjSrPw-*y%HE?#c=JZu+ByipRK{)Slm^B#qd3<_w_y;Dg!CMt{|V(rBxlp_%3IrRwTgO|x6@@u{>rLXyxucB{|)46#1J-C!eAEt{0pmSiT4e<5l@TLR+ zv#Ms|Q3sMLIs__Frp^sM_!#&@R#G|;BknlgimIr1coLgw|8rkSX3lx9Yg)MV|E2&1 zouc<8ZU}zkKuZYH61@42C|A}Z(VlNvSSDSm_b%sdYEJU_vVD$Cf=2bcqAHK&IM)bIIPATz70YZPZX_=Luj#6mJmOPyoX>sD!dSQ)y^`@_Q!LRy)#eP z)RaFVA;$FL@}m6sKI+MCyK?O-f4La^r3q?Y)HI%BWfNzDI0~X_M5HB{v%himZEM>yd~t1ipFY|C_CHhgiA9&yP%8 zOqv$nyhtzU-0zb^2t;}UMy`4^3GozI!B7^pWveY4<3sq_BJ4!U9)> zw(QMn8Wbkoq9k90US3q253bp7KP<*|MR>)4Pe5f5mI5)nMzZu{%1s)v*u|1de(?2v zzsIO}Ckp#x?oGO{?x|wGd&z##4x>?x;Ox+Q7Cljf%}YS5v$v1M2VoNZVu8G3O$?$P zOo zF|(k2wOh*f$pHAwfqIeEA(9ESj0^{lzzNVvZbNwkJ?^uARRIu(YHY--d4|LBLf{3} z^Crh%6Prc0@?L-Guu)QrPdyruIV?$E5V2y&qF51{++T&@>l%*87q|Io^GfQJc{w$5 zF*~?X?+I?TxS2X{KkZ#4e~CU6T7Ugp)>vhTCQe5iqGPoYi5wa>0y3DzfclWcN8*_M z5U&m^Ka`e!;yKP9$n5IwaK6B|uK-uqau(b9{wiPEmw~q;YCkIB=^mwpM@d~(8eY2= zq)wn2O@vF%j9zlok7LnX3=!)3dv^P&n6U#nxy7urI(@TcvHE#oBU*hOj3c<@;o z0a%j`<>3;7phI!ERzJ^UIhpwK3{<}ScgXYKkL<+KBaW0%bvTSb7`Lb+EjmF~UU*Q7 z5B%>ZdGHuf47}>!EJ$SA#%!S%=BoANP4*nVv0GW`yTa&~a6b$hfNsHm+0r;%QsxWG44a-{tE=`WJsXQ z;68J1u!Cb9=nG1^=p)|&`X*Sgg3w4WPC8pX9$0)`2 z>w`4WW3ek2AAIdg@E$A*Mwv>vH4a^_?&8qXzc0Qic@wBXK)JiaJh5E%>s-YN6^cgX z0;mg@$u%584$(DvVU$XRn=RFB^$X<7pYIF4#n;zCj4h;|S22jINUPGl1uudg4L}}y zN3U`eta3Zy5}A(LD*UD4V4-8vrt3CCtboP~3Tv_3o4usXi|01X2 zfZDaqPg)7*mF#^GB4?n09A$wsI0c(d+!~|gg(m9=3&LsAy0pJu4P_I=fj=9ob5H{Y zK7Aa`s!?Qn2=u66p@QIvMa}7yP&YBW zWso}n{9EYHJ2!-M)5O(BjFBUe8JS2F6$i z^a#f2oo^{x213s=tEjPIG zycC_uR*P$e{qY^qj(#e$8H6r=kc_^fuMMR9pMyD9R*kF)R=ZOLis+s>UwI>f8D3(n zIp3nu4WolwuUr2K36t%9p*x4+6==#rwNU7{GhHDNY6XJ?M6l)HViRVb6k#3)v zg0cCzUlng$Cv8P!uu%}>yaFMD79cJcQIwEw#$xdq0V)IXA|O01h79T5IeO3(f^s10 zNOxIQ+AnM<%c5NG5HNCdLynz0iVJzyS5(AVObFj_i!&f7-R*@=zhyL+|VMZhBRZ9G-;V%3;?!?a~?sb$$t1(a2 zZu*glIJkTu*9*DW8}Yu2AN>*~h29$e;W7DeWMoFnPdo*=Bb2uJ)IVLi9qf7UhJ;kaiMTt^zo*bYl|MgM$Oau}Ax6 z2DNS$j=C8Em|^9^23jm_)mce_ueZK;SeqrD(RNJ~Jpx_m4n(4iSO`diYEU#+8v!7; zGg_ffA-MHPdgmcj04=;Lpem@x?YKBIOzYU^NITH?Hg;gE`OU2Rx9E2RVt%L{5?~X5 zvwqPTzE$c^Dbf$O5a~Vo6gr1eUaUHoy*v_!2nhM(9 z0?&{eRbZTy1ti@k+WKgOL-iB_Ucdmxy@fIUraXYk@iNKUnp0rDtSg=?0xZCmp$0@H z?t=;}@Db@4cP@RZlCJ5x@WxRjE06wt6X-&0|07t0EDF>;2ErIOuDW9JeIeCJjz`t( zV!(VXpuBWMOnnBzuKz)g@`|BgpJx8I?+jScM=doI<NnFaAS7+msXC11)$yzZEE+PwVmySI@8^d;q30fw2hqQ1&GLWA2XYq9=14T(n zz!d41=)O}}`t9n3vh!)U;>GC~K-ptXEA{qmPqM3c$^A@g$fw$5%;3A27^QVk6B>R zFGhgGkrUrl2v5EF^%u8(IE}@Pxh{Q#ZOM~b5d<=TWh+i_KJp8`)FK(6^v z>jSXk``!K@hq0D{YcCFL<=Q=H({yONztyeF!Ch7M%Jk$eCFoB7l!M*~N+^x^LXJ+- zOzQSM*3r;{MaEo)Bb%>Q&eD)-dFQ{ZALdM2jM{Sr3U__w&z_gJ$#D#JIK!xOlX z3cpB20!?~I7j`>ox3fEHodV|&3~OK$1dZzaP*Jw-y6cfn>a#Ensk#5tV(PspW);i` z5_|tkJvjYx-v$HU>yh8KZ%ZwT@EEp6igl6ep~as7V8tJksXp%3IF|^ z*8;uuf0z;AoQGlUICL@RgSp_9m}&Bm>p)(KtU!~t(W-|=x-GdLlWZ6;smeoaUl!K~ z3DOv_0D@@%L3NN49VZQz-5WcU#@l=1Iu;rTN*?87s0oaqB9+%fcDQ{#@^mA)ym)2= zaIj!S{!_SNu_Pn+;LnV3TpNM|K90B?8Sml48tQ=0+>$HR*u!f-X||EsZ>G57sFPFF z`HTuEe!p1>h`k-){l81(n8Fmg58nUh6JW0Jkggo&Qqff8K3UWB2pz|SYDN_tmk4tI zSP{7V^ngbmXb695i>!TAh4cOkCa+g!)=P4VzSI7ksdrpx3GtU*Q!|wW>$Gr(b4QG^ z2YYng9}Q!a1NhwA3hAUz%{v3O5PHO5bqYQSV4(JU5J21z&_45uW-_96VK9k}0ab&C zoU!|70u!*0mPKP1BHhZ~m?+uz?K|OYeU%iId*_oz(}nZOfF3WpV`yw;*2&z?vDElu zYEetVb5&j?e$aa|f#{^>M~MnGaODO4FB5mYD4a`!R{j2F2%N;;9`;i?d0x@UtwZ4R zdk45KlaUiSCVWu;fWiBh7~?-Q`G^Gy0+VUbK!s8TzykCvi$ie*!^}17{h~k{Rac@5 z0v~)&e3#Nqh7D32e~#MD7j~NO#;(wW=WO~@?ZH{#|K0AZYk;31Sn8Vn2n=bh8Rd(2 zM!4UHdaA82M$yJ+`g{X^kyypiX$zdSpTyz}lHUM?1K2!*RDz+kucmB@o)2^@zkB<| zPaX*x?(w`^aB#u3dPa+uws3Lon4AOsAeV{s%=l!ms0iw(#{2%rlBFXU+^qYTg)%hu z2x1At7^~O`R`Kd}s(~CHQ(Zz@9DuF-w&lVlQm}WXhlPt=rY9+ZFCESdmuLLdvj16J z?N?e7zyWZ)0bQ@4Z4BqYD>}o|69MrrlTE~?qxx?%dKe}Kv@ZwlBB&E2Y^n(zsjJcX z3?6a4KP5$5i)57?HS;Q_@YM{qWL`g>=S=fC*bE{F@oIp&(53O4LkMvHdJ8XN#>s~o zP^mSUQ6FisI8a{k70GuF8qf4Rs-%1LN`>Nc?dU2b>cLdTdXdr2;{fYde|_dHRA)e> z8Soj>#UqZY;8?=0T}L&MKFK+jK2#@?y4h*gv9%S=_@;OHa0$o|=bkNEH6q4#D|J_| zMmEWhxM9MLo)l+z-#r4OLB974n@#WrNmzzqG?eK_b>2O>Tp7MToZKsmG%~8_u-mo< zuS^-T<|H?J^GYe*#y|WH?y`c2ckKq~#3z40wo7>Z;@%Ny^%o&~)Ls}4{Y87>Ep)oe z=y~z-wwPW71$DS>2KE zq0{C%k_oJvE$N5+FJ=4#W-|@N@oh|k$?D?VU6`7xxWv`hl_Ra@aXE;lhIx5$V_bf3 zmv+k2_K|-2>!7bNcZI1LQj)a#JIM`CJ9jE4e$fp1jv6@v`mBZ!=Mq84fWWHAI|AJe ztfE;(cj)7!DaO*XNrI2_C|FBH7k6bqBCe8nBk6bY)}7Ra^{w`)Md#sPng4RCdwa&_ zywUkG{c=UgstwqJl&(UDysko46yX7=&5}Nqt98NXHtjuUjK_KfJAWKlnR(_&7QThk|f}kgAc-IeEh^{GQpW_Gb`wI z{sVTKU(+GPH%W#YF4+q8mvL{@ad9dxGZL5$A2m`#S$k&=exQ%TidFeUJht=pMD>26 z$2*tS^dvKs1lBEvg2T{{pxP(~hybH2960bN!J*K#AaDX4=;th;7C(57J6(Zo?i%hU zgda+8_Z?7lx@?K!I?Auyi1Ih?Z~4iEa3qj+ybV0>;_d)^_QDP$!Gc)*?prjs1JiBc zn{YOVpEP!|{1qILuT&Y^^{=3(o#S|cb^Ia}!%2ZGsim|266 z6;#c*Amh@G8p7F(mT2^u{HK6pscd!v6i6C4G@nw(lyTb_90#4fTD|5Xw>;JvRT0^k#`AC{^31@ zH1RmqM1I}mQs!p1Kg}b;hX7>a2;wYzWkL6xzX6dl`)tU$@K&d?ZDBE*DyVNsOVy`0 zPNSFJemloxT@|$ZCYSz~KJyjNJ0#*{_S6^uK$N|J|wI<4Bk=$yNJBxPhId zXIyB&-%df?n4zPGbzvtMF+4y3ifU()SQ+CTF(ny+5pyNifBK=2{xTwGp@R>HnWrYdvB4e;Q8k9uAmNw#ttBJa{Y4{Myh8PI~}$O5UK)iXANU;Xp+I#8UpDae{qM!V*Rv1SGATzT)yB(8L{?ZT+BHA*q6jdK9{}K`;I*i7 zxuTm(pR}MDPoEp0H1F8#237M9=KvX;il*w&Rm|U?P}JJGplfW|L(e%&FB~rwu~n?w zZTq+s4<1`=|8)5MgOna~vLhht$G7q%I6uKs6CWmN^SuV_98WUSvb-*L^5WiSE&;{Ch*hvJJ236h%I2Ob-dyth*i z7>$1#)k<}JZ5@Qt>Q2(r2YrJtBzYiv7oR0U56D^PEKToqN!B){N%<;j#V>~*r#4FJ9ne$HY={WGXeC>^AS6om}^3;GZ1n*AZY zbhXOJ6sq!A_2!rSeeVGJ*YZTTAqejkD~5X9!Hq=My@-9h)@fjia4lP;6(J6H==xy? zbUyn@_@1JO)_r=)V>b<7GFFSv;)c>F&vD1>k!7Q*oFob_r0xE^R{Ld~DrYRNH&3pJ z3%&ZzPmo3@wgK-k8RqY%lvV#azBq(0xZGP0_i@X zN+X~2L~DaI97f>>Z*Be1N{(rbP?Q?Sk^K$_QGOdpUlfAbh)r{@#_?i>VOZldv(5&4hGQ^La~3H(HUDElfWj@B zpnbmaz_!$frlsW>j{r)hn-XbW-Loob8C(B?# zG9gcYJVNn-Ei&Mo$fy8f<6+v3ZwHHBd?OWM4O-rXqF9?heYS#075ha0|6CDLnEaP@ zi}t>M`BJC#Acu!yPERN+sR^JkhA|%UOtys()gC(2CoS`6{g2or-N@1FD*0hAh6c#r zU9<#VBp)IX3V$12FIC)4r2P}naBU*B(Fx~C*1>S*{btKO{}Zi{#du|U zhmnnf^b6Dja_W&i;y^2hVsH*o6$hsp#$r|;s3&iigemtQ9MS)GRcJ%$<6-MR$DL+l z>z&CZ4;0-13Y>kLqhbnq6wfp!Q{-Oyvg18EvoY#2dYc%?J`Bppl8jNPkx`Bv6MChU zlQK)cGVKz`khJ}Bo|4jU?vG>24}sM>k8*$kdpBC zubS^fCyIF#4L%M0!KoxO1hF8CDHaGcL5{FwkgTBjT>8XV*l<_TWbXR~TdbS@xG!HX zy#wNQkhazBZ!Sa#W%)R4Qoz&s&Ef2^ITUpHgDL8ANz2i3~0Yt+8u_gfimayQ-J(=~g|pIzaU`d6FEg3)UoU?KV2Hlu)&dmzis`m zl>tipFISS*XV5yp7oiv|tV6Y7CQg2Z?QSQC&uOJu+zMml9>6l5GtV~h%tjH!QR`U` zI=*^?XE|iP9RB5{DQkY`G_nt4o}6!I#pbp`U#co`pdv!aX}s0Vh!bgd&>;Zo>^U$f z?*VEH@Z90bqua105)gNSF&snin8RcLiQH58e9I5(!HTKSX_w)b18!72s`gLqH%=?? z$ck%5p7wvL3;qU!gg<+RI8_}j@zY>BI~j9VWI3XA)vwhI|}AuUs>4Z`WORP{F>r$yv}6 zJ!?`IX%pvUZ!x^g!Q2VP>+jTLgdY?@AxF4@!{QPO!46s#rN>TFQa`3Ym->6(`0%P5 z8prI4k70h6SaJEN0@Y@3nHNR!zHdEQ9r(K>tKNa2Kl|Um zK%pXO#ETqIBzxrz40wpCbASA!g^XD`Zot)fFPZ?t+wZ~Ai`cz7I05Da=g^AVY8xHY zR#%X{D9nt`>@}P{MmHx^Or&ym&0R4QF?=4!0lx1gl9>IwbcCE0`2J%>i;_m39vf=hLGwE1l%L9`5Ue34t}z_%w|ibe4t)w^!kCaI~xLT zdi?yfD!$Bakp%Q_&=5KeFc?`t%37Q9q5^w~KdB=ZiXg`ohF>%R&s!o2ltj>!k- z-&t_RMk)tag`lDH1M^WHUsXwx%D*D*=}GT3WrLT}Cjgib1@}s%`$VzN-xv{+l>kKm zeco%d4?ZO^ut4ooURa^evA4edN7k`hu%KXU5nIm1`*V>{KZ~ba?Znt*ub%t6%wh|?94ntCQM=~ zkE6-lGhWK)^6a!q+ZvOOC_>I3Idwd8G%0EJwfDQ?y*=I=A%=f})7= z`(bPgECGAtKB*U^vo_9?UlfO_O!*=xwwt(&B!P|;ZIAKs={6H4sT9`<6Yn)s*Z^dW z_@C%Q=sSZXkBDJ5JX`T<%vSJ8s~@W2IH;uD)i}k=cyhIXC7yt(}JerVu4F00rb56+a#gjrBR(oxu+;?yD8AkTGQ=1oN@NXnK*_a! zq4lv~FO_E0PT|n$0woj|_)tGx-63*DK5Mm(NBWN2E`4WJrmQ!|78Tp!v(k8Yz$=i@ z5#?f)Pm$ux9?WM;aT)kxRyjIZF8g;;yHp<--S4I^o)bfAG;RrR@V`!V>=vGJ+|EHi zYkMQa?pE_zl@FU|n^L#_7>za!4tEp$751FIjv$11nE@Q&jONN99|KW4igGOP)kU_g zmeiT1&Cf|iO@jh_7+F%({=}G>DUaC^$9!7Wkj~R_>zP`W;P#h41V==bZY9mXsAPZ( z4=yF{kV**Yd~Ubpu@cwJ`vLbI{yA_=$DA|gPDaJ1#YD?dn1q4MoJq-~TYaVyKH$qX zi+uT>?R0s($!+N8-Dwjt2S^ZbUd=BDj0_1vkev4*d<23JuN-uO_T67fkUaCV*6Xoj zU?nnw{;y}N_j{1}cfAm-cZXwS%(cktm|UncrM1TU!O0?f$VbKK@MpnU4gYo#_tpLo zDgw-M#z78GCivT~g0>wwc+jzTG0l4DDja9EJLtnYEe#y>H1_=VYlT7EO;F z%bpunYoAr#JL2gy!jd%--M#s}sShj~Q5rKO46fE65|^wo*(*yp@OhGsogg*@Iu}iGknrEFCYr5(tWnrC>~Vr7mNoSSx#M%G z>o`W*c{*^^i8cCZ0*xKyoNeq7wYKw4=y9B+-prj;rMRvfg>>%>zUjzSyp1b+72)rN zV$$OwjI2p}6`*)XPh!8yj^QU46hrx8;K23M26V(*=|(PJI;16t;(oV1?4nekdf1m- zQ&7&%n%XC-hdNf19*vvuoP`A5eT1`y1Y3iyhC^U|(2N{yw_Z9Hak&J&pecucBi$2U zIM`|V6X`r)dZb5Nnm|KbhZ~d9`FX*LHh9b!791Sr)ts}2-*Mr2!0nie6ZU^v2%m35GK9Aw zw_p3V12d1fUc_;q<@d!ZR_W9#pWA4-@ry?bz4EYOTWZ8gZ|sN?nVEMFUs4CxMn1^A(YY4L!glZk7J)ZUv` zHWH$ZIYOL=8x9eDwZHt_p_xXDd0miT3S2x=4b_b;;=}l)?ZxTq5Yu#T(oL8AM<;ce zY}+s;gYUp)N#x5;ytMC-(0kR9EjSx_q*E*z;w3n)8Ke93336(FiYWaCwDor>pX{j@ zzR;ZYmF5ltbu+;)hu&3qOXufT%Gb_y13ST>CKe2z@?@&5h$nMIqzRRV>N}s1d^_JQ z@X)ax9k`o!a~iydGqwzPa3F46GsiC}^{?!Py#b=WSbTQ#iEax3L;LhVOhK@7oX|n- zFGs>EODEvx!yZuYa~>CXQfQzT=BsX_8%hmQFqGJ#G5@&YQkw&alge8=4SXDw7O$mAMa{^(FtJLL^4 ziLul}dix4JW1nQ@f3A?+sx_`RT_8o&yn>+1d=&7nhpIkq zHQn7jPbuo+xcMIFRAKOpupSbJi>oZZ>u@%fbQNR7m4rxG*9uBn;rdCiyc4t)AC3?# zw0T?GL1}zWdOU)h<5;blyuDI&lB%X9Q=_$!A{HdF8p7h-R{j;M9`7JPbVhWII9jtf zZ@{}|23M(b!8T_f(sM4mwI$edSZMuR{n6%S4@AK;sBCUH9xKZ;ZOdL@x$i($ig7Hv z?!yLd;R9I7jhY4OxsN54=LWaituIY`PHWZ|*Qh70drNrQy}2tdv;GO;>x6wqohwqG zqVz3ozSckQAg}ObrV7oaM79?i(|R^+SL-^d%A>#|O6X^U?@V+4S6`9wo~GBb_%+)q zfw7<1#U3oM{wO+$TtisSC~U7e3M%kTF z9g+QkB7KjnVU#7Ga-%0pHWG;U#KS5D=>oUNMj4a-&6&0Wyo!HKb)Eka^=nIaEKEs! z6`nCK|23Uwg_@1ecL+A2u)m2I?@k{kvB@!7b$)PGX*c6Kju{Y}W!t$1ld-N0u@u^< z;hZK5SUc#Ee&sfq=;A35IvE(@rLm}W1+7R5oJW^mAAUz7)vBp)9oqZ#LK#fxM_Lqo z&f>mER~MHWKTucM6j-|P8u3kx65NSPb{yGAE1d+C8#`N&adhCyN59587r}o$u+__C zuJa+9Cd&NHT-+wpvQu7jF!#7!>-Ea}06_5JDo4)owdB|m@*Obc)Z@L;`bkAgIdHn< zL>x_R_Ev=&5V720>oE~Kupg31zS!XeLlD8E5c@Edh9JSl6)T>Ww}Uv^_+YM=F^ zEz&|%t9y3M`H!@&HTd{oui6JNZNqJR1SnZ|5fb;Qni*y_zQny5;rEwIJ#CE7 z=TOn^tu)0mS4WYh8l!4567ux*z-o0qOH1d^w}3nMc_g85g6k$~lOz4uSJJib-H(D2 z0!tR-q^mM~q6i(nw#Vj!aitHnvdYpp!`h(BF#1pxuNIdMJ&&$fQ+j z4wm%!StH06CM8)q)HnkBU>Y+5h-y+U5`m;dZrEq$3 z&U3Mq^SCf*`n#e@|ElZ5;?KkSz3oQ-xNRok2c#UeWXBPPype!kh=vM46_As`3V)v} z=`P*11+V@^dr1oxt(LGx6-O&tjy;M>s?@2eYtLNXi)ObX|NM}tc+f5XPK#C*ClQQQ%2&`#LoZj+f&)8lXQ$B@QG4v~0pym6Z~VWd#mtN) zOHk;;Zjel880x2<_aC2Bw?C)_Uun;#p0BnB6*=uCKArJ{j_o)Ft0Kkpbc1C89a2DC zO`=my+a7zu*T>lZTIRK2!rb7!D3)2=9ufyW*++oioyR<22D``Hyg_Y5L%eL9AL{#g zehB5te&cZg>dFMgRe0b43Mhh+;%8r3K74)Y{8bNdW4y}lg6vuU31#?20XI z{%1x%@$f9r%MI#|6X3Tb31}XhQe`Lz&1xy7fi zj`)}224O^8^yA(U{qsk!pO`;8Zww{3M_j(+&;Xen4g1y1)_4 zOi3E8+4x-BkkpKIp74>_+|hVAl+LIR;;=OyTZR@%eSO2&XxuGw9fE4BVssaOr9Md` zcHp_oATLCO#*1BSx!#09g>M8zy?8@af2JlkRhnnr=Nk4R(Lrk zNT=#7{-kLqo!ErCEmY|BE!M+!GDvjO`=xi`YWR;#`L6vRczEiA^5O;s%<#=Mk3!-gGQZHZt^AZk^X`#0B$$a)e^;x_Dd*PcXzHFNe_>+yfjN^BXR zf=47_&t*%m_wxcUoVgpK9t?5r%=Fwk47#mZ|3Ls`@&OyKL$f|J`DbaMfqhr@7M>L$ z(CYFt$AuYzRwtg5>^53o4wwABS?R5EemV-h+Aa_=fv4NQdCbSFsd;f-ZcUT~A z{)W631vC&4tCT0zvk3MEMcRnTR&QH-F{REO#C;;3urW}2%&1cpmiZzvvUZh$i~c&s z);I`#4V0q-=(s&!yF5ii#8BgA46verU9JW;|6VuA8Wl;(Pia2?vsA~S-2$~=?1OQA zRstl@%u^f%ue8uOzB5(TP$(y5`|o=Sciw7G0v%;m&AOC z?R6G~vkEKft)$Pp2fA%{E5D4GH&Eozx9AH$+OEd^i#+D_dUVihI$$C=I>GyEUCLhw zS5cdDvoo%~i8SF_zbl-+CJizzp7u6-quC?B`0=}Iob;`N-5mrHmWmqRF8#EEJe@sI zMZZDD0gX?6cK_ocUbc!d-*#IcvmxoTZ)8Z?jGq1gw8tu$@n+ywBRkmbGF=_(Mr^J@ z1KeeAY&2IRUArUBm(eM5InBLa(AHl2(Mo z-&5yiHG+V;6Zza=cdNSR%B&qDv1XdNOdGUGvGG-$;^9Z5PFqaxW@S*H;@;dNczzTd z#$1nD!fNb4R%)&OoH~J5Bk#NNcviJ*qYT!+of7-iF!%XY?TP2R&hqr=vp5r|Xo2U& zH49?#dy8v;^31sbO)r;9Zvk78hn5TNm-1skz9mzV1sd2n_hk!B6P;d40LcB?j)L52 z=&@#58Dk}v^I%wAB4MzNva{fm9DKiz4-w>q>s}UySy{!|8O!vBizbP{a%wak3n%2Em6sL2bsanjVL(ti+MrF zKoIVv7yNK?zDF+7wL2_xI2`|t0y*OE@)z$-bD;3pT_oQaa#yI3>ihj@JLXoAy|2iD z&Nx05K!+~4X=rKjL2~AGLV5 z30X&9&i=|W{>{Y<+W_(*q(m%SLk!2BFAcQ`7?*3V_R0A zQ4cX!J|AkKdrfXrZj*rwTn=L#!+aa8HFI-RR|mTfN-HE5_<~9|sxK!|$iGyH$w7Wm zpSIroIvjnvFJrTV1~jyRXr$<@M72Y;)X)X0fl~8>5!Tomi_+& zM*ckKflVnlF#4WbiKr=s+sj4hLnZ?L+rTS)EomUIvSq z>oaR*XODNI$|`2DEZLNPF4B=T4vjb;8n-LqD9^lk&XEaWq(`Xx$bzR=MvR=r{i%{c z`h^;p5UHS=r2tQ~evA;YD)dVCjM}c)R>Q|Vdt4;xqppUY%v2{7$x@GH=(A@F?>nTZ zz(pJl1D^S4qp!%c|9hCX&0w%+15&teNkd82?0U@*`#zCttq5WUwO0wxZ!~QJ0MceJ zblw8m_4mrVF$J09one=5DJrD0N6yyhDV(qoBT7%BiS%YA`gZkrl4AR&#K9VLB;d_4 zMF=i2Y39Fqy(3_0X+8Xe7hXrWXfw#chkTP=PCmuE;Q__`lCC;WCj@L=IN#Ea_upLZ zJ!Pq1dZ&ZQ8vXwXL zv`@+dV%?=a+Ql|GItnIakj9Q<;5s+b1SHes(=X@8By3z3Nmn`7o)7D%JSWVMLdF;l zmBW>EvxaMFEr|u^re^iI%}dpxFK#vmsJQ=cl6jtXr=TCe?+o9qENPZe^G!`56 z$Zx(NM}_09qof#ffjJ;nSiz(w?u-3V8v0#F11t&D!vD1o{n{(Qt4GGiC_<%)9T(&Q z-PkIi=}LA$@KXuJxHkb`YZr-g@cxg`=f4-4@9fA1)xrPGX9X1lpvnA;&k7P5@OP$5 z|AWE1Wg=C5`vNA{>#{%DFs6nE1M1GM`2s@65vrn{7kz+EerP_za$SP6p1r`vsnrvT zPv~FV_H5coYKo;CV@(>6jR$b~*Gk}VyB6eSyc%W{-rsF_AS`U7(35_1O=nbxC!k?I zRq0E22c;f&$(HWhQ^g1E}C{RlD{j#>9`Q)8_9#-L)1(RMkS5w>nt0J-FF?JIC zU*8j12bQSKMcepzo=z;~=>oRg?y-%Xq9~Gg3nfRVY>|662RFO6iXQE#X?V8Pn}r{i zoZkq5R+Z?)a(@8}1DKoPZk|>+mv!aEx#Le6pnR=jKWB8|M3zN@u+j%fz4G{4_CJNu;zo$k(iO_U1Q;syD02GQ-F6`E|(@0RSoY==g2IWM(!gI$H48--h z2i%fnWh^^P3@YUfg>zHkt)8<_b|u2cUAonJpWKcg3i7SP!nXVeB3QNT&jMaEDcEqIl48{K-4pgIaHEZ%>HITB;Hc-;t0? zR}@FMf7h(j?Lc?wO$J1#&f1RKP^2aUuGZD;+ygsm|M$1y^2*liHN;2#|7#*2@-L0Z zKy}i$klO8A(>DeW0X3)<|9hWGnelfZYcn|4M1YSP#ZAvf5>4Pzpeg1$YK9t z6$Aaj)W5t|lGM`xqbJV#_`75?1qN!_uC04?!nE~2Vv%xmq+h0mqu-EKFgmO zztyM@y#HhB8?^SX@}+8gy5z>Mh~*M~e90N+M8}_1Y&+^Q9_dFIgMk%lqZnL6ij1kC z0ZXgDcA$1%6(LA5fl_Atg2JgfI6K%-EKLtc7nIUByQTB)HBJ551yCEKW~n~z9b`dA zB*JqEON<@kKi6h`+oFrU6zH$Taj}|mPyAi`z1D#t7SziWW(|F}zv36dQgE5Mh|AqgKlM7@GgEabr~K1okNUn}ieUH6l^}A+ zli;EvPffKsUs0EizT4Ei1il;m9t3tO2^TKCKBizfoe4G9GVwRKcSJPRolDjn-boRC zW$TRido--fV-U5TxG@s0D%TV=&74#Q>VOICa^e%so^`mQwl@X=M!J$w`zGnt4OxRC zPLv*7wYqHV!Oij&yC>sJyoDQP^~ko1L^+JKMc#lB1og z`_B=TZx#D40(@#`ZUYQ+`K3qG&TUtYf5JQ&W*Cr=)b0!npHam^HU#Tso_O1)J!5o4oY60&7G$Kc5B+uX)tZ8wt<1 za5KKrA0*z==cZDUJHb^rb8(!%u)6YM4gZgiR{SDMNWN9VEscly;fb8i8B5Ed5GQuR z_BRW~n^Akdh^F<`|8zA`B*B_n9j^KE?D`^T3BQR|M0HH;T1yUaISU;7@pmkzEUk_4hT-+ zTu(B*+v}vDb$P!C)cem}87b=*{T%OJk?tGPi>+&c+G0lnx4T`=6w=c!A<6J4xK78v zayG$4rc952*Aoz#JsdqQnhqZ)i^Z zVi=2?>Xu&kTYLpBa3lCkAzXus(;V2i^s#!*=qi z34e1Jb_z_7r?WmHiiai=9F_}L%j-RCpXEFCP{%}G^~*u<1;jABPt=(x@9Jdw(NuDM z46|eX*h}jb?H+mYQgH$Gi3Mu`{1ZveyuZK_ADiYVZeP2%?s`x(A^wR4*l;}bb9&(P926uKRt3JD{{1T zsWS}s$ZC5g(UiJg60ClL@bj+AWZc`xdlHdKi8|nmMJV)^Z1&}TV+WxxX5vRcLlTJE z03KWjl9e608@wcwcNV;A3|@NOmS=JvVi~ar;p9T{@*)k76z)&Q_|8Q~-HX%KgtdHD zHTCY2qT1VOXRIet8GGpoclk_bIM1V#gC=ApWe)TeDEIX{>Py~5Z-$X%p?31Fh;lar z^G(ebP0I;ugjeM*ShvvO2K0E~-IS=)T97B+Dr1t6eSRDqgu>4cv|O2TL}=j}?+_wrlUSX@s{?)(@>t{TO$qb{d+$ptT|5mhXpKY-<8{2L<)ndEE z8*+0jx{LVm(dxsbkw))&H%S>tU(@5ms~1PUc!)_TJmJDq-fAy?P*7!EMkp_?P2o=h zS%nGJ6;R$>z@0oD)$~W_Vr+>RH1VRk&w3YX`7tdmLw`9`_uVsC3uFUi!$s19)U-dI}LNDm>lE8j<@aWDl-1N$*E_ca2s+8@FOSG=9bh~%n zPVRT~m*Z&fxMv zSY>y!LD-(=^K#{>F>gplTYX5(MWsX*aI1DB`42$$U`-N3ScF(^$+F&-6?}?J-+j)bZTu5- z&R;pAP$e+%2p4))^UlIWc6V_Fu_4X}Uqn9~RJF`!O%gt5qvV9XRqv+%8D5|ALJ%z= zSA-R)(mhnRogLAhK7Az3X1#6S7*lUWZ@R9@TV-b^@E{dzU*{KjL`}C_e{hA$DSSt3 z!NVtgMwlwN>h>(v(WbNDBC{En?TM9VvVQrgd!~a6ncsl|{LmKT9w|15AxL;$4Nv+( zV*&5B&wtvHj(3@6)-8aVbQVo8R_Q*->iGdUj3V&mO)lYHnhDcT@~FgiJD6^W>H zYFjq-?K%s`UdpPWEd2)?<|8?33HTZ&&Dgz&p@n1EvB9zK#73r4o@qyrRg{I#TVFq@ zue-EW`WQuohgIEnHbK%^BGIiKbmp40@-G|Z%5(A?po{+$atJ?F%( zLBMuq@A4xhUtRM9ZWa12mw(ZyIbN`_)%lXzkZ~b;iMc>Pa1KG8!%HT+^i~=#PCZX_1xl8=!PW7fG zRyq2JE)`$K^V{{N8|hjq(F)F-Nr$Pr-Pfp^J0zmpIDzT9Wj7tmxEkhlvF91v&Je%Z zlxDs0rRQ&qLeuXh9X3qlwWo?m*j5LQ9NYA79M3aFN&cU1Q`6G16Pl+>zir6e+ZF289IoAQPPji4z{v5gHNhVDm9b^F%G{4YyC5?^XsGex!qf{c-*mgqL zeV#O{pQ~o^v>xV|zZh9CscGaNc{62`KQmAO7-worgET1^+@3^w8;$l<~>R!Zf)eZyfv6VS(py)V`4GCG{(G$6M!Mhj5oh;>67n4 z+RSUT^b<`vVhhqXzmB(I>wZ=S%!4uV_F}rY#!XixlYZ?pdHdh3)Q2FCsb(SDO4$X5 z>{Lp~iy;urZD$x^{W_tuy={Z`G+$Ex0Cdj*Nc5d}BsdqY1CT=pjrWlgkh^!z1>|M_ z3PGPC9A6+OfQNjl^%bWXJbIGuS^gKsB9&d+Bn~Hu@@|Yod<&AzVrf^tli3gxeXm}s z-mSTQB<3O@4IV^sIfulwgy?^q2+_|NiD79HdVYX4DgJ2eM$7xC<`8+xVI~iB*DuZI zkH`WFX#qXz!zYRmehsmUsx~`Mf|V(f^RyG>8^05n_q0-`d)Y;K^L|0nuXrr?6DXOMjw|#lO?0RT2T^*T_&eZ?;&#m5Y{%@`&9pyjAa|Z@OgA%}L-a21Jzz-R zHJUG}WixOyVYovMPCVir&k#*hnLin%(t+E~E$xkOd@{oU;(;9q)H=Tdx9sj_2)J3m z@0*O7wTM7ztaq>H}!w8cKw!917xhu-Tr!Ywe~s0fBgJAoK>k?CSsm`T!30ND8m5~NbV*&N$bZ~^%fr@GXKz^iO} zk=V_QZU#HM`iZ$QFi87&`b(cy4_@Yjesbp^>JsnGNr~(Gf2Tj)Zu+eavRmLR!cFBk zPEU>+bc(za!EBVe6M=iBvF!+7f&>vQsY12q9ot@Lyje-bU8o(c9CID4rZD%YfI8Kc zAr9QfaM4ca1=pJte3t1`fR(S*Y0|NC`TV1a&6?VxKz+FuWYpgX6tA|JFaOjUUC*jvi_3e$e-PxHUc6yp`I2Ydf$s&Q zV#l8yIBJObEB%7EpABi1dsccYJD0$nt;`@M z=kGZP{VNj%Ar)Bcwfdbr=eJV_IL4v#$VhHx61+<%F;pipItT)tUimf^UvoMgtip2J zG|sPfd``m;@;yLrW6}*&VEd|BH1SmVAF;>+Q^bW$}@cz;kSUg-U!oAGu`W#-2dp_WP5{5v{Gzvlj4?+ zN_F93SnyvsSLT$o7B2CPAdm`z1Naw>xik|RII)oBr@cYRzZHH#T%E?W1Z8RB1j?z0 zsi72E;9&sonaXMzce0H3F=cQ~{6{L@BJdo;Vs{JV!*3_^@7Vf}lhG4ork2rv2LKa( zZe;?U$S!=#<{#vABi)9X^E{6zkHS=YnDTHI2}-U zsH_D|VgJL429_v8CGt{&v4iEDe<5-i6{YI`vo}Zmd6HB^({+I@7kQP{&HMF?tT#s2 z@S5#&K=6<0#J&Ew?BC-lz?Eb9wy0I$DdYbnPe!sJd$H=(u2ikTUQnfRW_4sg_~>w+ ziCX--1_LfYZzrcbw^K7c-^T`AdWekZ^|-F}@FOK40I297(+)Zt_N4wOIsGgYQke&Z*eO#IF;x)MFjLvF^G{Ke3tfz3FoZh zs)23gmFQ&^zV$s4g$I8pF8hH})JInHJm&d;yK>Mu;XD7$`3tc8Er)K3K6W)5Y1$AZ z;D9r@$Yi94r#c3riQa42dD4-h;Mf5D@$H;<>QAaa{PJ8E!MLI@>1FO&bj#k-6N^M6 z#1Ay3F`jlimUKg!%BZ0=yQ|vhGJgv2HK?t>&oSgnptw%^&9L^_%F`vGj5NAk^MrxGzE7J#kA6UhsWw%x6nof{`g_e z)1RmBCr3YyLF%1|L$dKA*<#-Jgk;^nAZC(?{w#Us!&zp|6T@{GYGfI~BJ_NOO~2PI zWbaRNv9}295inrE>Gd4hg5Z;Tv$649ebQyB7S@^n>Dm8p;5Y)#JnIr!)H?-zdwjf{ z@-W5vT(KLu>peM6$PKX;DUwtd8YP$YjN>%_2d5u8EA#1}c+D*^?l~8{Ctq#Z9^F(3 zYFCAY9&H!5WaMgd6@skPMz>${7-esI;AS+P?$q()FEg-)BDnth?#KdRoNglb!NS*h zp!VRi;1w;R3;*z%Ruq9ls63`AU%waZW7vRORaB%r!+;A}S;+w9_*~uL_+@VD zQ;&JlT(I7@9NBrxz-BY>Nj-9%(ojJxK+y)bhgY{Oy9MFQv3I7C7~Nq+jo%Y~D*qae z0SSevH^n!+wz5<#y;gOvM|T-1r%ol(J^cwT$YU$T0z2aMDp=ujeNZ_yib#7#OR5xh zWBAgF_vg@_*S_|-A#!H;AT>y^Gsw!IjPo7wV{nF3C;1tu@L7>@aXQ9lR&`JCGi`-8 z=KXVKpfmjox&M%k@wru2t_+us=Q&;69yLnvUoK4W(p`EPt9%a8u!gvi?%lW#dRy3B z2kaDk-S&@1<>lSUlK;su`tn3&3mZWgWP@^WKu^>GU;X@4Z)aSqJ?iemuVHe)CiKYy z!&)va*`D@X%6D$+zDPgH!)yK&p2sa@>Az}w`Dh}C-0bY#3uPs+py@^wtN9nKE}Oa5 zm1Es*cSqt(e9!^p-CZFOk*7HUT)+hRz;>NZmiF_^JR5)lpuoJ$Z;{3l`=lqt8^4@f z!JE>*on%^@~y5Ct{i+)KTB7UBBTS1P*@u7{!|&#WP-a5_S2P7I)!z zZ2ieS1rFM@LU$4;=odr@`1U)eg@XqPYYoc1?Ev##KesQ`a+Jb^Z?M%~-(f7v~Kp@Pv; zPfrLHx*$o$t9}X61ix?pYkDW&jaj0QWFh%`4C<#67x#zY*3UYL3y&c}%wiR|`2P&3 znbE);@}4|pg4!&4U2EeD$VXu~t=F2rYM3^#D9!W8-?4q``!F#*=-jDn*-%gm{a3QS zllrU!w*hQnFNgwWZ=AAZS;D{vk^FnjqZw$&m1%`o$Dp&pq{daR<`;eV(%odE(~Q}1 z&Ma_ofsDNyy3ClhK-_e~Ek{e@Nxql*E>Ix3)i1FP1giu@77F)ewmmyqpVec%GaOf_^xE3|JSQu4^^{DP0fK;y+jeK%DV z^zVOd8-q;FKjtJ2UOFZo({{(Mc?kPvqy4%L>9)o_TrU%U1 z4A4;KZ3gM=AJ3on+w-3R*ROBLm1`*_uOn?iH6Ok;`1wV1JO<<7FyBEj)c&sUzf@ok zfL;rT^BFUfVNorCxZ4w{w*`F_(xjl&(;kTW52f&6&6#+QdJn#vz-iZmJ!2y=&sl|d z3kP7{)Ymmu#f90SkIC<1$hmE-Nwh>KtDxkS0gi!UPrFjdF>m4&mP4TbsWSkB8fVWg z=fJiK@Fx@kHW~hr1vps>;-zTvFG>x8e|$Sd)nED5i0m2Igt^Nr>|vW3>r0+;4U{g* zDFyhZ6seo~Wi_s(LUPs}gI;TfO}+0AoJ&BDmo87hfabf0Tq+~2s;bwTLo&EPTYj^S z2|A6{Bow(uR1^#WEPW+rP7m#RxXXJiHF_&ns_R3K-^G5pj@OifQn!UemgQRyadMcqZ@@3J5r5Qo7C3w@w|9NJ z2ZK!yzU(CRa;9cp22;N)kd)J@g``piu!5axRDp7d%0LT}80`W1WL;kw)wvWD4e7tg zv>zZ&1+O96yO^-8DKblOihc!!VXqa2kQL>wq4GKxYX~PkY zGT|SZIWu8*z_>rW0=|ejj;FqcSZtFudPWwz)Fb7n9+G8vxxJQHB%SW&Oinr^uRGwa zc!4#sdcDo;JZdIM)adp;OGMwQRgX6Oj%QXiF^ufCZ=R(|O>d#$4KDTLsReTfE97jT zw!>zM$|P2T7xc1(wo}p71epN<(9~C(yBa=^s12^E z!pAhpw%g?X{g(1wbn)Un?GV*nL zh8+6oqi?F`(%FsZ+EFwgzeGiuEtjErd7?7*FQdTOoWCU)^iHjkF29>v`xoAYy?`@F z8D8_(lR4AXR}MxUSNXni$5;CuNkYCpsAZdxdXG_=+U179Aj~E>XoDXwpzOw~(^1up z9b2`21RX`0<#{`&AByK%p9E0gh&@`lQ&o#YB=NeMWcvB|)Z_tj?}MKUgpVKibep5A z7;?vCvu-o-u>@wvCH!~C#c3w$)iWd$H@iXK)p#$? zir{qvi&}qniDE90J-GoC7^v8XCkB+X)?J4WH}wzJT*%I+qt9Dr3KY($RmRf0KK2R7 zWWuknS*=H^pw=)w?s*G#MFwoyvi7C!6&|Qx1?T(1_1Y7!3eOB@&X*)AMe`rTkf?iY z9c8g4Hu;W>?OKVolKujfscR?H?$ihf&1esEa!OQ3Zt1V24cpdg;a6!(iOwjp(|ZcV?D~gy zb&qNreOwb}!A?`<7CR#s_sj+x3Wz-R$S`J|rQaq$+JJv7>C6~rv*hI677du|*uc-* z_j0qDlN!R30xBYBPS${CXhX1=USCo@w?=MDAISjAj&XyrTNG3a46QkgnovT=KsS4+ zi?xywm^0&DEca=?K7}ocN63SLN0Ai|-yqxnpbZZ(G47oPo?ryPP%gU@!)IYP@)XM! zdAMID(rYQBzg+BbU97<-4dQS63Rb5a!|7cf6pM7$KJ%j9I`K_BRc19MH z5yLbSnD>@O2F6aJ_&zo_o%3rj+I)jvZ{7ThPjL1G#cDeNz+s?bpzhkL)amT4qXg)L zJ_>!j7BuWSt3;i*?-ThU^WJV{Tx5!x8}ZSR30yyG=%W5e`oE-u#hBS zh@mTlF|Fs1$+Tfw?{LtnkG%%vLK;s}OD$uT@a$r&qh$ZhbIUcXaxD;VtiU&=b-XH- ze>D=~VaHdp7JFylDFqz^pL+LcY=%Jbs|=g)16zp;?$hDyHx5Ten<pbW&f3od44O1Q!yg8BF8Q;Nd{eDq`sj|vhiCNrF zxFl%_S|+r_DH3+{AgZrYr#IcCq;JfkSkojip-D(5itGG`rG`=0HmF44YNR@9$svVP z;S%4K8S8K^?tCggpWXC6KkHO)zfb73yQIW}Gnq|`11iyKkRMpa`bI-TTO+^WwUsRz z+;=Fvf5NCrB6sROpLw$ObkJL@sBORX?mYKb626?~=imQ*Q&MdIsV`ZSeK%nA*@c?s z)*`cl{r&V$8a8>MiFOb-n|BU$&o8kJBzEz_{$cwePX2b+RoN3=iOBjOd_#(xWbs$; z)tC<++=Y)0@w%LbuSVK7&=pJK!uUqbIYP-NLdOkS^BJN;V&1_Z|(3a)o~&h4SXtuA_>`tFnPy zl|l2~thJ`mTfTwsCe-HXfli;Oi=g!Jp@18$QcT^}@cXvu535R(jdD)J#`|A<`t7Zq zgX;Em(2UEOA-DoiYtH{<$fm}{b|2BX4Ie$JLHS~nVnTL{ro}z#CmRciu{WF>0*>hj ze@97g1}UK}n4)Fr!mzKTZgs77v9&Kg!5i&o^!k%a0eDgm|Hvp3wTLs^9Ojpd2DShBMy_iVWJWCO#+U6^st57-)f{~aoFN4NyHJ(CrY zYrWGG|4#^>N$FwYW}wT*jWk4FhBEtopw+b3ESy)nN#m^lS}uiRX{Ukln&8`McbpVf z>_oWu69<0xIXXgwWKlmYl4W&;s?#5!5BC>@_GA1|-}RxF#ZhyWVOod%Yu-LuNQb_d3mN%MvfYENdE35FWNFZ5L73Yt}p$R8rC zsj_~?ff1a3SR*vC)*wDpw;~AkDNQg@HYgtln=R-CRf#VW~cab>uYvWg#`zLjS6s{Kyk6*|@V9eW$ZXod2b*CsEul zBGOl>T|?wAx< z`G>fMI{3f311yi^SSR&G|-tt+xmSg3^=bsLz(-Z~ zhJT*~Xze$NfsyVHCRwVEu-UBtivtjM{0TA*#SJ`W)1H_Q4hT9qdb_e@Xw`V2Ha-h<9ex9`JNP%~doqb-p8>IKrxA2Z0=j1}Xpu4-6qom#>i~f_ z@VOl@SLz@XTCI@k`>3sRV%RC~MYXzc6=OTD>aIXnpfG^H#dhG=YL@GV$}}puP!eMW z^G^BCh44m+k#ei<-aYBw_6=>4>$jg}g5FyxCYC?g@1Onr<`HYK_`mEA(o20d1x>&C{+D(UF#20O{9{PuaoS&3q3K#8A)A->|)?6(*D*ROuhuccQ0a!comgr@oT)wfv`1Q5ul zZR3xFp=KmlHzpsSzw#gwy{%(w)U2U^j@aZ+f%XAP&zj`u)zY&2bY<~jA+*i#@IuJp{f=@fpO-L~i&4Wpii++HqH4CEX@yvy}V*CO|3 zt$R830y^1h`-POqWB(I(@l49*uFq|E-rsN9s{`spE++Uhol`(L^rq5-DxN(l77o(S z+kYquOo}3t-UCz~n5M%dV3}k;_|_=v(rd=GR z!L<$Ne@hTRV1V_&Mr`Pkqx19NxRxLne@F<&MiV;9dA zs7)p98qf(d3Ez*`UHwTa3V)&=V8trToqw)2qs6EB zHKq#5W0GqXsMaX{1A%TIu+H1{99|XsC6OQxt6RO{4?=sM8x}*P9~2Lpmbkqo=Jr^| zKj%|`eW`F4OK^#KzrJ*%pkkFmN8Q4V*cZ`NqJTSsO#s% z2+oWY*U$q`uRWeH#XiugY*}GM3Vwdqi;QtFIb}o))yWFKVrwj{i)Oe z(SwOe{==qup|#W7li8`{fzgJCBj5gQ6sM`~Mt?C@etpm|2?-aj()O?(2({;@*-kN= zNKbFqOBJ%TkwPMN%Z>2oc)3DXLZK_(GbghPR7wQc2INu^UsipbHbrT@=|v3%>@inf zIKPrx?RJYG7wK_6)Osj5qbYsgX}0Fq4O&sU1}xu|r9z-Z(SC9(%}ep>1gumBk)~; zSL*^k4h5|q(TU|35qoW=ff&8MeM?sRgW3l@X;)aqR>09I5qTdAzLJl?@xGvi2UatN zpChiNF!I>x_wV&=h-pn6Lx?i3ot?&Vx(iRa%yU74tKcK0mveB_U+J0fMx33o zIW>rCO39xIjtZk^h3$umxKvKM2OO2ZfzR##=suUB`<5uuB20+8E&KAnxR9K`iFbf@ zz0)MUB?isrD>!2Kf&1hMhGD{>FuUpMXUp>T@+e+BdS=15`iASHa#YNJg3Z zFo&A~+dJy~5JFm6XSV)!a* z>D6fOv#{NYIWPLjuSdrUbLlH)s_w;e9QTpFG4hcd1ue9Jpk*{Jre1EXb}KT(er4;; z!Rq^_mue^%7YVFtkTWUFCdrHCg(lIda50;-f-cV08Qza`a&N{%Q@AFy6xC5}O%Vaj zFW^7YXncj5g)Qf(2Tr7h_InsgC_t!QazA#*KA?=w#qv&1XPpp)sE#xN+;?LCmTTB9t>E1u(YvHM8P9>(TX zV%$pZcxoKL2F%`5@@W5f*%?8R@}>e34$Yf<%quj}?c0@)UDlmZpv;IG$_=M!lgEup2+?Ke=eC;m@kUmj0o z{=PqIN`<77q>@r(sU)Go^pPl)EXSICD5R5wBuf+`(t_+IAv;;lvG0Uvv*jF1mWmu( z969GWzx(|hO*J#0-}f_r&1IInYg5voB2s39!ZQ_Do8WG#)u21EHh_;^LB70lO(Y2t_P}WRE{?Cb$tv1BP zskFsuz8Rap6mFP4YG+mn&WbsW#bMAHP-rPvx2AF?4-5H>W%Jn*;yqQZo3GH?DK&l^ z#%4~Y={yvl6Ysb`Yx0%ZrgNlSduoy(B%>pY%iNFS6C^>Z8jgE1=<-ML+c~BKDgX2G z(bC~U_RGm;Xx8FJfH}_9(AcY2PAjEV@aPYkM>?1itJU3U(iQA>)KK-W44sdl=RY!a zT|qQ)n6mQ(yRE93ll)NWojv5?|F}zZe$XywLTcf26iyr)cDykQE4kSxSs$5e*xSXZ=BmVIR?6nnqN z^JRdv+ycbMgriUZm;5BfkV&bPNb|4mbbu+ zq;ZJeq>$ISM$zSBqp*Xh%SITQ{g|7@qai3u3p4zSlCjdVaJ-^HZwb+Ti%X>f!o=HU z*A^4J9R|CXw}=lJ#^{=lX1K zd5wBZ98afBHC&QTG%DjJQ)lr+5Uhi&u4Ca9xg{#l^?FtuU+D}EoaaTgAcqcz;d3tt$u!Qx=N##6+u5T)aLPH? zJ$~WdQQU{so*+=Z{01P{)>=)O_b?{0Jn*LYg4dP;fr1mIhe4m1mn=r*)8=SvKeXTK z#V!9Tv0vX9hT*)$?uTf~z>vio8?pc?f>}J4tpJZ&L&hd>$En`c==hy6+J@cP)A zrJsHBNOsHGF~VqAM9Jj-JfB->C36*=6!?Bmj#B_r;L=*O4b7!T`(F3f6c7EVcFz&d zDc#vP+sjwRm1?q_?kgJW=Q{*qO2kaK8SxyM8%dL)I-ALNZ+7z(`*3zlma-Vca1KiH z%RVZm*Gd``Y$8Q&SJa=foy`hh>H2@|={IkH1bJ&2Dpmqx+o)qPvyZ-Rp5=zCWYAFtDc}L>{nzLm7N3=9X)Pc2 zPqiQLOmS$P3J;JHcz$YE25Fx$Ci2$%tyx+V-B$&#+FZW7+s!kj54|*Tn6meKTGun)J(q!l z0<#2Rhx1oY9TIP15|s#WS^#2$fb&l|?CUu<`f-Q*fdeitvv2Z7)nOWY!Ejkx{YxK@ z*17K%hRTm#ywiv{UJA+;$A$4Xa-qQZyDIc-`PL>cULM)v83iei#>@SRSj^Qj2DbOk zH-%7kr*(|a-JpMaS+@C7>RZOD|CSNEDm{@|1SCZxo|gTdY94Kjs}u8WovM6c_>B@y zREg(Q;Osy^fcZ)m#AfTM+bWTRp&jIgCP*gc(Dilsx(^-RN+K?pz!;I2I6u^OJ=zL( z1v9WKtmQftticT0k||JdswE6sEyFW+4_cAhoa%OYx(@dxSBZft8|i!&w8Y3ZqBe(( zMiFWB*HHxxZ26<(oJ^g;A=$*(D1uCq&9QHZ7r>whmfgKm)iQV!F7^d!D`;A!3Xy83 z0#rMgEo3RD-VrTMee3!aje_iSlM|%9?SwnOA>Y9}FH%cW)L0{9Y$h-;fKjvxkgSqH3<##i6nrv-hb z&$g7+;jjyd}nYCZ2DXS{Ga3 ztG}z$<(EoSZrBX5BE@~j{YaDO84D89&pIgOEhCgk(;g$c7&7I784D}0v*5uWyNO!xcCzUDMMaZlm#1+mucpkI4 z5P@eYzCm^O!{igh996zUEUBRzkJyH_4Va3Dy1*Gx?PD#tzHzym(4+W}Shq+HZcfq; zzX*0ktvzG(TDts))7@(~o~*k5Lk)+Li?46JT=9(L;R~`C;@qQvVYPFu2^(4Wg=9#Z zE0#$z2hli7VEpU+_2Et2DzJ^{M99Ig3(f{8?O2v8NY7P1nleZ98BM0XvD=nr=!=Ji z4dT*7cNgmnQ}hSs=^v(@$b8f))^UL6Z($Q3#!@saDf)=4Z!Du5oR@8W;w@e(57|;* zuFtueHaNedztr17Nddw}K7q!ezW)m)@5?5KQu#CNteZewLD{5?us|F0LM`*5)FHQc zeXUrdQ&Pvo#`LYnTv#>*xSr~6w;M_1HqG7_sp#=UJCcSx)cjNjTC~8*ftEEV1(xS0M68ECeiK_FeZ%ED>0Qkht}kuf3iDRM{rEf+j+y9G;}XUeB0_vc5^8>gk@Rk)vZeX|WOCa@rZ^ z7%l`2GwPEWNT9#LE%lyP9X|J)@~kOn{`RK|&LkKs?s#xeg8u4KZ1zT3N*y<5H$p~n zqz1N>zd*Vp=s`-#Q}UeeXLoMm6HFWR2D0fNIxK$&ouK_`-h0lSQ%I`y&<<(8fjpEc zDRe&TwL|-v=JoNG%VAQ4Y#GUWm-8bx#?L&#!n_C~X^Hl7@P@&b(E|$mXGjC-Q5xwf zO{Oe4mTq54l}m8p!9ftF|7wdI4H-n9BhfvJb)y_cIl=?e?5A$iY8koPdgr~fC@m6a z$fOT{1q)_?d_~05@oP$%lLa*o>;q3_q;>CSm2LKgN6(n_n=8 z#rqk_x_Ue~D_)PCY%z7FCwj={T`J#t?+S9mp$Z-16Uv{pI?!}xPEbnHljzVxh;t61 zNmmw@^&4MehFvc(L%HRNqf#q!dcJY%_q3R(V=G(pe1+ad18v;6FAMc~6+`!el1iNZ zY!~R8B+-je5Q>qdh^&K{aN6QIQM`CbV9kVU8QxfD`-03CC6?>H`F)?h99-gh(nB45 zCF#$0>F>9vwQ2LWXwbG4W(E9e14Noz$TQ%tMb@;_JWy&_y8%F!bb1dCYB5NdmLI`| zDt(QU9HMkMU$Mu%w!^jpBwa9?o4}DvNAdNO@@9E2khA1py?@r_0S8^UOVyhiP3=fn z=>ToIey{*_4PO_-`xWJ^9$)jFdiP4q6#~(Zc6xy;qy(KHeWu%bW>*aRQN=AoyqR`} zMkW1mtU|O5j8CjS?9M?CC_WzO9}E&4lpH2d1zMusuyXA#9uaGj{}UUz|Js0khjWtv73cZ z;E2>-A`#*?J|wELu0#v#2Uu7R$7P03LO!qTVuW0b>&}(Q%l?&joaKKXUS;RDe6sNI z#TWfr)3cde(>3AgX`*QYghL;j&YG#=V7mkxY7USnJL1Oel)E=jF+zFe(bhvkxFx^q zU@zvhmFUCcV9ka%bn&#)+q35R`kIB7c;}k7vEzspFx8CJQ#v>OFo8d7*{Bzdbt$d@l~ z&M}&9P^8 zwSAYfvoY@2W9(c!-5wPs*m&(Ie@6U9%#RP6dyx6cu|x4i?GLivEEvHnIrWcKJ-uTp zIy8{E7nmTpuM7pZ$ZBd_^Hq}x#oX@`ub*>=XG<;f#^AvgD}Ula-B<(DJjYNhyN+SD z%smtlE^EqbFSr<`E{OKxjv&=$RNS!B)pNpjqGH&y0ERs9R55$@Jo=Th@s1U8kdv7x z@-FT+EuQp8wKkEwy@ZdKcQa$u>t>z9PwQ5;eun-JwCXGd7Mm#nJKxIYBX&4jhYcZI z+)~xIYJ_3p38_r8x@SQ$+a0k!diT!m%U@c?$drv)XO!2m=Hjev5DyEkZ!m1sFkzJH zpU!HArJAfvVcS>7;3`rtx=VB6D(jjgZ_Ef{KC5DuPB>;0&XI2g$rK$$@>?FNM6D|Zbj?rvB0~{s33+&JA4B)B$ygWhfF5dL zES+8?sHmujlriU`pJ+l}1S|@Qlm8rTRl}yVC`UjwK^!6i@9@A2r4#^+vP~|%uw5cM zH+j4xaoAXy^}wP{@{B1(rIVxu=HRxBnvI_Xa>FT=!!?9Dr1_b+nw$?WYu&N37&+_Y z>EO`(VjcBm--cN{!+ituez4n8^3E_m{DDYqrc#d-eId?o+a+t=`i5~N z(BkuFX+ z6?yF+&SNL$ynm3gi*_G#XN2!->daovjqFv(efoFPsV>WO3JV9CLPFmaOVK2=Gvdn$ zcmTv2yFUyovK61rU9dxqj5QPDR&(m_>zFM2)SLLeVGK4%fs1jVC}5guP1ji7MB0Y1 zbrK(>Ih;`xgXms#sd_%f?ji*|(LAavZvhLg=&Uy?RW0lW+dS}y=$SGMMef(Eq6j6V`yZ)$Mvz=|%W-@pz z9L%#j47J<-$TY+Vep6F}i-ayx?5L8N%0c9jf;B0ueqh8e2g3N?O78h^eZvQqB-j*V zqby9J8op}Tm{HO5Sjd$)aCfREr!rbYlBv!@Fw19Y(!#r~DcN*gDM}I-;M~^Jg`Z>H zpGK)n`CcF0j8ib@1;4s4td(K>79TAnBR4%S3qbc3?meo|>3O`nGbDSQzL;9-#h&ykj>8(4CG$f{arHtA8YvN9Q!T31n zh2b;#ryexjq5Gvth9W?HyHbhru@$EfY8>l%VuZC7=R^}469AeoyZ+4~+^(kK-pjL- z&f&Z7VQx&WXZ{gx9WJ~hW3`01NyHtM8WZtf#9#8N>bmgU+Jts{A$wG{obs@P#iYg( zS28>|tdEe=H96T@pZC;C#N)MHx9XnwLV#c_C5%6iW+^BBzi01qZJ>Z@%r4zgl9L$T z1s8_ZT$!ieL_C$oU4Rt%o3(A}g0<}x7r@cu93F3{tg{RMEW$dN+*`<-_PUU@2qmp- zO}~fXgr8y=kDc>i9Ldl~MjuN!vI$$QDduTq-0-gv#Y$_)KV>J{B^JDkp!&PF?L$zQ zrK~&&)D5hcVF8SCeyyk{j`L#mBff7W8_@(ae>B6OBr%uXKUOTqSPxw(lohT23cM|z zEkg8R3g^n`i6M#$->vCEUctfEwy)rsfIM3$!EBl)m)-FLE>-U~e-`JhTIDLiRr0(l zweI~M@1bVW=Td4UDN$8MkL@N0_=UThiKK+&FChMyq((oaNK-S^?#^} zPpr32kY;ff+Ez8$baLw*Rxsjnrb#s|*S7CptedO6?z<5=7?v1$bVRa=kAB`eh|4DC zbP(`r2MtF(a?vgm%)y;N-Ar8`L#t)xCboZ3w9syCe&U+fTEH@S`|4CTDfnKlL7jBN zWbnQRc)p~)Wt;9N55rb1U~Z$aMKfKTpH&^51)=Iowv0&N?l8sDGUkV8B8P|MT@SX@ zilDIoO7h>w0$4i@5csi~7=-C{sn7}`X-)q8^Qj$LIM+YjjHe|r$!P&jZ*y#sy~;Jr zVhg#x$;-MFhKipO)$UuJy{8ZSU0RJ5;=V6H)k*@$)*kI_n6t}3Z@lUhnFpImU+U{4*Dp!Hq z4i<$>r8EYwH2S8vF=N@!?3vF3dj<@W^q>4^np%vkh^AH~*@R7fq}>^rOg3m;PVV^n z<18_if@n**QUe@of+HiX$tc11groqI7?N?rF|MsU$J=zD&RTyT*ZWrcrhR^))>}E3 zS~Hu^13DKKuMa7#^W=Tkt{7ru%y`{sAfKe{i(|Rw!9fj`9xX(JnFPXV-zSD3VDdT~ z`ba;;3pfrRF`p+^Ipg2Tf>w7HHMH=)qjZa4Mm%+=Z>pIuzihUy&si!Ax$xeNQ+KW% zOY6$3LP2LSQaaHSa^@N>;*^EEO-0g@X(!@Oheya5b>njlm336zb+@WUXgmKBHw(Qq zyXbg{-U>L{$mHU2K$WRx8e}6Qv6NHfsqV@9w*)Yz3e;TR6)k^bs?dNnIP^umOKi;6 z{b9Ih$>dby-PljI8_dvVZv58r>Yt~^Ka#Dn_r8EBBep|F_dNP8cL~h;4przQL$v6_ zK~dF-4fmvPPESj-YLc>;#n5KuLJTtEYJ6sN*9C5CjMcPAk^O0F3OHN$`5dlOed{S+ zKQh-4zX%PBD#=Aj=QGmer<6*DVrEY?VXjqp&0r)$i)ns?rHiaDu_AFb`cT^Z8%6KO zFh`|~26Wr5odEVmA<$!YLCV*ru{q`rXNBi6 z?vG5M3}IgyR2xlu)(sBpF~J-Pp8un_6OA~2Na|{6hlzn>3gLnVH@0_# zIJiB|gf@n+g?ZKG#bNw8oSKs#Zt$si;BGqfgg66wx2wr`zH-6LHQj?J$>y$}6aKuZ zHB=;!`o;D1kAfnVAdY2UTfNTiVJ!!XVGXp+=C2YG#?N_ovLZ4TRPxDUBjUjJ;k3%A zRisJs$9pi4`IYMYCrI0-eV1+Ol8X6B@~wLcZWN3PF3ZbV%Z=@QfNcDZ_04>NThT*UYiNK_k2|Fe~9#zAMwg71Tw%N z(UjDKCTFxA?_!IF@M<{h$0JHUKcC*9Aj50HY;J{Lw|rGCr?39SN9UexDX>` znr1hvJV7ZD=`ncVveZvU_UB^oGX?OS3c7qkWPj-By6w|$cUs?F8&|;qaeG_rHGF6N z_)pO-yofkh1HGx?>QL6G3Bf8Mo=@YiTrJ$3Zg${$vh)^$L(G~2!GRczq!fC-f(-6M zZ`-lG(Z1Ujd_PTQ{xWW<&dV${_gA$-;!+k55y>Y0W@$D)~i??7oR-s?fGGfr}3vAk(E2XDEbGmDa zvq7n)l+^Qf{K4q_*HuVeR6Ds5TXHiGVBgpI!Y$QFYK=WHW)=hh1>=PCfV2b7*EWQ0--qVzo z(2FeO7-&lP-$uk;j@TKHLXDQp>~MGBb$gd$}r; zR#RlBG(o`AWrgKkR?a?uU>xSsKkoM`;Rw8Po2c6j4cyVKlukXXpMgvv=lmK{E*qj$up8Zss5HbG?k}!Y0 zs<+f7{MNnqz8Vc9)G}0>x)_n~H9Xr!uO32&^y#J?nD3c0%B2^F2?ZZIKsRq>Tn^i|_jH~z?CyElV>GMxjXxeES zHnY5F8jDJ{RpXCz?B*G8vbVSA19y<#Vf#_I6rEkM`;3-LGsMDoQvYA$n(g(fNKJK) zBd&~jX{+fVPvpiZD$C2Q?!o3?fL>PnPl$^cQO2Yx0&jwoL4<;hdtCseEw4|DzM0SD zEuxx;U~^CbEnZY>LZKOr=Vm_3>=K{R4ex{HlB@DLeUChHpaDv0Z=(=T0*8omeDrOu zK_TdDqP?g>AZ$^Ej^O`_+Lc`M^*b}x3^*Gozb(L4zc9-q3RQUSek!Ny!YI zI36N?WxMZMOC#53$?x69El2h+AsVV-BfH=C-V4z3DE3UtN5AJ44(Mn`A5m!ZsWHpk9aOJ%R9{j zRoxb7tZD$dYKsmiUXC4{hhaHHW-S9kvZs9(ueQ2$;$8cq`F2@K=#Q3>^K$@@lC5p~ zN!oaK^5gUfxx^GNf2%#hTUpy|Z=IempuH!*`l@TisL&7;3}raHL3{GPEA=oY<~z1n z&h>g~H0k*f6>^26j2m|-D~WI3DP7K84*|D7s1J9>8)6t z;Mx@I zJEvM}Oa(`lysR`+lSvtgY975HN6&z!co9X`z|?L}!n)RJKXeMK0al$o&m4)0yAR(2 z&~3^?faC~`>l(XjAC8&MTdE9qZ0=J-M5s#@yNJt}jpEro3BqpNN;}|$!>4^J1;3aV z{wApN`B+sC`kC;NZJN6AYI^?x-AqQ`_)ZS;r6 literal 0 HcmV?d00001 From 413783d35fdc2da875ade876b7da12cc05c02f44 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:21:00 -0700 Subject: [PATCH 029/458] Update simplified-sdl.png --- .../images/simplified-sdl.png | Bin 218369 -> 174076 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png index 004814102fc3e8272429bde640e4adc1e752f333..97c7448b8c9b741540731dd89b14a92a744bc2de 100644 GIT binary patch literal 174076 zcmXtf1yCJL+w8%e;O_43uEE{igS)%C`+?w=;2a>hyA%8n+%35K&HLT@t9Ev(dV1&C z+In`TccwR1RapiFkpK|@0HDapN~r??Q2z>G1|Ig`nahr|P0N`T$S0Jnl z=l^5CdB`bA!yO<%;9_y~?ckLE50cjP5cl-3adrb#)=kO&gOEM`K~h%k7H+mK9=6U- z089jO%6~ZGf4HQxi?5rlwT%a$=F618KNR(UsGF79e^fFLTSqGZ_v06Ye=P|AwP-kh z^YAuvvjP~oeEvsA`d{a^?iLPa|EO+&*1qQCe=z)iu#TCVldY3AppWn{`X2`O|F8FS zv#F{g0+;>)~Jp_<1o;3jmM-xew*>PqsHn)v5ztZs(TTCXTEm)AbmHTR!C+~wOMk_)CK5+;g=kfY2r2vt z&k0{bK?aS1vx+&^qMld z6TGhC%1x9;({k<5`8vf|2B%9~CuJ9eO;peh~Q zAC@~THzFHsmcbv+yXOw|y?UEf3^8+KLqo?0)6v^Ng_$g_Z4Oe%@z*k4xaY*XQUff%myuYUeo6jyE@*Kga1 zeBiKNAvQiAaTS$WB&VmRr{9e)4iC7wS-Q|9nK!{46rT%qfntU1Vrr)P%jun77ee*D zy}_@cb(uVQoI05EIh`ipq%`RmMlb0cjUNAcpL^?q3X>#ge%`4D`0jhT8vQ@-sR13-O-HFR zEFuRP8Vt!oH?rpajXk$tF-k!um%eyJLo&XX z{q1)0s0(33)GHVHxP=2g2(RgdxL)uyr6c7Lr5pl<44sw-^t%Skj7erL-v_;5Ex$pm ze-s%Y8ITc}JQ|P4XP`G&1?BOfl9?(1Je;;0rqb>Zax%BpLGA`G+neRQfW8cFZc^&K z8eB%!y}9xGm?k_da{v}w%8b=RaWmp=)oY(b@d^`}N!1 zmLpc(x!|X8fNE@J(u&^oFeEZg@Ao zW+&PVNNE})-smD3f9OOs?goI|rkK(v|2utyS8bHac7f8;lwlQeo&sBIc>{wNDwpTQ z6{0C6Yl7uUch?Z1GxSxT!C=wuh*EwCZ}bGT#rvq!I>i68|yO}g=;vk z2|7F0lvzIn#^6Tt1tc6TBEOasFgq$8^P+-UH?I#OZ&M?g^YE92rNeNc^Aky-K- z*Hnz4sLk!^xVg_fR@A|^`149!JQNwblzC4?c2hWfvXY-L{KkjA9}GbErfTE0<)riR zzJboe6C@h6C^ZROnc(aJ0Fs?w-dE^CRYZZokh2Vg=+Ur|8CBpo)J9%UPEs9w5LwFy z5Z<^6p>lbJ(~K*od@PYj>_ZxZ_Hpml%YR)U@ z@JY~>kH7MVf8~%_?!fO@b9ninlxTuFT=B3rzIH}wu?cym{?&hqv$Mim`Mlk73EjH> zc_B%Zn;>%clbhqPvUlvA#Nd~(tg2$4_Vv|miiJo;oV6*tI4U0-m;`V0qa1X9q^L%F z$>@BJMrx4Viu$n4))vcCj$eJYm6)ae{`=y31GnoDh!p(zd-BV)+{mK8`}hfEP{F5g zRI@7;-Jz{%o=v(&x5DzW>zoXo zMg>c8{BT_5=<#1V#ncw%?Rnm@LXq?8%^iEhrCA;@hhcNeqlXQlSDp@7m(>NNGVAf} zBd^J8<=3womV~#oj@0Jcunt;JC~#fLB_STj&46+EnM==PQc~dhA6n>A>XSkFQBVzN z3x{M&58e%K2i6tQk9i9XHv`kJzuU&*(a}H7af5rfzSn+^WHsUk*Qr9V!z#JN30qIJ zb_-FiWg}>O2VJ?KdAEmozxtuehB2ez^J7W<9B#-xfF2Fk=^!EvqCv2}Sc)xMAkKSx zTL-Dzvu@d9to$1Mice{d``dY;Zpr7AND&82gEwBC83} z`izo(WXqtTM!fGx1~a+RoMrZKw=PBkt1HFhwDSd@DUBk~atCkElxg9WO@#gVKtbhm zUq{=xOZ|1s_p+B-BfDoG#tLb33|W#|x^G#gfuV&drZPqs&@Jmgxo>CKG@R8gOeFoS zxEU&vnUbc`!L7m5cT(0PKH$xoVS%vu#XRZg*{*f1MZJZL9}xk4Qa`hxVh@NI99lDO5WF*qx=y-@5ik_C(=T|$ z?^c5Q%ja&GqD;0U`}WuC>I&qI3Y^t$QcVnl+}FI<@9Bvpf*h6sfrbbXhzsbv++7<2 zM8pR#>sR|vucFtFh3^O4z3mm&#ub4mlXkSVR)h_-`7(LckUATM|KhrGO|3QXGYds) z_kP}hJAmyLbp+Pc7H7--qhX;4U6HsX%j1pW(~*KH$tCf{-;=*b34X=HbtjiVz_y&m z+Ki=C)rt9ntfE|STj?G6a9zLQeLjD2*wUGRTaPj0B!tasQQGQL7 zU1ARB*7CEnnJswq`rP0atmbm7XSvU{uj`jn5M25EJD#Y4U(rQbX*bbk)el+ZV{UFO z*74Z!8$X7EK95+Ne3K{1kTwm;b|@JBgZ7#KE}87}NO?t#j#jW{R@D{C*GGmsY}t;0U!cQou#oILPTw5hnF6sM?`Kx2}jeM?ii@$@7x0`KVQ9O7Jih zuCSYRSvDtKbB3*ej*O2^cz7?;mG#f#>9DO97bSG~AV2ILsYQHWmHf}2%R?!q1@oT- z)MNb8lP<+X@Q)Wm6R`>huHq6IP_C8BbWiSaDd(=oRs}&+J7uBa_o*z&lwINj*-tY$E^V5=w(jVy&wZQQ7nSxz>#cyW+w3ZpYe0XNS>*dGW_t5%+ z!1s>&&zI9Jt|0={3sr)wj2c9@SVW+Qh{m3LPT7q?FfU$Z+wu}GJR&dFA0r_Ik+UH`DusJ5R)8_+6l!+s zaf18v&UyCZxV2R{&-A+0qbf1bw>st|0yVOeEwwCNTH8;Q(uZ()!p!gy*8r6K0JFAw zv;2Pf15_CH!k17>cyy+LAf4@Rtbfre<8xSq=4{mC?m}luM`!hyE&8{4d82E1{>$1C ziSBD8XYbA1EXn)Ho~sRQbJI(bT<%x)Z}MH9*&zXIvyzjNMm$u~+A;G$h?VX^uV7!n zh29(=MhnK-=FRj$C6@jD4Fva!=yG1?*Dh+f;I-l#-!u72RkqADf1zb$*o8c}0JBt&=!F!81g0&g=AwVXP46xlgFi_M$sG9jg#J9Mn%DH=X z=9iD0yBr(pl8#taB(&tlTj|?5S#SVB3a?j}4Q-#&9_i8Tf%t$bm9=cldT6gd^@w|) zI|CCWld>*`hO4Sjl)2d{<5uVK6Dw3-_T}@P4rk8L5o{C8Uxx`vvnl>UR-*Hp&02(- zOy5gcn3dM*nqc3nOTn??C06fPM6-QM!#7%Oi{gl??aPVy>mftSoxS6olfNSE)le?i z@X7)EJJ2+Wiu?O2N%G_u8Asb^V>yU$Oi2d|!pGy>z-RO8i8JjD7lp0Smt9h!gS_t= zo|OtMRy1sjy3N;ApTLwvj$3{v3Z|MQVl)SPX2H&Pd}$>7BSrTVgwmvvr@APzXKXGg8H|)qm?RR?RsK_q zoI}^ob8`Y5holaT!G`Gq2Z2n!`7(>;)3R_97h6`m!@O{tGHn~4{#=Rl`QGLH{;}6; zGQVcL6<}Q>60{rDfv#wUVzVARJ2$#KOmOAVB)F;$Y~^rk+CNu}Uvl#3^L1}0$#ih` z6%=%Up{Ef_jRA=w8VU^wIc)wx=o(f#yy_uv-VvC3=uQ-lo?%+l+U4uuBmG0QiT8b? z_c7{mb;9#v){(2y#CDWEU?bkDfP)4By77jPDz2 z2&vW4L59{^C5BS@w$i>uV%HntmMrRu91#>rXug;+^?DC35z9>`QF6-8#XeaAemXo3 zI!-0SAp`QT#I=IAVbFjlz-5Uz`@=xs``eq1B>teI001^p>TSPiefJs?5aV~f8lQe) zo$Tb%E3=JFk6pVgSrulPqdzh9!_Q-L7d>U$dBx}EKyG9;)?KF!hJK4b%ZoMQE!LC) zXACk+*{dj!!x0N9antG2bS%ctDybbK_3b}6O9rlBVWqz#2A?pCp%96tu0Fw7@z z(c&i}D+R|h{jL}BAK=$I`!o$ig>F&LH-sW+>f?z)m))+X+at83%Gk+)g+7i$ShCb* zUrijT^byhdS<`b8xb?hrvXWOI>@Y6gN_&=W{deq;ebqsn8kPo6Umjp^ZS?gz^1*Z~ z(zPzkap?J#OaKmYtryGr!0)TYB&E-VIlbs)7fOC3*_xX2F#~F0ZunwGqrU*J=O(Yn zRp}_p%Lk0GBg(Y*@aZ0{ll@fb@4jN)rKFJONm4V14c+HlZfB!_YEwdF-&;?&=8u?N zX5XA~f#rBw(GiqA)FY`tV5;so7ADSd{dyW=qURTMswGtp&X` z-M{XYEq`IJ5!}+PU}`QH%%>&2uA23?FQ?zl`?$_`C)=~lO#X}$NkYsKcCJ=fZX6D? z`g*HvY60y$%&(@*disYf>jn?OoSx*>15`&xlZ!-8qz#11e5k5{v!PV=%yz48bya z!=+hO3@62FB+Se>2zrKz>JAITj`7a$`6F=+ZnO2Ri#xr^xiBD-h#tUqYv0>#sIau5 zDnDY8Zi}sohxeFIGndmy>qaj5=-s!2y7_k&Emc-#o>h;931@7ySC>pGEVBgHE6iOS z{##nnLuMG=*+zOW)|^2TNv1=}{G zs;bTvAhVpJK5X%$X*L}naUic zN*3@KSBiDmO#^+yZ1)Org)lf&S#CTz80|;OzN{*3^L|<$;ARksV2z~yBGeKZ`(1+k zA^na#j3NEksNN@Ae0;43*J3Oup3Ib~F2`ovREB_v5nXN1y`<=Sz1B)sQ>As#;}`S$ zSkCBNWUMtTI-Jnd;HM5AXZt2@g5jKoasm~%o=GKbkA;NT8)RxnqTpV;+ zXJ3mEow2u2{WX020ieXbUw#FglQ19@dAC^`3`;1!xVAsO&wF8=G{43SZrtH-vcgU2 zXc~w4vXooIa~h0U2o4^DE}^`;ymq{2MasCp8x0beGs3QU;N2r)rT3{Ow(gFn&^cJ| zI-KKy3QG$2fA^9&+fV&M17+XWH`{BW7+~DG@4Y`#9Z0kKqnFVa4$W8c;Av!zR(N{N zd=Y&b?B976bqP?Ad_n!ivTP!c=3{v8=rdl7C`3uOCo&VU*7Gk<=hWOdOIy4TX1KgH z_!_I+4{nu`D9M%B5-j!l>2F66_hhwqV@gTB8h=W=n(j)XydEn`3#bFG9)bh6En+PX z&-`fc>la4>(h!tsiFSuCe|8b^-=1Qk-`$JCc+p*FBvp;tW|xR4aK_526v>pSx^-Zm zXL+2hM&YkSDR#;|7h-lUq|S$)WnSMZw>C?n_H>_N!%i%J+hgP+WBRo}T}StN{Fw$^ zg|5x?u%yoSs5)q=9mj>!BgcJjzdN9NG!L^dREWI%M3h(6lTn%qN^Wuq(9B)MWhqBd zSun?Yeu6)qjME2BKvi4sy0WPh?0f8v(n?YGSweq*s@MVOLnSt{M_wyE+j!j5E2p5w!KLg7{JL#i2p!i&L}X*X&$fNm8pj7>6X%J?)OMcC`x)1$c*3|R_SJWLx7XS z9a1rMBr|$*`9A#P(|+N(H4ns;F27aDW5-A%fDJ@pAI*XMIJ#QSd_B9?-h9TrCW~+< zA0@#MA;98;faJThf(UbW{M=JMybzT2iR9Mu@V*SS0V}MP^ z$d)}JsDN&3_t(_726YT=PZo=tiVnrS%4g-6?NjwA(i_X#M)A1nR2HHSRM`8-!Cde` zv-AVoPC2wPj?)!MGMu~&V26^kDqY0jwPbfjGK@w{Eyoix%XEXBt)z8ZEC!(M=c9DR zQ`-g>+O;A8uBX1MsVER;t^k~)(b>(}4oVTcai3(LZF&Jq5QvKV5)Z#=8`mv2()^slQMNlywz{+0Kc zFaqnL?S+j185!FZp-)zmT4j>?^w!$`92hW&&mp+OE{rLv_Y{4{eSd5Ge9`+)`i?Ri zdbx8D_LeOcM6BjN;2>BkmJ%PBPK9<*Imo?X|Fsea6jQ0SPnWoe>cECTo=6+VYczVV zOa9Tqx_m>}JRp)|CW}FBdL3xya*Su(w+s#&Q0H&v_}xp3;<--1a`LwBFB0@gn)Eum zclt6v{Z9;FUebHfn0i+9Gj(3v=xBV#b>*WQXtpC&?5$Hn?rRPb zgxO4k=4`jLfeJnYFYlg<0M`a~HJCTmi!y8+BK^}Ott4}Og*?mKuvpzU7G{yzu#=`T z!g}VAeP(oZn6PJ_hckQEUM|kITxB(A+P~T+)YIKjg;r1juUq44NwtyIpvKo$O&Mp3 z%mSH);$0z(;sMUSedL&~-doX4AZj2(v6-Uer7ohMazxA^`P$NI08udm1EFLLX5;3(CTYOh0DViZXqKnkch8qYdG*r*S-N(hEu)nvH;#+OpB?p*J zc}J}i(ges3;M~Yv@`+x+5yf;4QP(Rv&A!h_4Rj$4=RMsm*;ifl@o5hS^%DYICq_Q_(;4$UQPhsm3We}US&kz3(WQ%g};`Z7A_=_ zDD;2Sa&N@t#k|o$R96fgXf=1!&Cw$%zpnS->_K~;GuR!DJPTq;NxZMeF6UT6e0C#w z?_!&1!lh&P8f5uIjIr+!IY20Y@+<4aQ9!QtHL6UtLE8(-pWc_Jn?nYuCU;8A8;jv(^^5WSu?B5`ldpw= z|JoPK)u9|eZ{my#KYwgZKELx?=T3L<_W=V$X+I)(qa{$ei)wAi@5MMhbH-ckk>$PG zV|YQ>4DZW~yZxB%bL0M_2EI&jU5OJ~h5->F%tSSB z!pN(xh~{Vf_T-x#H6Ffa$+Q>K!@GsTAZq5!6k@AmygAiehIc!T(XG#8?qp?@t>>h@ z+$IpWzGO$e?iQjvHL>*sg!&7S->)++wM~2^WLYJ5Dn$vi#=8wc5~3F{b*r%TOvO?k(?9*I>+x)q z-Q;ulBBfy@w2&WJQuQEqO+bG~OWe?bH zt|#%Y&DHGvIb$p35LDewX%#D<36n%H_TIqCr*o;3MiG82twfZXE(gDtGlxq5@)Pe1 zZ*Zc5p&sTGn~FAa^+$<-?{!ayH!X^{;uC-DUR-sEJ`LApOHtByNvjS0_s-ecK$~$4 zoHK*KDP~ZD7l`8rg1$-oy984<2u6xh>0+RJxTS?a)CCNyF=JSd-;n9WZD)3dsiC_U z7GtyzN;f5XQ@NMGg9~~MaQJ1Llm!7{po6IU&Z-I}ziJ7@Wrh0y6Si!kfei@-(D!}EHQ(fF z@u-kMjfnqiKRCj%PXeHUw z{81Cj{p}Eku%l1ImTeM4EN^;dF|>#7O7KMu6-dl$&4M}qlxBgjBLFj)XC0SDOYY1* z^W}#f$8IczjtXBqGm)5|zD$)v5u4uga!2BF<`2VLAh$(2yTZRQ+mE&5og=QiH`TT} znfsncOp6Qc2)&vH9%jl5ta@AlTLWIB14HJ02GORA!}9p>IoafP_tO8PownUY z`bqS2I$J7F8?hy6n0dTx0=7P6I=kd`2 zhMeoFjjR`p-#E+a7!4BzMd&A9UsYl7qL^+9Jk04=~ujuA)uc+oBhc@xRlH# z*>;RPE~s^Z=kmE(nQc6@l<9Fz^$N%S+7r|fBUK*Zw%Nt*yP012^N$$FsL8VoP;_7t zToRJHbELPx0jLdosR|HiQ((nuR)%*Dq;R zgmM)a>SD|CM_WUX^JCtmPa^zqamzxkGi_7t2ubwk`Z9wVGG;^*7J#$GEcGXLcM8R0 zH>aLR6IPoeb)6kW@wAhHMl|?c$JoEd+tazk-|6L0SHF{QV=M7*m{ZEIqjgmkCH9j2 z#{r4ubwQX9jKAze-Zp7u=n4+Pnki7T;MNe^pqC9JIcX}S_NQsLk69Y_+1cc{kHY9X zG*futkQe4Nkyq9r)iBw*9kRT#jGHyYH{-1$!hofw6(^teV9#Jl>);m|kihxWT^EVv z%O8mFaM^7~YzHGx>>=KW+C{xzJ_?&Y9?5i3^HQdS+&S^K!(~0%u0b4XB8Y2r1qk;T zzKkb8Hs@|4p&A${#r;~sOI}rg`XcAlUM+{3xLpx^pnP!0K+U62@bpN(q=@fWUPl6m zW-dj5-CdP+exsIbuvzOF`Gs%&i`pcv|F{9hyn4hPlMmtWYEhG^cOsC+JRn9iykkWH zldTI%5F^MRdO7Wh>ULR}e4A&ex_ih#Edr1!PE1e9uN$Jqb(yS!#Tsx|;iw@K_-$OB z`k!+sS7Wj%{x!wM5t>)Ac$EobO+PQw-|rHH?U_TUo3Cbu06K5#=ZV{EI;g$-fw1mR zvrXcbFlZqmpnqO=eI~6Ob5OCVr#Ur0~L-puaY z+kJ)D{yjU@sjNU}GWOtI;_BMl#ChQVHV4;NCA^fCpgkS*-ChAUV>97EW;DW%l)!?c zBaQR#k}}Ug*~xby1OQKJP9a0h)i~?uq{+)qlvqD;bp|p30aOKwjo=Sc<*XJRkAwB> z-WFTOEnB9|0C3m$U(IfEULQnUOvk@;OrJtWT6pS=kt2bOqHsRkl1@!kD~jM3-F6Ua zt`-P;sV%-dq@ubjG9V1KQ56Wb*|`%3tW_d5=W8_Fj39lDE&Lp~H!#lezV3P%!Fkxz z+6@-7dl9I1+TdAvzu55mpRW7ftteRsIYqf3 zfqK%R-7xnMK72HQ62w=9->`0MHwU9*4KuzUqTa|XpNiheRl_S(jpOMAxYIHfo!IMK z-CcvPiA|$CV2z8wU%b^HIG}r9+6pqW4>YBNqApXROQaSECL=;+Hy-?dyJ$SpzDVN|l2IUyMUE4KUlBe9luq`AQ~QNQK1C_V*xg*&qI; zx||41wLW^}Efc3vyLU;ct&}E?FLUzkqF*_ z$SFegPIQ}lz~0OAcdp^xWiSY+Kfas=@f2EPH2h3Lw#~gpOHiL!RsuJmtKl$pP}?Lo^7q)tIvu)QZ)s((HE$(*ye6USA@R+O1ejQP7#;L@lbn7-~Dt( zwR6`gUkliSik8{iRNl*AG$(XRa>TzRq=x(mBLIo3;y>9yI6U&*b$t|>-5?o%j%in{&-;-rGBIBm4Tup)OlLCu2$Iq)864PqZbnd$9>3wxxslt z2$&b0f_tBGaDQT!j8sw30_LGs8Q!bPh18|Ua#T)HQUZAOcOShuyS?i`xS#Pl;eRXpYxZq2L}>*gKll75d$5*DC=)43g4{w3uSQ3@B9 z;PM-68(iW*A|e$!A{wns+Q8e4WytM$<`rxkQ088N%B#7Hl(rgb_11HZs{Yy4Ei>c_ zxl>fif{6=gsNOlbBCgkpL-i4LG{q6wKd-d^sA-BNFIarUQufbKiUq(iUiGc5x@P5> zIg@^!kMvTW$tHMzfO%0H+fR!%_^Dnq>jmZ4F37YZ^c1Uic-C- zx&G%nR~;o*3MN)h*>8OQhFC|p5tx3n9{+?dBCGi8v+M$9=GKV6R`7i4AbTvJzxKSv z)ipJ>2Dr~M{^i0k@o-t2mX9-aA2KywN&Wkj{uE-x&XfpuApzX8!jO$+`wKj(|HpoytPDx35Vtt!YIio}tXPX{Q$ zkg^W^;fAEN7Ba&Ew;MPSudfDwZ6Rl8eV43N7OuA1f#jO~j^vb!4xV`5UtYX)#u=A1 zZRx^BR*z~>9{sQ|5VrIJPZV?BYQOYFJkfhz|4gp-f(ayyttBL(!T{JHKDm$__Q6lt zzV}S%ZoIavWn@Hg}n#^>XTGr@}x06D<^!qw51Z)TCaNKx1{ zH6l(6PcEf43lwfTn!(d)AGw2eKr`v*2iP z`T;+Sj10?b>bCHm9v`5kR?NW+Rw&kLNHO=c>cYMQ>_qffPqB2`U=`Cb%q^yfvsUZSae0 z^!<=$^FkS%(lP#KrGNk8J;HNW_bpaea*uZ@!%yz)?b*hF?~9b-pPaY>?F-Jhgmei? z(EaTaGck?czy-XxmZps&4BcsnS~EX+^eQro9`$inQbewpgc4cVUX|%t7CF7)Wz(Gm zFuqm;!p%}bU~Ak&TLP=-CtDUwRrC`BxKB~TEJw~b&mtt=qAmm4TD`B1|*Q2 zKM9sopAr~4cS+J>z#uk>Z^c5z1bMonTrZcyLLqC&%rS{uF>vS$g!lsN*%j@KfvqeO zzwv5{>G8r#+2Ti7mGDTxUK&AFkAu@2*L=N<%P9ht?&JM7e=kC8bJeY9l3I~*a(=g? zM$*SHy2d2+%y{ZrN@$q>#zNVQg=0mc)uDN$7Nf(X23k^-m!s*JlcB|ZMJIwzv^7oW zZ}tFg%i7c1D8~P^_<8t&J+Mp@U;CiBd@?b)Vq`&(3rW!Iy!s61Yvbcth7dw-_ zLd@+$h`04XG}4C!YvBSp@|&-wUsrJ~o1uLiJn{Efa zSBy|V)t%n20;JPA)3~_ua6#v2u#(xoTSUZCp?nEEXhnj?vn;aAC}JR(*RQf8wlhD& z`_qF!xj46mjde!+wjKYS)%OK2>T%579#L(oa{*MYo|bqDe_328r~r0Hg<>C z0}3o$&mFE{cKG~#Ncm*G?tN8KQ}87n-8_`1MToV#bb0(llfIGN z5<7!{ys?9Vs&)Idc{ijdVwlv854!D1_vcp@&+$E5w#4th=vbG)tFTUt$dtx-yc1S0 zmM@f@J=hK#LHz1~zK`pX$&f{q#Et1|{&>Nns;YP6#0DV2YAyPVMgs$hcwQ*+il(J` z+>btbGND?7pSmsPC`Zy5A{E1Pz$CM!8Pa9kw z6qUVx-micP&5h985X55(@8g(iYv`khm}X76P*jghSeO9{Sp5h!3?-?~?r-B_LEsQA zItM7$0?Eg~U0VP!SZ`0KXf8YV=&^WjJJJ-ng>x9%rJMjW%?=WQdZ$K$!^LI)j!0e` z;Y1g47d5U>8VtO@$mfYpaz}he0KoFjr8x|oxNpYx?~({{T;UY~I3z-i5fTHpuu?~| zd9{V_&!ORvr5;;XXmC0CNmtYw+9KohLPxlUmfGGo)zN6Tf}`sB5X_~+k#L;UD=OK3 zR1{y5grzd}hNQLIojoEsH!LyDnG|-XQZFVqvo_?@&mas{TQIh=x7nkc8ER-IY?;t6 zv9}OKj+v1=D^mVDibv3O_R^9}L%T{?Ap5szw7HlE+0SKmQa6%!6W3{m7Io=rvpL6^ z@7WXjw0D_&!-w7lxznJI(+t6SRI}oUH4gFMuyy7;wiXFYV8sC5WIrBJm>Sz>-}H^| zTCWkosUYjxSZ?N8b3#j%#T*6K<19ogQ%W~gbVRO{M52GNb)8L?X$tD+CF(d>+tWtc zh~_TC>_m6f4=>44lz=s{J4^8K(30T)(Ke6(SzH+&d&zWtjD_0W6zzq=*oN zg$?w#{wMx}C+W4Iv_k!>j|zV6kuFN(LZNo|aSX0Ik1)ch->f@5|J($aGV%)Kl~k%A z53HK7TW`qo{L->q33(;)BY}$P6BkhpK9fg{4_XhR_>Ybtp@uzjWSy_3X|dEO@z-Ah zgOeXL1ur)IL^UglSOsyv{PlrPAEDxs#;hV4>DISLo|K9_ll|$+Hj<*A=CiWC@Gpu` z!@t$J^=4cxN?*pmXz{Zl4Ke6oZk#oxl z&UAi#J;c=~Pj&pSAvp|}`;4c}+vQBPztUY3b?A7Mm<`B5_sidD>tRC9dA*2N^2@kE zha)}aM;v5EmtCCLT6iUcbn-Km*(H#6@_CA4+W2g4rgq4t?7f_2LXRbH`ncm?)Dkko zB}~V9C6&`t>XE4Xn~0&&oy`)`*^<@B3Lwj6z^6_H3Gjw$eS9)9W?y!P<+?Tdu}_jO zKI*_!b5ubKdJ|I&=e(z22+ zrQBQbvtChj*o|+$_q?5*zTF zIyixnz&FvSV`|!+FAniQ_+eLn(VOkR5_nm$`Oo>PISjYdY$0^OWWEOJn>Krh3K-^e z=s#%Jzh|ZCY))2=UBS55iN#l$>eA?l3 zQOFucjbmZsN`^tlGA~_WR5F8cOkhPTNg5?_}q%#2+zS^rWx;)B z28PO^yID%L*i`zR9LS_%zPEqo^C^zIeRDwC?-GQk;u!cP&JMv9=k`7_rrJl4&|$-L z1l_(8E(fQLziXm~vii*YA+(=#p>A_&`Y6-aZ2BVGL?nkPDT<%Ch4Ub>w1JZ$cLk<2 zM3OLTr-`wCz|sn%(0|ts`55ZACN@F*&O)?NtQB+gc8lmI+T-6R?8ZugUKQExs1)zv z`MIK{y@`YDQs&htLzd{Z%_j(LuiBwtB2VUy`FtRYl7&J5=4Rkk=kHwG;j1UMAkeEZ z7Y$*A0Bn~$F77iLA)j6h2oHywso%yI%iwm+Rd+?M&2Bgo5R&cH8-p9iTFO!Y!et#2 zEhFB}hgWxbxvwT4OUr9H74X2$M;<|Qwuk0rx=IBpjQ*OY5ljyZ3zDn%3StW+Aua52 zKZ<81{^LGI{?pz$s`5-i*wR7L-NKY5Uyk-HD`~`svZwJz;dsJ>qLLa-!yJ!MWjklb z`g#Gy+g!(%ch_z}<;V;&;|}uh$BWB{xV6RL)z`PvB@+mGXfKI>BK95iCaVm^HyC%` zJ9pn(8A=Gr{6H!q05tl9k4mEk zC1l7VJsx2oD4FNING4(2_GNhTWewMrh%6ZRB=a~nEACbo(VjW9g=JHm5v^Mh$R7Xi zFS_tp9uM7bLbl2qT%H!$t1buIk48D~US)s~lBc28RY7M{jZT>!@ga+ic!A=dRqq4t zMWUq)49%lDhW%{HW7rd5E;h&o4p3V)Hp(j2h#QQNQdFNtwXM!UZ|~8AFjd5yT-Q(WJwp(9vB|7+W1v`7o2yj}RG$kdC>_5Iz9d*q0sF zq~fN&fnUFCpErB+)O=x~;wA_0aMe@a27Hq5ks8 z_~VqHRN2huwuRMoQsO8r5`f2~@Fr*l9nXh6C|0^0(xS--OZ&JTyHePfmPE~0wI|DD zYnae41AG1F?(5JJ-^4cr8s2_9NeKnAx*>6B-F2xsrU42hb}cAV(lyyC1Ug0WemV&) ztg<`{Zs{iY^zW+J*k`cIJ3s#9gSlHU_nz7DNXS0w5t=s^wu8!ZdMg_apl0rNz0Z8bnxO^-s;4U6Qetnac%x z)0Cx4m203F{xcj#N*NH!FBeeO+P*)uVaiTIPZ^`8N=^GQ9#x;o9yX z;`$g&T^iA?sFLC_^9sYIaTF)T6uR&oD|r(3Wk6=LupZw8U3|`p`MT~^iRJ?EL^>Z7 z#?E|)GWjO7@v)mA!vfz}Ys-t+uyJzea;#qI=mAPgMIgKjzk6%2P#a9|)(spTw2M=* zC3y55PXkTI;x{u?0{xhcEuP`OPcq87AppRt8nSPdTf+iUhWtu7L<~6|cvg}e8$*Or zhIvyhZS)P@9L00H0>R#9KOZ}MYxyZT@$&o2w5Evv*N5=?d~9R~pK~UsT$_ta7`_IJ z0NUMdcCH_}4Hh17urjb}^NuW38GOi2ecP~_73AgAYCG7POvK1y|HRvfIh~%>ahB8N z9s1*Lx;~_(tES@G6XOZBZU>B0E}enE1Zq@n33+*WQAqJWIqHh($_p;9da^&2Jwy1T!psHAmOHXO--q}=0bTVv zGwS0@q!deol}MpD2_0G_CN8fK8d_|F<$6C?IO>n{hAHye$+}y)E+Eu+pKPB-4vQhSS;S*{cNi6{obMm&3&=N2$1BRtTWvX-hOa)azn3){$ zmIjb%!Wg0JvqjdMqS6(^MvMga|N*+WM!9j%sn0y3~$5*Vxmd#1k!?t%V$cm8CEd+~L1P-yS`rFVoH?Kf5S;m_0*hOSD{<%K zL^N-0YDOsCfL^G{TgDJ?Zvr<>R7S@?-rbs<2Jpo_KPsu(Db9=ATr|j^kvft5_9)7~-0Sq?+W;Om6VD!nfN$xqI#QueYDyLlbwT>4ka4&SgNV9x$UmE)tsP z{bve1TLy>}DCuqx6bx^D9Ezf#srMKp`}<%R1byrG5l^H5O9ycs1Oj6kn3@DJ1>mN= zgGKf{%9NPB!)290+yGM(ATj}N+c->33C^+wGRpv2c72!%rX}roZh@?#?E)xq5U&8- za`I2WS(OJ_CCA<&yDT*Ua00hVAj_~1Xecp2NkaT~fbSd$ymS2rFHZI=#Qh4Xw;nU9~X+l0^j>NzylrLnZ9 z1@B(ci47yuIBih}CQAmM+&Yfso%J}ZrxDqNidP1w@Z{Dpn4}#$>@fLz7G+ZT4jus9yxIE1mHiJ=0+uU;C&c%h66i=(eGg@vtYygr-<0eIWO zHcS+C{C49o%DUlszo#y2!NKiWJhyWKh89w0@}yw%K#gliH**xN#8S@9JK088NNGu&(tk4M)X%|0X#!90T8EM12sA~Nhl4N_ z07NhNxhKUe6IwQdgxLnm8alz4)^Bh9Q2K(=duX`#q~4EPOU7t$!{&=DlhoD)bDW_l z@YYpM5GQfBE))v&k6ifMFK#}ZI4sMbfPeAwFL1-tH=?z^4gav<-T1_DAIH(%N8!xg zf5dlQyA@?kK}V_`$Mhb9hIl<*9C-;Zj=cm$QNW2~Y16@2-ntAiC5BhWUc*acFJt4x zMoi`=v0EPiQyKE5Jm%H+;i%5HU|OHX3nMS0yRHW&H}UHDYiLO}8t4yIg)s16%k3wCn4lj(nh!@9RMqG_yY13jf z#vAeK=xgYz@4)ib71%tn8BYwX#e$~!IJ)yFkX^y7N&Gw{UXL2{^jrD8!hCqgsyuo8%ZM z?7`ytg;>_Q6!r0XY@XPPrv{#eMHY@~I}&g0IT_h_7Kb!0!3iD5V7xGf|Jw8brph^} zF%_k90rjygPV7Any$y3QS(?N%gU@2e)J|k#DXeH&hQ@dUULJlGbDQU2dHZs_F}exs z2cChd5EMl|2IUV20&zmTwF#EVQ8vad>OMI=-MhN?b31=h9_V^s)A^Oj(oc51_}VF) zbJTaXf-FlKfAX;>`(A~Lo%x-3bk}1zW8pvH$c~k`f5(5JOl2%@J_IpE!`kgn;rZd` zk!jB0n9ifoU*CuAx$RiD=NaTGIdr7kv9jfGjFv_*txw~~&Li>co@emXo~N);*@#h$ zVtLC_ENff}0MNOCzRtPWV-4ZSp|wc!6ml#N;)Hy03cYo`IK1sJG$)&|GrtS#hSoy` z!;!6rV^Py0FaR$Ozl@j1UPeMo;OO?FaD3-+sEgNOMe{O@8lxD~$MEp>hhZ8fEX{;o zv5!n2-F74vH!p%=8u;_@OV~KR0ji>*E|$Te?aN_V7B-DyZREmxm2>|b_Q#$Q?JclO4$GSOLf41W(|cYmeVrboSLb{%eQt3qfBTL< zzp}Dt*}ZX`>=U(3)T&-M^P_$P7i@VmW5KKjFg(jNu9@Ie#3n1 z$nC(>d)A?#Pb03z(VOYU@|I<2Nwr{CZnqOx1c;E)(m1~R81&W8#bjj)>ju|jPjL?n z%fS3bTNf|_)(x!38&jK+j@b(y-ux8AK(d#r>*PpmYw6=4w!+0N3yR8+>}UnIOwAh0 z-O&Bvy3)Y+rhn9T)$o(UH?*DKU`_rsQF(DeWzJF{l?8aMovB*R6akh6SOyqb&@0mz zd-m%{>e~@N`fAi4bQX|37$uz{&L)A>Txcza14;tM*o&a)O<;-&0-)9}h0?GHi~wWu zWl(-I)VldVq6t>+4JgT0s7=dZ6$W69t%t&Fr;4}%CA%1E!(xD`FsEJz&%Fu-1jMpX zn+^xJOz`Qgh_xOG#M@wuzW@}sf7QxDScyffY+!x6iG9%ZG-6vS#H5dWe?Ir0 zJBi^%K{o8~WX6yZp8s|`!b~yeXVcIS_;d{+6`ozPo9o_Q&%~;7=3Oy^#*R4CANqo0 z2UYUa`QzE%)Qv4*OjQJcch}YP(|;{z%E%JtTr!1KwJn_R=-2$<*dg3~#*wUR=)kXg zIHEiZz&{u5X|+dqBp!(p!b51&k#b1mS(UnEG9H%Zvm&A^oa2VY3uUiR}~e$%eHYo$~v z8&!i4f}U_CAw(uDEc4G)iRM=cg@gFK?mO;j-Hk_T+%Wb!emLwLJkkRStZrVzAHKbv zX0w^wrv8C*hyM^2mG)#iX(vrdpoF^?-a}KWiN|I=!ny++xZ?9G5xV61G1oDvYy#JO zavj}zlo!r;mK|+7xoF-c{AkEITrlz{tZQ1&go^PrbT+bV&oXYD@oT<6J}v z|0_b88ydB@yO!%d`!xwC!J{WUg6&xB?W$#b**H9!hdmv8x$dLuxqjTWj4vM#z`0|8 z#Q3Ul-16D2TsQMNrdLlzIucFOcyRthJig{hBEd+X+?ntG6S%tk@<8!{?Yn-As!&{0<%Z_wEN<63QOVpQN4Uy=FGrKvV?CGV2zI!6 zVIpJwhm42HXA|>Ad4B8j98orsAC5YQN#zqsuQ8c8U;=-haTg;BMj#zYQY3kN%~L$R z@fofjet)%-XvWK0FbGyHvz;d|gg=}B; zoR+&3Ur&1<7!Rja^TopxU)FxbZx;NPbjBkkr68K@=J=}PxO3Va3=R)Q3Q0mFd3eR& zczN5aTr=xxrj}1(&A~McEf`9Xzlf+A<((bxaZL3Lh8GM2;EkpXZl^7 zH1I@(aPwh5-SZhY%)g15!;azBskgADWg8wP zuQf06S?w1*ecBV~=x&~(3a@W^lP6a{#qCpXWng#!0Kb}X6_e^G@XqGTwhl;D!Bw5(v;7K<8|aL(`_Fs^JY5j9Mk)6T?_2>^Vy^K(49hrdj}hZCxg zca!!N$>+6Sa`VF9Gqh|7f1mX*^_}%7Dh!DX;rfqn;D_VRVdj8ixaO1VIAQP!oIdz8 z08SWo98(5P=9aH+<&tr;8C!ZZSATpRpYH#Z3y-*fnz^dkNq+L~MWh{* zduHCrS;No7laUp=%r2f;{Ve}j^*94cs(A3Y`_WaM?X5eQR5=k{(`o2#k3 z1ogmo2XzFgJv9polf+Fsj zemBQg&q4};RN$lCAM?9~H)CeJzDP)#aYFt)?wa~1PObSKicpY>*tdY+%>NyJUw{W^-Or@biAcxwT0gw(5guIoFc%*^n?Fpwg<@YZ zQc7A=ZQQx=ES zeR)4MzKXtK)|KAWvUJPc1(ywRIzIF`8zXkjIPiL1h3Jq6lKl?#e`uLe!g@{TAp;@- zFNWWhN6ha1IPq4r%9HUP@mr*?3?U@m!7*Z+9zpE?2;Y%6pbz)~j`V<{ArCGgvFc_D zkG>GC^jNHpt!RNtG=C9DL1OPaSX=*&M^n&;UxiWgBcv8U0){Y2?EN?C%@5)6mSG(I zM2L9*>hO=d9dE^n*g^$GBUSe~vE{!dGW`1l$NUbwMMxp> z4eOw7_5E1;ze3Z48KtSm1tD`pVHY$ha+gBr!8A8#l5AW5o;~~lGU)*hwyLquTftCO z6!}uozb?Nsf4+L?>Hqg1<@7tNklHNOtKtg>u^oYMgeznVfs@&U5I8+;PG&!ItY@=r z*K*yn3CFE0rXkU!%tqF#nTjte5?xUU`E+U`27mu(CGW4^O+1z6_PI-#`Nz4O_TWc! z#7(Z6IgBwSK9VWZ4Y5-t(o7;9fu^bqEebMc{#tH%{aYL<`O(;FMi=OqsT5vKA)rY_ zDv6p2Eg4ea=ka+J>PLa2=}`GX>;6brO5d|m_6lXsQh_&gd@dd z-RH-jA4J$T!gg_Sznx6EWtXUr88m~ZPkoa6XWok{6rNx5A`9vlaQ?_2bN-0)SiXBX z$2@T?k1YN>lgcM@*1$8FQ9PaVhM!9;5#yE*Zsn;(PZKdBXsQO5#IYPass~+qu*@`$ zZDFWhG*v^S9fa+M&UvL5Ct;yVxBAe8(s8`A`duEG{|K{3UdTB^f55wI-(}h((|L96 ztDG|UWX>LN7Kx-=@o!MxK;|xclSdak2EbXv&cNz6xn}OQGjC(D;}_ia{_V`FK9*U7X0mDDW=?tZdz}01k6F5FDFMZgv}Nz+NTe+ezghi{x#wa_ zu!LLg+)<9KM{!#I|WSJCk(8cxb4Bm?|*;*C^>DtUk1zqxeI-6h)tGEA!)gKRe$T_{o zWnX;z-}|t*=3*31EqHtQxsT3#?9LGjgR0f3x^6a6nB)VQ!uBdul>8T>s9mIpNt8X^XdUuhrWIYfOCeOjb^Gm@XZ6nP1lP4_%~1R?wa?o%rt-d>TjI(^y!@Y z(s>;0I>_v!E@XIc7!Q5@Fm-Kp0KB>4P5%1n12}dj%-B}ZER|cP|BfkDlbOF|K0kTp z0{*%1Sq9_};7`Z@k!qs~+qTd(ov@O}EpPmu&o+HVz#HJ~5ocjII(FJR%$Vqlt+WKf zmN=HgNo5zKK@BOV2t_UN=jY=wbZpDY(5FkI(&;;A^_)_=<{#{G;F2b{ngtKMY#KW6aurgu4Q$f1!yx(*DGbeK6yqgFcVXhi;B_st8E&LlT(G~#ywd5t9 zT=*2&5cCA`seV$i1eY8!n{!6|fPF3d_~oltaK}e?U?>JRO}mjP#gm97+_2$7e<4lH z2f6n3>!@w3r8->2NmVD3PNdvE{NK{;|HzN~@?@Fe$-=>L@MfiH+skP}QS$?ld{mEy zlZ&mB%acVPd~@4e{%g6RzqZrMpL5$BS8f2fcIq{}apoMZ9(x75n|Jfbw~x?fw(+a6 zS98LE<9KP=OH6xoIv;MG$JxWb&xz$H63fuKkPfMIip!3;gfj-8&O2+~VcOrP^V+)C z`QG4DID5cZL}T4NxAb{_@Zvd~@#2}RXWL^ z$2Z%*W=z3R+%f$&bfI(ZbLVpIOFt&)3Gmy=zad}dkxrR?vFYF6mdN(8yD$4;_#N0D zvVF&Vdsu8GiqmsXiIhs(BNPF!>X`|i>M&=hn(B7~1#WRY$3_tXML6yzGv7{T6Ap^7 zv+X#xt3c(*Z$jAU-XO)3Zy_-C3A~l3(7AsD?HisYkXMRvBhY%LV zu*|>-st4Os%&rB0rD4fK2*<`(b1tU01`3bC z7&@C&%4F9Uf28({n@K0T@ee&8r}z}icoaqTq8a&gv^KHpvzswH>(GN$i11|6#&C@4 zGf0~zTi^dB+uu2t<_&XDL&FJ;xfx4%S^wt6Y<=fKPz~}%UxP_L!b;3pjbeNz{aESif&Q z4=s5Jd z7FK4G6WGGav^!b+9AWpt^TUnvxaxzed4KQw%&3{38L)8D(I*iJ6=eSZ1eA>0xVnBd z|5*7ruWfscu2dJo5j?r{DW2W*EUOw<0T5Jz99uCHP1R^iv@w17G)4~?jYM)(*-=E4 z2$o|JPsMp`(LZ>8!wY;{y9j`MJkS_t0{4DPn2j?wcVQ6&a zQN!^^f;eeA!(4JE9yhLMHBZ{Js zr-Tq``%uBCXM(n*J4yG$g4~JJ5-w&=&N+^Y6_)6Wt^FO?I)|Ci9S7;SVZe!|4&qI1 zq`RHh?0w0%0g5iqI~zs35-KXJsXA&H-hdy+w0bStB4d@#gyOxq{tf=M^+o14%m-j; z?NXjx`y_Agew(C~bo2kD4=WSb|L=_-@YMRJcxmTLd{gUQGctcfHk{kEOpeGO!Ki|f zbf!8PSTc~~jyR6AOq1u!V_0w~Nz=_Ed~MC^JhSl`KCAuA#bVzY9$)!5bGFZ+E7gUn zC{!C&98=-aujWxXW$el11@ZtGTRaxWbos-#yT0Yo6_4@C)>molZX{%cNTd?Hwe4-< zb^=E@%-uMbWvxru*0z;~L?g4O&*oRhT}_@p4@Ffd@Z|H(*0*VhHUjX)_AhvM$2$ns zeYZq9#=uZD(+5n$veG>G#e=-R>pdP>@(80 zT=5uW+8r+kI`?zaM>lcb%KO-x+=K3MJwK{c_`3cpRyMB$V0-g+Uflcw&2|%NrYfkJ zHkny@3}J7WCA*jMr!Vi|^8;V-^7dC~Of;}^|4O_8FV~%T9p{ff4=E)@zCuVVytCtN z+EQ&UZ{PMIpX~bt)uZ4@H)J@d1~`78JC{7M@JZ%unZrNVKg*Z9zC=?sj;WY|opf_W zl4g=e7e2;|8(-w>JzoP*U=)BQ5mrB5+e6cbquc&G`MdaW54IAdEr>R@kZA4}c2eHk z@?zIomnR2qQ6!HPR+s0Mj~a}ssTrR9KV#b?GdNC9yXeQWd%s;}%FbHuM;46W+T4FFx&Ir->Q2>Js6Oeh|YG+lbI9h!jb+NvDOkc{aN%I8jVe;9R3F|fY>DVmoN{m@m+#s# zv+wlf$358E|A8lG?{PS+-D?yn5vEPFp@~FG)U-``N5|aMzHjcFrHxGNeIV>rZ8o?dgHIirKtv<%}9)r4c!$sA|7}Vk^Sm_kas~#g1UqPsRG8knz zW+w%u!zddv4MZAmcmSp>Bpp3~M^mUAb3P^2WAMe+p-VICwQFAgDoX7uXmu}>Zry;Y zsyKm>h{z-WTDH7{z3U~6{c}m|c^?H(iYAdvyR}-av`O3gr%~(YU>;lyfY2i(qMb-P zg%QYS;KYk4F0H}axspK1(I`eCcCv%w>LV#1JPCw_uV4_Cr;@a3x_Uy+CbIhy+jjam zYJ}q&pG8Ku$kjoFBQwfX-%aNJ7MabF*g`=~n^dRvljw+c?eA9p_`Qb?CjP&K_9>^_ zIRMrBifS0g71fmBFD}3~t$v|<83%Je_i}D>Sg-rJuR9vZmg}{Jz;>M86~={xjFm-o zS7K#%YaGH64Bg-_XOHEYDZ9#P0e^@01{~j`~m!i53{F2 zon>b&Hy~Z&%H)wGZ2^HGx>qM<3H+LZCLId=Zud5J#6kCgZV=5(_U9_gl^ z`&J&NE$5i*e@>rIf7dXFi862xD4L4hoh03ABI41FL~AdXYhTz^aA{z)hJ4){^pB|= zK7?RF9(F2C|Fw05%rKk`E+1|Bn3q=mi^tDPeI}YxoGExD+f!F~wuZpIt#L}@W&Pt~H9pR8lB|*CT?m^k7f21w49`C*Fd+_*G z%JNGI=2O&+c-v!0feWWxV?uE{Q%WhV*wg9MF0 zrg(^pm9!*ydfu%+ohmuxdALxF-u6D^c)0ref-)yf>R~l(Le9e13eo z;f5JXP#g&9!K@(f(KHkZ*G;{aD<)sT+P!O8wtE?aLp9`==Yt~&X~C>=;L$v8-b`lP z3L)^}LsxZ@W{OU;lY&qLOQwmLF3-}XC)*dMND~YNvmi>xRj@PbUL1;VhScM29VFVi zaJrr6+Lxq$FQpX4m*-s$^6~ugB45Rb8dO!qHhaP;bAxI7(rph-qkwH&EUa6=Pez~5 zu>)r^JT?@7FLr!^CDVj5{XDU1BIC=)<4A{f`_@t0Qj03whimF?rqk}AC{lz+(R$}( zM-Wi`_%cQjujVD+7k1B)*}+DE*A=o4bnhprB#8tfF7NdO_}lj$=9mG;@X7j5*jl@V zF{MYl<2}Q7HPszAx~5}zye|LGyr<^41uFnr;>`pDK{QRJ)9eJmPz}}dhEEU5xEmRw%lDkGowmfS;ymG*hIpAcQWxsR&1Gc$Mxnfs_A3JHA zcvCyc&Y0;$xuyNB#EWx(^dt53V>Uh*($yPN`BjMGfhfXum8I{9{g%1UbBLUm`R%w$ zn5ub5r(*2+;OCT#I*sD7KWE_dYe_6zk0V`tJ>DSxL8l`%FY&HcMEib{ty^ebbO(83 zuP3ki7}V-xNHxxi&H4hMt3>>2$Z% zW2bkJPNneJ?tkd3E99`z94NDu`;@-zy*(@YVtAO3qPPm7qiU#jngLETG7<0Ec2Hh3 z;r`AK;r~Oi3FVYKD@ZGIRG;tI!oj&pRIgIxKC8^x?|p&XyeZk!3Ax8)_H_Ypgj=FH zOCUmkZTCsE^(YFY(^Qm%xN!0yV#ySjJoX7KDL7;5DEHoulNF#O(p9W7Lb;l8xAs&i z0dN;B?Mb4h*J1!@nd&2olUZO?0n@T+Y>xskYjib5d0PnN1vq|GW#%5T*P3vM5|vB* zeYkk`c@J$rl<6P-fYNVQaaUcBB}up1hdF0GTxN7oM%-=JgT`jwqUNxPCyB6}7ukS_C z6iS1ov?bfP>4cjAm|ioT;!Q=A1{ljc}6g9`@p-r9G0a>7u z?=FTQe$D|^^f{9fVXxej-Q-+*^ zrfArX?S|m>j1#H4p&yp)EtlS7>GX&!Q|{aUIm%V<%jWF&o%jxy!g%O~|HUUWX(wB| zNw#-lcRL>>w{m5CORS^l693tX!V96I{KE1PgYXzSR?@_l7C|+DPjdyMJUxV0(X%wG z;0ggf*eEDj3%HV5lgG(evjL_InnJ;*2t~nSrdCY_U{}*l3i1ox{zRp*qY+2C>!tm1 z-tDY8xQ2p20YN=PYr2K2yjKCBN)=)D8b4H2mj-RO-!xUDE7n0%_W?!}59iHQZ}8mm z=kfb|lm*Laj5Tuc)Ys^1bD-k@P0=O>6%69op)=XGYAfRhj$>HKFf7}m_TV18 z6Wl^2np83&KfQ7NIJnkvwJ-LH3P^=ydl!k0E}U-hV%yx*ucee`(WQBpDTpWX%M1PG z!v~>g3YMAfJ2&*1Zv{CmS-REnu;IWucDLbBPCKa#hR!HRWNtW zTwYl9JbuGZS*VPLSOc?$&vKtrQCuFD78yfB<^}AGH>aoir;tcfBGbL+NJp}}We)(; z22W#Z#Z)%8Zz5vkGr4Rs#|$`z%?+Em=;aHUIBX&pOuYa>#``OTi!o5_D@3<7*P9^S zs*CYtjNL7}7+pG=lSZD%H+5f86|83R0Cz6gyl)G_?#(Mvgn~@>Vx7gs&f#bO8@l}u zJXulQ{Eb9wC#lXTcDH<>{q4jZybk4;27a%o%6*ZFVoHZrBZb7V?LLZ950bfjHy7J1 zCziP)W)3gT;mNKd)yv^yPL#Jdyv+$CPT;H~&f@0jH*@`m*V7blq9U(?IV)b}rPVJJ z@cAhZl~dPU$7x5pd2lK!-SIA3Vl9j)8o|43-{tA0PvJ9s6#0wjvbuTkqJLqi26ugQ z7awf@fVY1BmfI%|M7;UDwB{wAU-UdzPQQZNPQRTWj{G6dEpaPMw?*5y>a{Crh&E6Z zEGDQ2Xihid(|xX?E8F*d-?I-y{W0s8yMHL0|9fnO;}CD@Ak`5|%c#7){hh?4%vIFW zkBK}O)YThPkqTsSHHxr6<|=?Wc;(I;Qs%VhJVaLhwQ&>f+=mK?7R1&kF{@|dD;Y;> z=w-wXF2)boW}JqvZ-v+{G@}6YAbvH8ZYOE}WHzm(GZ=X4qxh&Bay}f~8Xch_~!Qm`U8VRu!b9V5c3V$aJ2N zsNM+n{%@$=`T>E#XEE%Ihw%+OiMEx`Q3{xecD8@`Ye?+F<1a$-1n`Ph@aou(=p!!Y zDpP&+jGXrVB67dqxzH-~{*br^3DvO}=(HdcvFN(};)ZDtbk4I&6r5noSQ9#SwGe6)%aU6_{pc?XdU3aP@ z2>V^Hfk#U8%)^9yI@mTokD7S~4J->)3iAD4f`$i=0`D%{!LLs}n&U^13f_4^1k*UUJXUl>I^#J+4FrV!Hh%=Bb1unFOaVQBNV|%5o-d51XsE&!GJ8B)c}9>qYhLFU(|^It5i@!D7q3v?RnO@1 z(LD0`!>rlAhM+fy@JJK^j@8>YKHZ0Hrm1bN1>on${hR?M189r2GQMU4tLs)Xrt)Y2 zmhV_jA`!J3J5d$$o z239iN*TQ*-$Em*pC9~(z?|AMr_MgzCaNY2J-R+CnlP~7{2|sZY{ec7R2e@b6-E3~# zL?9U8-F5G9!Nd!B?5B^hqG1J9kt(({ZsDIxpXTNBU!k_MmRKszpyC=1v>#w=!&Xil zc_IK2UzqI&w(-^WFF9lMnLPTV$M{XhZ>S7a;s|$X18kY~LhxePTW&iUIhg+^<_1`2lXU!9osnHuBuU zXSw_Ad${l1`#FEg`3x-`M#u>9>=*xJeZx9R!lmx}DLRg6L{}6$>b%naN%96MWuoNbz@-YxQ{l3RuWZ-=R87H7Wz$&u(QOZJ?xo>e ze}*O%_IEe3tbPeY$6t&WFN=08VqbS1A|QBm^{b3IeGIppdJ8i~x&2(=jd1bn7iATs zpf`ZD$rv^rm+t}^9vstMv&$VveuU+QEQO39C=l`l`E2tiEFHU)>4T>;=b}06YTJdO z89cM_8JeTb99exN^REAhvQQZTZvfkI@JNmBco+NH_c63^DEFUpKVw#p;iJv-@OgZw z0Ts)#cyY;#%o=P1HDG43?Zx>JPgSmWGRvlWA6(du>v{FMxP|pFs+2srP<`;F&U{y zihRXf`Q|U#)v|*LRpYti>^r#5ypGA0u3~FBHa{GB4p+>&ip6^uF{;EhcCX#Ln$I_X z#S%@s)yPMW?c6!CQ@@ep@O+6 zNVNQ+bT{vzZPVM76a+xe!=oz*>3YG*(3lh!YQY!=oO}<(2UdYmfTC)29o#|d<_{5{GZ}aOQ&{ag@D&ZGWycq^uXqTd<>8h=@5L(DxzGb~-{l?qwdZ1eDEwJPN&$qb zq1hG#Wji7nORjH{H%@=3>tC7sN&xN7JMa7-M#|wo%B;h1=RzW-KnRz?JDDnPZp>ltanW;3itIH~N;izcUD$@Kt143lw8XEHh(-BkO9Sf~ zyYYHG6#EqF4z}>whI*P4f<)S8=l)ho0v^I%cyIA07H{28b4Qd<*VWRMmJ|n7R_|!w zi_QD-8(#d1&EhTfEZNnH$K#=-?EZBCCg1i8#m16#;T2|M0 zVEDWgd0|WKe&%m&WJ_HqYxf=?;?pn`hu6MdO-DS<(KTg!v2GU&H#gw%dfj)FGV`9f z?<%vuW%eA|+upx#`fs^y*%6nssR|-yVzrrwMCTSdHeV_?zqPXBvfxPDuT3Af9HI*cWk4sxsH$)L~}GgT=OBZbd+Ib!&$a_DWB~4h?eeV@;rIi zX^Xi_=dz}LHErE(EZn((ZYxSe%V*8r)hyq)jEFy#W?fg0=hC;PrZmXc4wIY-hpFZ-_bFln2U*c1KyZ zdl@Smm$RmB4Z74R36v7iBkXD1&AfFV5VPYH8O3bayOwWvE+pZ^DGij8jHg(#V+lLj zcCfF#9>3y8lNwEJO)T57gqp%3j4B>UEFR~zZ|CsT{3mgAx5&n!_#bA=VFhMqoJ2<# zcFbO!-f3MPTbbTjdP&|iN60qgr_Y!5!4K)Uml?Gw-i{j|V=xk7WmzlAoWCkdozlml2Ca z$=CC#2vpF~)xj4VKW9tRCWaRdXITDlO8liP-LZuGKK=_ETGlh5U;v3&f~C8cvbAjs ztLj#wIUWM4pB;@m_+ZTk96Rb*I^rF?zH$zRZr~FJtM;s9_5M}p9-TsO5&N3znZJDj z?PjYRN|Zy7eQ@aaj#)32=ugXi+hu<&{}Z(uNK1l46zf5kl4whZu|2~Kp z0!88C@(}~j{che&54Mi5sSH$+j3?NBU@NI+%)< zUYvKClsu7FmLDh|QH|Qy)vV6}n98+MZ20je7)NkgM6)&^5 zeGi335t^g%`r_B9Z?9)h({2{-UPx!UlYK4qM7$AjU{~WVR@N;i--xh&&pMXZEn{=@ zCN|e^a&hq$(b?U>d&}SDFCYDxcBh?4FrT0jVoUvI7Vca~+=^4|D!`8*z$?)J@ew^XIqVF?HDf;p#N8rIjSP4_#QqO{&^XYb?w8mQKh<0Em)2NQZ ztE*mNXVXr1&JI-~O~K-Ai&?aLA$k5h0y4nLJu6v%U>#dqwy@{G9t_2xDp-YLsjS$! zjBj>)&DQ3v6nTpXd-GYjeFgJ2%p;zR@$HU<9PB>GktIhlqF^|wl*wDm=JM3Sr)U@L ztlYa2EGY69QEZgZ&|J^QYv-}AyTM&+@^D!6pLhE6BQ`cn@(KZ z*7k1d0f4RtiyjQ>%1w5D8I)9^%1r)KADK_0NRip3TX^D--@V^tjw9T>EJyJXcLH=Z zZo)dS7{ABCiPn=aC9$p!(uq!@8($!uwsAa#*m?=w?FVVy{yD^J5up*-fuT5BKCQbK z(zxJ$0_l1RMxBc%zlMf2b4exR*ixlw>*pL?{164+B%0MhN8JicTSMp(k|~Sk?O#&A z;C_PXJ@|tWk}^Ph;|`Jyi!fvyM=v6lu;{8=g6Q6hl0OO&8j2;n9N6+X4T~NnVAT^p zu$E*R@D?ESB05?cXxjQIYODcG(=y#Bvz4QzkcY}3!o^T#d0)>s=zHE_G0p4?6g1nW zMz*7-;@uneTQ^L9sQdXt^r1dh*8f(CI_VFkn9A#l5jrtEs0@E;k!!)p+)K(HaZYAs zkDe8(C2j{~MZW9=lKsMA`DQwdwPYYw(X-rb+icUZakW8nDrK1EwL400=z80%KNFMT2Q5DQ+f>c+O zbljeA?{t3AwZ`0Cet~a_gZieC@2@EzQH>GyVOvfX&n%)6TpOrMusvR4nPD=0tv|Bw zV`Yb~nX{ki3n_cRa9I-)9v6M+=JWTFeE^5cXtVHAvnQZgIjP2?(Q?V zOYq<_xCVE(%XioPUheQlR`s;hTZ(TX{7_#na7x z8O+nI)Q0Mfb>{W$M@aR+_FcSE;c6(oc=dn)dE9o|>Dv^BLrU3=sK_n!0CUnk+n*Qs zhGwfNqRP>>RoH5#!@1wFqvfe-s-E9+&(Jf2ui1XgKEljKsv1gu-r7qf7{{jK__V5! zaVinqfBsY(8k$^x{(#=@7p%b-O3X8*f#LtRDAnUz(JubJ#I)6mf-+pMl3a6n2KSz1Sl}end2Ezs4FmC zDN(NQFJ7`pw*DSBx%-r=goaG54lkn^8yPV^l9pU~ zqmT?X5YU>3D=&3{3MbAf^F@|rPE1;w5OMW@O+!(1*_i0`igp^soJ1@eOO_dhTz2G> zswxU%FtR3Aj5KGVs0?O;3`4lSlUN>>;i|kqb~m@3j}RP>8AyGr#koaE`EP>QiMCkb*D+Bwu z7x3VNjjIQaXG67OSw8FAtw7prnT@m$uK^S_>++zieuW~G3X@NgR2i{(Pp;ES8I&*| z<*^7kH8jQfei?HF3>{HrM;7Rkz_7~n%HMVRBj!w129GN8){&(~q{^df?S|0%g| zqTOFSJ@dwHU%E+SAtOu)k}z^f@|om$etL#^+q^PU!zO!`WR6y;pk|zeoYXe$;+mNj%S2Fp}ZqIGf`+k1tOXS*rFBVc5B!Lw- zgk9WCc)tC)9hp&v9+#I9DQ>Ul=n6-9h@&trfPgkx>6atUPUsbuT6{QzYLOTRo<#Yt zZ`41vy-+;G3M=v6WzNAK!pdTqTRiw$c`P-W1(+wJ=2cC zTTatf?ib`uXB|r2G`}f_`@O6yD;;A_Qf-~Sae*V-{IsO;8u$~O^S8iY%wPU+-`a$o z{j>8{O{L{jBAHj8P!fI^rC*5%202f>jawh}G)w!rQMuV@^T&$2e^Odb2@!)qH;|SK z^AJ#4N%C+B&ei@USHyv`xgnaS`fL~)ur4oeyJ`4UI@L=1%V$HMS4uZNSpjR)GEZcUV~wPMJS=qhACFWsl3!eyehhlN zwP=&u3llD_lwu(i=I5hjk`&=4$hp+obW2E`-xG4g7bW@O(gkg!;;Kry!)3 zi=<3?Mx=ElD}^!h^pAqQ13i+6jC+vNK2Q2*xo?7-Gt@si4?CmcPd}EvQrxZyC^h7_ z6TS(#PPDmnbtpPC+^`%|NA-swYj0XfNYbKieO^f$U|}1cOZ)Z-ahv4aEPCymf*-vT zOp7X&VPe|*X!BOJc1(D8K=)WTpwC75?z%1eM|t*>v}TsNm1pYdLBfe|?!I6NSiPk4 zMnH4YGrK&0ha3>36h7pT+1vHiiSg9P-n49OP+fUFA|f*E?WM(GyU71a_s=1`Pu%4h zp?kC~Db+UY4oELy7LuDzP237WE|91S*_c1Pt8>|p@|a|>&+wkQzbG$wRW8!<+j@@B z=L8wZv$DAxv}{p9duF~rL|%JQQiJLP%@*K6Z?bev-uSp7=hxJZKj@`tX+qQ-W}X8_ zYX%WY1mOH%58O9ajXVj9>5HS+n+*Z>3?V@w=>p&UO-v9e_)T)70ZA-W$wHp1xa7#N z^O0gnv#aC|wme?OMfm72a`Q&OB6kz>4#d8B$@<7A0@G}n1?hS*S{mfd9vaL@8g=$O z160>DHX@k%jb7D!y?-CeX!Lg3$sc52c=&}kIx>xToxqX#aoWY@ZTrg0_DQ8cRgW#d zovrVl+)m8H^_EIZjA@eN$8M8&beE!Z$4UfEJ3G#`C#TUe2kZ@E|JDueGUg zC<3XGR|4B)MBK->KS^mj*U@3YoFvopRk%thKKSbi+rHSFVX{xWIiH9X%}Ps`3|a0e zuNAYZCX4}x9_7Ri-Ql)6v#+g3#UGDcSConC@ayp#&ts$3BS!uALYwynF*lWkuK1#3 zV|o}UvUf#;Sp&yfMFdR})y^uvbJF(F1e`+p3q3jdXgD!{{mqKvT|4=_XH@@O0YGM* zRO|>0@$ZQarvVlX!NCN|EO`s>sdseim|0jP@7YZz$y)xPVZe|_M!wH>SQ{7-lrCPZ z$(Oj`qwxKSRM4>^vM+<{toeGf1<|kBdusmtHoD!_Tlwl{Ywu%wT3B^1M^4=a^J{>> z&AIBMXLMTErBCK*P3x-56HW;O^sxgE9yerPlw*J(&ZTYHuiy!rs)eBsT6?m&$F*%) zNX<3jbshp}AV)$DV1MSN5bb}=9T*@Kf>)(>sH#L9t7F2U4014UXyWbn4VEZ>CGj4) zI`z8O`ZlI7?;3JL5H$C1WLLRqeQd1#;c~emIZQZn5u}+R=!6z7Q$rz{;b0c6X7YQ8 zn<&x+3c(AuxE>u7*LoC;=|0KCSG2Mg3s4F7`1W~0(BA`{b(qQp zI^Cs$#%Ds>Tm{nQn>R17e{d?{g}o_J!XXJK`&$#F)nfa_U7~ijunI!PoE)%N9*3qtduKbKekYxMn0K1W%QfD2KIALeIzL$s%;C}ezdHVF_t_&3D zVTSsoP#SdoyO7XWpjmB*$Dxx{na`RF92d8V1X+tv_B*j`e-ri(2q-V@A44c)`i%{* zJKF+WQ~dSgh#M&(!4lZCEYXM)sL#AUaM($Bk*)mfF z=56In7WKo5`Zw~A`LUh7z!WO#-I?!*miLy8@|eivXjo6-<{^T2Cp{^L+$-+?3_EJS zn0r_fk^ooZj$P!t7>gcbvZ9@eF+v~MJ^k|kEnTB`B-eB*KUO-9e)5!aYsqWO{pUw; zrv#QsTh0(-5djvMmrtH=9NcjoXtvWt(lmek&FIHIEjOD$&v!$guX(dH=Q|bku8h1b z{XDmWzJ&(N?d8QH- z862cg>L;oG-SDHsNLbtYGWSvkn@p1!bI5=?y@%Y-n-7MzuhY3|m&>;Uczk^a+1xI(Ktq(t=EY!ZFXVNiO!g(tVK!)|?F z*N593VDMkTL4h?T(?92F!$ZGknZ*RaI`RQ22Yb4MSrU}ir1Inv?VjlQ5+;;k4%>HB zp!$AvBB}!4!a$`0ge8?TgXe|$qqLTehtMX%po`9_^t!tAZJwhTx*(3w%u$F}zJ zg=@T$-Fi<7O!%J82{`AH z${}q2t-knNSI21IYj9v4C~`7c6wk8Z8iLTr`xla`On)n;`9hMYf2SnZ9S@Jp5gk=3 z%-1U?$|*KXo0Zu+#GRzsJ!GJ9j>pvycgFm-N^2)a^O*OsGPvA|#PM;Db{$M`S?A6p zzE_+0q8phRpY;TLKxQWIr7OWNW@CY$<<*v_HETm4JoBgz(D8a2)5Kr*&dNxG86P{q zpmI(DK1COjsh{;A`X@>bY--g>$(8-3n9lk_4E;5naPzKUrHg_q*!pHz>@2w8ZjkK7 zqZs~v^#j1t$?P(K=vPexxIP4Hl)u#tZ{PAqC0Ajljnhkid_NjJvgS?py(=_UO3n%9 z>S-dpC7xctLMh_tc3NZVm9jbryBkdvy6Iqk`^J+39OEgKjGXX%5#Vi=(vZp)Y&9cg zYG_yn#ZP5?K}^`Lr478YPDNXro*Nk#ESWavqqOQ<@#bM6HN;yFR@-%F4*vaU^Gi+C zbvdo_Th#pbhF~S>!0%?IN%FC`Uqd{8Cj8)aI%F{FijK5nRUQA3PXp8Jy2H%t13fz@ z%W1LLL`cSky%p9YVHdRax)YGH{3x&SJr|tyTisQeZN{~JEbHik^V!qpE4WPXpf3s@ z_CvSOzE$xT9n?m-Xv`Ua~zKcNK>`bqBHe-LA@4na*}! z>8G`&(f4v?az2H8x`Gya&0jR=%j5GN4y}dxx?eUDLP{=xz4M;$4HX&8Jq1RK5AJrV z4FqoLk2W@y+G0RVrIFb1ssX#VCgJsAb;~;W8hH2+)x}#}vej@beW~RNR`?r&{GaWX z7ii!^y>dHNvPmm8tvu=qiv zBd2jH(RR-(erLYX58zw}jA%R2&xk`{v`N@KX2F7vX^Glpt@5JRg*@fY>)m5L$Lw>j zNSs0{nWUtdLMG&fx+0c!u0mS)S9ZmLEa0WO#MQ!=`*~t*!~t%IiMW6EIEI5~Z5!c( z%4OAn);D;r} zF)(-5?o`}znTPc}!Bbz{-+sLIILjaBMcjdQ3S@Rn-bRE)Iv|KjqGlx{26;V&+g?@> zymfef2CVqc9Va(|)+mdMMYyi?F4Ww#1*1%Q?0r8}kEo^`e;m;)xAnM$!9!u@x-{X~ zb);tADk;(ZGRJZvlS}RaR1LV0dlqD0_vz@jPqF**if8@0&r4=?+3!uSj}VEg!K-Px z_wZ$DD$G_4HVxS#)-m5mx()y1{aWC^-O1;pWaV3CQ_6QxKfHJX&q&H=-$7lAQM9CM z7ZeK-lv-<=Or8ks8rGW2&}h}%8XT4TgTA~vT}VVlr>iJX^kB~V-A3+m2OoH+Mj=qS z+9?w+)Yb3z;gdbn!&*EmKWUd#eM+emlJjSH9!!6jF#9*VwY!$K{TyM>kLn)2)|Jm! zGyGPZAi=|C1UjQe*9Lz6)S`?}%zszuw_Nln4GGPz2s(veR76U}fOMNtzqt4J3$4{c zPc@{B;zaum{-*aQvm$@H>R^dAnqoi8Ixah8Qu|A>>oT9j- zn-f5#>!9Ih$r}mbkcSCDZnkMZ6Lz^-I^dH~C_V*1A24s-*03zLXiHN$ddK>rf7CR# z^1G$b4JP?~DnXGZvm`E4+`4~8UmQ;Go|{;~EMUB;FLrRNyM=q|MKq@Yw+uP^d@}*l zQpwD!&UJ*%HmVYMHm9`e!88ha$)3W1`ZX6{lGCj(qjD8AEK8`I0hd&?S^ZicO2$~M za*UqnsC{a=^+|Jt>E|B`NUV^}l@RM8Z2BOX%V@T%&Sk*o+$9I&Qt;p9dCGocz7+SY-Yg zaF`{hoh);YLiSqFt(f9B^$APtDXMH!6xNzOw-0nu?*r>xacU6sA=&9?H3wGJaSnDm zoZuJ7m>+{}SFT!_$eCG18ytppKH}SafabT6CE+T~bE%B95FW0AA3!P7o?#{x4td<` zta=KXFKt7zzv$;n$cRVLhfdHjBj%*BGw2f7uPH$ zSsWz<&D_FhsxaIUD-|ER2US~hNn8lGT50n3qU<8-RXMINoW&YCA0TN7EsWyer_LxR zjOC&vOU@Z13wYhTlsK~y$BT-FHwKJ8PhQaWof*$g%OD{aOt zoJj|nI%JPseN9rU`bl23x?6l+5Cs)SKV0f*w}G~*ah4bnYM5Y2u~SRe@+`;SV6E_7 zeqmX?#OZuOdn(S+US(T+8oHD?kX7d|;jFi&eFYW&zE!gO)T0MmOrOUnYPZf#x)(3E z%ytu*?iQ6yz_a#Ji)$9sllhHRajELH%x|INIMC&)pl4BsCCCdYON&%h++h8ct*hNB zx9&gCPLCX5D924sEOu8e5HOrVt@kF^c(y@u0v+=J!FVk$0GA{M*o2qpQZiyS2fS_^OtuIuL869c`yQu;d#u_h-H*%0_m-Q%fM&i|CvcB}gq= zsUx&@E!G@Po9#vVipf&zDm6whC!&Tpi=1rTunL+j0WzgHMFAmqrpE8>G(NoHU=?ID!u)VmL;_qt#$u-lxOx05n#z) z_M&`wk!p5j_BwldaKDn*==}Tj(cXx9ufqP4NcL;B4QRiQYiwM%^H1k%-Qc`z7kTIS zO<4A%jxZRcHrTn@i)Nba;GKb_{WNs z`GVlVCcwh&C2NMy}eN7JGRFPfFRD(_tf!$#eRc&Jovrk zHW`r1urPA)U4@s@Cd~_iMH9jta?eS!^7bpK(IAq2r`1f+970a}k-S+EgQ8uIm}`D? zDQ-V5>$oGLNx@WYRKZns*>Iv~9G--38YtMS8ogxPTWlZv-kG9Idn?;1xLKgG>O(NC zau0LksJ2y8OzxbhMkV)0w3{2Gx*fRmUiw{Dw#2UL;9N zVvZZXS_QL{*l*D_r=ynC?y_ylY&Q{f?rzcgTGP}Dl6W2$8gZ?A!Q;!gkl48#W)<6( zYO}8Y^%4e*3AjJIhlIU-=GMPra8n4<6-5M9>(vW|%-9lKRiVfan-)%&n7cBu?mNm| zc~W#Le(o2Kw&OnGb0qsj+Cmsa3B?g@2(2als4;rz{=q-*WfD+($I9go(kkZh#@#+I zVGymHq*N5@CDL$6^rN3MC5vTpT9616p;)-V<}Q3~R*MeOAZ# zs~-AqI;G`_#pkqnXOQsx>(mwQ>mTW2ymotuhfGxJ-zs+bQ;~j`Hyu+^Id6H%>=@+| zFoJlDd{6i@Dwo0eAZJGJ5(N&QRNKZwpUX z(h0^YEiFw=#Pzqn-dk61t(^9kN;8AVQ}T2tO%TquKTHt-1H(3Y6%fhk2}%FaI^-4w!}igJTg7(Kn)$plxeCZ)7?-BwI2 zkWBeQc0jev*-Jekcds}1H-E@y=krDl)jFyw=j)bpMW@Su%AUun}Iz>X#PGFdU zH1`x`N}7c9ZVF;avSv1QVyzu$3`+(NDIk-GHp9y%zCOqbLL!kq1k?fDF6n`kwG#Ns zo{gp$;9Lh~;n>PzX_Wr8Zp7jarmU>sA$y&i=LZ-+{yHoYYOkoslwx>)FMu4&HNRPz z(QT~R)`-du=6C?&79&v(NOj1HFr0u2{ES!l>fRaibn)}bPG~F{6Z7->FUrzbiIO#` zMO3W<&DY@FNk}zfK>B`kmx9OPYC%KO;eD(u0G*hYz}&qOfyGkSc5`E^-Q^g21NJ*x z*6ryyWXE_V%c0?tci|J<#mUCvZQ}3?{rFeMxf&+fO=4RpHebw#d@V=+W}?@L%b1=n zKzEkIZ_gKxGjT!nSG+JU zpY!WM4`Ug?PZ=uXADWvk<9Hp9-gd;-1$cd(Tr&giFpDmx)#=?8as@P}ZJ14Wc{l$Q zK1BBZawHsV7n%6U@5$w4Oly;l)(k|lify=5R86a<6gByk-)(QVJ2Kx`r?viKp7|by4;p}DyDwgd!;&Mn9)spn2NZ5Ju zPQd7cxZ%X#F&-Fc6_XDoS;533)tbY{08F@!|43aAMe#JQ!2x~{#tFuS*HlkvmC(B> zi6y}h>wcXPD5v_@3pwiMW{mx@DOfjti;?TkkKZU?^XKa?Lr-$l&ZY-}0GgsYJNSxC z?1#%;cE}s~yA3DzXGFQtF36M~#pNGtnqyL{#mLA2wY-`0T#W;Vmbl~UTzA{_rQM6O zvR<#Zp@wXUM+w8#?PsYa%J-bR`rCZ$;t{oTqJNX_hVgHpVO=Zt=zwF-?Xjbw(QEKj z83~g*uGE8Kzz^MNCa#F5?7-2De1#0&i3fF&WBVLE{?KTgkzqSGK zI}oo}|5|~AfTvUV@7O34@flOC#W@1v36nORQre7U-jbeWLrQ^W*|)?<7Xe}&R?_p$ zX%KU)cdh!NqR6LME&y4vuQ9}$YC7?XnUxfrNYJw1QFZdI@%rL9u8Xx&8JvmX`1c;^ z?vLq1-USFd;00R<3cvij5|}(BWAC$ z7onWtAgpxO3H3O)2kxkiLEr^GTAJIquy`RGf$$MU< zBf@3H9v3YDpQBeQpqBWvxxPW2hxkzq!1y)4PG0tWE?IG|tS*#fgHa-Iq$`Xc?r;#I z+k#SfFC15OJ&yRA^q|#5Y|;>1OGX~4HAlhX-}0jR z-UV&`el#TRE_y6BX$TxACK?oc%@ruTv-V#uz|yWRW%^n_Ma`mYYT=Y5-gU%EhEw5H z$ud37(JJ@Z5MzX!rgr?@4|$jmE?`SLPgf>kl1j}A^kkyvfz zR0Ky;ibgFoJ{JxKkjIl7psI*eLOz!vFT$p8_{grj_0L>5NRsp0M%1I`bLkm?GL&!dB5Y z|JVs`ewwM-oSRENh$@Hr9vEnoFblSTeI=Mxvw*9!r;?&GZlsl;CD``e*tt4cHwu5N zPDQZ)Y!Z3=Kx=+Ai~mb>L~rJb$Uu5;mWpDD_oY>pMq)9V5_(7`pX1Pxp3Z+YNiLX` zUd0uw$iJ6DgQH z+l#Fz$kxlj({dVItu%Z@FY_aJd_1t-**s$goQE@-a~G&m^wJ`72YqInY?7Z*UPa#WOEG~>GJL7m7p`5=>eGPs*@2rTUNqV3Jq!9RV` z(-0trPzD^0id4XS&{~hn6n+aEtGGFcs(^+t8J)#VC)z+OfQt7jS=T9l?3W&fT`X1H zW-REJ9_aUbYc|SYsGhv+b!?kPAWNzkjY}@UK;z$!2XDrZSB<1=B`TYvk){K02%Llwd{l$3Zu9q9CfKc#lA>}LP`iC^IdkPyFC6Y;O zg1W>Xi8eV6`Rb60Lwsf<2Wy)Ft|7LY@R}+GP5SR>G+5-_Sv$N5ov3)1acU~QOhbWGNLmpp2A!uqQpheA~g|0T(ns51J-%gyaiJzsS1 zq`b;$@DvS$6`05{RS;ENQZzDV&-d(D*uY!1KTISS-@ zN2qNKg8r5VL&v*%s*HSCubj=Gp_v5jf7;e4a2e^Cptqj8!`Lgtr8l4VjpZ=*PAe>l zcm_Gp6u}?ZqPQY6tEAP*lQ;IOd2HA#7Q~(P64fg|gFrOp@)A`t!&)wLmoX>87M3l$ z=>;X6{jNnB{*Q}d_^+h_=wG$c7XqzpcBzSD?9_+hB==~3ij$QYn+;3a| zb-JI^!0H3)yx~zqLZeHmu$#>Fx$_rT{hDqJ0cjn%mw21W!fF}k?$N9oR7|iVt`CQi zb`aUL4iR#mC}~2&F-CjAhm?lYI8f*3^tOwtD7)@(672kxujm<5XRQ8Ju4DiOBM!H+ zvx_;si1Hu-kuL;0rk&Go<_wcxJXhiz8a&CK?R@KNJsedCfAdEI__+*>9aWIO9Q^Z;oTYC{R%J@AC1+5q z!e>fej$vPNVz1G#fCwz?7P%iZ%(Hoaim9M1f(R-P1~ePq8Z`JK$`nc7w)#gETgb7g zUOZmeu6_Q19s0el0&B=Va7-`VG(fa80-3)Y=dR{Y&AOxa5s%?p+2DzEg~Y+*@0Uua zM(OGzwG+?A2R!5NFe;+c%*V_FRR-NtOSSfLNfksln$s%;ZkPCR=Q6)}elTxm39Od# z`q?Q$D|o6BopX8=YMIfGGfD?>{u&}6jdu;Q<~-6^+S~DUwW{29#6{>Gv`>-YCzbe= zA}c{NbHt)lE%Pg;Yjp$=ADIqQ-ixEQv8vcs&3Rt<@?s=4`I#!O?w%ncCm|f7N^-88$gdL{VS*n%d zL4yyP%TQ`VH@*rLIJ%aN3Oc3MJksTTpBWPe*ZquOmKyMH`LcN0+|CMLgSvL?{YVpx zKmgPRlcZ;oQ6ud^E88bh5=Ukvo9!C~PPHvn^$4Mz2MfcHJh4TU@Qh7ES6Z)&Eq8t% zK=(1%py4s+i>pQTSK?JwPNb_=bPK=wQ!f#aWh-y9T~_b1>`atHgU=$I{)ALzg2O`e zN!=;>ij^JdhEJ|krA%3@*lbcf*+aqYujd$=b(@!U_H5;~1|8gph)nMai5l0#lJ=S##qdk~Qf{JG1#RnRt2q*Vw<(?cTwff!b zZ^vs?f;)Ux)ompBTuD)*-Bp}(RIsi5voaM*pXnH?6LMA)0v!A(Enn zX_*txG(i-B7P9!jy=y!Y;v$BMXY*tx%PO2=C0FoWu~ob?yoV@p**v=kJ&-XoupM?T z>6yQ?(9zQf!n~I-Q5e)GeaT3h<`FK8;Y)*imYEx1-;aiH*)X=04%dP>osfdq0{D` z3xC8A3?&`Xv-;)?uQ#A+Lm=E;-uGRs;>Z;HC#>}h15>94EW;7s@8Rf zsx5-7Q<0r=U8j?-aCEXsgTnTQoj|yP5UMSbk^u6$o-I^PKOTC?(39|QfcXt_MF&WG z3tjfd6??Y$zYsN?_c5#cY;n^^V6OqQ{tI{CbW3TpQ7Cu&@vesm6gVy+SOH4$;A zPSH$Z?_mU|qr7}UF^E+JKCb+A3l_28&d z3OPgDbaMYSIvoz+@%xVV3~RjsjhyOhB-Te%@6_a@69kAPT;6DaffEscfmHkakaT*^ zzuebcgkO8R-C(-R)36P#SgIm)KT4dOxJ4>lPI3OAz$BNPu$BHXJ*r13g>9M8E(Q zsi7}Lc2*Je85y-OMlXzej6j9HP{T709-1;}f$FjJB)MPgMr4md^anHnSYQ8sjlINO zSl0{*SI^YuUqWpQc!K$<=41m`&g-frQd#!rW+q?)R-)S@qRv6qZx5H}v*B|mDL)do zTEz6E=kpI`g!7^B4E>(UZrVqSh~Z+5$jF<1!z9n>KX#QmBEf}>Y_EAm_G;I_2r7}H zl=vy(3h3Ka@Yn%@8J9BY3xcv|7Y$rf1kqUGBgBY1G*TFJXFWrnfPNT;R7bQy97km; z*(+X1eZwAQWb@+6?e$t_mI`<#1&Jsg)x#O16<(|YY$G0tY&iP4r7Ph*^M?al?Jr1U zy4(x?fpC6|nst3B%dUY3(E{4Mg06CJlT9i1!OXlx)L%+T5tMf&>Lhm$%q4{cUb4PR(s+ z)XVlBnzU8Ja(c19<<=1Z(_m0dZ`8M-RMni=Nl41aQCiDqUtj(1#R;LLMlBX@<`SJs zZae8Fv^sS-xoe;nWWazJdj4P6;80}R5Y~2Y(Mk}a7EiU+gfxREIehr7&)!glgZHSv z%dLGQ4g%$u_|))`zjnt}CBI|JClQmci1K6s%z;f}t~9|_-H&1YG2Is7C(DfHdrCF% z(h(=|4itQc!w?Ax01NoYdYx)g$Ys`YuM`@fC;{tLz<`NK1}4>=Fbk%KsmvW7D@Ov8 ze*%kl`kG_IeFJgfCj9YBLIhCP3$$f_0Tput2(v$$wrNqrQV5M<_;y^#;cWob#7U;( ze|{>Y!myV4f0sSqzO9h`|AU{WRTBQko&WpbFH8VKm)DU(3yIe^mg<7=1dQtG_<6}D z)lV9KJC7z~Kh}xvckTL|sca85P32V zJJYre+2oANqTc>Jy9(%uK=Sl>6MIzml71^FYY!07jrF_vt!?MO#ccQ1=l%r5Lr0b*vKfKEc!Xi36uerLLe_`;BEr63_Jz-Po6-j0{5aa# zJ1zorVoOUrFVt(iO5XnL7OMPKh2#T-g~UD!1=!f8k(7Onm3m?i^LgSZ_A;o;Uq%BEWjC?=WGdC?EC?YQ=KXsNO2<6n80i@aXfRr}s72&G9{ zq;Uc2;iK{U)uH?N(~RE21QZm(na;4sm~GDO&9Yg4cr*1qCmgfp+Kd09b$d-bU-FHa zcE3Q~XN-`4h@nr4BjGfBY|QopJ{)J@IF;Klrxp6Y^Bp1w@AxDkJr*H;-h*W)J;dOx zy2v~Q{Ln8#8N(*X+z5Qq6?N0eYPX&Mv>$lQ)QHT}XPNEgRRMm=WJ<-~5IQglI{z}L zp(Q5k9<~=k|9mvZpe}RY{v-`%{88Nw3l|RvVeIIo+2ko^xW_H2i5$=c+yMdv8e8=; z%E%1)T3YQ~d*x#{$fuXX(d<|HZcu0P?hbw$FO!?Ej+K>D-3+^0cM=#J#frNjKe+PhxMI{h?1;z6zT=(wqv#?SDz}P8 zs^&m~2en4|R`t z4A$up(ZBMqImb72Y^LZcBwD6WlT>|8CC99(q|r<{7J>dMVC4C@TD|P4qF)RRUmnwm z)tEnxg&)aC37XPK4O`MQ7&_nav(ZgXJUim(7ud!p=ek-5 z6Ch?>h!M@Wwp)yIeo7Vb)K|X<>USgSPml8Bg^`Z4J2XUlDN~KORBPOzr;&yH`15TJ zp7Lkn$!F}o3oWAeFof)4#-+Ij0X(vCV;+Z;%th5ZElXuO*hF%yY3Qd<8~x#xXvH}> zFTGEjwMM=V@5(7Xjik56pKmcGA?f z?bnMw#-!lD2^k7Cn49g0rgH^!BSHiwb%MZv1jauWbt=D2UUuLDOpitP*=hv<2XCtx4;;Jf-$ZooxR*-mMZ@PxXuvj z=`+beXNkg)D!K!ON_>g>L6(YqYfV{gs6dX(40DRPrce)u7H`ogttCRxMgX3o8?97D zHt+=goCdJrZ+g=#yy$GzQWX#$HYN(Sc0HfoIMQXx*iT||Glte*OoRm%22wApGobew>@N{3a zLjg$C)0$2f#Wiz1>0G?1Dn`8XL|HIt+iV1aaF9+E38;>YTt{(-Z620_WSTlGU8PWt zs;h`gejoo7e#1Ce=&pB~TCGxuqr*{J2v9yfHA-(v001bONv8tAzvP36Bk}QQxojLj z1n6``EMpy7?sz(kz_PTak_^~DUF0HU7Ew7y%VCwuIRpfTqh*l}qXCdJ z(Ri0}pkGDBSc`*z+HzhRnfXZpkxM)k4xckoO<`=TFgIM+dR3vtGY>CO!#2_+KJqPG zmy=oRm#!=#^*`YJL8E$(9~&oElA0JJ0#MQzk#QTtdRYdpndyu;H}Uxow92qAyY{WQa) z6R7O=(azrUU6hIl?e&(OC&R&f!x=+*|03*FsDOcqD@<{3o7s{nTa?uP?>LCRrILR| zommvl9DK#6joCc=RUPh-AUg_>0N^af#2JC}_)}~oBkRy5?kHOss&TM&0CGeKC{l!` zMXm%@Se)YVu-MGhMaWVV(^1hbh?d`cdn%38jMc_I)|r;wpj7l>C8_*v5jjR>`-x(u z)(Vmnm9><)8XeI|CYmMzSIWi^+a|F}j8z_UHP&0;(P~w?l74`Z8IKs#GXu3!aN#vp zmyyD#^!FEr%Zf5bd_4H6lE4NirpvuL^pcq`rep1Fx}?=DL$32HF(!zWMa;d1b_10w z8_5}Cs6XS#auNnOwxiXWy0R~;dG)d93?yYmr$6CU5TM-TgHUIv*~c0VoW&>^bBMwP zg049?8x+zD@we@33Vs?5wW@y4l^}tN^<>IM<$GKYazhE#JVBV|l;;3?+nSIt20M<3 zK~(Y8?Xc+0QUejm_HT9LO<#Tq{f$Cebrgp)%k<7oIi7~g$5E`JUP&nL+-Q6LfcXF> zb=}tYyFa)42gl-(CkVD$LDVjP1$Eyg{q)gSu-Vnmtp3*SI^(tt&97^UcSw|{x3hz< z<=6I?bf>w#^tF+(KD6?cGnp5()3bF~t&cPp<*tGvNg(6sbO)ZrSp6WwKzXn1IEY&C zgRrcP3QtF8t|ucndZPE&I01IyBF%sp5Yc8k8D!{VKBg(RKQqrzR;A2>TNSCpY}0?t zXlbf8h!hWF<_l|TLr8jrtMNw#JDBbow+B71a-y(GS*B7sNhilRN#IE54{Bw1q$YeR zmdLkCt+i-;1m_8Pf|`NG7) zv9No06w`5za0|gg2g&NK%(bf7xw%jso=&mPk>BXyr;XGEZto&QSf8*lE!v7^MY50& zO-FG*+D|A9Iwv;mU|%fMM(46UkIVVEZ{-3Q0ny<&*d_Gl=l9$-RU+>@4F!Yq5#NL8 znIC(Y1H4~0zu2NNxG6o@!y@U!P+p>-AET4JCXMT%Wk@5tcz^k*$7(uqS=lphN@8X+ z1AE}Nk&?i~o>g+BeQYb(Em%j#y_oWC3{4`#K@{>J-l;f4>60n<_V?1RR6F(TQe5~I z0D3S!Kqhie37a1bdAwk~+kpDbGlZeOvogsI?o)`o@MDX}EdV17X|1NW(;S{;bsW0e47-pxn4B&XFVZ4Os_BJO25P0BAngOvOgxk{^J~ZVH|W0`9dSyb4owfu#2}+vw-kN zF|!J@&W$IY1~wr#>)o}kdo`eId?l+2i?=IUR|de%qlwPM7NzHT8MJk_OaQ9X0xTg^T!81Yg0(+ zPyvl>`S&%U+n#uU+ATq3Iec=8@i5J1|10J)e^kx9f!J3bq=9_W zYSn&N3C&iNR{fgdhu7e?3a8IZngpNZOAf_=U1}x)CC=Jef#>6;JR`AS!?6|=8Grr) zxMVU~&NKI=iB8Y zowNN&Hr-&Ea{^;1vrwEJ{f7@=1XnHiKd2jwd_CiGsNSPw6ANc`A_leNkb=w-OfZ7y z`%2LkMBTddWfe3*lZW4p*ao?-9zni%Dd-iFv-&Uxl%j7Yq;BaeOWoaP1w9H9ln&{% zP5J0Quh?d@`9#^9vBIH-3y3@lxP}BBBgMCA4$X)?)yZ`vmGH)N{HqdxVSDz)t50if zKEYR$8ioa!hC9P^C>`t8eg0J-Q`V+&1T%aY5Aa-mq-}gGFg*%0pefwX3E%7fFBjm{ zOEjrTNOJkn+;`mc2zLyO>1780b1ieCn#{Bf1!3v3XvBV^8;i*a+K?$wD~tO^Y?D+c zgxxrWu437Tw5Uj<5SnbN7Fl^C%T(J)`h`OrIE`vle>z;*u;qb|`!4NYme}bN%z@X% z*ytVBA)mad#F+INj}nEF?2H=Zy^hXMt5S_#0t@I-P+GP?$ zo=%4T6pn!u50AF`%&02(d&Eq9d9PCc4*&r{{=Q`Clz>QxU8nrfDP#6k1*->H(thoe z{}`Zbo4Q{*vCgm98F<#UAxL&on8TKHb+!`>MLiwdg*DLAzznc>|@4W)#9Eb(o= zod)LHo;;{;j}6}zV@nJ~0tf}oFuar^RjttdL4ZTx(qjW#OB-l?N}yk_^{FV{CD+X` zn}z_Apt1xpZKxs@3wH?YW4XM_(F3DgnN_SL0Ap@3st2<IM1b|6FfV2~x zNf!5WiVxk@MUp)UNwL%UwFuOw0Gm4nCJ~?Wr1RQ+C19*Ux_r07V5!Trd#LNRQ98Rd zR3S-Y_jo7cpQjJWHE);fr5=|~)~rUbYpMVOB3q`Lg8_RQu8L#gGp#sbX0~!YX+TOY z72?L@q@p^S5F)~srsR3)7^Y&p_xAn8i-C4vhn-13SLMPe0?}`UtBH=K$bj^lxd3;)IAib6<_jn;M1cH+FtFH z|5|MCGuRgLb^4wL$-|jU88QcbIO}wJ^S65+`UJ&d*V5?iH2^CB;2&--%lYcwa;SC< z`PSYKz_*$Ehl+2BjU~A(0439#J9%P11#;DocrvIw2Klz|eKTX+pnTgUE`8s<5A^cz z=q3{gT9HE88%HBd&7*+I5^;M!WN8*?7eDvWLTj=*^+`HN+7yfh>ALa}^@(>#5m+ct zSpgfYNW~T@0`{|7Tw!(4Q|u|@MW#1sur6(6T<#D-yYA@?^t7(REMU^d>Va|F)20=p zL>aA2Y4<-U?WU%e9g#6P8G98O)q*9!k=ZUiN;ZwqD~QSWp_-%j=`c2PU^v`iF)uYFfG_jxe=BatI2Y(RFF zAyot`XL4nx?)8oI0SI0g^~d7H&9_~>To)1cmkLDM!-6bk?w<-U&}=2gxB9lwy{mw4 z;if6LXBB}v%iu60Pr6~8?MxfRw`BO%yU?FUT5W z8a08=3ZOy|lcPitShm5zGT6%T9%E}SzE!NCWRRb3aPA^iR$h)c4=8%R`>PmI0BQt~ zLZ#+WZ`ymyGD~p)s@$uU9@*5-buVtpwYu%C#dWV&d?szrcw2_^P6WW0fXHmzb(9nj z++#;@52?k&hz@$pcGCz6j?Yk1idDqQXa}SZfmVX_IaBevA6;+leiv`NU^N7LZjwF2 ziJ3tvS?Hu(*FCenxYX(GrV%jPpTq3`tv8|I+<8w*pZBECd{V}3&z$$9*;OTLvdno; z%J?gqGSZtyNY*F#3YDDq6glTTF+)gt?g?||lUeMf*G3s7Pb+}RZdO5hk9h^9 z%mx}t*F~?5O7enPnRbOf-wS|}-dux4dAAF);^0ovR#G4JyS5H8Rhhw-+5)!Kc3|7s zPHe61K*=j3-+KvA0fZ=HQ)RXw-jM9z__5u%{=94OrZZj#L6it{W`HBS>eQFx`tz>A z$>S&BqV3Pb$IrVK=gys@m8MwmG9a6H!LCbj{dph8v$j1Qh}y`yU?k-NEJGk_Ve`mV zY_ILa_S#O&k8FVlFUg0EcO_6!8z)bkfa@;!Fn<5^mxE*o88tCeoyCYhlCHBmxiBM$ zw)O&H#Ve8UGnR{JueU)iLQ|DZDXh2EcA)H4GL30!qyiB6*i`L-wd!D3Z3nJD?;8B+ znQwqc9^wf)GoV7e;*^)+`tz>AsS~H*8Cx&F$IrVK=g&XcV9kjehHT<_JD-E=&;Kx< zvv83ftTXMT%hl;iRKn)b?budZNMVhz0haBwwX*A*|c=Oi1?}CcjnX-!OObU<$L?x=R;@#<{;r;%@a#I3E*{fi4Z9BHs7GgOtU7ZKQy7_QI zZt_C8bu2dWLDa?xO6m{1UHG;iwnxpkf*^e{ck0s2ynT&oxb=W9 z`H&ZFj7;8GVtC|X^T<|gsV!h@Z2=?xD7x}_w|0^p{N@S2j*p*zEl!_$JlM!X{qZWm zuO4?fu0Q|7IA`|f!0woxE4N^*HSw(1p<`}j9-eV2O4{H2rOGM576sT2!nbTJ$)2~{ zZH_CiWR{ZlKkCksTGx(yU6RI4Ie^<9!$~uU>z+yDy6zPcb$=%YAR-8l=lFxi&lhH2 z2gQoi_ukJD(7B7E0{};WV7+OCveqZ<>PJX#8ll%N=^Dn?C&~5yti*N6bvQ~)LcWMyz|sIQ+&WDmHdMu!UO(VCfs@>3%vKNH{y;9 zKaaaE`V#hD^kv+3;b(Eiaxrp_RrdUJ}zIl7+b6Jc+&I}@PdVl@UxST*PDFErcNKO z0zm^mzv&6Me8^2qjxk;VP6-0#($63L3^hC?Uf-WYmU~EpTuI zJ8RqUKaP7YE?&3*QP{*Y7M_l8Ui_~(YtyNa&4ZAEP7l)wW!QiWoADr_h@dLu6RF)P z29Cr&QCEs2)-T*y0V=|~&b%Up_3h8P0Y5W!8X#LatZUu~{^{KJ;oWEciM9w9VjW?& zya|^tT#V;$zYtQnSTmp$p0WAKxP0MaY_HDa>`kZR1q&D9>`iBAtfQ9x@*LEGpn;#= zbUH5IaWS4Sd5X47g{xXQ&R7UIYT=ae9=X?=wIqM3{ zSLO`91jW+9wG%gq##i?R4(d2#>SVlN*TwjSE$74*Mj6&2gH?@lP=_@6W!Qua8jv#7 z;Xz$nGMq_TJkeCzl|+?jhWyIb7?LZQiRo^?U0|`?2#V@>;qGUD3AbJNIh-?nma$Bd zwmOD&&39oFY_9Djio*stYH4d?PzOg%Gtf{HCIg*L1|UFNeJz$@E5R~q=`f?jD-{?X z*Crtqbqv-GNXJ4fWg8rM~VvO;A}T+Jv2?v~CBK$b*F5{`4T2*r0( z!yKvpaGI1wO`N^y3HZ@7K8>F|>kHU>(U-CB*pzRB;aQDk2o4%LUP*AIF;GzptRn0j-G&$LelDJ~{Q^{| zq~&eYHu$YVsf35)Nj3`Hys{tM`YBK*F2%PVAO+^aQHno+eDD3=ixA;%zweTu1vl2u4+ zu|D-mKmbXwh~}G8Z10tFE##-}7K6T*p zfDEvE(`ndN)!uD)uiSxpsMEG(2WQRxJj$gp+;Ze6SnV7Ji3;LIjXL<16MqfwJnIU4 z>49(JitoQ2o>#$>XP*diQ443zoQ0~W;HJa3qAW@{b?#?yU-KXUV8pB7=EJw)<==b*Zd$qx zCr%uPKY7CM;lzpE__>)UK!t6PU%@?%`*3glUU*c(S@S;!k39Tv=@vvP0t+Cl0*XZ1 zC!ctqh*ZOuYCJ3*olpLRUqj6w!5`oBE_~tsF92Q@w;Z_xVBqo7XJV=}5o3Mc=JRmr zwx{Du4}J@0&z+0!to#_e$4|tzk$EsP_O%Y+-j!QptRLtc!trCfvAMDd%V7hz9KIO< zqaHO4)&ig0|L<4{R`KckzofCAIt|-K<^clsF5iwusM9uO8)wd*jcR!Uw;j0?EA2&) zsKOB!@X5oL>Kyhr58x%=x&ovkyz^(@gg2l02RLcsc)aMVzmF)W!z+#9Nn4%*BEoGe zKf$5q{QwvXPMtpy5l8s`;*TI@1R`haTvOdhFqF?TqN%pPCB=969eX4l zjtbj6F{)k#HGc#ZuN;Ss*f3Gn?s#4WXV0C3k|-fm|Bt=*jO z&ojPe3X`iRkoR5s^8L8lGvir{BH#oAz^Rb7ku6PykgAWVMUO3Oi_EK(<*O>s`p?>w z*}|eJ*1+{Cxj!F}`9fKUwo@rq@iTHP=Z?{}w`FE#x3N3Zia<~wAI1DyW1i6KCJjxc#k|J-sE{!>C$}-XW;z

&bim{ipa2(~7-vm>=@fX@bY z3MJPCsoVy;;JO@b0bHq3F)_-@I%A6-3%$V!`Sw34Nr%q#PHxzAE5F$P3Z8CX!qdB7 zWLDz>YMpx4CtH|RJq-k`>{(0B%K!qr46_>Mn?nQ*Z}zR{SL<))`SxWz-S!gr9@Ukj z*thmzd_RX99AxHw*KA+%N%m=&$JmM{l5UC>ov$IR3KldSgs*&dX4;rjJA<6c^GfII zSO|`ua6A{!Ih$U$pZAVClBMmh(C;QeSmi-+;dSZrqI*Now(zfjyrWT4PfzTc8ttP1 zDl9g+X^EpGNdFz4li%gEC%Y#oXwRO3(?A*ta2g`taKLHU=i&Q%F?VVa!~pZKW1`MW ziSfYlk$+(5R0O0X-bUr`K$8XOC`$+Uf)ERcz+VFaU;$JJNOS-m0@NY`(4h;)ZUk;Z zU=xB06@Z2Sm52cIXagdQ)QRA}2=0pj_z(i906c-v=+GBKP@4eMg+K*}l(tmJO#yf^ z-!NuQUUc956M@%1W1eLiWxi$F6}Fp#a?P*EIff8{bW9nukD_)CfF~VjHxh!q0yGwt zt5s3FSJ1+@#%473=sqvj1oQ#SY1!GkV)oc=wyO`{+tW`!khrYr+rYBUSHMaDim%T8 zBG>Hub>cFHr#Vsh1Zp84>dEbn@QiB-+4@7==B-uNBY9eNeFY`6<4 zCC7|A9DwT%yNV6{TbNZljYoDo!-pO`of&o0SbEZfJhJU6PI>fmraz=a#UvWPD3+9z z_Ezbt9_i~EViJl6#9N~E+Ww6Jtt&x$d~xO%`04(aQ6VevQQW=#QBD|pBml>bK9s*7 z{u@5M>{9-8&^64dnT927Hl?=lvFFbw^7xy6X3A>|Vo7NB@S?CVv=! z*Sc17+EZsUD&EL#$KJ@4>In!T`Q6&T@_P4LetyVz_~FW5^LqOVetPItTs-d_6tFY3 zi-}du{BqTwxMay9{&LLq?AtJ#W$i0Ce9S@s7QOllzW4IASXKq102K)x1YEALEY;^1 z>1_+?uXnP+eDW^rwL^M`Qq{tHdF5i+34VFtBF>+221+TiD$fy5eS&zRnZF%zBeQCZ zkmYxq{>G)t7m-osFaiKK!@=VYVL{y-ZrFG$hczzXlnEc;%EWcF^{wNA1y}HmIp?va zZv*2JV`y+{d9mYFPJa4xRL2{6?)|ru_Ok5Gb~3wmI`n*MPf zYki&*#vR4iUcQ>YuKz1HA9Eugnebke)+D_YSHJ#ie)h%#taU%%>q_}Y^1aPXLexb?Ujm{mKS-h3Z9KTjr9 z9S+a?N>iClyON+15@}I%0Ai!JNKf}#zOM3Y`5(3E4j0MRYzHswUJUsjc4j+x`nbPw z=9H6I*T0G1E&M*O_r1wskDWq=73cZ){)6Q`t9h|=Ip3c9WnSx9&FFX&6B1)s*0quk zKKW^S^1b|e;Z>Y5@<9B>>*&?J>QO4Q8 zP}hU|ekkx%$hS%WaT(LXE3&1Lf(=$q4e;%M3TcHT?h8nVoc`Tlwpuzu-gT zj^U-wJ98*>fa4m_fFbkVhM z3A7Yr`|6U>J_r@n3%oF*IxI2BRvPc!iS7HE=1OR~07XqQKou`d62(6*P|*Jujty>;1X)|3FBm4M@}P@Z{koXZ$PCm ztTtglUZX|l6UKWoP9u!n6UMiOQB%}`8eOr|2obg+keG!Ug@y5+@U?H^JsGDF0hA(; z;+fJ3;`;i=EK94P?SblEfcemXA6S1C4mbfwB|K_9U(^d3w!92MA5h|=W0G+uW4uAMWmUXV=x?%c?Mru`dy~o^&ZAljNd+zx#tGm~6T=Nk$#+x`{!m(IF^5=E8k#|!_AwdT!U^b)o`*KZv z*gw7fdb{O{ZtETJ4G{MGZHHY?^5dI%`Th5^pm70L&AR|c*c|x8$2j285A(|n|HCJj zUIf7XJD=pp$4?~XrTNCnYiYQ14j)_mMW$Cx;{1KiLInZh8sqg`w&Ge2fATZ{ezN~J zNyJCv6{tx`VQ5`rRq@Sv7cwz1j?-WG3ghou$h})1Bq2?F#NK?8_dNVj7I(bDN5&t| z!ls4b=ZhUj1ZNJGkY)o=F^WyS8+fVxRiuziub#-|2Yj8=CV!aIp8gUC-2WjCXq?9n z7hb^?`(MoTn#r8A_%g=*ZC`F({|_py3Su&b>wBCu?IbRqcMkV&dz@*1KY+(~J{R<# zX^W>kEMf7lt&el`zfK|TWjK4*f74tw!AP^h%7yZw2I-IY}_zbUhuVT!<4&ejOoI%`*ar5E7rP{7y`oE6kk`+JX{OMZFev^&c>Y zLPB!tgb$+8{LiM_d7^DGqvMSnJNi)Ya?x1pcT+5U-~;@4&5azxNX95ebb8e(<)dD9)VW{ea* z>*aX=6Q}c7>vJ5^xIgb}J{CvDxp(_xG~Kz7iFY4CXRe1u`(4baiY79?Q4_px`{R7< z>2uJ)$&)_7MavekXyq?yh}Ch@ zk%1;c5go!*cwM5B3B_ueQT{>@RfcapyEsmmP;9a@`ahGbLPl$*BW#d%G;b~ITFIf0 zolIxGo3o~#N^|8z-aGC%t~>DCywS6c+5bA0!yY|_H+t4mZ6%1w7(xravESD?Zp>kP zd&SS#@Ba7FA8CnX*=N*&+J{n&R|z&H!c0!*!SKOc(H9MR-rxDkYQ&Bk^lf807*naR6H177t?kS zU5nn)#n;M!WY3~PB8q66O=enfWfE<@wf_HirIE&a8UctJvD#iy{|=$LS2l&VPs8P5 zWNjKEZ_%d(AU)7(MwvI?QYr#c0$Mf6PV%ib$jEL<2bMsAx4h8#f^h~R0_P0cI9dp` z(3CJHO9AW&?T!K`6GBD*1VMl#Uu$K&=@mJR2<0_`zy+SKlvK(%V?Y zWOt^OHT@fT-$H?p^}G&kwkQ%jSNOHGLa#gN^uI+a6)v?xig2S_weCQwwUqh*esZtmsDR&zeoOpTBn8s8|U-c8K(pA+qE~d zw(Vt>w!X-VyIwSl5CM=<8c+GA-US@HymJ-DKX^JnTl#|{z|fu9O`qEjz^+sqo!#rX zXUoIHWsDOh9K(r|-$!evofle{fp82MRNx8lEk?W5HIb3zu0QO`2<2~iCv@_yKpo~+ z8~(ysOD^PFZ~T;&OO6~twX*LqfQ@AijTvgio%vs3P2WcHfy&4|+aG0J+e<9#Ftl!PYALdL2xrW~Bk53*5ZoMJIgSrBABC@d zzCQn4etXyt0NAf#4$HgV0O0!vT*?m@UdE>WEu;b!L`T{jJN8fjZryk{TX(PEu9k;P z{{>rZOIYNU%dH#lW=Y#}cBFPu6RV;=RvXwz4pb}r=UN&inEc%W4`5QMc9d$f-zA3= zA#eH7!G(@~+rnaNax;qmQ{v9fzLU=H45(wMCH+UJDk zW2m$f{AvAdyu9NXUhi1RW80rZV3xx{?F#8N#3p;N1DZnG>Or*CfM;nCC4tfvt-|#? z-Yve}>r}4&4A=vSU>kVrmU~&*`6{dXHW0UBG*>k7k>=w8_|1l!S=at5OWR&#S=&oE z0UgFwG;vhZLegG_ziz&ZO&zcDz|N-tbKd^m=A(&8hiTQ5_{T9f@PX!IkU}uOZYCN< zZ@!NL105W=jxoAi8(!En*22Fv9 zSQtS{1w9xbPP5uZGOnn|aH3ZwBPhHIR|*{{TWW&(Rl7>mT4+(EN@7`TmRXgS9+m!H zm`Q~j&%1X%#>*{tfl~#s8a}o3V$PcMF+M%zRDQVMWmq!CojV@^0`(w2!;kj;I+xBo zo8N4_g(@q-!ut96%8%5!d~F;G$XFfqPAy3xbt7cSwtHGgKwhwtUkQ45$^Himb*+pqruOzXx>F! zKKqN@u<=%6(&3tmIC=6%_{!`r zFurOMuLPSituwq>}=qchjd(c=y!CLJUuctwR3Ckm4Q<$102RxlTM7APs2l~7}V zoe>43UT^30hyKsh`l7k9@WwzJeeL1p`yt=MVG}>hf%Wrg&vmgmxs|nj8`+lL#n)z^ zO|@OcJ=-6nwRI$cDZpxr~q8Pr98%H|2`>pP&O zm@(y7Q({{#+>!@~*?y-hoHc+r{FJ6+F576*N98yVp`7EAX_3 zjfG<;g8AA*qln8Gwy+QaTt6r`B)}lL71Oq;#|P0(mshtexDHM0b%n6qeyeC7#qrPj zYVC~mc(H>g z)s&bB`1b82yX2}%b7@K6FB*e0O|Fk0|j1@$U)01;>kMp(xD-w#ZplrS-!A~>joM)*OO z7dVY5@^#?{-w&Y@Mr|*&`9f%A0F^H47*vVV2#nZ_!1gHuW(7nql{gj9f8dxcNTnc4 zD}k=@JyDNB7TH_)p1s9#>9drs^!MVJER;xnWZbbdS~0Y+NNb-X8yE6;>r*tuM{&fc z18IoWkqsuz!$%#!`=)%H!y5KSY0Z5*pWvvbg8;ClF&0%?bKIE2IcN4cG{qa4TRVe) zZhx5GOdE+{B9_9Oj022v>bYRf`7G~V#hu$8=Cny4qAA{h6FAk0N#nviCe4tR$N} zd|~D%`R2Y~raj$GUA&I%saCcmw{z6kL-^|4v)ItLg_*U}NP8J`8XEL(+=@eBqa}k= zKS$c2{HU)!Ipbq=q;|2o?N#n+d4w}(o`$Pj{fA4} zvgb|yx%DAVpZpP;;tdgP9btpkrY|E}7XnFhCL@JpOuUJYPCNmreSUKAcWH_@aKVx* zd4B7oJUjV=9NKgMEy-;>u=ze_Htx%=bUWwHK7-ADTezd;0X{S1R7S@eh=(WP%4cc& z3IIMg^K`m09bB^Sx#pRPN{1sI;#NGOc}zM+4W{6vu2c=tw*?5%oaxQi5df*mm(xAs zsG1$dmGV1mY$0u)+`X9Yd>@zW^LgIv--tx=`KhO|CB2iS?Mpap-0>Va>R=w(@d*3Z z&*4*(KFXVYn|Pyl9rJ4U;kou@>`ZRqkkNRHFiuC*kjO-ph+4e>gj-t{7Fshu1&dLjR8d5BL=KZ#?<9nOXG&ISa>H6KCN z&lwt)?m9{?2hr9H#wH=v=)!zT>y1|K?epzhN+Gx?1MEY|)5JtGADnOkb#^t^9ds3y zb_M4yyPVek7SMuQTkhfVdFKOg_qIntxsjyak%mXZ`5QEI>t+G)Li@`s>v)X|=blT( z%OHdNLI@-hfrxkp1eP{@WC<$*(J|@ppp?dgU8cEXl|!QiI=P>Psc#X$|` zaBy1HB*s>bi^5$+YgBO1r?lpQolkMayf5>ux#!c7>7*fE&yLit=n$(T+r{FJS2?`t zKrWc|IbIpHkTa(l^=(^NJiF@!GJcl0732QxPmobA^XvBE)y_AlajJ;RSTKL92y_bs zzVDJ(F4JqK@cEgib9c+X=*jmRn`anAuc2+)i1uxRo(;pdQNU$UY_|#^1sn04(%b*O zv{zsRMxwemY`(I?cW>18_LL`lz87kHrMHH?QJP`=*)F<`JD5akQmF; zyI5i+o^uvi zKgVaDy^#Ai-Nl*DUCd7ozJk9UcLQ2$PI>Yiezfv8?AtJ#^XGh)CA*jNdiNS?>}r(u z@w7`BYcN~l6e+^f; zJh1C&e!S)ewkNmn%k?+&`KhPzn*+bc)oXsu!c4k%rb@ z8juCF4uUa9N#H4umgF`@#~Zohm>Up6u(5v&pLqI9{BzUY;8b(X@?X#xtK-}IU&wbC zTugVams6iSmjfH;^Q*(YkEc9V^{nFy&wqn`>u1rG>%rHG`#0XhHI4JRVE*U1>9}9A ztbGL<9c>;vvt6{M+au{~d$yCj@8bJr4isfJZAyS|iz?4@CIhVi&pxaDeJ&rn&3+5E zjeAU1j4jC)PF#F0Hy(I3e?8r5~uz&p=*7R-Q?=APy(YFb-;^xhF@xF0K z@}Y6Zuq|x_GfHXhIQI8Q1lO#(fd^XdXJ*4ZB!XR;-F$K88BDF3z><#Te09lpP;Q!( zm!T`yV@}J31;XO0mw$wXdsZ*)UtT@D=cYW&g{DB+|}|B z=}aeSY4M3C&*P?}f5E*c+yrQz+_{)Pzxj7Ac;VaJeC#i|=8!8`-Mx;NcE7^Js_}t} zt{5IX71CClb>EK*sdJ);Z-o+@oxJ+@Y_&@_*aZcO!rNNl`Yt;%ZA_|c=H8?Kh(NHi zXAPfU@(mu{_6S(j;HCJ-)(838oG-97wUftNp9iagl$WL}-$U9n^Km$T`%3Z9wnun! z>PcKW_Z(jBTE&}v8;!k__UX#^(3$JTS3XMnv}HT!%yoe_wl-b49+Ga7yq`C;S2@;n zuHw`u&gHj9{E*)t`4iBZZ!G%(%Fmg(6R}695v4!NT@OiH3`kbCsInbrA_0(k^$*(H z=kjqoZ2w*0+tQ@VT!i4F^tSKPST&K)PCb>bd=LB9&E|-vgJ{j{rYqlL)Z{gE=DKOm zb>U#Mc;_>G_Qgy2$pM#h+fl#4*FL8`dp_;CuIQa>S6t8hx|y6m>oe>~x3Q$-H5QJV zj}WlAdlesl=1bgo_%%HB!8<@}{^2$YMNj}%ZwJUGn znu9Orw}=0LjeRXVz5U5ZLj#5bPeXv>GWUj}t%(x`zNN=bx@uB<+oEj)e)WCPf@lAG z4?x}(k9%)Jk~M6b#R&3*-+4E{(;fh!GRkpSew9#6EDiD;U&)co?G+7 z4z#brUXM^x1Y#m7RR9#s=K>62fKmjWf`3AUD9Iq6Na|ypEhu5$7X?5gFjESu5Mm?| zc~%cSNDP!sVBTKNWx0x$3kU&}D3CsdkV-R9PZchP5uywI|7l48mtYdcKeaRXt zP^;W?su zX6O0g{h8kwzaUd9o@|>_+2~ok<%!+&y8~jt4ME1w;RrjTb&uPJ@-hXqu19M{Pp+F9 zr=*ss}=hOtMAz5ne8ghXePF%)GdMWbxB*LzU%ItSjIKn1j#YlTuY-t-QkT&kl z)46UcV+|zi3Nl`Xtd}KWCxZS9X&sz9XpJRps_ja1zAZ%XoeZgT2hyoR2+PEM5*AGr zjV1`A_UOy?Q|(j{vto!~6W5>ZqAFfb!b*^JQ`9)sG$lr}zGnlK(&iUO{)n??oz54Y zxr9Hj{tFEW<7u$ZO`^4;)~QAy=y#JS<%1~Rh--|myN2B=TiLHZzwsx#Zi{GpS@Xrc z1QO3nQyp&%)X5;3Pm%L;_;$z=H93_h=jW(#YDjx&@?H+*=cub_iX=|G`F?!mQ5&m4An3~* zd*NEA8jVo{Rm#KHKBMBJ5JE(BMGOaygNwHTprT6w2^Z?y{FT*d{n6Dw+qE@(mc3!- z2~Ji1A#3tZ3(I@=_%^J_9`l4h_MF!=dv5?#nfybx_dgUsmF5u|sciiAM*OsMX6*b8 zw~VYZL#II&b4shtT6d+j-)kXi6}Sc9Nd%tg!qF-Uq(2PU{1gUr3#CsXricKE3N3~V zbPA+TMnfl*>L?vafJ`R@V9JleSeb814H{1bz%7&@4FISJEGcbbR26`yuuzjVh!0gD zaSNnRp()1U7#eJd=wvmJm0 zA?eDr7nGp^iLfd_Ym)iCfMyP^pC_&R0E=9qN+=R(Rg!koq;vfsY^0DR-IRG>Sdkr5 z0P=DDJe@%-qM#w>giC`ZY!r%)bbItn3L7CL(oWEm?Fzo7k$*FUgY0h1 z58nnXHTAnfh^vEB5T)ouvBUOsqh}93Egvzhy%JjMQd%22ih$Nys}frG26-es5v?t{ zvOyjMDf$X%4at0eKx-S99BH=?Gc76lRSB)VG-{NMX|#jz0|ufo)ZicC(~%{orR=(6k?SpYSKPCwEZg zR5Pn?I)7aIH~#kK9au6(cdjP_?gHq{nv-=~+JR~qMKlrwlJgi9*rHe^SF%;)R7NTi z>YY6O48LPll68}0^Pz`diLfd`gR5P-vK@t)jcSc$ll9VM-Q>VK(vJE*uk*BL+5mwN zHsKWRYv1s_o1!9!U6qh=deXbWNq}%bT1a6LlMYSsMpF4SnOqN8F)S+q8v27VBSIe6 z8q12~t787Of_8);u0P)gS|fxNsgc@NWx&UQ^f=#X)(Ieg{hKv^-t^cKCKsD&1fgjkTfbJaEHRF5TJAl1vg|*P#6@a~tOK=l9>i zAx#Ier1LdyT=y4{F$9+3(R{z5BX$9gT1e@T^D^Yz6bK8~%aJCD6gIutUO*v*4MNZv z%qy03$a*<4dGn4y(izOHmawqwO8RrX^au49gXV&g#ukCb!CkjUU|hntz5wlrN~~hO zRa&%&te=y^QdVW`QZORo|2jc*w zbPV_ln=;H8FL%8sP(1ir<4Mq#Zq92N?V|uZM62{fm!<5{*zW?68i}{PD7_ot=|5ch zG?MlYmq!b<^sy=w*`$~rT{+}D$v~15ZXscSqvUZoJQy{ zE>x((7sgo%fJUf#7sY!rabI+>@C^8?Qv{o{;N=0jnQe6`cnaf8MIslC5(EBeis}(8 zvIYPK>Ul(7B#fKFAWK;2fa+c;cnT#`1NKnn9kW3jQuwOT&IN6gR3i(S6|% zbw*(@QsET5Tl`l9Wg0vx2i_}PAT>xVkTSYqz>|zfUDOmIAvhH)SFRKif|Jbwqf|5G zEa?<Q_FSoDYpBwK5B#v~DMSNjw4vOkg1n$gVB|yam zTC3uiG>XlZORuF!sJG*Bx3uiSzABa}!cyU|*im_UIP84=K3lyrs;y-t?QD-4j)E~G;^ z#xc%KipPg}DZDSj@lsl5NuLZwTL8}%AjQ;$=L!1&2toJ0)jtIOrg!H%YCgA^XzOAgZGC}1Z~O=C={BU50CX@P zhvGG5cvcM9t6GKQreN;0WWdV-Z7dm!ew%R<8>n+=OB2z_8E9w;Z3nlTGUKCUo-HNA z9{AReOB8+)-wKbdmMi+D(sA{60xl25x4K|@8uU&X+KTWUF?bCWvM5}oDB*d5Km^(W z(V|+ygHqT7%X<-RRX|UBP+cuiIL5RY8)21{HvC+;b`-8nh5b|byP(~ov>%3gr|?Jc z4WYmn0wv@q-*%e{U$64~T{%Z~pq$Z=Dqt+OkD@g#0 zjEDCDiBt%VBt&kSgSQK%Pomf^%7DMZI8P<3da2r8P}v}_D1W~&>EIh8_@FGzr%^HG zQtvymVrmg>J%3~5ZuhO6l9g*u>4ZM$@8AWX=y#b(ZRDqdWf~BDV~D(E7oH*NT>7nY z#g>AdLFI{jHw3Wi4C)dYy zulyVWgKMON6{`-^Wy;X4@S8)F7wY7DQcRfp3E`}{L%RT$CAL_;>Xp78$6J+J3^lF? z)vxfKA!xgozj6%-3+dEEs+q%;Pnogx zwrnVLnR%#exg~WNqTNb>wrJ{WXdVmf0C@AyJ;`a`9>3#l*}(mq`Bumn+fzHaYS~pL zqg`!4lpf+^{~>()w%3_q_|}&i&k_@k`JS+z{hrw-XkstCaM>f~ z+r3?vN}mtaw$9i%qcmSpoeJ^}_st>d{Fc_4GVRt{<2gv%wx$);@4}58>UaCJ z;X8BRGT%mJy>rs1Jp!mf-z$@M*l{{S5cRGAsDko`%(Iv67Cyq#6M0Hl9A6N;^ev=8 zKq`}`)2>Lh3e`RejYf$`9ZyHn9-qkb90Y(Q%m-0$S_ob@`Ghhq`i$L^S#_dmBJuAc9By_>Fa7GM=;oR znTsJN&oD4;L1BT-MCo_RT(h^}NuX37^8H{ZkalJH$#bX;)80(xBmHK{J*~CD*o8zd z`%Pm%MMdM_4MxE`g$J(65w&=+i3C6jKx(x`X4S~;Xi8~Ya9wU;ETV6uMkDvww|m@- zmK$RTl%EGT33jDX=_;z@$Y@Yl*Ma&B^-j6*Q@)Otkmy)#z=dM)f?xE`p2uL=-%0>B z<8xD{)dTGSW8?euwy1TxEKkiQKEfSYY1suohunniiT}#n+Y`^K0?A`x27y3Ym0(p8 zO_)(0Wlo~w4TCp9W+A|Lli=sTslp0_ud;^&j}guVdk3CIN?WtCc!C;Xi-`n43P5VM z$ebDxSqGQ3XTCMpd()=iTLtfELQlCMkVaw~YbbcPWYQUStZDpQA7~GpS}f@dYDc*` z3k05@gM1R4D(pZFeB^vPxLw1K@sabbZv^EN+H%cxKo`I?DLPjxwaaq#G-4x^HV#vE zcvx9Ti-BjutTAQoy(0&eBdGJx^(j9mhiwa$c+kO4M@W3-p>w?;Z0vaL+i26s>MDZ& zDH~*|N-iLMv4#9#DcgwBzf<~D^t~bS4cUhOQ0dd2+EezUWdNh_5JFE#Zk#r%`gr3g z=B=hd#xgs%kOzN@P&=g#?4h*swUI!%fNMr=;O9XHL6eLG%13K23Z|<-2Z3$TN};t2 zei$$}^r>!yQO5Sl(`IN0h1S|fYacKA&x8fm8YN6nTa+enXKo}(LK~Fkfi{71O?(NX zHmJ4IT9|)mUn`}w!q>hILJe!BjpK^|C~B=yN^7OGR=%lQ@Gc<+)EEHetAThy z0=44X=C^O+cqkWq7nFx~GXs-;xpy!_DfG-(T3qqi&qDidP^U6=E_`_pv>nu@(tJhl6udkF+J?t&zD0vn-V_Rw5_+r5 zXzv~8+i+YD*QPRUEXTLn_Xc=g`9tz;;T%{@4^s~v*d2ai<|n!MfJ+%)InK~;1bnN! z9CPbu^R%-3-^6RZGTDI8vatv1{ zmE&7V_!cnhtXH(wYA=H>4fI{6F9y-J>|8MDM^WCQ^>Ku}P&94}rJK57oB&#Bl<%RG zhw@#NGV7@4W*Czg&BX_OolnjAG!|C0whqa+<^GOfE-0j}*4o6~6-+JZCA7sRa=}63 zNHN5o0?S7ADBLg(ku~bdVe$^5Z~5(I`831<;h-}1(57MX4*L8^+8@0zM4qyB9wMLc z5K@nKJUMEQb>Bl8B$3j0X*Kz~V>W1iho!X(+S5hSClz|f3vGcy>5~ou+zN=ieuv=7 zj9v{!fnEy(!lK}}8p95O(+CtHKq^w*(*#EkzHv~lfg+dXfxVQ{1289aSuTj`>LWrE zt>D|C7p72EP#Ni4An7U!#2Y46sJd5>%Bk+XZRwL0wPHI$saVL2mTDFN}!dGlor1@@G6dOI+(gxEw-@Ok!j<~mDll9 z>+>L_c{OmaiV(;kzLLSOp>vY3PUg7^yza>$UXb#=U?-d5L(Ru=-62wpdo-8AjK{~{EoSGGfBEhvVM*lr<%AG=g}QcbKc@_2B*$pyA02Zf@#hK zU=21*NQ4k5FV8u%KE)@dok(}Cn>RaFVb+`=Ump_@>-9!vl|U&y>&* z7jcny#uwGW*BdNXC8ef*k9<2EZKG^^Xj7TL!=2_UFU<)PKftvIUWU?|3zmMDms(#y zI@M+~t9(qXywFRoj2w9=quQq}#(2tV0yY6$ zt+oE^mE+gh?hrfCz2w`_d-3=8zm)$PcO11&4UTl^%ysdDRlni>?T>`po8L z@{E)D_JJ3Yuqvo_sz|wMZr^k-KV9~7##S_O-4WkoUC&1D-|`4KH(j8RBZByp0?+r* z+Sp5m^L^yxr%eBsU26-+za#JkljmMF*IBb@&43$Vt=FoYjr6S`CeaY-|J3&B|Cc@u znOA_uCl(X+IbSyeYlePl&uI{l0uVacB51R~#~1(!qIgdQ&KgtzP(r8WrjiDS5Gu=s zavEKr#1RI-)xkFrM#vPnL5~&<6NooZrwf3ZnIDRPQB-b0Kwc4k$mA=E`D?ykXx9Wf z{8j{ylpf4nx;*$1S{OhVHd2=dS?04tNRpH=Dv9AJunO`H+5wne56dh4rtpNT>+>FU zH5sR)nZV=BitGD(r(8LHmlejhD4om;eu|RY1J6qrT|?@H_47HXaX)^);cs;0y7}h3 zFLB>7f8dzMKFO=Qmx7d3#~Tp{l5|s8LQ?5elkv0U zy&SeyoIL$RzBKQ%T)*OvB0_E?hjz^=(l<5Byb9fKU?(AIG4@ za&^B{H2TKrUGa;97LGm8HO!+m63L;B3)ruIHrKEHGaibs&pC&Oj=PD&9yyuyU8_LY z)CB5@{cb->`k%b@%$Rq+NaBpE-8>!yi0RV17$GJXbMDXL>N@P+Uq|B|u3LvjmfY7sAK3r#4wRMZ~m2Y{G^+@Yo}G z+8dBD=(_lUK;rryceFgfm{={JoPH_?joObpTK>hW?XR#QwaaYKe2jF&6(Mga7dMbnmFtJMq}DXt1{+4q zx4td#OZe8#sTRvqNvWuRNBMTRYev=&p~UsPnV(`|qY1Ko=8V&Lsci{bDdJX)xb4uF zPZGB(h)aj0m%>*bRrrVGc4 zQE8iaP&r}okB#?{cGEn({b^7hwpB@$U1`3rJ#v9&!ti`h*ubHmkCe6ovkLoCR7hn_ z29`$8ebr*+4M2HId|R~t(4aN@*3ROf#{IaZ-%rl?j4@X?f@eh532iM;R z7*tm@VF<~PHH>YK;22ASI+qu=vdOy>WJA_4LI|piN=EHba@G)1RyrO(1oagSejA<7 z?Z7ar$x74h|Avr4Qf*c-WDjH6c?=;@_9(R#js8LDqbkQ}ZV+K)TzSy+k8DG_5jvgW zn8o<&b`EIWhlRZ_am%Z}IlNxzZNu6clo-{PGvQD$ za+DVuT!S05+~vBv94=rW6`tL_Pp)Ulc8xMWXoPZ$tObRLdpHK07S4M&BB0;Gy8}Ik zFvsBX!j{|K9;{%Z*YV+*r}Lu&zC}%@hJ}4EF{NfAzgqD} zE`I46?mzZcnkpJN_^x-56&W6T`=98~ZRhB}oytDVdvW^oQ=D^ZgygoPujhg8$C*?; zo~^ll-gVy@96RwCt~>k^CRBH_bnB~}@yLHMWDW7iiMP`|w2{8iZ7k?GgsvUyx#f*N za`v2$QfJokm#%v_>ya-rYL9ZxzGrd40beF-WVv_k!+iRIvzgy<2)}&u)jYfTMOrFb znA0?q7kZcQp1V%xgy|>n)1!U}z}fRY#+>GveEIPU`0-Jfuz%}3Olk6i7k ztaSY*k-81ldHmUy8YT6FJ-^mi``TsO1^}d``=rvFrKP7}2%@|d5ge&}P2qh`Cd?Fjo+C88i%y*$LZ5g zVclRiomK7Jc*GC6d+meFYo5)rt;_k?L!aS2Gv33Mhg?8QMHA2UF6N^TeU6%JJ@*`c zE3fshAg?SAY1@xi`&aPi)&Ij6=Y0xO7~JyupZMw%-$nx8Jm4#QZNIaTLU8-a|KW2F zeV!Ah9>A@ zfq5Li6q3B1kE>~}zrJG8NDO1jwlI^;tD+kbMjrI;Jvq#u^;%?X5 zT{I-MJV_#%Azk}}{a4uh&`)L5y4R!OmC%?^oYaalu8L>w>y!}9ad-SzD-?xPKJ@9Fy z5Il6^Z4Bmz`RX$lamhj7;E?wDWTeT3FJ49Oa3815aN3049qYON=&N{B=OJWehF`w+ zJI;RWTnr%*@f{1PMojekn2h59s4}!^8%zzp&uFz?jH(f#bfr$nd(6DmxChO{waahe z=~cJ0PvdOfJL&Drte?t*tB3f|>@)e{{Bvo{*7Ib~3w-R!udrokBUc^zecm(acq+|G z?q2^OKU;n)Hy?gEFZaJreWs2%jk8#?5iUC5t29+KFpwYO zgnLeB&DP~yd(_pOIQdv|D#yhOuj1+@*Q14S_fiYzKw#kBb&v4K<&Zu(d)diwh3=8eiS-ECALGY~buizsdb;9^&`M{fzl-`|#+7r#NZqapYB= z?>uuEKVAF_GMVb~CoJ8+mCz`IMmZuU5-_AN&2DYmeJHa9@?$WdVw{hI{W}^^gomu@ z22>#bv3^fPypyn=9bj01xkoyZ@~*@Kg#>KWdSJ8G-5HHg2;13hxn>1P>l+*ev*Mezo&(0f~0sxEKqx;o1sw3kLnR?1;JABYa` zuT@Umvk2oSznA@+=CG{)bsp}1f>UOm#&ri@%q^>K=k&+V;iL)2 zaLN2{^5zN0aP#4p(>uD2GamaKBlakhYC36jH}X%c?qG7w1e{RTlF7B5OsweyG)QmXAF6 zdEPbccrH5pLh3WMbX2!Cdw+)S@BekKc;)AO^678z!Ko*6 z?ml1Oq$wxzlY=j0#r7^f{OH+K8I_E$8b?FMiEuZ$dV7=u299nByE1H?x zv?py9EmRp5bX2wR@mcR@dfj9;4Q}MklaAr{M_+Upp2A(P-_A|1IOpZw{L1gRYRQe< z_?D|Uc-;P+^T@e;{Qh(38S3$uE2i=_fe%`1Y*V0+(}T&flFdS~!LZzf9$!h|ZB%E= z;H|gMAaOZVEKMY_k0UH=0+1E;P}xkSd+u1hSqqhoAToSz&ZoHY;PZK6^Yfhcz$fV$ z*}`v+zLw)ByoHYH4(@r|tsLC8FQ0$%TU@&MCwyx5XF;sc{b#XmpxY0f9V=HkWs0_Q!SX>^XUCwoLOZkDwp0@(|KTK1$feFY z5m}k#`lEl$DN|42V-KCf&9DBBA02u=@1Axtc77yQ&Pg?$>^XTpCr>>NfERmTW?Qb` zS-PzhEtM^dSR=gi?lXAr-_E3?x}BdaxP-=vCR!>RnNl~A+Dr}SK6MH0RjqvM!2hD7 zc087yE6v-G&bqvnx=9&!$dg=^5!*Fl6?P`1Yq3j1VQ-LkCxH3c2H_&GG2M>9CCMof zSZ|I#jb@M5vJArjtWL?gRQYuPrc{~J%AE?EP?w?a8Vm(m?^(LA#jiv|N@duD9_SHl zG&P1&Xe|^@z&&SutP_MmyFnw|PYYQ7oTe=W50*w+1WoyTn zaV#mPgq|eZIv6-YE8DHVt*-z8AOJ~3K~%AygtNQBU9qbaO50i~TWIYp(^IaI=4yjd zF3noG`>zVd6BH!bGoFIdAl#br0!Qc+W5#1p$)FJuv=k`m29AgtPZSI&?cQnmB?hms z1iC)2sI3+%+Zj${tTu9bSb7b+hbIIR>2#u<55&G%?oy`T9r0uCJLdnfEx(<2KKu!` z4EJ*O%nt)lV^p(G(`;;Qb8P3E_}Gm1VF<}puiVI=Ub>NMU;UMf+wmNFr=&YxNyUgg z>d(m8?%I1xS?)d=c&&d0bN~DnKKtkw`QY?-QEgT^UWt~un9^i^>pW)GPa~&tyt3_e zE?amdx2?JhfWLO#%Z&@KZ$7@~sQ}bvYnjtL8(S;hGT{iCDx4(+e_eGC zzj*Ene!Kk70L*RLll9wH@z6SFRo3F(WjyivoopL*4*NX3^B^ju!S9#<8AT+bU$9R7 zzr&rX(75MYfHvqHkvV^J^P`Vy8(XaQ!rLbX1c~xCfsaXPq}Jr@JXx9HuA^__j-!6Y z>Vb8<`=O6xDT~j{Jk33YzLC8fW&&{Hgkv~k`g;JlY}xhP{?bj{u>3bJT8D;FkDuDn z;=HoRDd*XC*XG;Wa;8>*=Xw@1^AAVxjb|_BV>3U1Aq}Ju9MC)mAp}Qs9K__>@mR{@ z*`7uGc;OY?*>xWPx2?L9n_s+!=Xw?)h2)^NeK=#*d$E*7YgIF|n;g2|I&p!&T^qV@0d zI)S&^S^lLZlY^jQ`}Q8g)*B6P%chSbfw$53!F(gU-K78vfybg@t)uzdHdWaMJ~aJZ zXf)@)a5;A@`wdqt{TTqqPdu6@sNzSrZ zoc%QY?m@ywbR0}Zz#mrp1+*?4K~}8&LdR*1z=a3B5hfR5o+# z>whM1jk*Uk2kR_Qe(&ciaeul1X%lYiA4CrH^n>mT8&#aD6B;;UG>V+{wk?!&&V`}598$MMGYReXEl54mmW&$#*ZKhRv! z#GxGrGw2>_e@E9n-1y=Z{BFe^0L-eNj-~PprD zuf`dSujv5b&EpRTcOO%*0zNeJ6ka~GM}}!=j(Er1xdoDqERY+lf|@CBJEWa4(@jA<$V_ zrIF#ijjNXrqE#0va-3^SA4?fd!EDPhB0RVx!yxG@$9RJBji)edEcy>KT97~&8D75yL?KwlhLN}we6S2<^XYN32 z;l!m-cn9Wso*q%yBjwC!@?!4d7)cVX z{n3Y$uV**~8`yFV%Y~f?8lfqSmR%tTMcYg8KJ8L|IK~=)kXq>`%cdsO0A#gVJz~ir zsi+T~xSrOLB)!vxB_iIcNYf1namG_$;>7W9;T;o?;fU4)S<%133GWRY+O{8~)@&Zy z_!Mgf*3yu5?0}*C5C|ByhTSqa0rL&v9Pl+{4P%&wb3kSyZBCJ&?^(iz{w@#(m4>so zVs^s}##gnma(fp~Z+e~~YY0P_3|Ye8L)I`DRhVv&3R4(9-G{Xwz^FaKgXl{!v3zLODO|hcMn3=WH;_^$ z7*p}aJX%tX#+Fo7RLBVgLZBOp)rM7ois4M^KoaUR6#CfxJ1aAc*rS~B#FzNkj8i$h zb$fsQfTWyM|># zr{>krGn*H(bzlRS)lS_4`!?^*jM~X8>08Ez!42f?JObhH)7{?$Fq|I&v&ucR6*9u~ zHz6Z$ro`&+nRJn(64&(@P=m z`oAi&Za-OJWO<`!F(>@(G|rph+JOH7KoZXK9?X4@zq-lr6N*3rkzrT4~$yI@wY=%j#5N znV`395468@&k2X-M=IA!X(hDMp7%*BcPXFkS#+*f%U!;wTso9vXK9o|;NbQ{mJ?pK z7c`pJ>E=;I)x;^+2!Gl{ zY!#cOrF*39wkoB(Pl3DG5+HBzxpeDtzVO`n4CIHn=HLt1qkcLMZhR7e>zDtA1$Uju z=b!lwS1r4ddp0}@z;WY`WPJ19e0UGXgJCP>1c0zcXvoy@=5dE{Oy?2QXX>!Dg|}43 zVOe3gB!zHJZC4ggZF&KKd)Gh0k$-t7A9&!iT>a87Sk$|WnoO13*%s28?jXSHB>IN8 z@7*g8x2&uRi}hu6+6DJnGJ1zis>iCbZ1u z!+V?pIEp)Jk1}kJ&{^HiVI7BYOvmAv((pY|9$$nm?0AquI{dXpczW|fz?r>1@-HXy z(MOzUUaxL@149}PKXrk_&LFSAtBpfFEbe_7LmFJV@W&i=+i`s3>F@FLmv5op^&mPp zgfH8|jq>Q#(agr_Ol{wn{oCj9*@wTz=O1zQP8~J=FhDp9jsv_6@->aOw$@mJ7OTn# zEy>l2E-@OHl^AamcwLIOAsT`&Lb{*eok^3gpqvr(ylM~z10!2_dhgChJbxv{$zBrjCR7>Qmq4 zlMjCxfHzM#0x1n=J}p|V;JZLQ_+@kJD%C>~N*jkO%3G&n!j@!4GvNb14NI>PBPv%? zZ^z2p5bc^Uf75yE$gRzLr<_Q&S;cQw+|I=df5^GdewV+ke}tBbCf?k61j^ObXxo{$ z^BmcEB;%@D`QD4y@WF@9X3!cUYh(!yb}M9twSBL0`^vj`Q^&!~X`00!R{RwM!LbwG z#QD!%#z!7J2Y_QIETFcK zdh4pcaOB-5apsd><=R(&#jN`2+_(NwPP*^Iyw<;hqsJY}xXM;6ZSkh|gP7AcpHrqB z&y2b$EZO=BOL~{^%C;5EYnsi1aR)QKb$?Eu@g4@PAr|#4@eOLPee_!EoSkQ8>pqy$ zVa1-IO)WUGhpL2b%zd)T^cLwP4tB^|+2G$NS`k33u1w z39XeEr~&Q9dR2vA_dwrp)IAM>BXqqzJ5F450uch0R$6;?;KF;2rN#?a?mlX_Bhqdp z?Lu{Wf)m^Gv}1W72LMs4i0SHhqLE=luyh)4FkcYi+;jQuilCw3@Y4) z*9(=Lard-j+(BAKnq2k#)y!|5%MC|e#?^1S2!K=X`4pDBL?9zGptV1c$jA(c49|8y z%PU)!bNZg|WuMkLSazO$TKC4%Hoe1Jxair-vFtpiJCo+NkSdHU8JVH2vYF@B-pBciui%OU&*R2Jf56ulUdo*M zncRBhHH;p9847sUgP-8m<-g@!laAx_dwq;EW}Hg*P`6W0!enT;m+M~nH5bnR3QwMN z2QT(51zazl#`ka^(U}!zIsrpSjI@^1I`1VDv3lVQbBCcfKFn9gI1Vo^(OhgaIkw>hoakz4L>i~ihI;&J9n22F)M5#W*)}6aeZ$r+l6y7GL z)hK(EaW#`TeUDSnT65V;H}KLrCrHHlk*yp*;V90W`F+faN zjx}6y*aduI_J^o3ooI{#;p?C&Ot5qOa`_)PZRUFz%nx$c>ia+%d~M&eIOMn+u~eSE zk*$39*&i~eWj5gKqCRuZ8N6?gcQ9(_7_vq<@0st@Kico$jLB}9yiI@|i{5H-&Z(q-Z@Ai`NFg3(^A>Yh5LP(VQUyunq2VW6)f*xi3X%Fc=-6+Xsv8!<&HI6 zvgk^73~lDiPoKxnkGz8W-~Kz4)@;l5bJi2*vUbZW9NBTGLyL66-g~P!lva$Z8pl0v z|1C;6I`~-kGhDs+2JY^YZhG0%UjNHBRe`1UEUbLi5TegTa`woA3-pcx6!^f@Z*F- zQ5j@>S6h{0Yud(&9m<@>Su|zp zd1>2gY#Z4M(%|s61E@8td1CYPSjy(Gw*4`MNlxWh*te7&BYo6YwlcqEE_QyHj@k+Q z?&$0I`SRcLnMc0_(%_)B`P64>d1L!(##OZ<5G?F{iPp+yX4Ow;?cjR)b32&Zv?o2o zeZ1Dc0ub1C9w`lu>^Q_3RHJ#ZcPYcxFbB5n%V2(pMZHUDt88J<#y!|DxQUhhE1B6i zgK^buytefXy0@>Tp{kVw+xNwgCZpCU&u)5=x=amwH}A>jp&nk}x}1)hPG&Srb8)OD zZ;vvqaT?R>rnvjMMrp2Wat0y;-7M=}O2(){xJww5>o|R&q=70VwcFLL>%P-{n)iN> zFOQ!%I8OX|+r-KPM@<}mZ#ldzN`poUgL#d!sWGcqvh`JVjBdj;vK-cSAQd9Rqnnpc2Lckoi*GRD`8XL|h<*6divnjLG{t9dppl}#+`dySqQ>u9Z;z`iYW zFoeNSeu(Ebzer1EGkZ2pXZ=7otG2CVV*O;M)=gr~zH>Ygpd*8dumzF zr_tnN;%)rBC@HcI)!ThF2G2Ve*%B=)l# zpGQaoAq-T0kbT?d(_Ynz)`~^F%jg~K#x$##*{}!Ws#_9?^7<{jH6R_&KFB3_SB zzB|d=z^g>VIFdwbn;Ns016t-WWRI}8Z<%{sgQm)?Vt&g!lvebOY++ng8*2s}-I`iA zm5DXuS+%2!HQT$`qj3gPYbUX8a03~Up|PT#MSaWIqizaK6^*>mvzQ%Q-r!9$Pv)_A z{)L-f{Viuc@HtGgin+~u`F!mj+|1I=i&+ryr-25V@ z%({D|b|Y^~)KwuN)C~(&J)+O(x}f|2d9Np5(D9yuCiB<*ot4!(rLT4JEyY{s#h&%k zX{&7JmHrj<4)>segInj*l&$Bvz9sbMwzHu9U`%OZE1Tzf7t@q&U}pU^q!0{PLp-(a z5ssexRvtS358Tmp58qpSHMN-nR?YS^!BE(5s%Uf8^Z84XjJ zQa_1x0~^T7EDhN@7WXb=kA|rn!|c~Khf1T8mwI1jAUBYBzF%1Q<7_a6 zpl*QGmBad|)fadB5XLsn%gF zox?UQf6tR=02M-^$^x?*L%4@2=7*e*X0^jd zZx0j#j4BLiV%s^eMj$`HJNEn#e?9hQZh7NRobmAIKuEAgowP<4>^um8X;wS?k*s0o zy)Yp^1TuqZR{G@GTA}lUc%p(?v)DW~!V`(AEgZELpPx5aja1pz;(BJaiB36GnKDoi+$doZUJqpe|=57ijb za5g<#&b}65Ryzl8+9Q5rDl*kb3~V*(@Gw8XN9LW)FBe?FRZD-)7oYr=!#j6vJ2LCk zmk^j{4VFC$_9z(6IWo9=o=l_CuMk`1T^YltLkfYN8w6>PF>A=%qYiJ33Nl6o`TP)Q z3t?1Y8X5AIOCNv`WXx*k@MKrEvSuYY%cVtT$-4RHJUQ`$O1Ni%xF9#@ndu6yvQ6D-zS{vgjp}zlh~8 zuq;;>j7rA~>#V78JiC6IAdxQryyN~XYY4mpU5yGdZuGx=03Rxkf6%uy$#``ixXRk| z6w{Az`D5jZ@-~Po>2F-Ul?HV?`0sITxe9A3s_-`UfB+ z8ME45dRv6Y{@-DkM8kL|^tR46s2&#QuKD)5OFgj3-|F0dq}jZ8%fxK!&gpG9b7hY> zCdpB|S8v@QdWjpoex) z#iv)ET?U54D|KmK*0eTS`TiYRZ?DOVHjQ%%27b^8EwtkS!f6!*&UsIsZ(0YI?P={D z;p8+8LV593!HEM{@J9J*+zwRZY>z_t2j*&mo+ljrOAj4A{$tOr?oS9&er+QS($-MaMP(KYg9NLe&8CD_em!` zJ1+#Fl_m$R6?SeMumj+g+jM@y#S_-cyoQX3?`4bTkwinnH;HhKVeh?i4%{?r3$Rjx z$ixsB!l@f2Ox6sn=gu|v@nYXHgm9K*3Ll4d3@e;+nlfA9wn+>(X8EHoN8=wX4ybH)l(OK-Y!B`RA+Gs2xCZBSOkhkCN ztXt0H=*d}ni?rzU`s>7qdr7}3ycJ2XW286uEgrqk`OoxpA(YMyP!rVQK$!%P3Cf&@ zP!rHm?M$LX$1ff|{&P8l>txv2@}JOi8FdwabH@1^B}LmnZ%;e00if#|ott>k#PuSt z!7QP-W%4#ed$D#V`t0&d2HVa6E<+d&&%89gj;gTEqMb<(uPvp(Tf?lvLQrE?Gq-gv zYX;VH=?mAeq-QavYYb$}N}w`S-i%SeFTlYas;g4{SP|Yv)9kF?Y9@>GgwPi`A8N>S zk6Ms<41WLsAOJ~3K~#E+uxUjS=WU`4rW8Pfl$8is>C-3>7-lUY-Uf9_1JVfaNu%r$ zx`#G7eQnP|q}v8N#;jA(ht* zYI5tf*s!-^s+L+ip=rDkh(n!oIIq_vIeu7O*v;ks)5>2Ci2EEm8rS`!uyoJ;=Hc>| z1>zZC0HRkjbT%B8RjN(c zvd>Vu-Itow4kNj962)Lk4J;rg`G!%&vzuS!Gdvu0A^J2(1yo& zXwALO47O1b@7U6CG8SV$h1S5|W9DrF+|De?EXiB9Dr^B-FlpJ0hH78{pgPCUpsiP% zmYQQ3B6Vq>->RnMo$3i41HHj(%=J)8XN#sOUAJR0o>E|UwM;>rq55{aP+N%hQK@`G z3LL#PMl`ZAh@%7@k;lJ>-WJV&7xdONoaMa7-F~w3QfAyqj)*M&o9V4Gn6$sqQ3(tK zjAr@=HMMI^OV9EGyzL&n9Xq|=Wf)Z~>RamewHepb6rtfCp|?@q{-c*#^R-lz!xq5E_k0(0JuO$zb_jE zQ~Jks)iuDjG82Wa#Hf7$Q%2aK<#3l!Jtj78oIMM$HF&}Ga6%Db-tC?BDOjNbXYZ3N(}+rpx~B=9 z_Y{n}mvkk0pT=rL`4RU#g;yeGL}@p@t>fiJfRKR$esLocW|gIyOpTZlgf{bXqhYH} z(!-N<$1^E3>N@c3HZ=b7P927g{{~=PT;5q8rZh1!_0AyMhfTp1cwh3c$tbPpc=6n4 z5h`Dbw#L%x0&Hp>MG~jhd+=9B=m{iuCK%eZVYUZJGc_xXygi&+7fHMg)n%N97_L~E z5@2JvoI`hwOkE)mKoV_{{Ks?_P6-(hlsV82r47R+NA3#1mXgg@SS&E1NEx-XKgU$`ujVB>jruk467X%r`=7k#c*H=R&k5 z;SQzMB(_DdH1YDse*H8N-bV7(fI^SUTe>BfOlrN-$lD{adWh2T57*m-{1f?31V<^o z)ffoOY%OM{&hbE{;i3d@6X^)U{X_ItY6MIf0AFwSTe5x7P^>cSBJ!hyFT(F*(d2?< zD@Lzhu6RA5H6~tP8=SCA(A!A8lstPbR;D6#OGIyzuCd5#ER8PC+t9De+l2bo8gxcT z2~(ovNvW4(W$+>ohObbMlU$Y%Y_abi4ri9FtSbT=%Rcm?h{s5K-%G)iiz^CSjuGX+ z6>9z&=?*g9If zAQW9;scFv zJtcR#g)5P_(cfU*CJoqpIf?K#+7d^3n}W**L#sJ-vQWS11wz_gvFwOCh9~=-9~w<3rjsy+oIs> z0Bowf>M&fIY(?7w5jCJ}nq44&?HdjhpjQnfrZJ-`vIuIzsnDsU|kPhQa z)Z0)QqIbOf|7g9{Xly~_5QeX}x8JUnz*r?MJvO~1Kz9E^woqspnccSNmP&7zN;m$W-u@fwtcTS?M}#R$-cG-UZpj8Nn2)|_Qz2UU1E(rA~BQ!(n`izC`Ed{AsWi` zI3>U)qV``F@e~#No`|>Y@{;9d{IzF`0O4-`R)>=5L^Bj+o>wU5nC|jd#{AGK}*5ED)^v;LU z1iVi{FAn(LC+}}aUrLv@Y!B_Gb%RD=P;}XzZ>*IOq$1Ji3wWK18BrQiJx`wZ$zfM< zIzlunl--b5y1G^B@DeZqE5)detOX9tDY(y}k4cSLsN>S*HGn$sM-&I)=b}r15}%9U z43#fVYa;Fh*rH2-k{b3RIFsu;kS>Z-7rtqsK{9o(^Y`+jJk(WI^`q#Lc6?qSo>zH1 z2-53asWW(Kb&ycTw8Nc~(g0z{2UN7=$o6v;y zmLhsP23hp3G51Re&n0;~hPI$&Uz?b=TzQS;Unb6?6P78uC2)4O2%$SvR<#9_De{~1 zd3sQ09A}{vguE}suHC)&NeA*z{Z8`t7)%jdi3CJoisFqqj(YNr5hW{I*bbL*BM)TJy-}2>w;lQlmnf z6*1R-S_75zuI!nkB6t%T^V0d2kJE3=)2^|WX^iWY&#SrM%i+s)bt1~I=m$=J4J7R zWMDYtD$^qU&#M3T_9Rw$)#yic}pgGOlO7)#0tC4o|I;0UE4uOS#T zLgUX8c>A7$73$hLzW2#9HloIa*C3S>G(t;(a=lNneNTivIXY#}Q!u}z579kOXcB`) zXp+58!u33P-X|@R>G0tbJ#iHFkvRb;l&a5Kc5P=6%(Cq@(q^nd^MFbS}UxLkTD z7=~_&=B+&={w&$TpDnbc7HbSU(2#2#xXY(ESOz)zqr8pEc2u^acclCx5m)dz@-kIk-A-F+v;j(s4)KS=36eDxH5(0!%`!^E80k&q z?M~3^JrteAj@E6G3g3smYL0E4!wx&}Ayp0ytCPUF{ zj8PXtAB(kJUb%|(iwSj5ULc<$v|bNHu{AM9N`c#jm1ovDh}ni69sXeZwXeN4ptas0Eftr=Gj10^>~xv6qgsbN7gC7TG9Mr+1$W_Zom>z6 zFV)+iz9q?4F+E7o+jQA2t_P*`RtwQN-WcELWxes-jlI$q8=YmF#dRS{Z>S!VcTMct6UtqnM;Bn-?^Y)pyJbiiKF2Pd zlK;-YCYE2sziU7%gjD17w29+NXB@wZFYN;a_F5sg9)Oh-S_tKzG_MQNSUB%V=y1>o z_lkO)3dn&nm+qBZwx@CILJ`>Wl#ppT0V+!77rDlK-V-=W_e2~v23Kt9UZh@Q`DqYR zS$31wx;nH>s4`pGKO(GkLg_-(x1`2AMotta@<;0TAP!v|CW^BNOkvu%<|CF^c>b zMR4kJzDKVjhDa&66fy8%iw(;hfSs?OWSDUN>EDBw0Bp3T-5RRs$OO*!EB7kuk#ZpN zt0a9I@&au;lmvoCXk|M=BZShtu+=xm$@5%E9g&It^;K8MPCG$(8(F+4#BtPNNt5J57wuPLu*KNWNO3;{V+#!VS zl7W+v!{vxK>i@TqwK&cKO=)S|Kax7qV3|C;iF6g7wbp2%Yb_BDfv&Ts%KqPGfFrwNBZ*QVMaHN8G9|Au;-Mr$JO z1lWIjz13i&IxR&*@RNX5|m8rLBb&x>+e?mZzMBYZ_6;jI`(%Yo+1pih}gmX)) z$-&@G0ET2$eprGI45xP?C_)meoEPPKUy6MXUMcuuunBO9_zJMahGkCrG1QL-U-Uc0 z>!@h?1sa=dm8e%j{(U@BS`4n1qF12v0&Oa--O;<}Bi4Ao&SeJ;i=bw+o4i3m@6&Dw z8c{O8$d%@OveR(L`1_slKB-8)Y5B>xVW+G*rFC7)=mwgA%>WB8SUB8v<-|48j{;w! zlXh{1{wUH(7x0wsd}1FG8{3`mKK-+1v7>m4d@ow2QnV`26#|qITDLuF4sH;-xq zXySvV-LX;o{{n)PS*8S9)8(P?!7-AJdMz@cy^TW3)l%sZpdtx(N$*n`^8I%S2mi(02oD3`bYWWD{ntn?_Ie-x)E3R6DLvFmMsw`jDG<9eD$ z{c#jPKBrfh(ilb=RS281&N50TG4f(}dY^Uywul(~bG=Wy;C<7DUxmiVYUE%zQf|3d zNspA0{p*C-n%8PnXzd=tE3|T342KjiT)7a&i$YfMGnjL zU}4wt3m%jkxTEPkZ%_ya!Veq~rK8vZzajeEU=_aiDJ4HIz=d@05Do-dpz_sr&T6h6 z&Q^wJKy71<%op}s6kUU@wfjQ*KR!(0Id~}Ju5M)Y=^-#HUdsCv#Yv$|yJI73d27rA z^_4(w+McJxI*rmA=q!ZB*`}z~gr;koYCQaXoqfGBFM9m_Zv^WxN^h{fBJ~iYg~BZ7 z?g$7Htb?5m2ojT5A52pgZv*8I?)eeX@(_ki>kI*-GRsDYMv7 z{Yv4jU#_6MrVYlTI3u(Q?Sxadgqk3(Io?0ubM2BXJ;K&K;@??slX$zk^foFl|AKle zoRC_krR=G}_sU|ewDn*}Z;9w_61{2i?a3kuyiH7_!!$=o5AVS$Q@*{2px%-ouSIkr zb_dFzx>qkvUZXS;k=H11qc{_34b!ExYCzcGsEng>jke_ul#wzs0L2czHHAe zxFE1>FAzAQB+XG8-F&^^6iN9B9Pd+9p0scbC|e50)oe?su$5g~o6psRWKjl-!ub(E8=FQi8Xk-!SZ$g8-29w}Z3vAT01l3En1pUXt`m6HXkV&(~Y6(5MOH zc)i{S`x?ZC7GFq|lqh+bGS6^-;QR%hKD>Z&(g@S#SM!IzUg-_W;g+u--aV zs54r~klq?9yG?4*EpeVVT<8PDrn)+r^g13ZqT+4tpKUbjP5{-HK+`6gC%Yl#A?{jHpMug%eq=aKY`FSaUuCkO>UmINlW=ng$fL?#2TBtEk>4ZWJl@8s>oqhl(={U>sJ|#7# zDFd;1qh37!cxM)w5lc)H#95?VI$;(&tpf<+jdVbvnOqmnjq@_GLgEj|02Hhgd2A7y zg-M||u@fpX)0swVDcpkdJ|-&slb+DqN3iXU>NbFE7`d4Bvurb?#bk!5guH0uhm!s zM|cKF+Oj?H8pRZEP}KVr$S>(i^FDcolb6@dc%STm_bIrvF*xmIXOyz)Gn&fKMmk}L z4HB`{nIR2mNU*W-egpKBx0JxUbsR?^O?cKgMN4Cia2zht`xH!^l7Hd3fU__IopO7$ zM#~#WlRAr?02`w<@)-Aq6=>B;fzXY4a-kE~rP5telZ)X^qBrncbdz$iI!J&k+d~n> z8Gub*`jU`;5>Ef`6y8REgRlt=aH6~>;fm3bfGj2_kq;UWAfz65OUo_3k=%Vj_b^(o z6)H$;f_#U{gj@D9H=uiEOZ%>a`c^_`V>nZIJ4V?m%6b42UhQpn)NbBZ&Vh8s64u(eQl`BQF@8jL6o<;1aA}5mf&qteWlUrr*Uv5F3C*F zzeu@5!=hsSavH5sTxt0$jW95Up*kX^K?%7MWiqzNdqs=`A12|7)n_@lQg9~1gmI=C zPCkw@jHe)M(eLbf`BTdTx>)&zMhM+L)Hl!;O;_qFX-Mf)wUV;G8`*F8#z5%2C&K3* zMU9D4-Wh~|fbkTqfRGobg!ieaHz>jTlyrHAbj3a5${tu=RJ8Iz0g@%;q3f< zPeJdK7GTSQ_X!z^fEbtt@p0QiS+&Z_H+0Vbsqh1gRBW|3qEwIY8gwsR!f)zqSnvup zJb{M#|FierQF0Vl!}qVcd(!S~)@oN9l(U2)pooM(LMDSmGC7-UjL9Zg28;n412#4W zg9!$aM6^LfMS@U50!g48HfV#ic~W;*y?^w~?9A+JkRLzid%ttu)|sR2?&@1N)UB#p z_tvdWI=-}LtdLx`1I*}y#MQ8l9dQE8&IX)VIn}-{(dA@}M40J2_M}z5RQl8XQXeGz znQlcaiKax9q;#WHza;(%wMQrwNQIkjz)Fm@PtW@_`1XVcJu!?)p^X%|CY4voKj?^K zBFseDroy9R+0NQv;wpBRZ95g$M1)dhn}kpL_Nt`9mNKt}*MJ$y+bRyd%wkT|r zN2+kru@q9uJwmGB|8Mn{|3$q`#3P~X|8;t6E0A`c%T)0Rx4KU$PDyfzvest$CO5-W&P==H;U6qSnJ@eGW$|QQ8IyIvH zx4ch1rmLqkK}YXXC$NM9U1bQ(HK1#vI$qso?E^p$?n7@2p#@zCVMSY1=Y~jUSA3!` zaP~Z@1j-W2sVG$`o~J{p&&lxD4x=-}$>|I_JLf72Lv)Wvm;0R(@#v~PDN@^y^G)<& zqL(ho>y$uCS`VB;S~-?dnSJ*A$OaAq>|3xeocE``yM?733T5IaXCx#^@#hgGo7;G~1u8LXrtUDppdGSie>>B)O(bfMLo zQdS8?flB%2|7B&1-gH5Cr?Txyd+8KbnsQyWSE)c#dAL&o^~qRF6qX}xT&N^>LlwecD<#vDxt{ze|p

nKWMN0;{GlG z03ZNKL_t*ln|hmCm6RYUE73z)B%Bk5WS`lpESFz5lxET8!MjN?ds605%B3mWX){Pz zpYNin#LISDCI+lK<0?H4otNpPT&LYucl4)&<)lD24CRZ2^nt(^>7l2;x<5w>K$Df| zO#!r^ft@B>UhL}XyeEN3N*a-V!k?TpA_lX^=S#)l$YdDlj3`C2H>mw%=a(*NM7KDn z;+TMkg0!Bln7(N#MpVp#k9nS?XwQJCB^qTZw4@_cSYYSaNN4~gfdB;dRMEQNzanY_BfQFtHCY4(iyYoyP+u^T?zMH4%lh&NO_UKAJL&m z_w~mwCnjG{^+>s-*(`+Er~M}bb`NnlWZ9-E*R53)B_Nr`&v}J*^lS4_QpcW5nG9B>fsX>;eY&x2f%68pU+Trxji0YAtDzX0mkp52S zO7c2&TCNjVDw+b_3(^(?x}+h^)kBX|OSPsq2O;DKe>ncU+w-2Hh{ruCF-26M;_(0i zp+&tvUBK+NzJ#kovIvJwC>&h0G!k?Sz3%IZ;hYw~#1K57HDV*B!0*wcFr)24bnShT zs-1tax&$2?M)!tf^go3(ebSa$d8TO;0Q=%)HTGx{OQ76c4-hGTq-)4ZA(c$(u!Kls ztEW@S9!$by^b9jiXkFl!9;TFbJ8VP>jFiqf4cx@eTnIrR)C_hQ!;^z8ZB(Qc&6AB+ z_aK!-Dv6#-dk0u4FVoVHo~9%i0+dvJ%AYUy?7Mhh7+}!&s^)Jumse^Cq)LF@X&s&O zATC!xM|1M3{0~;KBcW!HCb}mFm*$Fh1)a97E?{=L+NnUH;&Ru7Mxw&SXwroqpM2O# zq7ls-(=8qeZA(eQ!A1bQ-dr@HC*asaniA-WV<|!Cc$E@;lFLOZG|hEDK>rRCiv&;J|MDt!z-$9E2ngJs z99+7QTt#lym;UoW=-^1|+>s%)!LkJ9x&(c2DqC*aW;ja`-N%=@IG z{asR>LhCrp{%?4n4#@+X=4GdS^8Zk8HGF8vdMm6*wdOJ!g%G8k>1|pZx+s&Vw+e+V zW&1+0JE4o7fm8AUgJ?nY1SU(F2;& zfA8RAE8FRJH65QP2T<6`MvIS83GmXjfgX-CiBt$@4%bT;Rxh9;_B_<$s&c!{11O^q z5h89-B*E;;Ad(&F6?)hBrGwdN_nkQQbyh}2U+SF|NGYyx4#kVjRnvUe9sNo{q}h4p z%1J4wAmWUxxU!>oB_rRx_bCc5);}e*i?pb^6qjh7j6KCypq*W8PtfhM@_SULUc?Tq38)e zK-dl+Vo5Aw=T1poT9I7C3Ko_pe$wf*h8C&Jka3*Epa2uM?Ff;>07+BJF28K8u z>FI9Y^U#i~QVP>HIe+Z=JTT{B2ITfKu$wZdVQnn_=ULn)LONQHl2PyoJ(#9nWT*5%9ln%c`dDQ`K zjP__)1ecGyg8PqtkbYTZn06$AkaRe9!UIxP7F7xkfGw@K%o8W2N=m|32qVFW3R$7# z$$L7w5-W+mx228W<>!v0@8XW5?9R(%eD)eVmC3mVr@UM8VR7v#Ov)=d82UG zU~BbSx`|dyCjmnk7|!l!49!3nI##3&({@5ndX%{T$+J_mfUZ3E8F&~vwfH$GstlRkLC9#KE@*_JW5%1 z31KUo7N$sPv+X<*D5+3V6>cu9?-hHsWx*B`DfazO^|sSJB&5Phz_$~9MKBA?t1DdXu>4NsvNMS9GP(+oV1@m8Soa-r7=?iM!k98&)JxC6uTaBBed1 z!?!2nQmVXSauCsb-CRELa-^~enjuh8 zBQAkY9oj%D+|;&BH)E|-URx%ox6i)g$Aef}4bn&`pV;D47Ozt4MF-)E{@l(l#>1p? zDKOK*N-o>8Jx>zsFx~oAlJ+~ra5kJ@2l~39U)rGi5F>6w4EZ^bu;3+a&@vFiZ$pf@ z19U$qlMWg8($b$;rv}mlWjpvL(Vxi2C@d*KlYP1O&@%V+$Rjl*Oxsp1T#ab$4>G~{ zQc=Sx#-teHDdBmsS0PIkX1k5s=L{~saAIkpp$nm;;;Aq9*4+8l=1MYMI;O4SOwojf z9tC0B3Z+2T1h!P@nm_|Ar^iAmFm%T>jD2rOHF0pS%tuchT{5~j%O?aPXj<~ZSJvFxnN;%i?uOt)i#F8ZGc=SYFroxnw$q5*nsb=1N(kSBPK>)4 z|5ehXc-a^X0SH}U=eVVvnRJ+(rfKy+EvW3Y19sv)bhsA^B4&VGPd3+%y^`z3UWQw9 zBa!@l)63kk>`u_#2%#eoNF{M;E{C0#iHfcyyL1;qX-H*b+GZTSTXSJclMLO>!^b>8 z&smq>c4^zvPCaZsE9r z$8heVOKA=_qH6{&&4s2ptAnN$L61&ullh&>=hy(5=6&MdP6${bN-G5Rwtp@vr76Q0 zcshL7&14}~XC%_fX+uus_tO_3mE@`=H}m=KPjS1mv89DAEi|D=ywe)w~i?)n^$E0c&7=7uA#V(!3W`RUu2(j2Jc@bW1< zJo|ngSn)8QZT}drC!2^JiSx;&yV|`SN?}T;-Pv}8jEvs=dgh%VG+y7dh}za#bfKdO z4VUgpFSo8_oA^vgY>V=o-9s~gRseOwo=Ene`|ra_EZ6>#6$vr2a1{SI<}rGC3&?i+ z0YOcmmfx-WGjDBskB}Wg7cQi-v828~u`yOQe`-%Q8~J8eia91k)I zL+I$5v)E&&v{jGpcAnYMXF}lCT?E1{Oevqj!ZThZ!|h|)t`+!<3@qD1MGw-|H9gL& zw6cxe+Y%{dp(R4SftvVhAu6RQO$=Pg->6RYHC1oBSaweHZF1T4A$uuhqyI%BZJay$ zr~G>AZFqDKnXU`~e)HucJpRq&pt*2quBhIc*viHbE`)FQI9&9;a2(= zkL7`5?xnhQKa0L!M0s8re?H++o>}`Gi#9Gqcln)pL9`E!*b!%nrMu`54wNX@u5?T( zuw{mlcJhKWfD*egwVA@L(ZN%aM$GX`Mi9g9LzJ8eMkZ)pz(%h5Db#!lx(=EfXKo!` zc#IobHmK-8kZ8~-g_5!0G2uK{rt`PvcIc219An5aHpGx$A_}G2J8qbRE_-RA_(jP&F7R?cC@~P^R=XO@KAsZL*_uVF~0*lh+X|5 z1ok;}+5vFqAx7K=nt`f#3uQJsN)R0j5PFm@>EJ1hD1)T~L%2YOz?FwK;Sp%rirlyW z+_~-ebdZOQ&|D>Ly#x7~34L;RSC0&-bw5*9=Hp{4G`&HSNUeSOCF;ISN>!eMSc<0(dHG&XbHuXI5Clw_o$GaHc??Ymp(+jpOd=+D z3@ty~ZFme#RJTN|!Yq%g&9r5pC2V8pqO>s64N!S7XcDm%x~5^;azt6K@6)TM4)VD* z?GHHIRzPp->qwHVM{eOg-tw~PSBECrc3LS?==8g!ltyO zBG+SR4IxtogQm*PbZeO|U26!MG8DE|QNGVGEk$D}B75cfwZ^b1uYLX7Dnmz9A850# zojo-Fw6Uc*)lDI*tRT}RGCX=~*pdxxVTk~LmRrxyaA~zI5jzx#W`F3Z@g!4>t~l?b zauEWgOGz`wg>WTz075k*M5Rz-uu=&M5#h_k(9Pm3aU{w2_br`l+c@0m`M#Sw%Vu^ z2%U>ZoWr1;{s3Gs{4AF3U4d)?I6rlvQ!Fs}GkQ{Fwepdz!p(Zj6FJ8k#W4M{t za0@=eM@dF8wz6psw~&`vNOQQE)^H{iZS{Bz4<-I$6pDZuq_(vdpYCDKpgH7cScHXW!FMG&|e4_VCNqTt;7@Rwh zFDh2?!ls27n!)PowPbtq$?;^<8VL|E+sN_ckYV^}4!0ncO>stV$5V~74l0$zmNuT~ z#5r~(N5~G-9BNJDWj@_s9$vxFuDG^eYi)>Hakh-)>>5 z=z?z#$J!J;(v?-xCd9AEC_*a%9OwG7K+D+Jt40lB`l(xzp-#*&PH zuPkb4*kHAQQRs9!kp{;o@)bGdA_pPoFtm}sMuln|c%gj|X#sCB=$Veu6WR~D*MYCQ zQ4MQR;d(^wc+~#IU^YQUf3QOiTz8&h^n~ji<4s1K`ZLOKawRzLYCmNC60UXgBT#K>!W(_9dg9WU-TgX{%di4=x^8n(cpX)xMg`URt+@ zkS%fPnwII(QHbNm^~rg1{;2ZuT%SiN#iH+O4&46k_f>mpTg(?OIlTYO!TH%AY^iTN zab#iM&)(dy=U=NU8=t@Ai2f&!F3MF3UR_st@VZyOt!R!|3L6IX%5>*uxLmsr2156J zw6!j@ry)#^&oHvx2Daq1Bl~7QF@IEPpB$g7x+!R0`{s95?|-?gY5cI>zQ@iOTQY56 zex_22r@!8PV1HA{y7ky0y?^!oru|R6zOnAXYp0i8IH^4En%6g0zOlZdb;XTG4G@}8 zKi0H`$CqbkT>A3b%B!aJ&u@-cc6qkXb;t1|dIS7y`oMxy4(pTc(uFt}w5($uTUJqB z(-wK}=QB%&6=iyk`or?QJFA;aTzU#$Qw%7jK&Dythz&NeQ75L%woo#X>5?*|k60pf zHOtvRkx{1(MvAq)wur9&C$7E-k{X;d*tS1VNTe0wsxg;wblEiiv3Vhvetex1^QwE$ zbPr>DkLC0EZ}VOK7Hnlxn9++Vugqma*)*P=^8|zQ22#^j%MD9z=dI1JvtY&o?woWJ z01cr=uKf5HG>2PQc;YhvoHTGQU!C_U6JI!*(}&OJ563(}jwhQ9wVSwd@eQo6UXR=G z5wXJz%p1r9Gw-G)+``%KT*8_iOQSRi?wWQpmyf-eosBzr=$QMsZ^c7A^7#YYdHgNh zc;q$Q`srQ#ZPk<9arE6Rn0Y4v&EXbq|Lh)~S@TSMf@IkiCl5W5D<)ioW!qdj?gFyh ze*ErCzPVxt)I4Fhc-2q<0_ac6uT#;pm7@9wfqsyl8@7fdpWXYO0^AeL=8-US5_GsvjkqnKVkh4;68Kp%e}P9Js>cQ3mir6m74`wenD zS!8?sth#I|RV~#F$r}W~vnM~vh+ackRkenfPk$Dd<|1N8c<75q`R($D(a^bj#_ilP z^+tRyAJwh--r68jhzni&$OGclELa}!Lx190r zMLaZf0cQX!L+{v{^T*1=a%b8d*fjn<6uWfphE8n}0 zY*z-q|H;FgHEKQ{-Oc*y4V?MgK zjD6Pwz3os>(zhznlSL1HZ9DW*+sQ1dPxw!v}N4S64 z1Nhuo>G9~wfa-v=>RJcW@ajL+TZAkQXn|bdKxI z%ZI@R445(aM1DE(S{CpAj9pE8`FQ@D)CCSuA3DHMrIV>@-Oq&|T+Q;GpYW4mr}D~) zPm|^LV=J3yHoVBqpZpS2S{>_FlA-xS@aS%~)c?pIzxpEt!aVKwlM(fTUpf9#9z6Qj zWP7vuu4WTgd~iK$_k6*uA#?ftu@5k|=r9zDJ3jw4{d4(gU|G^3C^JH=7XA8J#%5^N?^99rTPT{JpA_EvvKJzmR_=$=5PxqzH~YvGnni(PNc1?_M#jI4uTT#`aDgY^_EQdb}Oca zPy&UdW8#JM>*7v(iAKFtzlGZImZL-2#fVAoBmBdVt4@J%9on={p=~>I)tO)vAjUm` zD47pRqW1m+_1!HXLukY9LJYnc3?Brmu)n(reaxc}uE$<78FGfB&sc)0TZY_xC)(si zpm`A)ebJ9yhrRSDM3xIN@mYj_FobK68*fJKdlPh@V~90<4~^eK?s%yE96SZ+$9#zj zRzjo!Q83l1d-bJIy8_(VXd~}J489tKj%wM4T7NUz;Hx22i(UC1cb zQbM%{@v@;1=isQRz4zq$yKI~slJ%czD8U}PY2MxmNEV=p@yQFILYghv6; z23&y18-xA%@s2?zQp_JEu#tE?!XFA*r6gp^?e6MX);>Tt4(=181teOxXG4jE_fiRL zo2(qKYsP@QY^C7YRTT%YfE=$2pG%iPOHLbF;9qp{gh3udXlFdPdiz65c2u7;u210~ z=Z`K&*M!>;T9(IUoHDX^UUfq-az#<@AkWn9rnkorKQ5S9K4Wk})~)Y+Up?=cul9buy)KyNF$}-QrF(RtAr(Hirun@t z-DL<(A%)Mai@}9i-l+rgGk4Xrg~Fy(ee*M1!+U3WUS7Me<)M$a)d4JAv#;^2N0;sW za_7Oo@S-g5=#m`wfYNNw%ptw}U++2?*je3ZqH75uk+yJt(LG?c6xcEi?}c;5m5A=K zQnY6YluCdE+ixo~H?OFUyx3>^7VHZPAu2>H-V~AsY5^pjL6LCT(k8=`%k1(Q0KD|W z>tKa&`+DPcWg%?~L+E4}K8`A#%<#M+Y}~(r;rT;&`{b8sj6{rC(o z*oq9pN0!@U0q09bq`r? zKg08faP!h%v7z>RPUt^}x&4p9=1N03ZNKL_t(^{y6Km z6lV0sk`^A_&6kzmu(574N0(2hEUSbgipMjy_h>%c@d?*`bQ4GYb1r{b{~TFvKU)v( zVENuJdHR&6Ic~r)ob<+7+_&;!?wE2DKOJ>8rWuOzPl2?U(|;COZa*(x2ibRrRYYTl35RAumr?wkFp)fR^d`~W9=JRFsDpppl!mE23 znA4x@C*Hs>$6v$EEAD09zb@vKfpfWi%AI(0H(72!<9i*(jZ5#~@%2wJqjV~_9r+8S zvdJ*K49OkHG37_Gscs_~hL0Cd{s*Ib4d>WbPv+T;FY)lq1{@WKYykIDg9s3|}ZhC_!);tBkU)KGd+djITo2T8v zEt7xFZJ*!E{6*(;;^4X5cl13d+7sKPoeZhu2Qj_w<1gmw_itc-YYi8VJ)iM?#&X8! zGr45k1$?k|G2{L^iNCIXhVquc9~+o3Jcv5loY6DaZH7{2M?B^eK@{eNIc?jR-&JCsB$bch%puA)PLm@qA)LfQ zeKLD9W5`KN89JBVxr5Nq=$lnWpN!t<2y#5xj42$+yW2kCk=1{uUv@dyjK2(B_mJz! z=E{$L&X{K=vgpV6xNgD~Oz(dTf!Lm6+WD-Zu>jpbBEMqK3ToQwIJW;xwp_iDUmSBg zd7f+nt+kvs^c4Pf{Nud4_20~Vehx*Mh5UK$@0r|pIfCN83K4uC)dubq{9ZSliV;Ed|O}NZTsRu)fbD z5rj)@Gb4KP?w2IVrmHV@?-;>i%wN$?-i9{&Yv=vuyTHgo8~Q7>kq?5W7`5$T2-YIT zK8h$k3%TZe&k3b*)u;Yy~{D{19$R8dsa@94UEaHhV68C(?rqr4Qr3P{cSC2hX5u>qA*8|O_)@C3xEoX9{a^6#?Y0*)+ z87?E&=hBr@GGa$JwLr9|lAJKQcec-^>rbqxta*3I_Jbew%?(_3L|Ng?0R`DP*3{ob&k3W8v%M}|^B9`;vq=MTin82BFTcli?W`gBV@q=~ z-ri8v_~?6^>QM-!Wb_3Sya2XRj#p7SS|$@ZyNG4W^PgW+`N4{v&BX(9y_%EsU2Ump zHP`Gu5CYg*+Zy?DeMRe=0}8ySjVsNbKCr+yx;V?DX@b|*RzwA8cHcNO`|SQ&#`Zu#^$Q8xn=s@^v>wT-sXK=F#HVqW|fiU_EVl+%F2qbx%ja2 za2p;pO(VyXjR3x=_!@w{%@ur8v5Fg}{1Si?e=+Bdn2+C;NlEWw%CgHiuzv$6MPY^$ z=@zm>(E-xI$+RQH!gV6icw0NVsvXeZKHs^7t@S_R(LEhI^VFMk zlf*=^#^c!}!j^r-rV%bRYKsZbI<{}C?}y!$!gfB38yeln6&xek=gH;Lk>}DFZsyCX zZ{pz{Ck~jybL*ap?;lyXWfAXfc$JAo6PVOzB7?FA5NfMqeeHLgGkhLC!;4gsEO!>Y zeZ7!Uq6v)y!2`VcT-=x0=kHV*Wb!F~WA3t3SGt0&gBa z88DmrKs_f8p38t}xZzRdQ+aOPb0{UTZJQi#0hf$DkAuMmzOGzNY!Ewn@bSE~?j@G( zSxL|e6S9JQx@!sHri1Jm>m;&VQ@M_vRX^Z0GP!KRg}AiY6lCNBFur&!=Z!fVOIqCX z`F*V4{S`}%&nU|qh!BF3tUfF_<}MDj)pOnZH?qH}3coiOh3Y8VbYe&+TdB}&D?^Yx z+18b;w*}QgkefWYBze*pzci3`T!wwKN;!MTsaVotV()Q`E*K8L%+je;v{VA{!sb_b zcjL>ftJ%m6+0+~m2%%b+_YhG(f`jFehTx4os3e7*{_}w4}Z3!-oe;jQ-MZP-~h|F ze8`29f5y=K!7SeKDSul16ro@P7#{ALemelSetH+1syE<`hJdBwct~M;Y3Yph7o`>)eA&slD?+9I>9x$u7tA6*}FNZ&qS7-`7Quge|9r#s@DNv zNgJgUy3pBFzlA5({DtwwSV2m3Z z;5K}GSNlCDzc!yM#$U=6<1gmX*$;B&@YA^9ol7`%=m`My@fY#ak@NApGZ|kzmY*GQ zCA~9y@xaR8vvAGx;Bxl+oIUakrwZxp%QP*so$lx!tNOqJ=Du_?8}@v|l)IlN>7lgf_Z@X`rLCHdgTkD~2Hbl+amh((~lmIzxGsQ`r} zcpF7T)k>W@lwJrHX^p1@NXdUkr+E!uL*qIplnzieAHnXY5dE)m?sxtfS@AyP9)?zQ z0+@}6!egB9Hb9iji-yrzs4c%n)va;7McE@9SDK3PG!`CB7no%_$BZl4t z?tEz5g;w@cC!9{tK;#^TYFOtOP)SC86qeAT>3h`HClL8Z!myj2a612BMEMzDHX%1H zfW{wD`#*!c@s25A1<>*)AhL#{surWR{tcB`iZPP%s&4 zmpLfx{}i?LMaR=rKF*>O&IB3Aj`G;PeI3Up+RY3}GF# zjJ6t#mVTK2Fp1|qb)T|at7{Hh)lFfuG{@_mG9V{&&G%KU=+Sf{ril?XtRj|D=t9V7 z{)m8S+u^W<7Hw%?>^|6rfp8g)*G3mY4D6NZjaar?w4tiu`>NKUvnyPHOVfVbc_8@n zZS|G+E#6YU@REt;vxgRCpEjX1Cmc1*@_dFqu#eySU3GJ4<<`2khL9xzBDPdWDbNjp zWy#oR9W<39V&c*hLg!FI7eX`!OndF#0}(uWG-HIbdDE@wBGapDF*)IN8*gu@3~Z}u z37>yt-<;-n4Cgtd*3ytPb1N&Ml8CfulBa6nfa_2{cMbu?(h0v6#Nq`HN4Se6bYN56L_Mbk?Ha~8>4{?!$(U?Ew5~RmAj9=gFBD< zB|evz=hwf4ZChx%Hw~Oa=+qNsB^46Ym%U*xqc8!~tmU@v$Nsy79gP7!gvpq+LX0aK z&&d3t_zWN4U+@KP-PtI7Z23$E6&^;wa#ktBb{Je*JPAO+3^1Z-Ja3=kcpW#_Z^5m( zoXy3mop)Z{!#msl&9A54#`P1fB+H$}XM2{hwrVxFy*xhWVa635#xFj-la*UOX6o=c zfWoD_7@j|bh;6cP(;KX=T7w=-U}A?ETQ-Sd`9ts+9=^Zon|OHDoPo0#ReTt`8~4U# zWS|o^1YW~gS+k{$Co_jv=ReQD`~j@oy%N7CGd>yAH9eaAz>J69$moV`75(RPXHcBk zJL(u#hb-G9x!QolXQPq~Da$1qg+(h#}E!hvvui0rzzaR#=1?QyW%?I)x8YKA4Y4Wjel-> zot;g)IlAvr1VbTbu|en%Y31aRXYu-J|KR(&%~ZG6pb4Fb9l@=+@kRGI3Iv*F5KGqH zFQ=T=NE@$iT0}*2CC+r*Sr};yH4?VNWEehY@)c=M`(EF60L(}{i)O@*IBhlBe|QWJ zZ>)Qn3p|%`-k7twYv%2obJ$rtwd!deoO?f8>$g(fydPa?MC=GI&4t%+^wzDr@w)x- zBqV)v%V`a_^4i8XsBEfo=tz^oJymZlWPd*1=H)nNFO52Li<$Aae!GN>PTV@{lDjdY z{+ov(Lnp>Y!rw1`w~%{R{1%t)qM~6pQ%fcR(Y`f;6G|2PC=%kZev|mau@A8A;0`YT z*R_NK4Inh`nQ<4#4?d1Zzy1@?uXzT|m5CPBuf#gj8$UfWcDgm7lAir1daFRH3`@$S zy)+(4V@OaT1pQJ|i1!5F_PWxPS588d6%}7{<;OP>krC?JYB;=jVh8XcJA$SeWEf6z zkgydYL-X+WpFF_{gO20VT}#RJINl3e+UR<6jxmVosGHThSFn1|7d-mSpLy-{=b2JA ziKF_>Bw{)JNAJu+1cHxueojqm4en@P8_#qpG_Wl+&8Z_~hQN}z^u+0@!mS(ZJh+P; z2X{G%#o})i7+xo;glOhf1K!^JE;miPf$Jt+OIgq2LPSM*0I>H3)b_W)4Y;E;n#~EHMm=eEo$T_30C4BAtzTqhQHlQBLs+OQV>@TNUM(h>Vng>ehH_ zzjPr&tr7c)l{@QRJa>H7{XZF6))qG9S3lIY_ASZr=D39Z;g;H#TW1aC#F4#oUK!l0 z;j{^*IVHJ1_dnO}s}HpVEl*UDUAm^>c4^yc+9F%)T0;}db2A?PWNY0Qo9kMqjOd;D z!~SLyDHReX49N2xGjveq`)jJ2Bf7wdDr!x0$lh4l7~=R5{8-x-zU=ummBOWIhnMDf zHq|tl7adWacjBnx?0GW=Li}cTPyIRAR0+>ClFmv6Mep!?I=lSBaO5s@50(2*v zpa7iEEg_IniI}X%mgRW+_RsU|t!*)%|9W@x1E(HV2=LfvTMx80wApwJ9XmN|k>hnr z@ji9tc>+3|s}=jm@=C&4xhkBMl#~F&U4a#8LQs(UN%DR216}BZ%m7b*`*&uS&*V2# z?%-gskrjKEP@2=9LSF&f8+QVrX-?L!FdAQ0eFMOr=6zhg_}un~Spu^D$W@(kEMH8a{tQTQRFYCJiC|l=uZY+tuWVe%z`t5wVXBE2UO76_l@;gPW=?30tM;!HDlz1a9KhTo!(H>_xUg;ga>qNFH z8p?V0(9`f4KA!pRMLyg88B$8l9d$OR4L*t4eP<-K0}yd1vuRsQE}cZKH;0G5d5jNs ze9R|jz2i(kRdk>OJi3R1|Cy|>-r!`IlaAN%tdaBZ7#^Nl`z%X$EkP>D1!FJZ zcV<2eT8_NP8@ zfE9bbWOCV&+%WlS9$x+jMi-BwCDe)#f|}M^9$x-?o;dlBJbL0ItgT#6U0WR)t_(U% zntCi-1w!dSQfObnKC`L5RNL!J9Miy#uDWIz84SrCi1L^6_%RRDH>-??RzJbwt?w{z z(1{#gG>+#tE#&PV-ehF&vD5`>nOf>hfKMEF9M6|d;)2oV;x)Xito)it^auhWz$J9h zU3^=!fdip~n9}5yC3jQRypJhmQ~0KOEk~72VOHOxxMsrTys_mi4l5kRxucww#RV&V zM{}fwS^bW3jBq96e412pIPY$Lo3AU^GO}<4FKm2;Mc=>9sN!*ituW1j20ShwE*-WW z*v6`g)y(KOor}hv$LBjf<%;o_0I+n=aPsW*Q#X_O-kV4r|nU;o&LL|XWdM&7&sX3H&^}DhK@3@i z_%Fyd3Ex;kXhFaV@?*nxXQRKeRpxo_En z6le9Jz?X+qiYvxn%*Er*W67?i*h=Eny)*P;K~D+6ODwo7qmn(3C7aj$H>+^s9-g! zeifqcS!hG9!QSxDbL zbiQiA-BgPnGSVhFfKJXg!kO56HSMKUdmFBPef_SckYzu6_PBwY?w&Jx@fDMXP99j8 zxpZA+^R4e~+Bd8)!?*dKIinvuX=M4QKh`zg`~DC6Q5srw(#Wa@P8fd1#FCs{dz(U+zr41pEo90?mrv=p@y^*pP8d_> zf9>nNjTE$lrSY;wQmDW(PC`D(0w51Tr*~{c}X=26qHNj04jiJ-W zmuA0q^^{U{DPCH&r=_krY?`)|udm({AXVdHXIu$Q#2bZ8*WRZNhZ76ud@5TLD4{U3 zHQUNb>fA-9w*pNxiiEb*!DX8gFC2>>cj-Rf-|-RWesDRJtyTPE?w{Ct#Rit0{V%4J z97!-5N~Gaz!W6oPmHWQp#?S9yX8CmXUA>vgt2cA;=<`^*dns%7f6HA{Z)VZFS1^R` zY&h24{8;lHAMX5=DWylU{QQr2ck91+eDzBwuT|HWRmT)CRVi^ij@2uexkTifL3 zPwwEUwa;?Vm~+{A!)BIV_#xlbZsL@M^Z07-m#o~ok}vkH;^d(x@b0;b;^})cbRXaB z{fe*mt>&gF*Yoaqi|`sACta)(@qs1Q2Ea+J90)YcD)BTe8oiezmlvB1svsD&N!6ez*hQ1p?gmkhcLAG&&46Oe{ z-g}41Q5=uopPsPsa?qVl;gll^AOu20nVdw<$wXre*w{E>Y``RAY-7NH4aNkMb2b>T zNFpPU0OhO;(&fBiX1afW%guYl?yj!tDkn)z(P)mH za0GED!5v@R%i~KQtpaQ~CUycUgDwm+U)gPrm)k zw`q@eviRF?&~$kne>mVqG@)ZlhoqgPwz!sKrW{Gkj&bKFck}pX5A)<_kMg(A9|Yj^ z8K+qM)=_LH~GojOL=?C``q#A z9T-AK)3o%)5n6x^otrr4mG2QY!Yn&yF-_m!z}0*GoStMaKltb6eBAgMzuE6<)?T=j zAMJiA4}bjxjXhg=;@AiH&3;#taNN-3K|R3h>)vEd+d9sjeJ1xVyqjwlUBm0^7je(w zx6|^I2L5^K^HfDEkCOaToTA zYu~tzH`o4)yN>=7%~x&XpXa>H@PaC&V`a;29=TRhp*gD9N_1xhiqQlc5h}B-olh~y zk=wz~^W@Z@??0Kc0|ue+^|90fH#Kh9lCbXX zJ;v=gr_VZ_y++Lg;HrIo&Zh6L;IMt<=9o?$KL2we{WMo#-xCMmZ{-F3YKHgs<0-erGhUd>#-ICnAADyDkx<;-92?XiM5xmVCnfEFurswH!l7iA8h%MrNJI&i%-uw8hNo6W0ndP>5 z?X^mQwmGwBnQ__kznfQS_HK%)*P|V{7Hz>2#I)TwAR;3@%T$i#M{_Mv^2@7G+ZG`v{}AKQr7F!?OD{Lb%qcmXA=apCD=uM&IXg zFZ{bdS$*zuS|NlgkF_kVVThL))V!Q?h5s_;hsmZ>E|Q&lwj(@W%k8<8rE!z48((kI zsTolctSt?h8bT-q>sxxQt!;f4mQ>TnmWE3rrY@CGA8l?=$e8UAG_=VT(Liz7)K_fn zPIkvFi4YL8WJP7voKzVN2!UviSm4C zP#LYDzO$az-WCi!!1Q6$Fm!_@^`Fz%*Ur=5evV_N9mV{+_T{539}zJld1;xU^#GG} z-h0Z8CK?U4$cpfJv2!;*pL!C0V8SjkX1xH;2<$Y&2IZ?#lCTkGa_I!(cAT~C>#>!4 z&?=w@m|W^w@j4Qnlm<)K*4MR0# z#`cYjEggdpf>q6{iJB3{mW?H#2Uy;;f?h8n^pJU*HEAmdX~=@mV!N{7^u!sfH>Ms1 z@2R~A%efVlkvdX|QfdB;D;|R>j5Ph)V(qMM{u(_H!O#p6$v#TLrA#iJfF?9zR)VEl zmvG_E7jWl+zvGXe{h520-cL9XWo`Rl$onXU=UP=u31{Sy07GLm+Z$rY0*kCd^cvyPHbF}l!M z-Li(#a0w%eM$**VL}OPY2|Gz?xP-}-lhDzK+i_MmuffW~F_*s{lXZa;4Kz^_J-hEa z>t9I~2|X}wuIjU2K*;K$%56W`gN_-#{>2cjPkG>`#>5eYHMI7%Qs3Q>?(1*y`c^58)@urWPI5;hD9rB?sez?vT!+T+t%Soo5>ZE=u7sozI_8y z+C}2tmnD&!@Ifo`AZ0y5qA^F zN528R0S2Rg*u*Xk-yHwmSwB@=n||8&=ZTj_N|Luy)QZei)cRd1Wm=&^BM^Zy&%I3p zB+7{)j3ThRQQa#+7>L5DZp6CoRgh?c$Y?}(lso@fUC^_^b8&N{*CBLpV($A&B8ql$ z-|yXo2#-KHap>LPDo9$;gKwa^Rzji$QM!xg8YfVFn;_BZy4Xnvf|ZEy2*Ar(6>Ee@ zEyy^kXC3HKM8P<)dfa!d9te~niYB`-tZr0a9im`7NDI}y*3GF^Jk3=IV~uV*v>>Wy zJy_jtP>JGc9uBsPryfQ`$3U_J)w>CT6^O_PRH6-H4X$N2T#bl~0GUK}ttHE)FpDJ$ z1A};Hutz!a;P8c;-yev3*{|(@A{DxK(n(g+k-wBJ``ajC_mg&a+r&FNG{7PsAmJz+ zsnV7$QwU7MU419K#JdOx=psFOCLM__A!xWhM5!}cmZPv$YHI>a-HSiz?bgI?=_(fK z?Q)TIax!6M8WGS0x+YKp61H+DFaf3}2xuCXlvolB0SbYm6sFM7G(o~WTSdTdp(_uz zP!QDJq`e7S5x10C5;5*Nap&@Vr&dL)3PZ+GcP*}8w6s1(B#;?ccT{;wwNH7Ijl1=h zop(;^5UGm>#y$7yu%q8Of6Ewm$5T9UtY&sExmDQC#aK?(PFU8JJD6ns6eOHDIKIhH z4`6CKNvjWpM$ian3?oXBuwv;6MAHIpQcfq~W?$F5oiynXFv4h>j%6otymK32GlHWW zl2$y8ifN?IU#Tn5igw$iRaQaXgpFqV_Vacn|H2uHd}dxJ(0Q#Y|4o46GNJIR^5oy+O7PvO7` z`*ZvIck#oQFV9IL>tpSZC+a-(7a*f%QdUMTi=Dse&eY@JBei4cjmoW)inzDCI>%)AY1&e45wE7zjbw z2z#OB!BLLe-w=e&u-7Nt=tDs>gf4V9GL>{NbQ4VolD3-wQWF}sV-qw&n3{p*SR_14 zs}LF?JxJV+qZC8}VQk0t&Ibr0X2`R={TsYBKo$nq%i)E`$4+1SdFpZauj7u8R`PyO z<>|$?%NaNPxg94<7KBF7bFWO5w45X|mEaHoPJ$oqaXG)=?>g@M;$FV@;ss!Y(2Y=f zapcM^1kJE-w_3S`1tR-GbQXej$;u>^&va%%C8whDn-)H7=OZEe~(!) zH#xT+NC%XO7!fRKle80Zp@%n&khGI7?==k#4JmC*J&06} z*C+g!hmlmI=TN}V-SH($hQ4u|25Hy!6sJMo$ph0A$imSR9rNTU;y&}eV>>pslK?a{ zO-DKwX1b3j&~?*2bE-0RCcUxHbwf_cu}IhLpQ8gt2tzYaN)q#p7Xc%Pp&7*OIMQ*@ zG1NGGQINH2g$-`nWUIf_Kt`N8;`YM+w7vIxwt5m%?VC5a|87mP}+qpr^_S z-KCGfRc4fO6V)Qzu;%D)81J-2M)&eOc|j!{kM2TqljJG|ju(AV3%KM`7Uq~+36GraRs?!4xsKpY^F9rhrneHP+AsM!yh|t`#QaSyFP7%$mA}nK}&T z>z$@9FumR>rSLMQr9Ogy?^I%{DnHI)BLhnbaJ&&9UM(vJ5G5hpg`n-&-0;?Kx#_K&-GzCM z5;gQeec(w|IG_mvQe(LPet@F(Bwh8XO}L@$bSg9iK|kM8_k~8#ocwec-SuT#IW?%-4EZ&-W=6pzhS`Vy{cyb#wkXf#Mrf#;`nrskC z?xIwlz0?1O0yPx4S-b_5#1uw`ek!|cK=&`cRAxLt_uWtJ`{k*~*Dr?Dra^GtUYq>a zzqP5Ag5f9-s?u?C4FgmQy1<-QZrLz!_wDbRyy-bQ`nwNma}6!oH36=g8zO0ItxWQB)VUk^ho~xhH@=e zT4DBW-8ZME;ra10-H_-0%SgTBxkBnWYr5Qa<-VTg{o3@yO)E) z3<>B{{gN&ZbnTELrHY#BXzPrjC!#1La~@|f>(hYYxYG`lnR`P??(4sDquQy#U`Ww_ zHo_&eR3Zxx;aPHgbM^L>oSXqwNs+e$1_D}Jk0sB#{he*Da-|D`h8v0{_gLFt)~7V{ z#lXrFxOu1i_iRI{SaDHeb)s`>b#SE z&I^u$gc>ehsST*ZHYEXiR(#cIjvG_2*)qE?ZwGe2#b~O|e*<4XKZ1IQ4ec8_;qen) z_-2@}k!R2zB5$|bU-RPgpX;xw>pwA3_g`EouvAFKWR_2UJg7GW60##ZXU>k{>)umo zZ+_i~@W#ePyuRjT&_je%vY~u04+3*Qxg9EBeYXbW?e_Ysul^w`4MTwWA6bNvM{cFU zvE*>^=`M!ab%_now`O&FU~FxJa70$o?ZN(U%WW>)?c?$PW4VKdSIKYa3( z8vtjOTlU|8l~s0oG#V;>hEO)ck3s08NpwRWGt?@F9Bcw0S&(c;kF_IuQ*jFEr$nVD zbw`Q*N|YcSK*5c=BD_vHK#&S0`Y8xfc^{dvTuCy?XMI(rPibnN5*4#0eM#wBax^yx zgA{JqH34W!peccriteOC(ov`Zk`Lp-7EVTqQp#0aq+f|jnLRZSdJ2X{IH(Z~>KRLx zk9fI3BNT4uaPWdgXk_8+r;#V*>BPNR^mGJ5ccfidAd(eX2kE5AR)pwGw*y7iE@19r zE&baqmz7kOJY|*229)zRO-@piT2B4Bc%)#e9OQETikz}Sxw}@8P$`j68DS%wSt$D3 zM0T6{DN(sN^n(EkMZ|~@4VMxP7P(O))picD4n%+a^zqZ#SGOaT0`2og)esY^z&Xx$9ku>%cr@>vT6hhCI+kE3p zR{a^;{-@;Dl{b}^+ad9G5V=j$LkS$mp)cOyx@;k~E4Lz-xB1HcujRHsZ%s|gT7OFt z)q!?&u`Nq(bLpCCw(oxqZ}ZYA2j9WQWOC+Of7!wM%XVpyDeITptlUjG{MzCEn$x$k z%1MciMnR~Af^bQe>-RuoVZZ(Y1JAW6a1@#?OYE4Ftt9_oW2chZRvazum6rF)mk2g* zxzuNna{e;eR2;b7x#jZlJ^iXkfBs!q>2moJ$@|MV2}pK=og~ZSDsTI@Ps@y$4S_yh zUz1XfU39hRXYb2*?U-v{EpfTl+Jf0VjbvqZf(*p~78~J?ngd#%a^CSP1+K%qBI(Gq z!scgQ$kfqEQ73)7zpJ79HGf)lBx-8<>&sjEvaC45gP{Q1p|mh;>^r+WysW-6xxTS0 ziJ@nDh)DGSf4lQoj#3JvU&se-_fTB-1X*~aa^UB~!w*}4V@To!g)$M&asktVMhm*r zfTRMyMcO}ZD(@_T9nTse^pvF~?_}Wqh+BOi9fE;^j4{$TV0jhftvC0-0Bq%uOmu^0 z5)QbQ41qu@hj^j~(hER92y`Rlx@Y<7%{u|5$d<4ERNc}c9`7bI00TlNV1_YuGYh`R zZPQ@iITKV?y?G}f-z7lU3Z$&Tv5SGG)FX+$MU$deXevrh)ZOjUAa9vL@ErtinL4NB zKO3P3T-Okl=jH9dlFDJhxCK;1DyZ+O=kvy;Zn=CrU0%DkztcIu1fA!de!R`Yw|@NU z2ZR1sE^nn*mn~}r`{;^yTrQq?V1mCryg^BKxanun9t8G4{d*wZ3fwaZ$+T>Furz~E zAPV_t-tT`Ng!+vEnIADLhH@-|fha*e$lenVrq}A@le*8maOpX1%2!RlcINP5D7?*u zI~2K1!|~&huK=zKnB$BfNfEvTpVH7aYcXO%sPJ}q`(Kb-fxvc>SYG1e-13?cCS-&% zgcDN4H|j&g zcf0*N>)rso^~+hlw)x7(l0Dv8=hRJsW`qd(U8?=O9YDUMk_7Ys`%F5N?szw!G%QJ{ z5cs$I>i{$pL+&rxxb|xkdCK`OM#0k90DwI)_efiy*cN?aL+gi1Bxai3MN3$I#l;M$fwT? zftDH8ZAV$nLRENkoH2eu&6p_AmFKOjYsXysCaR?I?)=RdT>>QppwbFRHYPdBlh|>$ zJ%GN1Jb%H2va@y{UFtYWb;d0xplPBYWau%=krzLd76D(iS%X_^fSt+dWXky?n}(PvJ|KBcnLw>%6(Hj8eEkG;BjkD_SU&Uga-t zIZmsgQLk%aW)}TYuPgWP`t*uvTruxQ)D*fd{XK~uu6plAmTp^$sfUncT*y+@J5G{A z#~;Feqxa&v#WxeT;}~8PpHz}XzjBp<;fo96LntXN%0gw_c-Sq}bv1DF;y++12PqvY zBNhDY!0Q=NIGmDD3665u(6*7^zke$m+Bc$mK`c@S!Ic-;$PEdbsb6^u38j>0{Byf| z+)gmDd;&k&=SP%;ODGAIkZ=-wx%Dgl_}*=_^t57Vy0^G+TbDW$m1=J)d21S~Qt8D= zs;(go=ILkNw=KbTs}fqkk&bi9&*MAZ{h!yz}Jl;Ykc5AbRI z5=g;-bl>sQSmE+D6@)_J-WTL3VENieo(1;yCjUHTc9^#cgj6W$j9_Uf$Sf~$E7vN+ zcz82$UmZKL2+O)RFuo{A$|S=gm0a!~TMrZ`xPE;QD(t>Y(e{*s<#4~8((hs>pv zX`^|D#;M^-d5Ly2ds6tDyCITrX*C1 zK(M)U3pXvkg|%(#GG~EPK@do7V7lY8f3Axs`X{|tH*wpO zNeI`VP5wOuhq?Khlm#8jkgNXyR;R0QxD%rLEqoT4wDl0uiEQ0Pjc>fqwalnYv$JUJ z)#1PA$$1)9dP6w{Go_4>QwQ#SArR9pM=RR}%p$if@n+=8TT$EILrgy&eW#xxzy2+1 z=~X#Nb$xiJcM(%<_F2xpsdA}YORCV+NK94Ae_D|Oka~Lqdau9{nQU%;gi7K+7B1z5RWDN#Ea8G(&td-Pc^r8E5p3;lK+_C@dcfOp zwNOfV6NJdPnFxXM7K6Ib-7M=0Y{#N3QpUIEoQWeHp85JYCYDd&;Jq(nM%8qV`}>K+ ztr%Kbpk4BYbT_)6EuHiLlZx=Cyg|y%%VoF`$ui^{+G5Q6uh}x9Syt9AnPUX%3_aeB z<9o-qc+R^JOV^$AV8Df1YC_7Htb{wMT27KH_xdT+HG(;5ar>Bh2YLokU5fm{->RldeP;9q~?-aupvX zTsd<2)<##n6D1`H8Arp5(IXuU%^+X|-RNb~M&{HPGD0X6aVw4{ba#;}1OeS-z@610 z(yITi`gRuC{!1#bWkic7hXY@vZX1T&qI9h%9Z59@_J3P$1p>>lY3gYvY=${@ikma$ zl{K%?mF#vStSQGG@4PWf1a5vo001BWNkl)1w|;O3pVWU!(oP~##2wom$22#kg{c`Bx`}05SYDsPQ?xWRHv+1+`I2Ae z{A|B_cqa! z=tfCNJT15G>LX+Xv1}_Xi?+0Iq!&CxGf3J=49#$@&_0~Ac$?d%yaemtZqbhpLzP>F zCM61G3iHW#WRr~o$7`Y z#~~eULOGy?+;^2EZOHINKz7S(USlOn3nGN>hA;QOBOTZ3r3Kt*e#%?72=85`T(I zv|&cNxOq{7)0?b#^cIE}NFxvJvu@>CpQmsZ3MEuH)+cJiuqi*&GS?0(QiMAiF=8=< zrGw`LCUSBXeG}`G-?}1j&pZW8{gK5RIv;sydF#xbYYLYB;(&?ou50c+>c-bMAz;$f z>gbYRA2xnzeMdZ&l(MEcWS)B8$BkDloK}AFt|N=3Qfg^^SNuDVEoo}+wdAfNOF{s} z0Ym%qxjWa4DUX^TZ)}SlJ*%d$D`ClBzVLO+%kQu2nJ_GDP8?Pk_-JEmVvosH;X6*5 zQ~Alp)_6rhNS{_+82qBHBYxgPpS1LLCY-{;p#F!GcPanY z{?NEO&G8c5smwr}O!jfW*aNs_!3}Ka+{n>SpT<`kKLibmiboO+ghA-cAF&&E9{dLi z0tIv@y19Pw&Ahke1D-qnQK}1uk#sD+yx=2_e&Qsy^)_+Gp?_rO>X~fp*u>?pU%}^F zKIHhBr*g%fms1ihVO!5O&VBKFtZZ3HPNe#M>4ErG@E|7iZLal32Fv+9(fzPj+n#gPo7O(M;(ux@BqUKhH=5O7qM#F zau!THfZrT^9hK1vKB@bZ5k)opYwcTH|JF_3?x*Y9Z%c=dw|vZrcO1{2Gxy=Wi{7TT zw3eiuWZ|?Ux%u#$(1pgf-e#`(=dXEf`9HYk&}%qk@*zCA>?sbLawvB!zJq0rU-HKQ z#Xvg0qi$hh>K~bjS153771SKEqs@#dXqBCbZMtI0 z(04jBum_!}{pIq(QQ$ZZQL}(!rYr>DN3UPO^Y1+l|j(^BGqwf<-R*qrPx-M%_+~EO;>9J7%--4IxnC66ph`Dobt@KnOrf6 z`xgG0Wm~`Ef|oAkyj{-Xyj{-X&Gm0FZ{%*2go=4_)yrJ>&P~`>obrN7ezEsYIBe3v zXhP$Km9H>s_zY@GM&n3_B^SNVb&GCf%CN~ab~R#4o1#DgHy(T)2Tb@D3V34KliafS zHd?!yxNP4aa`Ma*d2`*r*sFF=3W8Cd{_=TZ=ivV7}uE_mi5 zntPhlyY1PuQv=heUw`-py!HNSjuX`4POZO)RS{^_dSXqwV8Z`GZi7aImCdU-{jrlE z7-9K$moU0yB&R)lE*uWTIEzM zY4O6!mpNk6App!BF^6}*`#yjE_--awOk`c#dS+D5;I4(Y@zu8F7@E%95xcUyc_lx5 z%(zet_gCiX-eCblwHLqal#a}S9YA2>vOk#Dz zQcjt37FX{3GlF`6C%%4$+djOLJCFDym5~a*`_lLMs^JT+J@8r%n{)_&{p@c{ubRq+ zwg|SgDG8PE+e5Brzp?w$+SkgZFZ~EpGq~mOn|WcyOI-W)PkUP_Zq@4~~cMDD*?VMhx2@5gdj}bR(wz6fx#3P!hHF zPSl#)puwnNsL%yI4selpvf<}0e?xYu-0Wv`+Qb8(|f`G135->{& zbOXRNG(mC5AR5xkqo%&|$dbsncOO&s-Mz zXriAIC4BJR-;fMTlF=H#ADa?oYMZ1YAyPXv%5~8JjbkSrfhIKWTJkr(s{fecveA^4 zjzKDi_E;yHFquDMcV1ch8ozu0_ZXVaUk<&MNoC`CV)@hbCj01!cX0pGhY$!}IptaA zjo6jHe0nd#qt!fg^j|q{#>qT*^xc$%i@D{4+gZBxD@uYzu4Tw;f6`7cqiP0+OgNBd zSG>r|=2dRk^%Tt%#O);Ik#e3m?P;Dp70%dVs5aNVKTvhVnPm|QuTznye1 z2TwkTzkl*~UikV&3Ifq=3!L(O()Sdo{s*s>0?n2twv(+$&56a(#Rio&bmqWJ|Mxxc zwb%d2I;5QX|`(Me;hulbgXC3!{_8?6?%}gIQm6y+Yj)@f$`O61)Gkw@J z9y|FVh8GMYX(tf*+MkbB{&F5|2R(qEC2+a0eSB3p2g+^0a!RGGvVHP{W}DPRgV2;O zn85(}W__~DWCwZ}n70arAq;AZM-eTpA`~qrWCq!D)I4?{F&8NnQ8UWinmOz;d^So+ z#+1}Dw`LCK?0g0vZuyAX;!*r^-=DKv%^U)n!K26B&!zJ&V)3RAcGIBwd}>@#+6N<$?)cJf1fXSefsW6hf^TDOQR_WLRK9CH@|5umnY z6mv(;;f&d*@!rP8Oeh=AuMfJ4=~YuXZ0cd$y6_M5S$+Ke?OWK~xrM?&VU~R7<*oY9 z@HWF=AFm{6mJIfj+h|W8#{W)km68~mju|PTG*p&OoLe3$MT82_g~1I6T+6Ta`5Diy zc%CmBm-3e*Z|C%#&*IL*|H#70hx6F7CwX@H^K>VAcxCl#0MvCh@WdC7P!ufWkckH| zr)D;VW+A(coXa_L&Y~yLOKYr+9Pm)kt}_V1JbW;2$=+l3Bx*!>=!E+?X~qfM_v!s4og~kk_BgdAqnS~?6NgSZnDT-u zj+lHHb4SkM&`Ad~x_Bh}k6%DvvX^)=Hb|dU1JY{nKt4Oj+cd8P!j=ff8HsIW#Q>K{ zeVb#^EL6_9p6vyfNY|YzlX6fpAX1B{+z0e9s^vXY&jz&VSD@{5Ei}FctskQ8{71yN z^U-Gi4l(jLWc>@sO^>-2slv&KvN7QD|e&M%(F1=&eJoybWSo5hXjJ@B1ti zj6tor2TEq5@9`iaG_3!bD1h)VM9Bz5)EoYKHfQ)E6Ns|eVE3ZFx*65-DcYn95EIWw zp(85hqK!Khl#PltqK!NZed4*U6)l|+S@=GA`cBs6mXml!Ey=|E%*wuY*dk@C?quH@|9zRNDvvv_&UtE|}iB^$?V=FkZTvS7?Ug!B*r zJ-~*Jjl8t_A2f6|X7biZg>o#8o_r*l(0K5Rhh3K^M3z8E<>tp2T|5#gC8gm~j+k;d zA8h`R?nFcd#lO8L5zVob^% zu(o70NhisK^6?xp`CvZT@)>u3cn>pbW?!HN8T{zApYiINf6|@oq1fs}DTP#$ z?qs){)K-yBvbwHq9j82T7VF#A(H`sM;@vM~SV1K>z5RO{TQ{<;dmAH)YKWK->bmL~ zS2m6X6TiiIbI)OI>pD((>`a(RquezD+ZOstr|6U&}rdBfM#b=I-xnEA}Cp24dt zUroEK3`nay^7-#tDDt{$rC>V}%~54i$zfR!q-wzs_1I#Uw5w0Q_tgM(dawt=H_tmU zE5^8zF?@8+A|#53zI>b;-@BPUD@L#7_HXI9u`p7R6jRA=@A>S0u6+Kd6o-oW?%ea4 zST>QuKoQ>>w;#`~c#&^Ec@`*1BwT`&iVJr;56iZ=`t_@sT0H}$pgq>kK4bRcpos_Y z+M3t7@W~4hfgp26?84F07BaSK0$qu20PgzeZmxg+8fprwIdje#OskxlPOPm7jTKF+ zc<$>LXzgkB0?`aC2meXyQ@=9O8&@1P%I_wm_Nb4GwYC2OxAxr2w?W+IVyQzgX6=l(FUG`SD(tvAlT&x4&^a$M10p0C78k zquf68Y5fwu_soSHHvK4GKI=KAR8C>cu<@L@)3G%5G;_|A7tq+giMb zoBz4o+7iuHWm1wYx0>FJCK}Mi)ckTgFuwl{-lp9Em77Fa*K}Sx;{^=OpsBZsV;()3 z=H3=ApZ^0iq4QDwr)=rmLc&gRz_KkUHBqf_Nfp9TiK&w}rx@4q;Y7a$v1;&Reu%<}kj`5sQEi{2)<1|g`C>%DSk$H`QSDzL`WjqoQt@pMM{z z^Ime*U8pTDA*Oxbg{y~AO&_4NkbC4KSng7(Y-dE%doG-g6*wPWf~eXDt$IHw*$K=- zPif0haRy+2F5Q((wlVlm{t{e?!x(_3PXn0lXRS*sf&aym8PeRTuQhB^}x0z zUA>kH1q|J?9h5RKvfG33aNpJ)m*|?%Jf*c zz(Hho76u3!F;wLVyxj^X$yu9W$mNYKq>ivGfi>Exrs+KjJ`t-M1+V}-QBTUjx zP*pgBQ)isWhjkzG(Uy-1q?L}$4pYbo($d??5f2_sOIrhrzV{Xv&OML!H@@#K&Vhs# z$95c-6u1kk(vUm(Z|!OX1KRppy*Bi>5QWV!pErELUU%$E&p0l(nGO&@W= zyz^K%eId=>*@C2Fxkf?H0Q}sS&(qLaPlI01xsRX6?-t(79moBN?nE~iKXnNYfBF!S zKs3`Xd=p*n<)2K_J97QyS_sd4>Emto`?>JG$wZw8LGM;T3)0ZGk&B=G4tIWZC*Rri z0xq3*5!dg36(4T?2&p6rH;9A~TG|KSe=S=7HlJhv< zyzTm?i|f2J+s@)Tw|=GEe2lr_i%LU|=t#(PIN3q)_21iJ-YU0jKo8In@8DN&U(dFl zZEWh;LQo4}XgZE`kaoi7vyL0N%=_8e+X^N)()9?JN-```0l?;tO&}$KU?F|6E~<(~ zVh96U*o1?Hn3{<~f`pQg8%w3Js}VE}N@K(Q9b$3EW%)ja+}(45PHARRGOwsf&Yxu|E=8iv#_Kd zN{6ygDTby~7B1zs!+sA!u(D+}UpKAbH}Cw8JCD4T-yL!zaXZ0<&tJ@^^{z!)7diyV zku$e~*1lHo&c=Xy2B$bsMA!_|+}lFT>H|%%t$SSwCn*b zD3qpYG8^~7c{?PR%zpm|?gQCvNH0V%G#yLY-1zRz95?MKstc-!m|+51z#BIem(RZx zp=oUH+{~7aExfhSm-`jpBk+QQU&M4S90FiQ}ciP8(bGfW}0nKywD(7hVERv|Y>p6V zXw!cM(|(Eb`42#PIfMHe+#^+vmqtS9h(NjbtkLyRv-(iUE`(V`mL(_I0Y=abgaM$L z$Q8Fi;drzWN1-41FVv=|(u$X;-XFbsf$N^wxx%Y2wGYlmI??2htE z%_=U(3EJsio6mJGb@|=)6s{F2ci`f9TsiKe^5)meLu zEgn`BGLFCJ!}^17d$-QArP4JaRKLI&?qz5~XkIEQ1t=jzD%84CN+>V1x~>TjZdm|R z*ID1(-=rQ4eHP@?-cH6ps8%v zJ-<7kpB92l{;Sk~g)f&>D$kY5lno|?5wf;wA+6g_3sY*N44Wbxl^#@d+z_~rEq?|} zT6}NL`Fv~Kfh_v!HC|o!2H-A?rc_Sl>{(~6L?qa;+s z(x$Hfcyr_1jK6g{Q}5V?@4R>k4V?|Vx9NQ*|8W`*FMEv16%*NO)E+oi9EEF{ICSDc zj47?<-p?MOH{OXMbW*#5ndZBT;etQ`<;B(M-BH`IvAjWGLiulW%7EWKt?eG4HX*W(| zS>rMS-o)a+gsxFrHiphvC%gWBE*C#_35CHzj+=EXj&$6pNGTVfRDa36QWK!hl|i^+ z*y~c(C;;*G38pDUZB`B&KTLnye01#R2Bvb}$-*nogsn1g1aSD&g$ygLW%;J1{Bzx# z02spXf)QAR^bq6A#xc2kBIV&SkM5Z~M^Z{OJ&37gpJhqd2@acjI8!PnamfppvB#bJ z&>m|i8i=yKbpx9_>X=bIoqfmdjR0nj+L;5r>L9f-v6JI~glb=1r$D7_mN{KCPhD9qGSu&bwl~V!tJfr{01p9Embs_k= zX*mD~PdteK$KIF6+fh{cf2(@$ySydI%kr`V0og$|LDm6eRYrjkl|@is1OZXRWl+)4 zk>8A?;s)Z51H+=SBeF*VBtRgL4MO(3U;aXybxxF{(O>m zyX(}cQ_DG3r_QNUv&QcULpJdKX@`Rn3W>^S*W1vcwFk->0i_hnwk!wZ42MrU40)py z`%c~;hfg~cE4IFk4gKqaXnsL?ycS6e9N2y0?)d3*KgZrT?Spx1=HY|0j>6s(_lD!x zwe}J9ZPMa3(!MpgI=-#rwHV)mLQ&KWkwfcij?rXKs_|`np}mv&Hf*Jcz;OUn!OHEc z(O(+Ch&_T6e}6ireSap-zxQH1uKr|z)!zJay< zYy60g32uvZu6qd8EB@5+1h4gNyy=AFh5Ozy5&@N!jmVFStfPiXq>B?wsk@INQf{QQ z`t-^_A_Hy-e8o?|7Jn0H+Xv*}n}O0MptKQS7QA^Mg?IlncrRW6Z{0lrRp34IA$Tu* z5}*p`^z&*8OxH1hqJT_3!!L61O|XF_e%iRheMM>f5g_?Jz_-5!l((W5NJ0u|4&*73 zL2|o;ExHlzBZq;HtOA*FHn{6I2U~w1-23)``^XVsFJBA3^(8>cqPBhwlzS zSnphL$pj~%;6JhfI_I+hp>Q8P8s00{2aOdvCs(nIRCOL+&%2SQW>*mMIec3KTnZ3r zRU=H5r)7(jsb)KijyZw3st3ww9Tj2g6Gzl-kH?fPDvDkQfFm0I8y-=DgCjXj4#G46 zN-#0!O@&h5uaUgCdRzIjqi5reiw~c?exT@@nk;2i*`okyGZd;w5~Um@r%RHmNRTNA z2qA5TLOV=VqD^7HX8-^o07*naR3K0TEmT(|qEO!wmenK*?h#G$)7nghZr?WI-um3C zp?^7TpU!39I(2IAV9E7I3E{pwc}&5qbXroxJ;ba}NkJokgrF20^_TD>YAIwgs8Xh~ zVfS=R4E)@JN1@6zMu@>#5VkL1cug_!=-ZFsi;sU5Up?wec=D4EV$+!$kvDu3@`~*% zv1PayFKt|i56?Lb^FR9>CYb&%hau}2E^fusYv$sk@B1*`x^fZD`tN_jPZ!*ZD-XL2 zM^8TzE_3nps=0Xhtw-^@kKTsO!<#TEHyMjJFU8!o&wZz7?$5;wLTu2mmU%il(d$e{Kg+1>_O~%>^^wzGf!gq);B>3MPAE; za#9Tfkkzu_)kP9Vo8AVA`hD^GrZ-S>O8Ae{zK_cf|12iwCd2Yz)RPvM!jpM|05b#2~ok`AYd1bCyJ z&PX|2(AU9lNsUMB55Jt|pFJ{y^N6~v0Sw3}{(GC2$1CgR>@%1pqkJ&W*-zkM6uKKUD1 z{gtoFIn?0E{lfBN^(JJgHm9nHl{FOYBJNytH+lxw;pLu% z_`vkTvEa%Vao6kj001&drfPx8X*q!LAd(``VYH)fWD9P2;THV+8UGJ+KlcpQ4{U%Y z8(@qDidTYyfp-Vr5>?)+Xy)cH>a3)Wvl*FE<=Z&jB6@{oqrSgluZ{aQ^veAOWSf?U zOl5TECgYi9kKu>U-;C=%_yzpz%pc zdOos_g077xD(m71ZNU1aiRnwCkw}2r4uAn_7x>$^flv7e$mG*N_P7FU@i##a`wgVy z9tSV?0pMT@uL9lYUqH-h;Gh7r!Pndlx z-Th+F?$dnGO;5t>{W}oM1pojgIHIq%gDW~9SB~s+KO!IiPzij?bHJ2;fPC`f;MVq_ z?Twm(r}|dXiWRGhx7Lu&+d2kII05q{Fe0sN1YLPrR-}~Dgvr#+Wx(VSNWsmmtYSF{ zfRbGI65aNQuVjU9Fb*&NRf?s(L-tj7zqV=3_JRwE5Kxe}HV?a>zw6cBO+%K;I0tk} zfA_-b;lZ-iv-^ac^2*w6*5sTadyHZ8V9C4cu7!P+QqntAVqbq?$+ig@Ro*aA^2#pw zHFv+ZRhK2wKWy=*-s~%1dFLxz7OdH3ZyG3iSKj$@-7@RZrrS-A;lk zsc=0P>xX*q@QS~}am%>q{>yN}tYa})9>n^g9_%%K4(9i~1c}JF=CLp1$yHCoPzc!mhtPCeuv(nUUav0 zWBKM~$m=<@>22sQ^`n1e8$NNz`FMZ#!2tL0zDfJwU;g217$^_G^K8hn23^vycKcd< z=I%>jDh3SMsNPle@Y09jcn;3{!zXa~jKi^Ua3hATVay&k3v0Hm#&72T7V}om!-BO7 zpz8)U5B1_3k9-3Yvg6?~4==BK8S_@ngQ=LcE^D*^ilqB}Ms>}iy16b4qHh}LWQb2o$Q|&AvCWad0Cp|I-zC=Iv+E7EI7jzx@mp zDuYyoX}ldqF;OSMBrRw}Fr0%(5~!{ZI3(X222m}w%VrqQyjpaqREw}AI%2OCTq;#D zQ0m9!4_^fiU|Y$*4@M#q9M{Gd|N2!tyZSlgwH#jVS%^I+%)z$8HfU7AUzXmFHT`R_ zV8ct$v>--o_JA9Ps*Pt(6~x4njK8oV^+TLP+S zmSkiid~0k~I&F_kws#TVRvt&1HrsO8WV;)}Hv5OVDLbfXh8xcib1T-{gI^b2L65S53qXs8pu?_vMtN;;oCoo)8?E4MN%|>v6?>S7FOY9~kp+J`#@u z#WIJ>IaHaz_5AHLQ==%_44{CiN+>xDE(0>E1WJGr%Ri)%RV8?gqhxbv5`|2Gg3X}F z1iCE2VGIR_LzV~(nf~CsgF1_r$5yTHw?FcMnc0sVFg5dy`(NMwoqHDzLXkV^nJno@X9tuTl@!LSxa*(ME#yu1(>9XSA;LbT9$vAA2*Fj6X1cdaCuBBNz$IKw}hEXD}ufCMPrU0c4+ovr(pydY0IVG~YJutxybLUnN|YcSOeXwar*YuFF@Dr28QE;YPHfi(Z69wt#z3!j+@4jj<#%u3Q7Gq5m6485wZ{_ZZTQUdk ze(KueA6r;S>wf5i#}<0~?zDymClfb3Ufwyrt$pSwl?DOsLD$`M)b?ma5-I;NK+$e;oz_df08Cvo8c&a5>nrTYVFXoC`vPbAU6z z4e_jO`oS##|Gp~E_LU;4`ZO`ezetxm)iCA&2`<-F{PLZlT0d3s@xU>S`*@jC!&?k`>*e#G!g1jC& zjO!6d0NNDUhYeYMOf95fC!U4`bs8oS! zbVhKQMn~NsR*cTrq~>3gs>&vQG5?qN`TSe4Y|HY%8Wo-V{YzCTGFp3mYXriAg7_{1 zm2!O#5?HQfEU-!#|?k|CKmN9@?A~>w=$VX$eC?IVa~blrdPom zN`S1IAeG}ifg57psF=yaP1?dDEQFs(GN__%&Sdm~FdQpm8gbn=f6>WN$7{kenoQI! zPCgvmx3no{-K56BArUFsZ%VBVRH{NX)S#L*q#3QP)&`s-t7ZYwJ$yk(?kdgzk3=M7 zjkfx*xZ%I?Ct;!nD*GOd@+9=D;9Hyr36-I$TF=Ds=T{eFH{b>W7qbZClrV9BiQm&M z!fNz#_?AU82*~2|H4lDrC`5vychqoHA~RK7`+|FZIOD!+pHh1#Ajs(X=y+iqiljg_ zLSsS-A0`H}T0Yvg+`p*RA7`kRpHngse$=FBL`I&}FD+T0M%lLk-^!}mE9=@|7*2M{ zG~#%95<0Wmyo|Bs+bWF!G8NaV7)(aVhT7Lp$Y}XGoSbt%BB`v`+Q6*!X*TF<&i%eu zjCNmvb4u7Uycu6T;d)$f$fsbr7QXWES8?;)pF*m0gMPR1tpr6@drqJ7%W~!0F?d>{ z9-m1#YdF^mX%M81#`;uy56`uJdbsa6^RGLQjZRbqfh1|rjA-<{id%ig=&03+`Qh^` z{R-}Tw?yV&_+j=5N6mE){&Fd&)!zN%1_@7!Iwj{xH`n?!g+59IgvupZQG4s)2;B{o zfs?>Xpbl3W3l;Y*H)==d69q6RN3Lt{E|^qubTJCd`w(P!KLw8kL)7yo&lO>1o!t zN&ObaE9%om<29Uz1Cp#lQT26maeS3QU*Z!KiSZenc@>h<_w8u-HjXNd8&rIJi|A;^ zw=K5qnD%WLuCA&9y=# z_(P;UKm$*gD&HpYuc#)?VACjKm4^aS25i}nfMq}Q^M)0aYJLIEL;{<`)|xp1R!DE! zHfp8*q)B=ue+;K2gA;kxhVfRRO`Ie0w4_L}O?$U-H!}gY&QbB{Ab`+yFRqAGl!Y+G z;mV2bk^&DD1|In&4%Sfl6u8LoIL^2dB?@#AC>xQpS`aHZ0IC<|hMCilgXno)El=3; z6rmx&9Zm`hns`0q0Va|Zr|?t7QIW!~teVz{mban;z~Pf9;~m_M-OJQSs3SI{MH9B@ zZxt*g)OjpjP<|%t%9k*4`M46w7tt9im!J|G#Qz{uxfatg-%q0(yKir|{j-Dr_r*Vhde0ih?lli%cT!os5A&Gzx9 zj^@~S9Yy&f*rwwZfTXCdrkiWS-v*Yh$;gaM|_^erEo zz6C`6(pujVVR;GV$6-e)izHcwZkRpx0kb2PWXkANLb&g)9`^kHKghQfB)I#}e>W8) zSkpF;i&dI;A>XR1t(%z$-}Y_nZ<9Ps_Rlq<*4Rn?8hjFu&6M=EWL*v5Q^j_sD?0=biwjo(f~-S_Bm&n;0EFPrzJ&-Z=5-W*%^~@ z>Q%#)#~%i9(1Ixhh?C_;1zo9TsgOf8*S%HzwZv6es8?8#phnHWR zh3!sZt{2NMSlpn6zD=0aT55wh%#OA}0?e2mQf@Z3Qt&`SrC5X$46?3S*|yI0VGw8I z`fld2aoh_>{%WuY6XF(U5iWp`W)YTN7PQQ_!toJ@Z!l}N+P5NpX;l_A%v0lA&CG9F zj2o+y_KB}tn&-AVIU3b1xxN1P^DTh{n!G-HH}WmvkTuORa-AC@Fx&gPndjww4}kD3V%K zo*Lk4SRNq=4sB!CTc1X$5T%7}*hUc6sV)oE03xrg159{Yvq*X7G;U=~aOy=AlZw%Z zhpbPPgzzpY57N?DpLhVAWPKtb%M(w+S%FWmK84R}RgF6_JQdemAsrm`?LeaLfECK*EPOr)|9uZr$ui72=UxmoH?}7ge?@v%>-bD z6w$6=oZK+Z@OvC*@SBA3#&M*fGssi#4v<2qhhRzMJ)usb1w%rfM4_HEsSp5^K&Gmz zYuSjUab!E`0_M>sB~VWCtcqJ8)mP5m|RU}Szcq}SI(#a3LJP7uV>RmAq{$|M7lezJ zW{V+F9noStG-%tXb)muRnZP$K@ohsMM3iq^!AS{ZsyMnD4Qp>PcN}-!ZszNrB$L*Di8ot zD^X*iKmh`pMxhusg(WFqD(Ur0@c0Kx6nM4-F3W40V5>eYDN-_wsmwA=c+v={SAWk@ z(wV2oT~e|1N`Qw5e9R&R60{W|RoA3A-a4Fur%uTs3HLFf{ywJgLql$R6`YA)cLM7Z z2mFh2Lywd+auY01Kx6AuyrDfx;8CjSF4uK${SOJMR*MOIg+f4PddvxgMXgKf7f=Gh zTL)8lj|skp695+r=4OJgVIDE9Bo5n5m`2`X6Lq8VQ@S+)u|-(JJOWx72bCx^O&^jq z5>ce6gHF!b6y~~h6G^mhd5W^b-xB&ZO&=t*TWc0Lad|t_;P6kfv`_w(U-J0cte18sLra zZL6|?b5Kcws+xlml_H9iWGkIu-W1Puf(@fknUONym$ z%`q?PMlYOeoAy(b1~Ko);Zw*0o}gs3A`7@+t_{)J@_20|XOhON;BPC|rz9MTtU=S% zwKw8;JDiO%X+}0fWzKEXFWQ?e_(!2+G=!<(c?XrJI(h_fi8Q}6^{>kkN#~Fx8AY2G zC4%*F(4?m|*S@ma?OM7DSK^Q>Zf7B@Q&`|9T8KF6&OKEWf_M#yujzmge^ZDFL!bn( z4U{J!7Br%PYn_meinXZ1tRaOgUd@VPR;N5wn3C7phKA3Ug)<~X+-s;f)qNJxM|8ts zhUxT#S>mOQ_hz}nyFJhKjcj4M!#|n{zFp-46rUsnINwoMf~GXKBFsZS>TuM^qf~;b zXNI#%dqk099wue>0M>gw}D@W2Jn$@joToaCuQG`h3iY~TWhW_ z$#`qAbvPtdg=Uz&le)%jkL2Wh8Y4{Q9s{jhPB@CO*t8v5U4)_4c1UhpVMImIGZuW? z>Ud3qQveg;TZuw5%)xA1E;4Cz%kE+>8^>I)#J*}(4k-TN-EMViRBsL`G>S#<+@4C8hq8nvoGfrfHY<+v(bY{Dq@M5>Dr=74{QlNsD6pMhdR5ohx zDJSa?>`q;TG|ZE}PJ|L@MrL^YxLJ|Db<5@1+;KHhaZzn`!jAXt7))$Hi@Sn}IO6bQ z*tcV`2#LdtViCd_hpZ?tGHsjhnEr3oo$aRqiMebFm?v12w$`^hv>@G~MN2Z?cm5{} zDgXc=07*naR2$#!ELlV;g>Gbr#!cQkx&cxu@5UWhB^4LuG#hmd zVJh^DJ>Pt6i+ zD^3B9sOw%xF{v9n9R4T_ThHpORB`Lm4k%ClXR&oGOd|&%dy=Yq1KB*?5(aU&+wHnm zn;(#XM=gutdPUxM^&)I1Ow=LRcT|{Hza>wmjVCD%NmiliW^aDqu1E-FkJ&R^W=o0g z6rykM#IE32EJT5pC+e{ruRcvJPSgUJM&p%G0*PwS^-N@;{j*oU*Wo$#bhmQJa9W!G zFD$~wV7&S?waB-v$|4@{tzq_NXLLr+S}^WTce!0Vv-%$2Hh^hd{x0KNqA^v=M9;o) ztKIdS$)4k&x)4f1@BfT|AV}_4A^sM}>uBa$VY#s%t?+H&j;pA8zhY)0>nPlFP6i;; zz^nwkX_bOqZGCD0+o(>$^wGeMzW%~2EwqvE1gC*W@){hn&~2W{e^M(_#BJ~3o;uOC z6c6D$p6Zk+9<)OxQXD5BgeO{`NXQDqg4ojygHgmklOP~O)%q0JvEnTpFrtu-7;Z)g z2zZ@k$H$*w*$TR_cD~E6ck+Et0tJfupQ|_+@rg^ScLIF~(^#oDARCTkWY}gyk|Hib zGAG^4@fE4Mg-G4+&}0#iTm4iwiUop7l!r7C>LQ^g#1V&25UPT_@1BFKQ5c~J2rETF z9!)c0sK&Z|`SImYCQ3MFIGzp8IqJ0jgf{SL9|gVfddB-Up`9W)>*|VheVa7N2K6G5 z_k=o$77VS9*Mvn-!|@u1i{m2%x@s0x#fa>F%8uQ^9H-l{ttihXwsC0D(kkCJXxo+p zEC^^##kcX#BED@n9(f8L6x1o{N#cW6`WAqynb1^y^>i}3deQRBfDDEit{daqCbA27 zk8gK5-v;lLQfOMHs4IG8SDQM84(7U39Vd2%Cb8cdjBg&x(6pUuPvRJFHeQ0iVx>;d zwn916L>8qPuZZRuT_B%&TAKyK;G9EIRp@%A*HClY!fD%z#Wqc+GvJkD^rlq|NOPEK zdJ5&B39MM>ZBf~22or-Hi~3jbkYto;+eio}0Z;)>-%deE^+|t5iWw6;TOG&Bstw8r zA{R|pxGTYRFRXYG0ECh{<`TiiaYk?p0$o(U#H?N->k|R$?!StheL{?8k?PCqaYta| zW~{XLJq5JIafs?&txKf-0c?mik3iKtDVJeedESaf5pvjckGKl+JV;a)2-lF{3)52h z8yDz^e~Z2I1SKOej{s+7$i?%f+3AeIzS|D6HlL`Yzd7g7bQ8LnS$7rLqk8!DE359w z!tgPys!01+rnk@y2a{3jMLZZI~xvyu@i5?M`R2@*6EEV!wANAPA53YXA~K z?Y`1@4QJ(k5D`6_9nrE;MT)9UJNLZFuH%5jC!qNFPO4KQdK2E8_N{2KQimg%*1D$w zFQmD9PKZMQ+j8HIMi#|iIft&BFwNZhZ-p*e{?ocUvhcj=j%Pu*C=B6#xAARV-;O2U zrWjlA4!#8_r7$zuf|<*%3xiR|?&8etavj@u!V!+mguYGF2MPVQ%L0P5EQ>;T6YE`} zM^JuZn~h?;3d-e-L)J8yncSB4{P@T^N;j1WfIW$E3&DC%SZ0iZ6fl*-Qz%a<;hI{X zg!GI;$!Z7}f*nQug;{o}jW|FgaB2V&U6Brv|D;x=EX$ngluZhRRH*oUPeQjnpw4ZN zLu?tU!y9`Phs2nQ>RTboAdwug|_i*tZ;A{20( zLQ}bv$$8s8I@_)afNw6jM{(`)6xVf84Pzgwn^5pY-UWgu;r-omkQE3`)`@viOw?#1 z%+umTi^@~v8wWUprkTiP$43_1ecN82MOrOs>$G?~Yv9TDHp5 zT+7zMqVPb2HmH6}-v)ji8o)=s?LZqO(lhqs^&LHbnSj@~NNLDq+qaxN`|9Y1G^eu^ z#iN|Z?`(`eX)P})m4Xzo(JH1@o&<1-bngV^X{ReraTpE|3PyA=rmjqf*nd(hQeH`$ zVV5)lFhm0|0RG}#kcp6*62*gmtte2!hOM^^E-**42x&F}@*rZLY7AvE`ORUlqT_U1met|8P6YS6Z9)3Z1Qtjxe@v8z zv0RANW^E|43QaS&<~q6~A(SnvJj=GqDrY=W)~FYxqiF*n&2b!}JgxEVSoZC%-}nfA za1Ke5ple3Iq2(iIEsCx))hd_UJvX?E2Ji8$5awOYw;FWK+|t(372#XQvS&GtEpry# z@EEI&J)lLeh(sK5_?_< z0PsSV9Fg)=DVwnbIt2K=gs|fAyQISSE`6 zLUTE{tV$%Z`{~+phv&G{9jgqA1cAOY7GceBVkhrn$7vYN;zL+&?8jIv!W!XZ463Qa zG%|g=wo31=YJ())A=r0RDXxBNVY~v-dbPSx;v9yNfuR}e zXN?~hz4(!PGi=YIV7!5gPy^fv^t>Yr(Iot%S%keqd^;A4u*x3-fHMx&Fkl$D&4#W= zHb7*LOn01eJA03Bo8o+T^R2!H-G+w{rg8bZYz@&& zzJ$MV4oV3OJ!5OKwl0m|CAIKce0o zl41fxURSp0_H4S+0Hjo;mTuWk=bqGUl_mddR6LrVZ+WUw)hK90%~v6v^(oOhB*0P8 z0&1>qzAIp2yoVV63T{AbeM-J{x4r=8SEf>_dIBnCR*h1Ey2R<@m4Ef^ANdiqf0$mv zq-=(jawd%k07h8{_ne82V@0bc5_}}|J^l`W)Crz=T`PISI9nFx5qc69VTm+zVI3m) zks!<);SBw$(j%f(R4$MGj<*%!g9KoKtAT0ew`zJeva?OVrg+@ZJp`X=zKzS7c-ij;zKvG$|1RI^Sr~fzx*Ks^Rgt=z zuh$6Y(`+|%W;G?f@p=mRHZczuwtecp74oK_Z=21FaeS?gS1$ONMiz<2i;&i6-`4Rg z075A;W?RY3&nKi=i3;q|5y1| z*E7hsw?{5)ePQvvlP$Y6uI6eTqoZNj75Za++XB5&JYgIO{VK{Eo@+(rk7B&~^oV(} zK96{8w;B*6N^AXi5%w*w1QE%V+S@xL>!|*FF3n2{>jJaH<1&J4>=cBZYkg`(fePT8 z)g2JlsV>{jwmu2dIiP01Ev0AXMZdSw5#T?m6e+iqon{yHoa;$0C?}wysC%Oh8UdhU z>Jce8Rs2b=djalBp3w%4;Gqvmik6>9LO`Lqi0U{Baxk>IP4u_LYzNZNr;IZ?Od0+c+NgulHT4zi}6 zsAC^>)r6+!doRWNt09!XzwY5Sr)*8P$|Xd0I-2zDdjUaGEIz8BP1>sZtsZByzUABx zp=_ubE2rinchQU#My8ala)%o}`_^Q9`}C)!S4^{yLzJgAz9mU8DaO{A^sNw2JkRL) zpef%5JMWreK-aSy&%r*G%fO(`8ECT>mZw|R|4hD3l*f^8V^pU!II%1ER)Vf(EK|<+ zhSR)qX_{3kb-Io2kP_g0FCfSc$fD8CwSv5yGpLFQ(`eh?)*iJYbHb-`ur9bI@VJY> z|Ku}IXTgzyKt5b$Vj_CzT?_IqkMACFgpw0|ZJ?s|pk+ zL7rfcRSi2L*F7`{8WGCFNuZRaR8BZ*iw+)B#1gGfX+xG1w4^}A%dOCrXnm?`oH68a zns}{lRWKlv1JMn-L6^Ld2xg9%Ww$^%V*rsNdEz*HQ$CNpH=KkLaYWzKTPSKDn%`lC z>VgGzhUR# zRUGfyHtIs3$8qwCz>e1;={>n^ca(3d<1o$GLJTI3zfs?|APZ8}Y0UYSgAfWs%Xzx2 zNBEX_r8dvCryN+*#xGL}e7xnN4k?Hgr^@4n?>!>*fgQqwR;WY(pt0|aq;QLi;g4H*L;)sh ziQ=?|)~B$LCSun@5sgWfCjcOEIvQA?;>uIyp_IS_F-<0AbZk66uT}-X5-d>|-05Yn z+&~b=CZD>AH2h64QA4C;AS(DENJkCMWiG%u6iE@6+hn02qIpMM349#Uch7UdID<^( z`TziRbVSQTP-qXyJcw6`$}BL>F_*fiodf>8&7D$@(^uJc zn5bjvE^~dCMJl6q8L42wB%~*~ztWCZA5T0_i{mAfE?i(n-s}5;GX_=Fk;}GiYs;IF z1sP|UVtaPZacoGCoAYhF%w}~RU2qR3|3N*Ob^CJbIKmO4FVPqu6U-^OK^sLWl!x1Q&LaR!M>poB*A>}0-W zoWW!Mi36ERpb(TV#F31%MpI*&g?#IAsH%pn*}ly%qd`O%ce`EKrt7-?*|%7~wdRtE z`nHYFOG$Jl)h7fifaW|Ylzm-tV>e&Z3q|V42GG5Y34S} z&UHjKq&Xwq*^H!k10{eB`q70d&JPCtFB!nwZy6>rizmlh+TU_uloWv1g1di%?EfK8$A^0NFlTt?9 zYkKaf0u;g-7cg~hd!al@bcx;n5IH}^ft<-`TaNeagBz=EBoD24v&$+LCOUSxLcgC~ zG(mu)V2uD??USJIYX~a)*)JXpy(NjfuZscBuFv5(MhtY;uON2m=1st zihQ=i>CASn34bpRZkt{z6|rgO_3}LKZW}6(gTqh_C{%&v zT5vokYDtTe$$^pb2zZFCO-+R=se*E2FEJVIG7p?FbeJ6=0Lo6eR(|TXLUP}ZhHp88 zrs~LNJNtL*+C9Rz)<|KxWtaVWCe5`i&|7(S#3ggMJOsoC22nE7 zDo<$@r&eG`XLS;Sk8xm)rpl9$-p2JN;GmKQE@wu#p}yUm$mr8lk^1GT>vLsGn_MbO z9wanYpeo8!MR7=S+XLzql*(H?Xha&fxCnk;A8}7;eX1fEh4m>!pZ~cYHeUaVLMIe* zF~ui>JY0N5=)~KuvPzCBPvC*|kb!1QZs$xI+1V}?wofUQi=B>b2jq$cmB&1koDxpi z>lDoDmWK!Jb-VsR}uf#c_I}9^VafTnFPa@$Em+K6)SpI z;OIS$24fyxS@%j^*-1jZ

p0_klQU=3(F*cxBzocy--En5tPP)IH|GP)vO2kW1dQ3d;528E0@^4?jHrCphPjkK_E?K8{BhJq$xNqC}0MQ1=gU zGbpkKQ_l`%^l_1heYRuIER_o?_ZSFB>l0g2na$`-#P5G_JqH~|2hKbAJm|6x%Pqs> z47#j?fMC&vS8?$NF2U*ho`H*QzYtF>d%V_;b@YsG5n_2Zx^i83|BOTN_cxz`+m)# zT>BbsI{W*${Fu+-syna1ALri=GjV(*)0$YH27EA9e9Jk5s+us3?6%IfNfExaEPGa| zR8YCcgZ;1E7=L?wK9-;ZEiW*nCFF2k!muU3^6kGVK=?=!G++bXQuwhA8eaPZWF z&}Ovb`Bl$DqG2mTec#rSIEr==-#q1;IRCHMpkvk3otSO!u0Sq#33^+|-A^MDSX3|mVO zTc6Sfjc7(=Txm-kG@^o7@HDbukq{1!dMh6TsK(@c7K551MFaq&d~(?-bvlj(n!r4s z=RuWKeCI>o#??n(36FUgv4+uZcHsOwF2tR$ybV*$pjaOEceW^CY8l9q48|D>Rsr1c zcWJ2NyMDNq16fmGswPIt!(a}Brm4_m4MPQgmsyf1Je$E%Ev((X7K8dAHVAQ&hO z;KJX25`SI%1mFUiMq#K1IOlL&7nAaB_{n)c$He?Z43-9wQBBB_f}cHgGj6>92J{X4 zJ9(-C*bX4cz~;eTtm=Ck1BC%tBY>rq&~EAg=NKsZJ9l|g!HDI61sl$?1mp}21iqza zxa1)4RDmP|o&yjHw3{jjAs8%J@EFi$${?J<%;b^Lvm0`qxuI~sxs1&$yG5BZ20F_7 zN_Iv-5XW`UX>{VtCti>7nQ`baI{^6B!jeeMpaT5?^jW!sHwjQB~eb(k>ImfoAmaKxmaBJ!oH};FLFsx{S z4FDy(jJ>+{!jI1WF;19s0tQM0AOQMCw&M679g6{P5O-aCH%!&U-Z$_d3+t*7wBtB=EMGf^xTtCk8P134|{ z%P8()q+IaRf>GI-=|oqq3t24-&*2!heQUF6=uoHv1nzgLtm0e$cq6Vp;R|5g!%%qy zotX|?{QC>>`<_1n+ya$>ypciKDWP0ukQE@SWiVJOfV+UA0*(W~1rFQeK-_TVjac0C zIS?5ZV9R{>MgQL@V@mHlsu0%SFP6nz`wTSAaA z+F+_i#MRo#l=H6RO!N7cK)4nXjFp|SnFS!|4+Y;k?OQlx+94_`640FIwUx477rSM3f?5kP6Z%LSb(Dz@PX7|MMyyEm8Z(?0gH_!k)vmV z^{LJ}7EpE{Tc5ZeLtc16aRifY$WT^|-quVUHr4g4ylq?l zJwsK+6jecQxfYI`c?7@`@|zYa&-d=xhIZ@>q4KL$ms;O|~?j;oHn8oQ0#4eR>X z;n(wjje=Ex$32|B_vtuckK-Xz8PBeqi~eFij^E>WJo)D1cwxnhICK9qap<%|@X+Fi zuzd4!eEH<-;4&9WH!Z~h-3Q>|#Sh`{Z_kCxTpT?85PbbZUqfEc+!;^}dCRkGcepFL?~}SHA>ZR{W|n4$Cd0Z@3S~-t+;0b3FT%7jVT1SK*=8?nhS3 z;h-4@l#K!HLkTvqinE8#}9Ww^PeM=diRdzuR_*!<6xpapB1qVM4A8!{s6T?z!J!eg6iilIRX5Q61~~Afg~P>RS;$ z9v>gke&CEDW40q_bZk62dt_LVB80P|p=Y26N8WT8)@|L0qvsrn!O|f1ow^r3e%L3lq~{I%<)!;@ z@a#iy+J0x?Z6J0RRub_5hxE{Tb{(^L;q~s82(p5*~l! zuXyZ@$C1&r8gI42x10l@$eQi0rbo}dc~+sFF?VXQG=hj5t4Pj7`Wk}qRQIEPEJS|S z%j8N}`m*C|k!Rj=2A1_M!?V}S#m5dj8+W{P2mZX^FW7VH9=Q0(OQ6X*=B{`ae_rqx zxSp?Ad7cZ`b0Jd+*PM72W{;nZwcFO>H}igl;bH+FoO2XDdeGSbI5rOS;Pw}OkIjR9 znAF~dFP-!mOvrV?c5U4L!te0<>LoaF|KoAm{%3$OhX0=bUs$;IwVHKNRKFMxCT;3e zzcrG{aoHF~!u|Dts%pq(ItDUIKC+HlGttVl6Js{_M*MYKgZO0iVq+&LJE<*7Bn3r%Po4EDpG?5Woo%78?Hqia8e62K@e6R zqAl!+6aWAaSfA3k#Z_?!6G+5$FUj%*_#-+Yk;Q{Vh$8L*V1mFCb;=V^=TaCYLqJEY z?ULN~s^t+9VbE|p@EG!Na1IXWDriSe8k(&u8^U1a^2oHZQ}ico2{8f8s{(w)^3PRv zWxMdv{m#Mziyy*sOXh+Y60&L*zx=0P;A8urjpbXGW6p#*II#NwTz1E0xc2xj;Cp9$ z58Dgd(O2k$E^F9c>c{o}a6KH?!ZWWui?jAS3l|-J5jG8N!ip^`@RgIkiVm{_MY{-7 zHL{{}3(jA!3`9=faq zb@%rM7-!fvycI*GK@_b5kON%L#RW%RgfkC13!gdWGIZr9;_5$s4kzvVA)ImGNAT5q zzJ#k!z812i;EBbLq0MZ^4?gh|yxsd27O!7~%TKrxMZ1id6K3Fw6R*Z6e)cgu`0~T} z)n&iN`5*i=)^1%5k9ioE8HZC3JQHnZJN~}>8EhNciXUHi3)c0m#?SuxBQOsz%{*EKco%> z@2&?=_FaGg;L77Z57%?CN7o)WXzGEuImF+ z!LPAq+iG-X#^Ka`Psdq5IRj@Md=}0=_#E^X2k`zG@5ib8o`%c+@LB9LWgjrkU?@6{ z-s4!@@!}uhdJLM3dL9VTE@bX-{Tdw>ui$91U;+Tne94v1j&nOQ9jn8|4UcT^wyaWz ze}`0xzU4d6w=uZ1cLEXku2(}PUq?7-+QB&UfHU#r@+a`*%THm>tleSDkPTa(WIOW(Tf5;R`Ti1H6Au;0}EvAE|Af)S_Au7;Tg_ERUqwWZP+wlpHDj+~>eFX4Yw0YW zy5K1;9P=Z#?B9%S+w5uGgPAzbWtwqrJn<%eI{s(OUNMt>ZF^HrgM{RqjS_e9l)jaH0q9xOlM@C{pgq>cf)k?9G+OU(3`#pTV4^b9v^n=}bHF zd^Ydhgaqt5u#-J4`*{6^nfN_HTB9vocHEU*`qTxyy5tpnnwH`4bW3jq$TAd#%FTj6 z$>wx9wZ@ujqVaIZG+iQX=2><5kAIDuuL?`%U{oXnllbLi#5AeGoWf9!>Sv(<&~SbX56*(uNr_PNi^0B zXJC&(-173x{O!W&e1GT!zTEOTWuY=YT=zbGO8fELk6&PS%Ps<*0H+;t2IoBSLzaH? zIX=~wS&6i|bgH-6Jj?FCvSr)J>b?*HP4!V+P=27ipd!PLDhyQAVn&M4W8~hBo=rw~ z9S9fLP921UbjZ5pK)IOUUBGk~mpe@IOCH#+_~Qzb3G3EHr}Djp2t)Z+j+DF9(~_=h z4eeo%j3p&DZ3_uG@jpqBWlI^K4Ek&d*_KjU_-skSmLx1$%3a-Y!JWi!Cve-glu1Vx zGms=F>YkkGyx6vcop5$+TXGzy^iNt!(wOZ;C7rfp`AO%=vZPEWN^+bhNydr1C*icD z^iMinwuDH0GRjLhPm=8XPx8P_{7>>nO5<~OghL@oexD>26-awe>!t5cKHd!8NIY8K zF+-L>CXycq&Zl@;wrv^r%>Na(uzB?KKk?CZA8_Nun@}W~QyWiV>Zo)0$LG&;+#il- z=Binocj$RseAFe}cH(WU+p~^Q_m86SH^cb#yx(9X_U=UE&i0GsY^H9+0KvZSJ^*H| zoXMGgIg<^0))O;g2x0T=$Io)ZjOzh-{JlSO;=L#G*t?GcFtBP6M>HHkWkDr>``2ID zvUeMrqG8(>vLtbA|FKxMO=Up^eJc90r)>}W+V)Xb(hGpEcdtcF&R8YtuA4d~ffD|C z<*R)9%cazpH}LA`FZ0QUPl*~1{om}{!XP(Mq+K{aXr={+jP06 z4Is&n(^f?0C!-ya@otB+DH1A?1(WefZ(GjmimaeYYHDFskrZSJ6guV$9)IsKM&8@V z=6#zvrr)vDm-eQq)!DxM!MgW3=ZUG9mc;{SJ;=7^t(^Gqcy4*+CWclI<=pR`%WGe} z&S{TMVeD_m^5lDuGpuGf{VMwNgFl_j?v`C_*|&wG?mLW6)_+XM>+PVEWZhDWx|s$^ zcHPqX%D&L(O^x#Z|e`0M+B<2Q5e1K{qNcXH$On>uF1ZIho*x|zn>;r#TU*U@)%>$ zWAO;b^&7|F9)o%5%a@q(#SHd^_c3|MWJ-%lx%>6I`1_~N0&wli*D~>eiCi<|Y5-nc z_6nyxb{b!7`GSl7aS>zxIF=h;xgL+=Vd9X9oIG+07moQ6b5_k^;9Ub5ao=#BU-BG& z%~>^=G;|7=AALC=Z~T}aO}~Hxkprl*v&!pLye!+coO@>7iDjGoaq6S|>*kNS`P7@x zJPJ|W2^-xOYXb>%!|^Y}y0h}y5_J~b*Eg->lBX}^H?!{J=P&*YfQ4TzVA5|Vv2fKq zF8$jD9QT{C-1N^I@M%6KG*09Phn~W;BhP2n(l;1#^8iNPKA2fwyv}`R|CYM4dMIplw(EQ`6MM`bpZWv~uX~&N(t2)u^=EwX&F9>8^4$!o8pPEvT*;(IPa+&|=j!9G zp~znhfNsV(bM)y*7^XZUlw`2!~YJW+@eZtlesf|MEpA3rg$PY4W zCgs9pq%2rBK4ilRDNlYnO&unxE6O}(Y*)D4^V2`w;8A*A-1w8H-XgIACGx=ukQ5&V zK4jD_oma{|b-lIERQj|=Bozreqn=5ET)Iq>D&Jj zgk+YNhrSf*v~oqlfysB@6OeXl+PxKZy84u;OKSHY9p$ArfK&%LS9|=D%uYT-$T@hGH2y%6xoTy z7LDtibND$tGW9WLFQ3Wy2gh;zpm98U?i19N)=^tr%aTo>@c!C&@g=u*C3zu%Kp=$8 z+Ffh;%iDiu`iIY8n1&PW3i#9f-}Co{FQNvWEhgZc1A2AIOPqV;g-jlC3S|Z5MB`EB zES*V3K`BpNGM#}v2V*7buE+|b8x93v(aQORBPMb{V)L#Y%vm~ocT#s8BdF0zko$~bwbXBLsZ?EcM>;A2r^5-c`96FK9kGX(hZ@XHdu!W5*$^4-4R3sz@Rt@5u(dS^<7DIXr;i!fqd2`>)6hA$R1{$fpOhyJ7 z%0lHlbMvY`fy#LC^D)#S1{eh{rjFexid=6!eOVaIAxSY9_I;i?!R(mC6^Qm5%gxp#&3zo3Jk-n4M*Ej zhhN<~b6ePy21*eAVwQisj4QwTG0NpKmmP5#4P^~%-0R$3Hha}<9$fSQimXx|ETc3~ z%9$h2WI)9L0v;ccNQ{EQ0@TES=+%5+k=kY=5`QE~A{LJlHx1+dn|Loz1GPYw@WP9?eTZu&m9a`7`!x%a+|kH)2JxSTtpT z{9nA;J}1JHjk89cc&y5*L%#$fVW>!wMBIuyE0_h)9Nvd5Y<3>l&NctIl0B_^DK97` z;0-bT;^+8!_gb!e_Q(8m!cRG8%(>2r05Y1Q;Z?mv;}PP9g}2M_%eeC_?U7qxfi4GX z7o4_j6ABa&@)hm&C}qu=;C4gAXp=3=LQ@V>ww;upSGF0?M7NAeNeFD)qM@vwT`jwK z=s{eaU)4XYlS=%Wlu3JX(x=8Vr@dY~Ak%LI+ZGpdNXIW8Imfni`Nb=08 zqWnh!`MAH+Nm~`9&d*-;!jBnQHNO8@^p5!?1b8p+&%M77Oh@HX|Mz# z1Pv7pfaAFDZgHCMtmSX=(ENw+$O}$O}*vg#(cTXiAu?p1q8%`?gbETt#cF6_27JcT6gG&9km1Ji6%= zXaAOvC_*0tCVZSW434hAfM&?gWhhQp?MBo@wT6 z{-+3+I$DuPbJm=Ha!HXQ3Il3J6rr{QO*MKvTogB)?O!?jgcB)d#u#032#=oeD2ul& z#;bTaeZ=X+j2Itn{D|e-m$GipIwlOBKyze22#6XnemVP>%w9R0$-^cy_v-m<-Tw{W zG=IbLZOZ|;>4cv%wC7MJ4V?slCoz~8`icm80(fLKaaKg4$Y12lwj#5$)oJIK9(@@x zBgWk`@8RhW|H=s)g5rTl#2ZSo9fNzV3@*7`a*yA7a7cl#anOu3|DlQs#IpqZv z2qE}n{YU(I#zRbh?f=A)#rqP--Pc^6GgZ||jBQQ5X^)YO6d zE{to5tjn@+rl;|3njnjLGY zEvuovtezFympj{a<59LB*hXXR2>$1?zhfuDshu=*0&z1=&=Vx+4I%;Cnw{qTvk5m7 zH|?BDX6rVisSGy@nqhaWSRAGHl!C?X`RMqjqhkvIvqEqPixX8L|y)6h8Q(REC(b z6@6%rwK1x0B=?>ETb6Hi0x1E^T``9>J6Ch_|w~ z51rI0gGUF`CudI*rSV7z$HFQqD7OnjMHv&)4vg6g5$T{U2X_u-oxmI{?Ek;&)Hz%l z-n=k2lCKC#n=IsfG3S&8y&q?7}i!Q(WpWb(uLBsbz_ zIBX7_tjfxvjha5RL49gu>F`a--1m1c9k*`#s?#<#tx>V_&l5N+0WhY14E@UcQ5Gy? z?e4Yw-k0L3&_T?Ld^%kZcK8=_W<@Q%^AslNu%mf93s%jex~Q7^@&-x+ zWjwO*VSe(DpRn`5Hb&JSLdY9p{>ry#i?urUMW|k?OKMoRdoA-<%%MHjmYT^G2x?2~ zh{mJLUH%q3n|GkdGIgbOg!QoVY~L=TW-C=iReZI5B~QKmXPVpFSi55x#VU}$Cgt<%SvtaowiUTFomDLmSg?N3*4Ay+J0mE+N++!|c`~Gd*Gvihq=NC#! zDi|^3*bU=GOnJN-fAY|}GH>(0&R?@**{G)d+mPj~i?lO@>niY6>v4r~>$y5JEFraL zKLaK)xb-Tor!CgPtmQM=AKs5D%hZJ@K-}E(Q!7|E&W&CN;A8CoT(7&=D%eH>WH~Y4*ddDi>|N324 z?^undsQ5j8qDDKbcdSMT!8@xLF>mR7R_<6vZAl%qCAA!g9AL($FA&z-I-*r}B?s3w zo0ZX(Y_suZ8Fop2+qO+vSrx+v9=-ak;b%To049gRzk2`xAOJ~3K~%sh(7xFG!3Aq} zEF00(ygd~S)ivcQTLzBpa||&v#?y&jeEtUeqI(H>Luj(bg9{!YPK0qoUeDS<;EAU zXVI#KG)G$4)U=+EuKdNW~dV|dT;x%6R z_%(L6Y-LF8F#7fAgJH&*vG@gA!p*31?xpK)GDz23%d+XydniK&95Lt8s>X%MtWS5X zZP>VT<;APFFRh41+Yhc!&emC1n5-||X{)x4BFhP#X=d)qxomIV!OES>sVnJ4d8nM} zA3e<{n-(*?b_D$^`yop*|6KAsmSxhTum_)P{Ft{^%;WvFZ_}ruF9WIu(zCdlMPDu8 zmCs&A2%BDI_3Uik&XUcavU%?&-d(+j5p|FSc2x7{ zPZpxLUgI~`SKF~&;Cf|2md)9v(SH!I-FBdIMypO?x{J#lCXK#t>qK?KG0N_u-Ql|C zkt764$v~oNk5B8T-1$Q1(0Os>FJ=0M=Z=48sd)OI3uR9{CdE;@xpgnOa+2+xr_TAL z_dv~VSMUDt>$emBasGyE z+g2(lMA86OWd*Jw>8NRq-euBJl{e-Qf;eHUvB# zG+Cof4h`Bd520&iMQ`LYBduO~ITDukdt=J+N-uLnhv6Yo0HQxQFeVL{NNpeZUs zKt$IuEeLv@XS$&ijXU)WdSz5aMK|Ka60DLXux-#3@OwSz@i@Af6fG3`WJ*FkIp?Ue zxo_G--0{MV-2eJRgnSB?Wig=tC?=k8(W`eKb?sEZ0C@Mn=A!w_UY;@Yi|0?=uybwK z7ZxAv)-G2ZxvzBVl32+JHey;3@_G|1P|hWvh6SNSn`qa=ST+Q`UZQaw+jig;*^!B9 znnVpFp@NQFgB~w2Lnm%Jy9H$lECB&c#-n+N>M``h)k8s#nvh}F&QnfC7fxhn19j#* zA_49k2srAnlg$&3pLXMQgU|Y765{E#bB_9G?SdJzm%iAuwY?=btbJFqb%n|L(uMKS z-HSveNpjl1VWea&0X|j1qdMWGqwy$l({aSSs!ZIpu>~lS)15jx=}+88r>As9k|1tE zP*YG8l~`QINF1q=N$9JrWXkiuvIQuCE9Y4UoN1a29dtM+9e4iUe|gk37m>J3WS-bs z^6tAYyz<7E&mXsW*Sc?|w~{0!cxvF)JkDwk0%6;P<6&$Yf?hue2q#uYJgSOM^*Ps7 z*aBGskD{U*CIUwmmhEg^_G^B0Lq|8wRMi8TiY07x!zSo)BHe}KaTFln@pi~Tk`ng~ z=^1R(6z80x1VrLapPD`{_*7?wKcdGl?4+(bXITx)Agr5ciqkjfhEB|Icp=MRTcD{9 z9lD{T8yzAGcu3rJWMU@o%K`!(02e{%zPZ!BAg|uqHj*rH^qA9(@yDL^lWT|m@UbMs z-`39__pjyiUYfmpMnxprmfCK8FtW`L-@QILpWcS`FsAL?pQXwwx~UV58>q4)mzWVt z>6QcpJYPPg97+t&|*88T=k+TXj@7 zuoBN@$tg>g)0`;RapvIo&^@O(^NVGf6cv{-`GiY0jX8AE=@-SW-uiIA#cEWKLHc+1kg>L>f&nN zymk<A{dw)f^t4_aGic>2RWw9i))(X?}dFQJsU|I2?X;jM7y*b2SL-_E-sPay5Lqt}1~Hy_HS1 zXWWjLMD=#0^!>Pb+Eq$Ny3$)Z%kRJ;<ycEl$)*h~NEri}SJ7yV9N_ZlKf&mCB2RVa%?)Qv=y0ZZ-56;XpdTI1!I|M1{bl7a(XV2xN z^B_~FTn*NY^7GT&SsTm2mGh2^p_Xd$0!{N!R#XuQ27;T@i`1j7y>u(;i5qb|vd2}n zoz>}JWh=QElzHFjhHSHFP3C9nex5d)FwoL_jm+|rPFg24cSpAQcy=(WPkD4JX`mMu zR#4>6JlELV-r6&wx0OcY5vNb+OtxLuqMgoujirj%k%O)@Re|8f7+b|CUQ{ zxBFz5dfSP!ZzTn#yBkXzGaM-!skdLVRAEI)9a?qcU1q7dbmfE1o1c9DJ9M171M4=H zc1gg&*W0bxyTW$GALyb^0!i^=C?OPCUE2+8uBj78>LocAlY6za*=DB3xLAJ44$cXZ z&=H)$)k;hul3X)vJ2BtTMbL=OR-UqhRirMib>Vu>Wx3yK>mI4F<>}?w*>L%`?WK^U zmFGrtV#Xsmt(cQUChvqL6$BKDLuylhX;Lcm`7U#NkM_uc%5bF3nIY?H3y^Th=tgHQ z67;A1N|$%iBl6`MVcB$KcI1X>@Y$x%umyM%TU0W)WTYEmE~&GQ*DarJ7}y7ax3kV% zmOzh3`E=bE*aCc-Q%8X_Xe+Wp$X{X=`ie3lf5r81pSH+;zhxSU5XxN`Hs7K?U2fa! z2HtK(BkN{+$&qaWuH#5%!dQ^faOS0_`vyx6-5G{O_Onj-n^lC@8=xpu*4C@MUq&d_ zNW8tFHPW2pFmzkCox&t=btQ*x^abBmw%HlUl@K@ic7{I{=`F)3@0{i?bv6y=Tgx`# zBp3RMV?lrB9a6D)Tc6hOexGHU&QS3Gs@`@JXL1!JL%Ln*SEuy+FYB!UpC?FBptP;N zxPN-&FFB@%d$)$0Gs?|7)^?|C*Kw%}Idp?h|Bh@$VtYW=0r#}LY*}~RC;Vr}+Ai>> zLrD+{6jK-~Y3eUY@r+DG>W|rqWLvIP${C$HE$jbL=jq?7x0DOg6>L}hfo|7d5&~2| z27#z4>~Fe$!#(A7q}GXeFm8Bz?Qg?M+V442M2=Ml>1TCPfhF>W#mnQUWUMyjccO&U z$=1TOaz!eTg-c-)-QTvCz?Fj{3x`OSNv5EsL_OS{rz9~69ElfmR-fc#nNr$&?zATZ zT-X9+dsHc7(2mBVJ;L#DWjNY~oQ>@uJN393Pu*r{FRCnKmdi13JHsgfrfp{I-*-zA5HocQQ{dB_^BKBfqbivZ zzcTBURq(+YVrekn)(}fiB?T4uJ%MdK1EFy8+19OFeQ`tY)f#C|s#!OT>`u!6ma@&s zNU5AaH*{=aJ7LY0#FpM}8+aW*B%FRFZrFHK8L#R|;L3hCmuAbdh{jE1$vJz`5d!@` zXpD7JwgN#gP((0L*yQ(mGH13ev!P9I^_WIHF%OuBwv1>0LD`DTJl%|??v!%+Z>OKn zyTvpQP6_9(sA$|s$jIw{*WGt9srBE~TM0@E%kg^yTZ=++B>A`r{JI^lZ%OK{Ygu{9 z&W3U2LDziBQJ%D~5{}O3rj7)7RiAVA^dKBFAp{XUah}-I(I%We+ajtPDSedO0!QQ> zYtu5jlI?$B;=@5J&@`DsUy1Eiy<2kuw0@G+jt~Z!liMyGi4)vbO_ZaL_e6Ul8^1AwM|1tHT=>i4$_3t6N&C^!y=X-im^l-j~4 z2`S^#L8g@XNlUgZr9RFBDf5#^N$1IurQAz>h2%utOMKFCW^64?M9E7<-Af`)eq87h zwv^*U$+DD+x(CkIz2wKHL)elnb$l`iPVgiZbuUq#mBkAQBt>#QX%YT1n36`josdT| z{J8+xE6HU=O3bUNn=^SP_lU)#}gP*YUH@ajfJ){J0O z?I?y$+N7e1xq z6vC#qq?X2-;WX9^$D?>ta<^@pzU6&stZAfgMc>4^G26A=>^2yU>kO-DWd2PHx&7oj zv4sSyE+!T?J7z}(Y4z%w4{q{um#s+A zoP)C)NeCz@s=((h*wSArOBrPCa#6sx?1tv{eTnY4bAENFPF>12yS-%NOw$h`1br&{ z&{)$*d9V!AvfOpcjn)LulKhLr;+%EZRObJDA?F-%9?^K*ITw>Hhb-K2!=P7bJu`nc zn+K=;9vRiS*!5fLZAL$mhvtKkt!)bmLd6vLi}sZJD)waNiiY-ht8AK1aNNB7`VZ-? z8_uLWWJyZt?Z~>3jI0~UfT{sRjhJ(RZu(ZlJnbdPN8OB5SK5m=e=>`Qru_j~Qn9UM zACOMaSq)k0f_QklB#Y;)7*kZGE|547)dCM~V`LyPo`;7>@ViUt7h=et6roeSc+*no0xRNpr*Kn*KT-& zKc4>>imYK-mMhIUV{LbM(b-s=_W5^YD};?l^H5Y!uB)V8@!)f`+fh^~~C%3ng53?Polm@s=V`Z;)rF^U0 z5+phtyCh9{j7|<_^+|}_yzKj)gy?7i*+q8uz9$mzcQ~6M_i0RBreXAc=G+faNDc5QWmP< z*#2YLuxCRmqEs>h5OL^PRLyaNj;Afwifvnt!6d+^$%%+l9p$&jVoV+}kr%Ig1)t{U z-Z$^!m#^MUaln^wKw{{I!#yX8lP~p*#Iu0chp=th^*FZeL<|agy-1QXz{lcFiHZav zpNF^+Cz^-?r7BKjv9NAC2bysrhbc1nJqqENm7pDbnsYkWFbyKQ^S)ODzehti4Whae z*~k)3)Ig5{0iQ~9*yOOj!}$C4FZ1MrKk?v<$0#e!RZ%-}&rnIId~ZOjPhXKzOecMAR{7*8%)M;k(dv#v22q&r`*G|G3Nnr!Qam1g->2UlVyh1 z4CSpG7En=G$>*DvaO$5X(Hd<*2#6#?=qWO3Q5PNOt34LSjyZS995;A8aYIMgA`!h! zCz_C(PX)trE;SxEcsw%}zd+Q8am>JRe7Wfh4AVl_ExejTvSEQHL%`c{ZXptjV^|Iy zDPH>&Cu(CBFLP!(^Y%dpmr4pNDGU~D1(MprPIi>*@n}^z+L}i%Mb~mlr#;>H==2@; zz97AG3hO!}dkyEU8|G6Us^Hm=p5fA`FDB^qV%viDSR7Sx^h!6JC|)727g=(`q=#ei z6zhB*3BwZftL)FX!Q=UK!(yWCHo8Zrz^|dmGErSeH=T%?wy;xrYZ*{fSHw{RkD(}7 zj8FBlKODhGESNh{09E9aEc3T<*8nX4rhIK1ib5rn7FIRYw)APDB$cHahEW~S+nmXP ze0rPlo9|3--P?!r-?U5$eFgmWN7EV8=ZHiBi0(w- z40Tc*;&N`isHt)y-0Zwl|Oip3)3kytw!T9d9{ zIkLu8ZU+^}Cohh4SV35i@zd|$$epL$i(wg@@z^QMUN)B^pWhijO@U99h+85RVbQcK zN7llLjM$?{Wy0{u2w`*M^Ec2IHc>SbMTSCOAx955mQ8y$B5a%1c7vc_!l!zOn+6fx z#-loYa4a5AMO_SdrLcK+LI^a~Ls@ZE)aUVK*iqucH$n)zhh(-V zOYdAZ&`oD2`9;e7nJ52XaCHuo2QF`&q%QJ1;IfCRPSba>Qg$#YP=-*oEnIPh*)_0x z%Iiq!F{O7)yXi6GmW5@@8EaSB0VV*lx2dHk*T{Hzw(U7tS7w5Ab7l3CZZ0n2g*-mu<|Ei8`eH-?@?)oj|kku^J3r@}is zm+?ycVASdOG(T}O&e?~b!!z$c#qO3}7^cm@p8Xh7GZa};*xj;|55NAH0X>q>WOg?1 z;PcH(uq>MshaFFmzliP4+gP$;3Brb&(kezbj6qctS|SH{|EqVXEUecBmH|0q_NjXjv79OueN@c zShvg+c_>suQDIrrxZ>i}a`gLqwp6r+n|riJT02&wvJK(%@7YFJCj(T@tWox$o@Rim zikfPM7asW|-u&`aTBACrj699X!YTk%MMDx2;iyS>PboY6!X zlSh0XMfOlpP=;X{MB))7pe<_9ySyid_Bk8`e6s!{w(Q!2Za4;6hD(g*4w1v14Bj^qB`Nkzg z^azUUHl}VEH{DDEfh*RnGv;(tk}Ae%EEF^7&3-k2X+uMb^2BGV}E!*OExaXM8d0T z96xG2evco+H28GmCw#NJiMZ(;MUW(!6Gx51tEw#7_zB@yjQ&0PGoZ&HKHvB$Lf9PM z_XreOVNY8Vo0~Rr=Zss}zJD7{t<6*ymoldRk*KmpTeOwWHhey>Gm`Z(UVOWPeqAvP^u_%po!>KFl z#kT!h`NfQz+1av#wrC4c-Qv(bBWS4TLs$>9XyttBN_#P^u93}qHnL{>I)?XZq^6{n zFE@WqTeOvlBgbM{7K_(?n3zn2$!*NYS6J3s zLKpc5gUcNz`6b_+z1zd=HHm!4U7Wyw*CG3sD^8st1W7@7OR$Bu<=?@S*O9X0YC}uA z?uo~(h-1m+U48oZoG0gTg6r8nMpm$j?;>bK5>H+nbU0G!j#Iasr(|Z@D4jQG1PSXn zU(kqjdWG{WAI)xySGJH!3l)N1b$dfmLCV+`LU>F=Z#WR%OUANz3c#fZH<-l77S80` z@@>oceA$<5n6RFab)ztCld%Ji;ej)M&m#*TCLD?I{1yMCzN{X@Hh5?CB3}ONB>=*) zb`GsSjQKx%7hBkz_1I}Fx0d5ioUJj8I5owUOdLL$cUCWAL(_UL9eV|1`i$Ylk6z=L z!ACIt^5>{6t;4ho{3@*YD(*{Y?Jp^zsuA|Pvf4`@8SB1H)2`_F(bwe zf4_Ws^aViPeE1Wv;|RtqC#xDP<~sqSB3Sq9xah(_e%`(IK`dHzZ-@}$3m==FN8ohb#@-u!4Z9rVsMWkEZe$* zlZH;<>s@Oo3>2eCGO>7+fj#>1%w^B=y}m~hGn~6^9$WMX_q=`wvaIl{Gk?d`CtQzV z#o61o7a;_uZ4%ZEM$`@CA6Na8!8Jnx_;}sFIQNfJ(Tx}Yv3P`&hEL%BX@B63mwwKc zJ)8LZ)ic=9yq#z~Oy8;j>}%W0!CAlIq4OW(?Uf5ywq*s6U-}f| zhKwhyhuPo0mnpv;&$^u(@N1fj5tg49|85e(M$;q;eWiHGJZoXZV?82zdu3br!2gQg zCJ1!Lnf5VEgOAsL#Png;Ln77K@?f#_p^V? z=bM)B!nLpQ+L9Sed*p2HIqP?PfA~ahec`9P`pHYYdD8;kS+#&u?w^1vgGA=#%Xtm# z|AgKOn^3TTptqpSr)n7iVkFCMXpQXi$BkIx_LYN_?ZG-vbbnPQtQ(9Sa5zJ2hVkga zKXPcp;Y?_pM15HutG90AqGK-QniFo|vrV6JXv5(=GXMAd>h*j1>!p9=ltWG@W<+U? zwsOt0m(v<;p{BH!M=yMeK|KcpaNc8Qv3A!Q9zOriy!+Kc*6v)x72~hrk+~0Y{oiil z`bigZ?+<^+12gZVH5}o^pS(i9ssTun#5=1NaQR;@Vt30<=c4qqD*QKPD+Cl5loRj< zx0e<6$T&kI3#DGNW5pugf^a(@)g5~NSDdHru1>kYc3P(_=cya8|9$5v9k&gh0@`#1 z+2`5x@1V+iMoN|C-YxCIgDGt13{rY-(piwZaH5i2$~yA|4udS&Iro&lzfnqjl4T~B za+A(awnLIU_tcpa<=kcEggv*c?6Xtp=blI{&nC}2Wt@A$30dxb?upd7rzD-pvP1>~ zXZ1;vU7V=&Gf!zW3%d)NldmVb6?SQ-{{KNRr=z-uv5|a%ZnxI`ytX zsV2`ZOg(HG_grunlZH*^?KKOTvvdyLM5tHGwz%Nv3+P+fkNaldOXc-t-2KMgsmpJR z10~!#`3`)VkE{QFIdhiJ$FF)*1saxM+~D!_DC)^epFGc-U%U#y_lHeH02dv5F%1=c z_|@xoQh8M=zk2;nt{8t6y({`~=gYTIb!8d%y!s2yKk7&PWYW)hWZpycy1FMDcdzH} zGk?PklWyR!zTe}2K6r*6SCnwsUoPad!_H((za#nE+fUHr@)E9l=IT@s1=;IG=6!grf(Iqp{auZaw1{j2$|jvmThl_ih3-yvyM80N8WsbdtSU1fcsv)gQ*Wq#iObzJ~=EGXsSj@u-x=%zRl_K zvQ4=%9@i^d+V_#Mgq%mV8OcSq9kZwT2kcy9OrS_IZP8Zdu6T=}H^}$;9?9V9fefx5 z!r~2!v27b$2t2Bn2c|y2_xc{mRnJ~Z-3>kYaQz4TY~szFFy#9jJ8&FVpKv|zt$Bw& z*Y{%j`+vowdN3`MkT<}?=l_AeRsA{g&QYBD(Dyl_|Iu7_;$@h2>RK)5j0}!*XCwk( zMB@=oxqlK*%zuQkf^sH~oI;P{Vjei}PiTt93HKbq)Q3;OwryhZ2tp)x>Ihd}epg8d zK`2l}QLuDhK=EaqeUoH*w;OGmu19kZ_#dp^CZBa7+brTT``*N>x?yl=@532UcL;BO z`5G^M`cHIIXTtEwXkIWa1Jg24WrZ7_yNauyy$n@RnR@s%f_{zlyVh~^y@ye9c?nOx z{TSaLHi2V?9GP;4ceU)|FN^*Jz{vX1)K!%-cJOh`{_;&~OY1mlz_C2@?vwQVaS7Kx zb0tP%B`an`nR3Wv#tj+IE1$eb%@rkF_~_Y0^#~qW?pT2mSrz&Z$yW%_G!G>O6}r#s z+nAAQQKiRYl`Y}@o$76lTwP$kz20UMocZ0fOjJeX`V)V`pD%ojhVni<`OcsDV$%}t zKJy+<7sf4mHoJM+?CAw@(lonR1alX?I1?>I)r)4-(vB)kC0`Vm>y$z z-Ebbe=t(y0UPt}aHT-GrL)A2!+)U5}DsqjXoc*}v0e>#F-X#JS?I zZ5vHiICa!%7?#1`KYW_ES1+VEP{J_-#)08XU;+&6F^K0roX&!kbGhx*+c@Qr(|Ksl zZ|QY?52pUf7;dPDsB^}9Ij;Yk3TbL4sWQ;~Ef-uUblgb*Ck`%ubD{7e`z znXn#a{<63D)5VX`v$%%Qw+!OkM^5Lsp(k?jahEz5{U+*=l5IEm@Li_TqAG&k;8wp> z7*2mKWT~#uk1FCVIQwza?8ojn2rlQIa$vfXx^q4#RX``JPZ;Q+Y+{Al5t8?jzU_Hgk(w&@Q@KWLgYG7 zN#`kh`<|Q?G$QGUqzAMhK}XUNNv%S4a^fuIh;$J&!cGesVWnM~n{=L%4pb(Rbbd&w zfDbuABcw#o2)P?UBSiOUhJ@3X;FFasS4aq?9%Vj?g4$L|>YobPxw&b5c}x#iwMAMx z8na7>-t|FN=SR}W{Qi)WxMT92gyUiEc4Y=TytDcp;-=0mlWynbt6oO} z4n&#}2&RlYg~=mMX6Dj2c7@^3t`hW7;OKe)~oI3h+=HK={!|O*;SJsOy zdp5KCz)mhW_7djYx`-adJ$dbumuQW)aM}2)n0?DaN`fWqX>CGPR90_a#p1Oq*wVBK zfDcx`!|E+t*s*^*0E23V@xA^>W7!t>oO3__bNwp-46YqU&=&&W?G+1HyJ-twZCe3A zS*U_|+#swweRVk2PHQ9;YoJ5ii9OquCDn1ClDQ%kiM7}2R>U7m8rx}dOP6c64k?o` zoYP=(4)H>Vft`j^k|eyEmw7AR;+y?jIA!DyIQy`3&<&kMtLEa79@(a>0i}{##(3P^T|u6^M~^v z2ViJzBdV-*)F;Kbj_r{jtbUiTHf&&3g7+bB0fTD?QBzvWlJ$%EVAW#2+_;3*+gIYz zyqSFX52pXGy*H1Og{12}v9R2}uanLP!XKk&SGFkZoWw ztOdeC(hq|%-nG{s4ll;P&yQvC!ma=r%q<%bM(9A21+wmAq|wauO!rLRRb6*g9udDk z@~F(L%&O{{o}*{#`}xdtRYv5?sCfAz;>COMp22`rB7^?)P&O^aJUiREu8x=00(3)f zxCn*u*3H)--txoet!I7CIT#17d)4oPQi@zTi$o-jmEtlk-2OW396cSHra}}XJU#m) z?%VYsb{%>i0Fa9HfD!|R${POe_x=Ho|JTQH^?BC<0D5D6&gOwE$hhzM`;aYX@w(}Y z@z(RMMJk%cU61_$zj*o=DAtPj!^=K^yFT8KQ2-FAfM4(aH5T&=c*m=M2S2_2m)JTm zg~i-51ZrD-0^akZ1P%sCR4~vxsz#$Jk0MpmDqCtsMX9N^mU8PNc2wjx_@DW~;07q6 zxZ$Ed#QQG&Af7+;EdHN=z7;Vgj@O@l85n2y)U|(wZ+-B)pj5!=BWK{j7w$t{tKqVp zZ^T8XT?$E*@a;#wg=~2h0H8As7f!zxiAWOTeUtdft@q#$F1`@}kccGk_`XLmk{QFr zXIutKC|)@9JWd}w3$H)(G8C%?JihNyD}aL?DA?6z|9gHEVHiL0|1Ku`z_ zZf-(-_5Ls855DkTJiPlsy!quthxDXfAUZG z>+3%cz?=gFxPKdh-|?de#({y%2olkrxvglp;{pKZWKt4Tz^J1m<-oVp^Rs1LffG6o z8e!E9Q;a+f@YM@?AK|SV7&L-6*E9R4O&@JQ;D~jBGmuCRn4HY(x^&o~&w&uvzNbrX z8OWE`hSo|<1EoNa?^vh#p2FPrfW`=DgEP_yNa3ky@z%2y8}hsm_dmbe9$@CZ3L0pM z+3*&wdrqxjH$l=^wRPmWw~jX3FqoMut6}}~Dp%m7KP{j)K|Pvwt)AbWD=o+CY7G?h z@LdV4exuamIGmsTCXHr#D@$xNaZ5LdHk6m>;&fc;U zkL~*n0N{z4$ME2;2f?935+r=*;cw#SPyQ5FzT#@!`nFHvyC3~AF8stfxaboX;+j`p zjoYvN6u$G(AK>41kO0~&^v1}iv+B1e!(57aZs9-ksr*s)q#cFvF!KQsNj_475L z&bo2}xdu{2j9|~wOSt>#pW@xGyAkJ1yaErra4%k5coC8yfe?baR!2>*ArVPJ5+pza z`VxHrfce}UGI8^BGLi&TGuVXvoSIsN!F1Hr8t!`Rhgd1B0EA=D!alry=j%g$BX{}` z0vd`wW2n`u=FV~?3C;mZC}K+7WsN%e;M`QCdJ=uv^ZF;8o$V*q*3yMaeq^nb1+m7H z=J4v{wcyrxz$m>R;@KX50a zQWRhK$>;IrbFRQh&!`pI%Y0BoieUHLEPnjx_i+71@4;}-2o9{w;GSph#{T66yy-I+ z;Y~05E!=kPr|_MR{t&m`aT9byM^uX9u|1FCKmFy!xZ>Qm;Fh<20{{5IZ($*O2=_dF zKN69ax#%|>oSSDYdK3Mn{`j!RZL?AVLe*6$qKtc=xewKP4cETvo%rK7{AcW5cmWUXx*s38 z>NZ?`{a<)wfmQ6fCwN_5#@Rb z0u_;tq`_-|7zHAtVr{Azkf;cOQgfbU+_5G}f`pa)8ov3fuj7mF{h#>o6*r?V(T}_S zus`FP=RklZP{#E z&>F3s+g?DO@Wymd&!Z5vs}oYMWjA*kG=j7#chfiq3R5T;h|&WhCRRsZ_0$~j&cmh@ zXpt(Z^}%Y5^ykW4Z#w1fv9{P2rvSG-+jY;cT@tvgPk_e_&Z9(G3QNQCM7+e^ZQ`!* z-`qQ}*luuc5>B{sml9>`M@_DKP62Vb?h()Py!Fs<+iT;x=XN!;>DcY`x7k)+bb~;* z?y;>;0TL_5MVgGDCK8{|wvLHHITx#`Rd4Hpb_$$p)(2M|VqKO6bN4@?Byh*CzJ(t> z{(bz`*>A=N-}FHz?+7IVZhF&)aPIiIc>KU)$d*?ji84egfDnSm5Bvu{{ew?nEVBil zzy9x$iX@>K1{mkyjNt7TT!(?wAijF4T|K6w{(Lq|HA#;!xpVky6frTii;*?Bpx zI{$5W>cDe2n4JX&@V?9c1aExV<#>AkGdPr+gCr`TRDeiDD3Tc|&{muz(Tpx+D?zKp z75wz^yC91)I5?i#|17{c_Ac&1sb)sllttO(lVH*i1qtAA%CC9#J8{LUE``Aia2I22 zpY5m;Uq~Xd=HeDLm^QIiTCo;nzC~6i6SiAyc;{{+-tQc;AX|OG@sp?Sf-FktOZ4F< zPu+#8T0u;XBN<8HVD=z>^2A-}iS^*m-f}zs_^KQ5p*MX5%f)5<^4WXv*uLLDXF9Hb z?Yr^5x7~o--}*@afFdc_ySNYcKKF0vP4uEtui)wZ&m$^DvFqS7&U+^i!3kI*QW1i6 z=1#HtUafCFvB{L4dREW$`)a*-21@t8bFqYYZY&na4OS_SbrT_o}r4WcETb5k>pZmWG z0^scNm*bbu{u>S~FW`M|yb+h5{U$tl;8`5Z%|R9v2tby;dxoIM@ws#=T5uH!s!^ZJl~(}9y>D8ee7V0g*Ewvt^%rpO9=0MX zh{`cgQ2fo0{{}D4zkrWjc^fX8z69U<&3BvtGfy9Q7K}6OUztHZui{@G{}D3rUYt95 z9v*!0KI~s!ge;nKMqEkYp!JG|$O@4~0v@kyLHdKNh6h)PiqVs3Iqr6^=k0R@FX z1t_8dMI^ZIxnCex&f=moECKYsiNxc+tT#(4h(F4%ej-uSXB z0M0SHx*xZG>!Y~ztjqEF-~S>Q=a^aAi`(wJ89#sO9uN@x<#m6HJOA{1;GE-@Z~Q4V zUBjPUeLDyt$dz;WqyP7M^e6lA>EHQp0Dx>Mi}(KhbvUrH9|u=waVR?rN=(Hz$(Q#M3JH|ISh%) zGwve2mhZ2r)!|%m1%iDZB#;NzmjFH;Id2<(2+RZavMAvE$qR5WH;3;$awm4p?Smi! z<$4akc;;?w8`^<0Ms{NN;)|GFJpckT1;Si*7TMwocF(_nzxw_s@!{XP8Grq|pT+YB zpT%5u7NuGl5|uEQokgyc1r>nD_C1P!-~A9SI^z<2|JUD!S_dLx3?IMd&p`-5wzP`( ze(85Gv%C*;*;yP|nE@dbAGzul5JFL`6>#&{K8SyR;St0XA%qD>51a#iJ;R7c6SLDK z>EtU};XKN8eOtD;j6m;*V-^w5qe@hxbc$r;oTSAh_&(>Zus)MK&crtVArANkc_18-ADcjOgDp8%w=b>Tv)>X z9(ewj*giCk2cN$W&(1!DNB8_1TL-4_ z;Pdxd$>d4!?>k1|;1ERteaS({f->VNW9nc{t&ZeNtBrG9-kZH2+R5#@ELvW=ZoX=U zf$5=XjP{J-@tH^QlPB-O-lap}9QgJl-^9hIUxHU}zYx0@UNqKZ5^kVOH1|I;r* zq!K=G`G@eO8@`N}7GA{NPyQ=rR`x*=WH82{>pJ!>y@W&AIn=Zo_OH%hE_(oqDC5QX zz4+J1euPWUdL!<6`e)cPzZU`sKKzyU;q&kP2i*4dPeY&rUO4zX?!5o&!B)Iu1T$Y_ z20ih<9Hm}Gs;(`iA_Uu5b;Z1JqFJAs8n7Pg6Y&!KKZ~oAV^?J9|)zpkCYr~ z%3uxP{sRxb=U*N#eD!a?v$P5d=2|^B_k`*9NP=DW&`_f6#seYwlh9BmJj8uy6~T@Y zI4elI*jAtd9@l*4$tm!*nfqzDH1Ce`JpnDktT#v90{T8 zJa^&Fraps1kG17pWNx!8GMF zXoiM}6hTCcfN>6k>89HnH!T1JX7Gtpt%R5og+wJV&QRCt&d!x2NS0-WgAi)^Su?Ya zts^tWAPEv=(Hy+Fz1zlgl&V$4BT;8Z&0so8wJKy$gsSOC$KtU0S5vEysAyV*0C3Jw zs8kS>B}kU#f^&vKwTg%=SU%qzx}ia!rp3cx1`K9E6dHX|S5#ItlTU8l zyRh4Iq4MyS2k_eb-ZDB{$UUtVVj>kmDTStMFgSxuC2(-4S{5~m3jqHIcgcOHPkc}BBh8bF@QG$8%UxIfe7Y#BC9$TihBr)}bBA4a-+`xp``#Dt{>~TvtRz zL<*78W4`vTsXE^IrWj7&Ki&Rn-tz6lV-pwHi1#omlNLwXW5`Idf#&4v&Al!I%L_Qt7j3E_G03cx8fUfJ#T&Wo<2uw?|J^xEo0t1JkYhav1 zpcIlIneziPAP|bGszDYgB61XfNylJDvnB5sqOR&VedmSMtMarL1|j$vsiG z+YPhpxgG-mb=^!k+Re@Y03ZNKL_t)JN+|^;6cUwC*XpQS2d6nV6F3q8s@6EG8I>Yn zjG>}cKnO9F2}4KOGJ*=WGXgVtr4UrBAX#tEA>WuHA6$)S}>TCecg2RpaLXO1mny( zzzbq7=ym%ZLQQ4EM?(@sD;Z_uIezq~N05p4A9P7sIJ~^ICs+R@ z+-euwQkqjswRMfm|@Lf{(i;`RCLwqdl8B#!Qc$lnt4`&5aJ}rr7#!W zmAc6pph>#o=Iz_7n<7TCV$RqADM&P+?0wdkQRm1tE{t>m}Nku_81RfmU!S~6wbSE-jF zPyw8CR15=AQO4K*4@riHVf^xNrgd&+T&T39`B9d1|ZGPKOB-54nSSwLx zelVavIgH*|pEsvpRh`I|vhixY0zz8LZL?C04VBx#1-XTqS~WLusQ>~3k(zQ@tydsY z0kR;OW1ThLn&US>Kv7f8aaf=fW=tl-^A1EM37W1tQQ|0}mJ29HU9C075+az%xb1cv zFF#EeILtGv{i$Is<&)d8R-4R~%#;m{&i2Ze{kbJ?Llvf`4_2SIs%w^;^N=Y!A{AZl z1Zl_*%nb^AZsOcjs71=nF`2_Ug&?3>uK?f>sR$14(4d5(qE$dGUQ-b0x(?0eKQU!J zBH8nvHI|3Wea8~^*|)yb;MxVLanBJ6g9+OsyiCDr;Ka8vvymaoJ%qc~r;P&#L zfk4DPM@lVdbwG5EsinNmoYQsyT3epD8Th~nN5awU24~l`Mo16g0EAhd8djW!k{6cm z2|#nGau1HKww)=jk6|}>nxP`jzh2)HK1)eZhg=C;d zK_nv10b3mnAy+62ma4_k)xxs1*ly;}dfh|>2#v0>>WV~wW>86?3sh;pMIKY&VbnGJG7s7(+Z7LsUv?k|=pxgmg`t z%9WPm)mj-8$5(D!(H4m4v6K)Hmn_1|3*S84co$6iZke{}i5C4vo6W!eu}}!$_wfW{ zKyPXQiCE8)6iF?+%j&i2_LbryIAb8R`90jQfFS5VZkw#j#O!l74SRm1BAhXS`eZv` zOonG3H>pc5K2djFz_aP%#_?91+~Ayp3P68q2oWVQO9-iX$|3KNPy{!s;GjoIc{(~) zr_Pn9lSy&%f^Y^z`%%_}vPy;d_II>Kz^F7MGe)*AODVKH08oow@Ci zmI_oSZg3pLqd+yaE6Dm}FYRp_Ry@YQHWOEygPQ7AohQHJKH$Y#aNp`{V)~-B!qVB_5{-;0oPj6 zJwd^^m9He)QxXBs&NijORJop4O4WjMP~XPkpP}GQb=JKQ3#ikUx9fOc{2RSNZEgp1 zVL)*Ivk&5Dk3VQ$BS10=B&_I>M;nX-13e>%O0k24MsltqLD#j@mJ9QydyV6&X0`oj zF2;@qZ#$vuEZ!-=IKKJ7x1s7lLPn%4EYJh{r20^HDfPtStg*_h3!a#MmRK@2*9g6`4JE_ zB20O5D|~Kr8Z^SB6JmYx_qQ*=2jd_D#Yjd$LX!8pZ&hpRu*%d_v6=^^)aOpH9>vM^ z6ZIw=%-vuNNXF6_Opg@gNWyE8(%5)eFG1BbBxGL@krPcRZu$HWy6%a; z>DrO=mIH_>B4SGWW*rSM4h&{Sk%{%q?~KKq1zA3iq@f#QS<6LeLpD6DkH<}JTeLZd zx5-F=wQ>`IF(4JsU?4r3Pm11rC5EAom$V{OO@}PYt>w0*QhI{OZ3~(w<(O>CZ9H>m zI+=8$sJ^sNN~x+gwpLyRI+5Frl*E32IU$%3SrHmn z0mv-~9ijCpu>U%>K9S}s?do>IuT85wxxg7{Y!HSJnJ>xX0ihSyhbBd;RL9h6$w-u{ z+-O*LV4K|=Rv1qXBR7JSk&vJfoClY=EjgSwGJZAbKDH!>9@cWbN!>{p=dHaEHLx$|#%?r&kia?`Nf5_v$B3c?}E48y%L6j_*YmzL}K9l6pHm|=i& z0%tYVY7p&oFb}*pVBmE#02DyXQ|}--h&4Ti&)A6GE*{ zt=_dTnrOk>lZ3C}9HJm%AU%qN9G`I)%|85aMvT;k&CuroVeJ95Tp@Y-X#EzY)^+US z&g*W7tKnt?=OBp@Fe!fUth3Gv$k@3)G$~SshN;z(9xK!g10pD>OJWSyV%||mi0K>C z)X8BH_kbqXy)Y#rENDddxu*s(d!h+*HSE;-)cUMexZ-2@pX=@qI~@FalqdTJV)sX5 z3xS|vk<&T)QgI}s(yAhf3+}rOu5Vk)FMt`kYQ*Nw|rYufoYPs9PWe=8F-EonZ^@ zpoN%S(DwQ5X@&;HIEi@6I739H=!s+yl@wowb+R>AT1plwYvy77BRPQX$2#RU(1P7c zZv8Y}Z6?0&o)0GxZviXNM0x~@sLZ;Rk?&`R6wOL)S4cI&BFV6B;yv+7tXP23ns^O5SqxCi@VN zB(o7I;aNu^#z(19A7s@fz;mv~l}igT= zT;8-J79_+S(j)=bPR>PG173XROb^-J^hwLZ13ZCPHk7i9jM1HN=JQ8ymm zvizvHWIESQZoUF$FoIM(g;bgY;-p)=mP6_ut3g*?1PdDoTt$iNswI+;N#(pQt2=yA0cC269fmLes~ zjlS)M$9j0X-nllAMjM*0I;SFU4F(Kk#*ma!^Aw<Duw&Q-k;O>Iwj%wX(s1&aG1c zbzAmvfSut;m8X+Yaq@w121I&LW)W~hoY@GP%@!%0PUOl=L{(>q_(N>3)A|%1G{S3z z;b@WXDM*2GtV%A$gLe=#A_zX~Q>SgVpKG^0jHZ`H3nk3sy4QH9N2juWCvjN=&3_He zkTHz)$B>Cjhe#yq9HLw0JgG8u%Sv$(%;11v(e{|`y%TRs1|hDjTZl<=$Lrr4dA=O+U5W>2&k9={<4Lu$7&l zi8_$i!IN;Ha(s&LmT@2v>%nl(XjvkB#$BeX^{FZ=(@L#^n3ZECRBpp~>naPCTOa?u z{5TA`_0u{<<<<_}J<>AM%5f;KgWng@#7E!rPhuDh80p=DbUZVkPAi@$ zs-R>`Dhh$uatKX@d9BV{?!Gvg|v#d=|4CBNX~2M_N{c&|6UuTyUQ<%c7; zO*BqDxdrEtBpHM0QKX{19=WY)m2KJbGBjNSx^lbez!;E7ayom5~;1dqA_m z188!CvqOFdDNlixC%ce1wL;wA5bm}Y(DuWPxaSG55$d)VPQ$#HyUv$2EK5y&V&#`= zD3vrk5wK041G0$zq==X(d0Y()1CwjTT&h@Ev#b^kKCEjI7Ep(HzIQNDx1rh5M16{Z zF^1mM0OC@r8k6Flya&|4ww1ynbVKv_yXz8HBK2(l22k~^%!?(XudeYe^SQd_WVAFh@itp=7&k3Kb~HR2 zW~yrfN{JK9z+eOhBc}Dou4nzDj5MErA~3BplmLW)b2DdD)AOukkc1NFvj?uW``hep zuia+9;>S6l8w9#_kDW8BRiwcn8lJY>u8~$6QR`ThnGKJd)+cHZ^E)G^^@+Auq5yyc zk(h+OC^aOXs{!F;vZ5B^`Eu6G&%#|Qs_Xuy9ps<^*uR6teFf`Xj9Irj?eRS0RG+X- z7z`Nh-GZc&T9g?)i60qfJC=(J&~+`CuRwd=`pXf(+jfhwu=fSN3ENNe6y_}l2PME* z-y~!r%@9JI1lsv}J)`OBmigSA$BKN|a_fS3F&4mwAii`gw=KqkQw#F$Vi27{RkvQ#Xy*dxZ> zQG_G|#?*3g9)vBmCGHz3G~2X2lGBfaBLi-f^VkeG8*exX)TBI@hO`3-e$GK)Q0fxxmdW&f(s1M3mS*xO%5l zs|;$aHn^Oh2c<&iavM;7Oal3Y(K$uI7!Zpj(U%&ki;^_sF5A2JKN5;SCP`%xW~a5X z1|3D~Qz!iDDo)Md04EeAJ_JsLy`TBaXEx-`_b5^ooo-tx=t527jWG1BBiJ>RD65eG znnQov-cTqwI*#5% z?{X?d95<5vYqha_DVxccSK&C~`uNr^Ac%*zVL!2!aFSA!scJL293U?>woQkGVeTyoq<)__!9El(_D=ggM52UA}Y zz0Gxf301%X8WDC#Ic!qz4(2VvIfpC)1IZD@q{KnEdQ1Q&*UHP8TyYhG?f$jV0YMrK z322;aqUHg0TP@nV0OJNyu^uGk9zzk7gYGg8WBXEZ9$Huskw!%ijyNZfkC)v8=!XZ! z85Efy6CXgtx7aT0#UHJoQo zgn%Gn?@Je65MZEZ1PLXz%DC4Zmy*~Hs^(*;uK}>b+6ONSLy5!7mX-}^TgRr;Rh~Kn z1LR&*SQMNH2in)~3?4;_aAA5rTLJ#j~Y3JV%x{s~c@ zxU~nzThMSGM;ecHfmuNuSO?apRym{G&tF&2hz+njg@F)E4kRH;(o5;|MA^Pv&!e}l zYZC`oXRXOIV8XUZtYtqI>EY&NCY;gqw z5jK{$UDvLo4#NP3Gh>KK@thQmdKP2^m|iR_qOR2;2~tZ1rYpB69vEXtMw7_I`WYvJ zCuIR8!emJ;$8ue{-IOpGFx0yRF*&hJJ@=`5@vZsP5Y>P{Eiu#%vXrd!aQP=8pqJS_1NQ|JQ(L9evn*xa( zE?kP#w<+hZoLtP;85p=_#UZY9Pd??vZkf}<0M7a?PjCfoXsTygY}#3$oacwQ?uEJB zF}Hi7W627pVgB`&H7QR{yPK^~<|%!*^@$t}>yx*A=AX&I1Y(MC0Dxu}F-_}L_1f^# z+M!Svp$$1h;oik=y4D@k4;PG^KHCF{A%k-6*+t<@AFrb#@`($B0mD6`=!x~LDqguIj2n}tMT$ca0+vNM4BmE? z<6{Q`j1Np9Dn@3f3GoCY;NX){S_9V#fZ)pO7e)xpY-v@uYkfM}FhJr%fRtLHlrFTd z-x(Z5s=_ZH$(3{c%SF{NL!Y}WM~?pCyF1kS6p%BjX~)G@o`_E|vC(13av<1p#KWGu zPU{mheA3Wq&)}I}T5+|&Esl*40)%@UU zVX3MAkBRlE%hw|Y<3KW+#zva{U zV++D`ki;0clv#TCp@-(LyY9LTq3bA8rIN8VTT;`@Mb!WyrqW{gIOqgP@N?ENOL<-Y z09Vc=8@5+lkk(?uZG9rV$@LDg!Yw%2x;y8(xH=exxLb<%WCcQ8L1-~jql!$?L` zIY|zxQJKB&y6af`n>vG| zND;=ilT3gO|E;s`|Qu_a@(_S za4b)*cJKgKM(S3aj;#^}0E}Ze6GL1;S>UqAWJwIRZMC=vRZ}5Q+E6&%2%5N$an7a$HqXotpqOyRY)CdT?R%D_Y zW93?*XEnbFk&w=K%i&#&b$NRnVRq`|;5I0dydP+swU}G2^r)&jKA&Bu+;(|;LVz)b zs3Kw@IRe7Tes>ws`Id6EkjfR7t>8brSw`J|o$J9$l%p8)fVy4YZa55sW3XogQ6XB9 z2=yesuh;Xv5za<=c^+tNU3RTcn+6OJ<4~o3P$KSaU%zuS6e&(8RYQ`BYxN35+E5gl z`08?PbK2J~-&0uN2p7U!_riikv{jxupwaYPV*MB7w#U(&|B4))pb>`ygJDa50{zLz zs!ZWIv`#^$m-2^DQyG#GvGc*)uQ++`=?><{0^I80?ZeZE$+4MC21UEfsMRw}*C*$e z_jz}sTPaTP*6F(c96vD5kyH{GO^-t+-XJ2BlLP5-LnEK^ImED-Z>t^SRbl zr|WKe{GeNDM*8Ces}MxbI!X}aKAF$~R+Wl&b;U0E8gzAi(+*7Bm7lOzV?PCd_ga_S|&@jRa@*zYv4hp!lY={uh$K9_p9bUG)@rMAv6}D7?IwgRw*#pW2%LKs zWaWB!+d}>zbe%yKEcY+B+`3)h0Z)0T+ijP(#|#Do2788)NeyK6GM`1#wd9qA?TS_q zpcc&&D}g-eTAxl>a0ZAm)TIFsfxfVjq-{k?Qgux3UoHUD&0SYQSsR8CpgaK}fhX_K zY)r`uc?tptKq$w{8WxE4RlDj064YA@s!i@-mIMtrn7MsFQOm2P}EC7u5ku z@p>$aUEUrOaLz#~Fw!%QxRP2N?j;p>xk$wwLUkF0soNnCXT`0sHMZn)#lHWeEy0UKz~HUFBGgTD*m!5%>Hw?1zT9 z?%83>%?rmi;@**fb3hR>-W!9+sV7@Am9eE*vX#`cS>f%viJZ7#9N0QEji?xzWdh0D z*YkO#bXDJRU}>*q5C?)5SY6(pxG)T0sAm*$DPH25*VS6&!t`SPAS(4rS8g{UI0vQ% zrxBsbfi!K%ZLx@yp{rB-7k4)Y5b^WYKi4*0>*830afXOYG1fByfs;M{at>))tjz;P z6(Ax4*O5&(ZG!dVDFY6YngS7&nP_@&Z6hg*08rz#jHY37W~HKmlZNG{$%W3=Ejn@A zJIs7f+(Dy4J<d~cY$RO~03<4n7i!hmTCrXO7=b4!AaMna2zog>blq!bee&$O9%;}B zr>!B@C*#Bo8gV$_9C2C1_Q4bgB_5w`o$<-l@*--gj))|7qdRRfXoi`uWH>!qpa$Fv zvS_7V8eUwR2WLKy+%9i71sDT%jP67_nwll9#E)Fi#tW5PI#*mVQ9L(iD2Z7Bx>F`#yr|~mYvrsN(=BYS z^?mH(!~kPJOpal4URjqM|AbvOD(y(e(P%uDPdCtpbLjdk?g7bPuwg zz~CIv>cBv12uUTqoJ?Z1QO3t|<<XlHjp4%2eF3 zkUxlpwS%bE0A19AdD`Xk2?@>tO*8X@#iiH*T-KPh>qS1XT3YGbv(S~>%?QQ-5MVGl zf|x9L@(c-_OwX^)VsY&tDm6e8eZ1|?wI?*{8Za@CKw8PDQHdXLuMJb2Ptba58x~;HS{tWq-}9IiA#3A4zg$`k>lL~U=x6I27`0Fa@)nw41EtEIc4R1eOxz;fyv%&xb!Rn z$>uG$XY4LcWEjjqI^KgmWdN$K%|y^}6{**aX-SrF!PIM^8yYC-@^&+Ub5n0Rck(r; z>)K0j@m6QX7S37kw!UeIXDg6|E^jvz3`0jI*^9K)2hCvnqY#|3nyQ{Ai4tBpbrB3h z2c-hKbM5AVsvCIKX%~V(SX60kHIArLCe+mlN|3I_rhs7uoJcJwb#bDBa2<&DqsWqs z5@QA~x!nke0FW(fr(L>p9IxBn7uiti8-oqYK75quoe+pbV{|o_pFOme6cV&IkH{;o9q4; zBZQ*M+sy_7NfK$HTqx&C`F*KWuTxT}6i>VGv^U^_@rzE%HO9#gf=Dz%vui7}i~Gyj z%oz{#(h_AHx~#bS%g+8lu=)q0fsh|`u`8_GD;Mn?nO=j0000< KMNUMnLSTaMT%>XU literal 218369 zcmY(qcR1Vc|2 zSI7*hDS<1;mDjd_Co;dMdOBAshj=!DH`iRW4YjXase#d6I8p%bX}tBV{jOYLXa4sf zbAgWn|AJKb=)Si3Tl<|Him;p56Xd4xp2y=-)A!93`r*_90$uvlGIEX0&5wP8g7AwB zWIDGRLrb|IJhwG?ymo;Kc3#h!2~y;y_SoBl;vu=JS*bG_!Ej{)*jPkvjDG<_KoMYk z63~;2v%`hUQ*sEA7!-x&?Dit9gZMCwTW=%qWkb%_ki<)>3nNL=`8HN_{#-^QC1q~0 zeV<=*o=`(Xp`e!scuh#u0+d7#A?!|B_EZ6X&5W_S%pvn9omHXWYGD`Ns}bZ>myb7a z-h_iqGq?*1oAvF+4J)DSxi{`%s{?nYl7ipT1%QLJU$o5hYW`bEd>1GGL3_e|5 z600DhHq{XU&bJXO=U$hW8$Eybu21Z14m!Nxk9+i3B63D{MXzwUTg~r z8hS|>gXiMZz~?{5&?%Xj=R+y)@Rp>@IVltwioMNmap58h>H+CgminU(C+=f{WOR;^ zy}RYxL7D0o6pNDupvC4;|s=VF1IEGb%Hy=2s>nG3&9wv8KY_peOU)WRzf>Rnl1!4CW&76 zl5D)O2aNkW$|1zncg<6+P0wsLj1)UbQmxJF@m1jc(3nFrA| z3?F`Q96mgB99}uhj}-Xru#xn~vvKGBn~OkhTO@%s%x{lY34feH6CWS{qp#mHOTi2C47P zKOO+rtL#dKV1>72f_ndbnA0ppm%wP1;D2u zE;!@G%azuw-e`XD36dk|VCCW|j%8yIZbzuYwcd^06I<7?$q8g{ITZVw?vhPVx-=rD z)h(>ImJnYzEl|1t@VDR7XvY-KE}YdySiS3Qui1kwMH5uQAcPctW00!7;eTFeNk~BD ztV=^xJ602N)emXE{4w+!;ni-?8i}-vE(lN*s(x#nPH+!UQQyb`W(UJddI!m=C*Z~* z?wB;3DoP!UyibZDxMB8$ePJypDFi!B67@Fe#`Mu{;D9=)b1FSl65{s?z1dVuvT;Ru z(oRVZgzWaDqCC}G8ElYqWG&r631~`t!q|4}1e6M2bJDz`kss2=1oSlV2!wTeSa7T$ zB%N)!L@4L`aFicp|CKK&2!onN3k{K#5i43}iI#4fI>Bf=yfyBO#}73{yHsn#-}zm1 zYH2Hoosm~5NNb(1pzrADWbJI9V0gMR#QF9F!*jYh7ysKl=5^$z!Yk=qu1mXQ-@}lLQnB>{In(%dG7O}c9aCc{y6~Y;#?x2LVl{oP(MaPX`zrN2 zRUu-s(IX`FCi-UkOXv77**;1{e|p`suyiS4g5z5Y5?>9gUq8;Eu0w^d4vYnFB|uic6$H;mj5{`&Qn|972bVd}@f z=$5)vjG}M(s{6#4a>ffP*hYwPeN{B5)JaIRQq8K=$&NjhE7_t%;5UcCt=ByYC@_%! zrtxPF@>g8G@>wR~rXRb$aZPZoxE*$JYBiev?5TrO((ow@o7Be}w>iK9zqx%&uAblj zXh|0BowN@MAiJ=%5BH7ZuUWo&DyR{M|9hD5LqEegdo+%Hx#@`K^K)N@_YxYkb>7IS zoHK?b@WGYg1OBOE$eXj;CUSO$RRiKnQZc({cI+r z()fl(UemK%zj2a_SwmpE0NF$wHoxoE8^k_EEm9oS?=wU83gp zRYN+&b%adjtgDFYrFBpYUjiE(Nv)32!ngY0sz<#?5R-lrf9?f^n8I=x4&SoaOmF8rEdkRt+*yr1I5A z>_ISI9<}My+NQ3qF47aCT=0C%T(Q9M;Y*H#gST;n#yedgcM&x9ax8E}VYI&ABWSI4 z6FCoFM|v;Vk=D|m+sWjNBCyOk+kyUjkE!}kGD_yE^a3n#|JR!abkG(6O5ZP={YhMB zdtF5LXLt)zAJM7;wc5G`y%}Qsk-%iRrM>p&*zu_Dk@wD_uJ^$@r_$-crEYv_{9n}i z^vjjS)K!(<)+aG$ApV#KQ(ts)U~}4Zl{UFhb9^D8;zV_vSl}QOUax#& zR0{*74E9G+d@u&moyX2GI8RU&E9Zte`MWK>JZV5 zUlrjs4#^@|M3Yt_w-NjyO$t8=jf^{I{_M8rmvpb-pXY3h-Xu7$f0%23-0W8jsV9}w zDjK!d8`tZEhJlZI6BE%wn6%5Wlm6Wx3&Prg_iif&3P9<4V_Bs){3ot3eke#4fp4Pm zNLy;A$BF|AMiJs~}Rw+@6be(bwojjNf2jDaK3jCy!? zI}eIKnrltit|`6CX{Zk>E;>4zbaSf~?RPpx{&;9XC8h~`h0djk3MC)iY}_Q8gJY4z z?7a*tM)+!~*MYX}GdFA-3PM3D-uoIJc$x`-VWJo_caU7E1%4R?;A$Y74eUY7msDel{3~JhrN^&vf*3`Zk|geu+4e=y%IuR!Int; zCC9J-++@@9`TU}L!auGEWc_;66tTFX$6;tC)A~iE!aLmdmf%gjm*iinUmNMS7 zKD(J{NhyEIRB(p)d$kkVP4VA5lav*f2*Z0R4cZB2srHIhlmn(Ot9oNN zZA#Qj6=Yq4^0XPMEJrL2%!YIF56dGlz3sl|<;LK-2q zPIe~0CMH^2d8vl*4D73pA=)g5KW72ee}9h($hF_ta(N!?>l|T-WntWFt!GupF^rC2 zk3D=uL8%?kyjnkc;+K88*H82(cqNr@#SclSs#x;M@IohWEL$2%9T=!GDWG?lX(Cim z7ag<@LR6ijFv*h2ewq=GgT;Puc6bS{7t~G@x1a0NBy-=c5|vq@E13{2;lk{Qs@ttT zS?yQ%3rzeiIgT0+@!TfOdxs2md88>;A3Dv>Y?_b^R7--tr;g3;je$(_F8|jKFhYd>LGP3=WFcYJhyt% z4>rL7P?OVST!LdsT6vlD{ofF<=9CXD;cSQv$cM21o331BKhZKPbmy`hSAIDMto9&p zP$_Y>weX~XpoSlhc%Ej{QQ=qXfDIl{XP<2U(Md}wDw1h9nR-W@)=Q~&{S;Sj<8U}r z_Yjv)`=6_gZBx~`SI`14Y3<;PQy#ada($qsKcsZScA~(KR8>Mm6OkPxIv>yhfX0@@ zhABu60fE-VWi`3nT+a=t#;$l&pG^P72q~mDiOTrwlhm5ND6zI;uI?W{J3Sr?-akET z)o1*cmIv!&KSi?>Z=TEMhRL*bxptYRB%SIzR>zNAq$ED5Gkxunp18!>J0+xaLf}jS z^JnMJkrH|y=vwj$#i~G}c`R*Mp805nw3~tjpueTMOHrY;-@Kw{{p;jGnkj=*l?i(A zKy4Lqf1Q%eSxU(H8|jP78Lsec)x`#>Nf6X~G&A(_QdIUu`P?XLwhc%AQ)@ zy1YV-F-p-cvM;nXnu%Kqyx{)Gpu_}@d9{;a?v87}6ZC~Qhjxs?DEt|=Strpw?5iC? zjIy%)G$xKCV%v$%hVJ6(1Fl>2n)OEY+@Q|k0D5FXvPfjn)aT*C;R}|Fuk1fhuaSrA zJmxiMb9E-u{SZ4T72ydMIYD7d=0qDzoB0)X2)P;?)0?I+35nfa(1TbpE^%c~!~IsC z#~PJ4E8Z+!?}guD|Hi(muO1<6oBtRsjb{3{w1$pHOUc!@1K92=$*tf^n|tYQ%+}5|CU(*e zJ;{CRzZu^oz1JqU5&RYIvlcr9ZYGU_RVa%{NjO=OJdVXTY?b4Yf6{czy^*uNk>FiP z#Ier~9A(;IjCr`*I&FeiCtCf}3}1$Mq48S)O9}ZWiITiYhC$zqSHHO9n@B~3!3@Gg zG+`9l3C?!V$H(`lZE3F-B8Cs&f~>q9RPL%OGrq#{A`2EeAl5PG8O)TT7pQ@6kIdNl zGH5<94n{KR#p<^F`PwH|5A&!}nW=AD(AsI90OOF|V6|L?Q)N=3O0J4#c2oC=a#_%< zo&WaAv}Tsmf<{x~EVw2g7kch<1PBU{jv{5WEU=YBm0MLv+(lzRS5@%4bqg5;w_O-> z9dagvL0a8e@UE%`<9gAP77gFyyjuXK3{K0oPX3BA+mleg$6mz8!zh6Y@)-b_$4|{s zpbgVronTpfNiRwrPon`e!{0t*gJ*5yS0EJz@ni??g;AhIfNLBBlv}L8mZmVNd~Wji zd1x;>rJhhmT21f(GzrYoM@!^Y{6oDMZ5+U(S>V0TEMj)qQ^$|JM8e7QsNLA07xOJ zsm>iU{t(_hDq4mYIBlfMF1$KmzrTHt_E?tJ3cbp2JT#O}Ikiq^n?Z$=N{kYP_ldAe za{i!sXkwO-`SKGaL9}8-EO}7D?bjp9JJVT#Cq?r&*y#c~q*MIm7ZK(1?zw;6fZgS9@6AtuTpKxp`F>P@$zYM_5uHD*x(Jx{H;AaAiD1yvRH7DIj>T&J@SVw$bgpmH4FXCAC_xcxFQ{#T~Ft;wBa zmWba)+)TpOUQZu5C_Mk(CDyfcqQ8vMnnT|-As@F}-QL|c8399{mk^vB=3Ih?c@=}= z?7i$0-4x6QWlVeH1$t1BfU@Wwo1_;1h+B$QW~m?NKk9Y}&zK8~RUq1^Z$GmSzY?6f z)qj}Hip}R)Za{ajA6P>eex>=8)VL{Fq9W7sR+no{-Yi+iS%t8LRB4cRDuALO?nB^N z@JRBN^_Ip&TSZ{Y#R%~YXh@Uw;J7IVQ2{TY9onGqzqH9<)Auw~;NX5KGugMMi}#ZA z|780IDd?u1KAi$DJ>DVH=D+s@;PQ3L9Fa#QRdrQS1%xo{zDL6z?0&;u)pemK@mj*Y zx`MrZbmp(BU*sEbg6ygVc{*4Hd7nn5GF9H@sHE1YSzqd>vr@C2A!o}slBCXbFpDbv z+Z}Qvq?Ey2eU2k`hd*4~UG2%d`qosk%{zaV*;<>bHM{plXxZhBY~2)x{@jt_wYSFe zFInf(>q!?JCA~eVg!|7g=Xibm``-_likB_C765sH-o<-zA1N_jFk>!}*LQGp0R0v< z2XN&X-jHO0_b?RBBE4=xiLwvo}p3IzWV6RG@dyR*m zpzH}2c$&@DEo4XqX&zUc=*exHkAv}IE?wka|Btu?k|quU09C1p7d9kG0K_FIHT0#^ z#8zuYXvZ+PUtJeZA8AbxY5Ue91m&v>_I5F!Pj|rEpj)Q9FrCIj8giz6>JmBYe0umf zKRl^pw(4-~{g9u_@2R;d$FFmgSS!1Rf;qfpL^t^Uajr>ky#62X7}N#VY)yzEAZFpu z)-BzU{_qKiKXUXzzj}Z*E+eAJ<)l4c+H-E$0$dyd3mP&{95-+xde)ahfs`)w87sq}&W{NZVA2x73QfA1f|@fBP+ zIDxt@*&y91>y>V*1gpzkdW%OYT;+e^)TdoJJ#MPnHuEoA##t_vWEmE>{7;W}PRoPL zV!yC&k%UR+ZO~y-cRk-lNb!SGv(U=cE8u7FsCDrnEe>~xUG#f>X~C?QpQ`24Ze?4A z(umOre$+=~vXiv z;am*jxbowm_f%NYwWDn~MvlOtn?}xY<1XGX6V&P;Oqif~!(nMEvz;ET7TKJqtMuJh%6F65xn&`27dmVfzJ;|o2tLjE^`(xlw{i=Azn zt*lB>yH8~)X|2-YL~aBnw|RHFUaMJd zn3TEsLvrypc|0PV3^0bIw{&hZ`?N}$tAMC%Xn^>K^@iZzuMR;aCyoKHl z-jD~QdsB~o|G+=r<{iD|rOm$%ir|Gk{2|2@P=3waq)Wfi6^(WxcI6HROV4V155S)! z03$L8=CbspCIX$4?-Ck}gR;cA;8w2b`hdUQ~FdBYXRrRV#e(t|(q8d7rjU;ONCwIgMGahkF;)MIx}+kvS^Jq=%!P z6hL|C?dO^=r*m}ojM~w%Z%|sU51Xhk#pq7FHlk`0(hW`o0N1$035RCszVk&!?($9& z*W${iP6GpX2x)Lvw%#m4vuI9AT?IK7i8RKx4ycFVY0B};W8h9GJC0=lyo7usmT_6U z3kk>~RQfWO6RiMmY5=;_Dv!UdRX3LCIGo!mtsL)*`Urnlxjpv`u#|~xfqyw_b_-JO z;r-P{Q=R!Dogp3V;8s#BX@?`D_d`++fSJFJGZr$0ip-)XR3ny)$ux33{kKiM*C7ul zAvtre+ZTFa#RViDmrKF--amj+wlYC4lIk24EvzKnuNuYEwrq)F;!wXn8P->Wj$5{TfY z*y5mhl55FwFkypBLRE15NoritR_~{JeQs^{uu9eo{~FZ`AGh0WYc%^8r~4>Lj|~w& z6v&rVoHVRsN}3BX>OUG1AJR=LEY2VKWOhR*vD$*&S~nrnsa-!VI`g&uG*^oEeUJJd zvE_Nbf};Jgvvi+-Kg>@`KMr{Tl0l#n@^@=I;Nt#-^B>c&V)0cD{ncsx)$~UR54WCc z)NfghP5&t>Te_x`bi++{!nNe9&HeB^wHF>Gx#XH;^5znT6T&W>&LtU$X#nUr_wO4> zEPuB8ePH!A)AUXI>;Ke9a?w&s6uWFW;ka_irN7fNlq-s%(tF)foFP>k&!E32TN!(B z=hT!Qd-R4zb)9_=AD;-nrnm7(h_C0Yzv1>PUdmb4yOf1t`(@N(etE6%f76}sRDZV} z8tA)NjppOv?>XNOI3@G#^o}vj$tZT*WHe_E_(jcEIV*eG_}4+WhVt$hZO5Ct87Z{q z4eeHKFMc|VOLIMT`+ZMzO6_HQU(Bub7rJo|$7up@8dVoaI{elVOs1x@OdXn1pl&r` zSvHz{*Qy%2cz;=lqrMQe()w6c{>A!-*@ahbvM_8Cb*4 z{CpLo?U>VKiCxsRdkAiqGC*oET7ME!1A^+|X}&jblI2)RZ6d)W^Gj!R!x_9DP)JkF zUXu_UM1H+hwQj*5`F;>wMl2&ZVp*zBrov-OB^)*;Tcthm4jjLlrZy#IZEmt})y^)s z1Y=`6>raB8EYRP>bKpLp3(k!RUI!o^p%wr?S$yd%`28=xbtBz&6){j5zlFmgLpx0ZN~w`F*`J7xX1G_RS`tWbd!! zar&9yA>L}bCu)f1OK827AIu+w=|!6Dk}Lz@r`v8wRUEQ^b^)D#(wq`ng0t~s!~@PT z(%cNA=x0pD5tH%iNOC~ky&0A8j~@;|e$^!%Lx_$B$Qf@>j<&x1{q4=m{ZlSG$N#vU z{1@h3Ex6sU$y;w~`oC1bRv4;w%#X7SYOeG@GCUl!1$B~#m(>Au-kcnbSe&|Q&n(qqpZ+FsTA<88wt{`48Qr8};*i`T}r zBQ3LC25a(CvH60`zqZt(rAzuk$aH)jMSo{nbXtm=dD%kE8Jm! zu=;WuM!%=-k2$@r(a71DjNq6{WjlI4dGsqmb9+QyBhhJz^6x3<;z8ogX?O}O%Zj^% z$^D6#z|Q-ZlUm&}H&-|fobKiwC{#V^CTx&5-MIVfmgabo+v4>Zb9E}RF5lL>RdN=@ zG*hSJyQef(P64H^6+eo$I3I3yQ`_XmjD8r3occPJ@U*LA%w*KHBKIncqBu|K=^G6n zuJ;3~^f4b7gM0J4e>n~FY1Yo{=!%xp+uKFYNO`t=32>8k)olpvY&eO~ut8|Auy{;+ z@y@(lVUCf!&|w{Sc39LImvTIpa3QCJycU;3B!IRoPuW$$n|}XY@y?ufEgRkuqm=Gr zZMUGiS2-Nbm$oq}kPI&!Hh(eqtfN(mIRGmB>U1f+w?};^zb`zgj+ZAYHqA$kV>hv8 zX{Fl~Y9^5{QyD}P#VXK~%d@Dl@9@A-c+yJ8m|5~g8)EvZn_Y)@42zqQA3$x`Wo+%V zBo&;^o&O`-4ik!N4qtjda^nRD$B!YWHl43SORHB)6WR@!gDV;CXLp7Nu(dm%Ha$;} zzP(`^5U2i(J><>qH6iaG>fU~+W=vXrxzJA+mR+OTtYA8;x!v)7Ua;eE4{rF}AynwL zFW!b5_n1VFmulW?RqlDlXl`ttb_uLEG<3V3c?&XKvv>FhVXX94%4f4RAdCmoa0Z+A zBjq%qh>94!VdC>xV8v}h0{oF%6fQW$SC@XkQhX7qeF^XEqd40uBD8NnPB$}$Uj=b< zAWGTkW@fq1D>l{Y`W8hVrpSMF?BWJb`De+z5H?r+r3WS}4{wT+BAWS$7^z(G{pkVl|@B^|$~-w~(_ z7r+iiZnf5(D4JdvcY>`6sH{4;$kYHh>RKo9qn~^R>6lS2CckS_cF8g{o z$BGEhA4joX*r7%54n0QufKK-+0fHiPGD6n;1tEEW=??^z?^g%_;ese9Sg#TENoceKs@h-aWO$|au%KP48Tf7 zH_iNU00_U4eAxeKVFuisA1c@#XG+926|?=c@HJkL&k-qYa(Pn~KETL$luj;6d6kFz z3d;B-R&=UFV3M28qR#JZ#b!u%52y-A&ZC6Ow76GY~}tO#1|> z?pCpEoXp+%YgHH%V!JyHLkdlbl#S|J^rj}(-sgqtgb1kBgkMVUSe6P-A*fZv|1+F` z3G-eXH%T?LSaq|}=8kw%c3rww4KaH4b&{rHl#7dM8^7K;SvD^nis4u#B-n$X^KX_& zJKO|-n&ezI46T04FkFX6i`2q&5}Wh{-kvF!R4=Pt6R7Cx=W@Sz|A5B*N2Nl(h`9UD z_v>ZX<)2&YnrM6coE=e+9g8niE=NO6{pU960yHh|4jKpBzL|z$KIp8Nyq4EXO1#gj z82=`Ft~aC7?G?R6w7hu?JM-UYyFx_vqT$5ft{;AjUY%Z>*0EJ>E`8SX=5}E{d35s6 z*fZV=tfv%l&mH;LxoczT5<6HLc7q(&#fmJ@S6W(G6o zZmqdh3p!o!ar_Xg&Z4TpQC%bMzYq@U5#4{BVyMvdl3SD~;O2CiREJJlwl^);Vw$oe zeWTo_iO9VEiZ}cV!4({5<_ZWZq`{ruET{wt z8fZQ1<_Qg}guZaus4n0gSAIwM{BU=w$@rHTo+hVUW%Zife1qoRbqqH1-$1fF!&;0x zE%6WzWOF9f_0oqPo8#>W@W5S5OwiH7R_k-Zm_J-(ToRL32XB@FfCnO+NVvbB;kE&_ zD5*s<9kpi~)wN8O1-`Q}a!&`9NckH7>1kn6RpWA9&7J%QptAs(3b@=xiw@MR@oi+A zjwqM-O|Wh$FG?a%!v1p`bmey++;GXsR%VNqED;GDN5B6Z@!_&HtpY0d|%Eu6U6__Hf^|%uk%3Bp+^S=@cYC%gmI%Uycz~m zu1AyS$cm|u{3{WHE%Pi0RO-G*C;)QR{F=C*IG^|lpw0$-k<~E>zKAQ%0r-@}-OIxP zz>`MI8qaV08QXmzBrD)cPh|1(O`<#I^g?)(`pueO$5!T-nth=N2|k_+*t-PWUOnBjH# zFy(7{Se5>B0SQCN2CYnSxz64!>D(MQ+K;p3i~gE#1FPM)db4I%S++<4hLdlY=od<4 zeD)F$vPs&Q($X7>htlS@foxZ;b$59Rmfs)lY(1NKQ&7&S8*d@vm_U0Y$^7}QJ`lV~ zj8eCf^lsF}47n7zNX z67ugSl}GnvDVm<0T7JB%Nfi+p?mVuq?%oc)Q=A>S_eqwH{{^6O*go6&Q}*9g@h}Nl zdcFU2-`1PUKthQ^m_m3Rew8sgv#cAN6a7Meq>0C^j5!9I9j+63QERNFaoeGXNk9G5 zRr>YpSgsVar)3P&pR;D9F1!?xKAn~2HkiHCX*Ly+`snlC{SPe0FU|!G+qA3+f{>AW z`yVW|Kpk&J1t2TNW860l;r1Yf8jK?{L)KrOsts1N`{PAG;SaecK zq*@@ZfG;RXMIkGL>X4bie?$* z)W~ePc@R&*XeEOMl#u>Ul~N@eMlpD|cg+3VLhr&Sl0)P7sP$I6A}K1y?gvn7*d;Rg zmx+DWWTCQP5Y{5p4d$Z|C&M0w*aUhl<%SK6@8566Hx-U=MciBGZ> zCTJbmjLQO`#B0F&Xki3ALF$hs0VzIcp{!Dk3EDEtAP_H}TX~(Vctv3Kt-Nb}lg!a` z44bzOJ?|Gez#itg00Dv^`1adhGd`~mt<|UMV))9R>u!JFxR{Yc>#h2j!@dV!fLaLA zL%TnRzxS$F%)MCv1{4VlXli7^-0S@R4XBv!z!Or=zasA_v>AAWVuE%dD()mscK~+) z>4&KbzxI_x)4Z+Skor9j6?-xqY<>9o%OTe)^FKM|W>g?z_pAXjOp8iPivONB?=#i( zj<;6M7v`D0n`;FgJzM7joQ`}O7$JSmeStmR6KSW@YtTNj`_lxbs>jR1>Vi`}2ZUS> zVaOLYV&c1`k^F^FL^9ZQ!EL)ED}bxUR0HZQckmUSiA}{3!gx8jMf2_T+}eA1xpuTr zmCk1@GKvtVmb7)S)(eMy00Xxzk=(TNOC0hD8vg$0|KIHikDzJ^F zlUsnfa$~jCX*Vc0bf*pk4_$tXn;GW_`GFpzRJrSMPwj1WM(BpYBvt6_P?V6}6^6h_ z5G*jVm_G=pGreEW7%@qqSExICnD{Kd#i!W)?`CEMQ7fphP~6|pBxvNjl;P;a?TOu> zhfbQ4f#W`=-m~|G$3?{Q<(|g>%q&e9;u$en`yE?0Ywm$^95iR0F?mpV<71LH8L4n0W(mq5RJk`nlu{6gyPyvv{M zx*3-lLLK=fH|Dx{u$hFugWPip0c!W3vnJf&A7oa2LvCQ%r_4>~FEW1@xjf&Pckewo z>;^lBa&Bo*uWHPi!lEb!Wm1OyRQ#(9X}S1$eJ@Aripm8r7((L{(zPe~j&BzB~5P*9WJ7Sg7 zc}I?Lt>D&E2R2d7PwaiN+e)9aK3%uyZ>~XS2?%ka#swy5RY`fGWpQ zAxfc~OSeU6&}zCYfRB7C_+s>d8@yL)iB=>)(qWN#yg5AoasDO6#VAtWfkTUn!=cf{ zbtC#A9i4n-|KxO ztVGN2MH=Hp); zEZZ=|n#J|=_-A5ZD_g9=rY5h@apQzzqc_|nd-$yC@PqdsFc3{+#f0)ydqoj&W8eTy zOZn-dKo4uO0q1I>F~9j%5@Y1eC)Y5K=dADR`d^HEn>~wE1h!#uLz_ z*$&dRZqiRo)qfXNx2U!7QLrBEg5%@7vA?f|AHvyFN$Y$3Naj4J3!Syt}ILR<>r*GVr|0GuUp{%{t?;@%0}Y^?yy zojN-F=5^t}AOycJv*`4D!jBUwK{EYBUYcPt_Ylj9U5_+{*(uMr7VfwVvj#_kGd+KR z{S41@CtPXyDqqJwNI7r_1C*zpxcEaJ9VN{U2UqIi?P)KXdl2+Vmp1rzG-Ia+Z5d%% zi38Wr>9pGadLr1es&*L-wkNEm_YvrpG=o6ve1|;4QD>hu8@{9&0+6u|=z43*$sfQn_NpR&KGRL=sYQ=*`We5oNDpNj=kFO{Z*X1_ znt$8aviU}7oZ(gzy_zPPE!Tecy0J#Gp}br5qmchf=v6|=s~QqDBsaF>>VseFO@PN6S)!%+8g^_hq%s$S18@rmgasMsGkgX6Y`c7q}K( z^-i6QKeQ}VdSsiGkct(pH_2z-y`pD;)Q%4G`jsVUQd>OSdsp3e$HcMk_52%~z%K$> z-q(m`R})yVx9;CSEdQdY)8>%0b}sy6b~N~e%HPmfG|>bLkUOxd@Ro*hCxmCTqlU(f z&&*}mXR1BdtVb^??M-gkZ=cj_*ROtgUZY@!(o*hQmR%J6IB34`ptzmtfUP=qONRkK zIwcDGPiMt#W3DB+s{^Vu!Z#Sdo!T@fZL zjNV&&2~Hom^9%Q)Z^m)8u)h%DjW7@j#9ha={ssT#^BN$I|o?6@f|yF&BYm;j>&n;Giol4VrKc)6!&uc0Is-sYobL3 zeWC0)Do(&&a%$tpRHbv#9$N})%?Z=ztu2Q@<#JPo;Tck%WMmIy6?1I-JhRs5^Nzos z55IK+mjrOZC=TJx|MGW#-;SjdNoyMUxPtf)Iwfc!q3dy@)P?B(QYe@z6p*2wsyhXi z_7J8RaEyT4Mibf@aJ^i0$cuQ6|DbAIWnQHb_EVj+3)Go|-|GtIqeCXqvV|eFY>&6q zU7LTlKVIeY8!+Ur7_!P4Z7L2rvdAZdZ7cZh5c1DG_0$=7@I*^>2vfy8i|@em=fKH> zOXOQzsoNiQpAMi(m4<6BBg*H0N)Fw@{h8&LazlE9PK|+=UaPsRiFs#VLl)%HZRMjg zq|jCBGCk#IzYy5Dr9%n!DS1Ce`MEBcA6PyeK0hwSx|1wPs~n#r18na6m}ShrU(pzX zpC>@m5V$kcc^9RGFGq$G9^$6XVNH7fVup1<%n*TgI;}zgy)PrQr-yP?tT$0%>yU~W zcIAq)AT(vr-_Y&$`q)E(LW;KeqJ6bGVYMb5OW`s@1;hg8{fK{^;*ojC%tnsFY|pB= z4*rae5I8ro>mE|0sD^pK7fOF3^Fzz2B&n2_=dk>~3;np(?#Ay_hJ;?r*}0E~=Izd3 z>2(avSqn2l9*yec$(c(TWC|MIeIUxv@M_X-)fkd1vx)t1 zbVK+06dcsD+_LVt;}w-zT9N;r;Rd8jkU{>bwQRuBo&9J3efTWEmi=PTJbvmTh0gfJ z{Gx`b{nnWaPgGdsFWDrW+)a_D zWZSNv1tza{AV(pL=3IU^BB}QDD~4aYJ$r?0oXBMxYaIFI#+WJfBs}(myH1BTQ{#|= z%kYF@9nFPrC71!(MiDTyl&1F7(qu22&i>h!8MR*&B~}LgOUEC+Nr!<*yYeR^==>IF zg4O&>dUw~D$gF(7=t8&LJ9-V1^1rQH(^({}a}*7jI7gSu8gfhwIW+2&-Q(iyg7H|s*=K9T zRos$jBu2cA>c$4sZVw-t1nH@>Y21l6z-N$p4%VIWlD;ps_CRxNhK7~1k~cKW-huh= za{Q~N!rn2IBc(p@&_-n8Sc*uit%D?4G!P=ORQEXd0#e0Nn1*v8(z}WD2LU@ea9RT1 z$}|K#Q;A)s>EVgP#Jta9AFF?f$$>szF~m-t7PcRqN)Cki9D42&L!vk>TomohX*0hP zj;AJLpNnSwjjva-9{{Tr0mUL7OXW)vveE0@3#XcosMJ*tlzO+^G704LwtjUv@3P~X z%?K+$0Y`^l2%UDxjT`HFZbsO}vBVN$Nt3huFUx@?_v=J2f;9499EhLM5IY&YZbjf8 zsLbV1RkBjBp7}mBKK;;e-4Z$-<|yIX7>(r%6oxC=|46zZEo(R~Fh)TI@MC{T&c3jJ z0Y!EEGzR9o+9LmYzHC5r2h{6&y1xKpjW%<(dRrRnR|c>M z4tHoyPI~CjiVt(sI|tl~jNuqGQA(vDJKs-1Xarm&>rd!7{euy`iLV1n=o)y^M5EL{ zis_ErY^|N$OAjr34&W#~DQA_h|AN)*YyQco+g-fea}#1PW^*J52uOTUnqC=v$L%&0 zL!>7QoO*}7W4N@rHuUSDC)4v9X0JykGa&lS;<2~3F?S1EcMk2(f;rEAv7iy}2^!V$ zaO+=r0Zpjp*HcV(%8TjIe*k`xRPf$4&t5=fCXcc#TJdRO?AF>zWFXf|Sqtydy1dlL zS(68n^;(&8u9Pq-ISbcFxmRj0`N+xmi`vhuO= z7SVCic4oy)OA83U+u-QASlx0%+Liq?e=Xxxww%beLKgw=K2Az`YwH3F6Vo3%cdv;@ z-}t)uo2$}@+AocDQwtBFN9@+<&Uwv<`hdFUPvw&0Bh~D8;Go|QR%7M~u=fBT;V>NU zes+=U`@y?uLr!w=RoOzv*y4v%j<{D_S6SRjfEra8jaNy?;EIV^>VL{B$;00>E>j_d=o0Lph<WZMES{3 z$)N)K1-v)p!Zbf`BZJN6MWPm7ozRlX6XRW)j4f}~5Ouf11CFIF4uHli%g|ZUF;ynLXnf(&$oyH8xqIKmJk~dE zuSTDG;Tgr&KvGN(ZJGA2at){}F@gH!I(JIq`$FbdUD+N#tHs8g>DsUnD$w$BsnFzJS9TrYNXP&G9H5NS@0Bc?Y zKkp!%hLL16X$VsV9Q|QLfE=ODB~AZPat(dI9`LGLqe@x0j9V5o4u&mOcul4=t0R{p z-d8aGb7E0|$xFBsq+wFHo_bgiL^4ntD?SkPhI3&n{e!xKdT|^;$Qfjtii`jqggN zJFHL_Kfk(`8{+pLe*Bf?y~&$Ry<31D*~Ux(5_P|-t<{e11HP&QEa*fG^0)t_jT8D8 zRo>FTg91QVp>J?NEa>E)r~EI%l!_L*XmEiD;RoW2{T7ucA&*l6yhCA%{BO!yZ+zOi zvQt8VO5tuBd+cBM!qUO=C)Y44PS?+P6hj~Kjq#mG5v~88F$+ck5#>puQPGeJSF88T zPm1TAkqd||N)E9ujLK_?7%^`dHyVBx!By%8U_wo5cxDN+ThaU2EeaZWGY|TSL&J|f z*As8p=pOT!g0u$B=S|keBlKLDp68a5BX_C>f5n0WmS%d~wl@}TvHhRHOW%t$MNFM5 zYeb!d2O)PCWnVCU2EF}6>N{PQrTh_ZNk$|1<#}nzjW^z31h`Y7!WGJ5_3xZ8uUHAK zoN>ekA=rmsUV7?DQa!I}*LLqNo79eTuCW;y$z0q3QNSrg=4p*|X3nzjMUEa;RKMCn z1LuFfeb(ty9yd{E;Hy>crs#fk@K6lPaZ}(GU(`PYNYd8sG5t?ECk2)sc=PYQB(2<1 zy;}`Bm3Q6=h<5`C?PC*GlP>==zDd~`uMjE801nKT>5EvaJWT3>r0s9`lKkvB4 z58i9+JdWfV>F-i&P)H%As?@S9m3*vbsl-eS3IOq-y--iQRgE5&R5)o& zA=UlEuMkX4RTDQL|7;5jgSV)M7|%pSz>+CQrGV*F0Hd;(s)~xLD$)SY1S4@H;)*1K zg~`L6buOJ6+Y>tYwBa2wWdVlqDexU2m)~A>MSrt@{@tT^qK#X}9i!ueh9<@H7cPba z+?sIg{=jT^NjVF)7RLmWo5f>X7Ju-N3Tn`*EFRkwA*yZz1>qO>D5;IR9Nj7*xIMgB zpb?RGYH z_&4Rvq%_&R>N@05QfQiLE9Vol2fSeT>eQ*|h9zWcc$5a0G}b!Z@WeVkT-_9x)q z%_72Su-m_f55PR%@1$CCI{!o1Zj8w_l z+5dkWqP1+hA}fAc4&gZOsJM9nld8Tw@XFm~*aJ3!!;X$iTsXbGoL6VCB23T$nBP-< z<4T(`9sb1(aZIy>&#3gwz4ymj)S3$VgJ>h%x{MNs zyD|@V1-Kmbs_3t2$4;Id!MyFl*K$VH!CH@N#GW5-q?>=KUwr+pz}(;+3uq>y-xitc zykpY&S~hfTizT9K_#S`W9k_Hcl!Y%Ui*oX+P(<_{R#ZPl^p&A`r-qt4SK!o?NJ2DX za#p_^J=TC-|8Txh{NdYaUVvDZ$hrL>UuJHWcRsbc(Ye9eiQ_i?4)=F1@l$Sq;EI

%F^uf!-YdA%?x=IK6bpwj@QLKNQ(>&h)jUGN`4ik8*G( zj!+QE>it>Se#s|GD27zWR49$*Ynig5=Y(s>m(aJxLbmiFTdIQc(;4h@I($OgoMaSa z3OHI&vh)w3iHyS$I*KAE25Sc6!WRNN8E#Z=xNchPdQ5|?S|3uPBB&U(dUiv}I3?d= zdS5Q%fZGpNY3y5Kz>Y%pwo%?0Gf+%DvDF*ew%1o=anKrYH^*pWtFB&?h&hxHG~Z_uMD(xGxtP!+KX4jwW4Q9J5H=sqLztQ0N$3z~x% z(->9aN@h?aBuztz1L|ACYFI$2uxyefnZ!z^8*uRyPbCgD5Rci6R{b7qIn?v!dX5tn zsVLqp9!mNST`tRjwn*udvpU!KDJanmi-V}XSG2Z2lwi<5{o%F>z_E#>E8(=lWMCfXLZTew( z2jA9qDZ5{mupIv6{PlB*9=>`3Koo`T2C01+FXfLnKx8_9YqHnzKfGeG-SG|9T6#O< zAF+J00npZ+0P;P+IX5E~ma9FHmTadQ1QC(_RyvM)oCetp7={CAnrEt~H9I*&y5yPt z+5`dI?%JLsGUq2GTfcyWg|dhP*dKlqWI7$b(&FFycV3#y2mZes%^cPc4xy3zkAtNg z{sB3=9gx{P7>0Pa%iv~VhM4yEhix{j)5AyU>k$^%e$)QWtllzv8C*>1zTEP^i#A9T z{cmvv&z`}sXW-J5bfOiqYgs zrG;ulK^u2Vef*>2+EQ}|CQCUmuS-;?}N zCu3z)`bWJE@Hs&sc4Q~KWrIqA*^yCdGf%oKg zvSA*GPifAYagR4U&9vT%O3w6;(bdcE<0Wt?onVav zXf?z?6tP2o-#KZ9L6Y>D(jGxswFst_MABV!n8Ji*(PjJI#MKV#ZyFSX;0BZVBI81H;JXTi&pZwOTFJE zg{Buvvaieqt9L%1JElufm&jWH2Zg{W{BNY37P~mH4nZ%Oe9*|o17d;>@mixl-GjkK zn2K|K4985zWWNvnz;jG4BD?W?Yz{}~&Fe>fjxk~(LUFYd`14Hjg4v$~ zMGr62r#_gja(Ez=f5|N7U%Yy@Et3yybLB$j5a17_fRlp;-H;Bzks4sEUvEZ4BPSp# zGe;f$$lLt@b@AkN8k|IZRHhGZL`s@iZKRTQFY#?Vu*||}$Uaugs3M!E^`~zCJS6%d zPEyY37)k0l`>>U^T&~<&k`noT?pRPQ7dVWXh3h9O+Frx65tCr>z&*)sKKXDDRhS`$ z??ICFd~o!JkimJVVB3Am_iCADaAOC4syGofKJr8|Ohg47#-G%!Z#h1)+SEaF_JrU{ z`miPAuTTcTfe-u!fxmMO{BDG6o#Uf`tggd?yL@|M>R;8DARxBe>Dc<87hhRzT)2yI zSvNdxY;j)j{|uaw#EdA6xTd6dhU}*hQi&=*`%_B?SlO?3zl@P>)X7>%NVRoy#9_yf zOz0~9LHw#7?hr=uH4nPv zwk_^5K<}g$0?c4cAkzh#v^fIu7^%1~-~cR915%?QDOR{v4rpBiE>~~7487et=xZ=o zUQK_jWs%Mgl z2_mP93d4rwlw!l<3?uBM3Z{3BozM7*=W?IDMy)iN5%6@#6DH@3%-{JS@t$Z zhFyPJ*Wl8Oqn3alY3)w^yD$a0LErN-bPvs;G(k?0=G(nsHbWt;*^?2k@cXtT#bK4-T)B!ia`FjS* zkrTB(aky~EtzI6f8jDNX z>RnKUGjjBm(Bi4TBeIjvP-SEjP?BK!S32`t@{1*t`qTVqOz!SYniwqkZ@pxdV=m;W z>VOCir6I+|GmKy*t9t#S<~3cPOBfmhxa6zr$)fj?Z{-GW;%sh~lPGF&`|*KVu=#^= zsiel37apOo;g)3?|0k?;_>M?u8LE?U*?%T<_9m%8`(1U-^cs{~n|silvi))9Z8JIU zJdFz09{93PsE}vR0xy#m`Mg(3An@$ApM9x^c#;_2j|4b52lATa*QGp0BZ%PvDXQhkdfA&Rl=v5a5jX8jc! z&B;B@4DOtv470xBpO=ve_w9|>`aOGF42;~bz|-{&`2qe0XxbQWKkUi2GUAYP!t)R* zg7DBd?yn@j2BipvErw`z{Qg@~~<@nUQ4HrJubnEjW{q*AY+`>HyhSw`t#RFUP9A0F^vDRt;jY^kLo58!nlBia?0dOEPEuqL`!DJqa9lq(q$#gVJp85O?^n#wTbo}lYFKuE zap);bqFXcg{*X|6?h|G(V$h*WX3NBL;MEQRAE9xWomub01x(cUctH_7D9VHk(k6R3 zojU`v(he>NG52~?QGUA!{DdFJrkrzLJXaGE12hSDXIjBXKP?~mPd42ap)L5YrFMQU zC9X`Qd!dX-bWdW}{W*|I+fKq*bB`|>r&Aeek*7vq;(P9dw4wd}G(HxBD$(*i;^i?3lW~M+Lg9RL zVg?DxuTB*%=Uq%+(Q5ITBl)4y8KP(lt=iV|9~CAq^2C>k${G7lgXR*Za+6!oP@jkA zn|0#XzB>Fcf}mT*BseC-L`{6!ZgKI}Kg2tQh5G_;3+*!Z`*p7N>mPF z45}is0)oZhQUk3w7#Lg_;au`)g_25iJ(iwWs44P>%2X^2Jp^tFgah(eEEK_PTvU~M zuYUz@3P0!AtsZ$Y;DkG${0QltLen5&0{BreSTh@jNPtc$yz)X#0nlr4ijK~Yj9xp5LH82_^jV1 zq{`;Iz?g&lkcmfN6Qx0>1#x-tf;Fil?C$ebwfohx>F?{|zaD!^?fS<#04b;$gd?lT z8Tlf9%_nNjH@Nj=1F6w8dF!<)yAS{c+VNb3vpZuM=S>@gAb#{! zj#I&P$8H^~a>CFUUexZwksD%xK6mfpjpu*UMt@UGbsCIrBz|M0Zno0~V$GX%pkzmY zTR*?jZi_*LuK6?j!;Szgumr>(g75^mU)iY4JTGjt1z;QX?(tilTfkoff>|(;J}|D% z8fgO?Fxn$^Cfn6vR_<$c?a?XU1q#mlb;@s9G!%CmbO#L6?T?WwE!vTeNmWw+fI7Yy zdEkkBbF=8n?{mFeeNRVB1n$XJ+|Kg?(Op{epoiQsgp{qVdaP}+6*T>^2K_)a&jFt; zzvYD+bV2kn6u96qr!6l6671gCg03RUzwL*#39OS!6zxIfMMSQbK~M?Q6jg*iH^L- zStdD-BNDTH%GMJvOhttxR(0|p>aF)|>t7_a7?nnSj4s8G*K%XXeNHsjv-qf9`UNRN zZfUo7U+ILmcblZNr9lW{P#hjvIKT1O4XSE5Va3|Oed9vKIOu-1G+_Cu@9(ME>n=uZ z<5b$<5wn2i8@siA)awY_cz+p(*=M+Q4Q7}x%&LO@+QotM)RPPO5Q zz8#(5DG?c^ra?-wkZE6uLW3{jg^51gP`<7r^6}8l9ipX9-U`$o1W?0v;7ng2O@Y7@jA-QwLy|AbxOj2*)`hbIy ztdhX0^!1#jlH{k&!$(1zBYE7RxIKDUSti0;kI1mQpFTrlOz6WZ$lrRHWx|8TZr!Cm z0Bm@VB);ed$Z1spbdqWlPY%x@03l$rIYZg|<;1)>IY`|~41;I*G3iM*ifboC+5(Hp z6h$$O0}YR-xzz>PBav~v^?9(`%!(h$)IVuV^(s0iVrZUtPYKokx^qL;=W$?wE<77x z>Nx`R3yAm3xyH2};jPthkQp))7(lQO85|BbAY|m1^)y-o-rx-Wz~3Ytk+au*KSGQ<5$YU{G|5XoZndZ+A=t+Ce|H zYPrt@d;)jm|QXi=fnp(-uycWUjKo`v7_3ghF(VQ(`fr?R#yqwF7LmSSWo zmj}%}m$7y(RtHWunYeFdrYbsL3q|$mH}DO$JVR6lD+C!Bwx#n14s|EmSqzs9%Sr6Z z-L^JWx*h*fPmbChp*~!=>N%;nz4NYX`mIvh#s}N|K=60t2X&tg{RH_>_>P9_)jVgyaI5{hCymEM&IF2f+3?k=F!K)cj{ktn&pWmZRghZBsnu^5_?}(SMSX~UCyB7tnNSQ z0qMfA{GV~7fsv6@GDY9Up4$$`HJuNaG>K3cN3*#2kV!dc7yu7$1oE=>#ahx>K4{Gx zbgy@q2N;#~P6Kdu0KnkdCqESDCoURh^+bP=6MudhXw*vmPlIfB%$1(#y_0xNXt(1u zfz>@Eli+zu;N5u4?cFFb^M3xsS>)wh1c;scUBt6eVX3js)X#8@&xLYFH3CG9yGi(X z%pPw@b@|9qKPz1HQaL@Do67UeMy=OEM?i_)%w7^}|5DI@$&JCnYVHv2SBC3r+cn>y(Hg!RrmHQn+S8%D3o0GUGnDxuINfZrm zwDKGcdWMC!A7GTD{=u-q+@i_{r0H;0!VZ7 zi+6)T84_ujazzdy8zZm&{n!*j{wo`Kv|6GTJRj&LbNhcD!B`;Poha0>Y49T)xW@32 z7JWc1>9PI|xeroB4g=D+IyU7r*@teQfNlWQ5r(M>cO71ZY8=RYeJ3P!TLWBeyXl9%I1=%3PHSUsL{NS#ZYn?4bZqJ z&LgfuJeTI>cJxIyQ&yj01`@X-4y_N5>Zc^pFDJj0=1BD(2AYC4qy#~|DZ2>?EP)ly z^6zwR$?|2loYY^QeG5SpT(&}Gt8Z`U1ROejL1BFXR9CbBdwFr}HS3RJvE45Fz;7@$ z)Gg#QitX3+kxL#(NJcfJ&6o1+wp9I)^@z-_3h?J=2sW$SF5O9DzRgBK*r^!|W^Z!C z1wxM|?)xcs_$zBTByPgD$9w#9Q+&c%)lGG>GHmlAw+#w?+On$R0Xu^zu6>22C26wu z`}%_t^&zN3| z>@ie=T!Z+2voHXuWFQZJiYr1p`oRDR>_DJy26#DivPhn={T7J^rovd@cJyy_=uCoG zw>Vea3c=q(yo?a{v~Y&++`R}4;$NHGtYQq_A^^d^vZFFr<{7>Mv-&WumDU6~VT+xd zK3ViSh{a9=*+OcNoRN3;q*>4AK}KpYo0r3S_(H;PamR+<+pq4i zv~18QX@kV2@*#G&tAb+@^I!#TdH1&U(4X?AN}Tw}Lc`7OY44`MBJSYP-mKP$?F}b; zI*5c)-`N{`=^Gb;RM)SnOj{eGIfIP^TMn0oL3R#)4~6OMm?aKDzAYbpxg%MJT(CAmVpz}q1FSxntC z*@`n(KP6+LR!mLCj>xufHtxM&2Pa#}5to(SGVy6m7j0QTd9>y(SwlB%SyoTdcOBt| zjUB}pl%(f>asO)W=qLg|ABT=2xmB!zme%W+I3Z#N5=+k%FBI*IaAY4TbMX8Yqb=Ji zpQ~hvVjYrHs8gw-ts`jsfm=tw^1i9dI%vSIWlC{ZT!ZgMjU1Dtr?mqaGZEwm{yIY{af}|HqK3MQMajIq5v(_zHJR?bIZxTTr&_QX>)skn)DrvGsFJ# zKvaI%`G>>lz+?T?0tzw=KCUu5b0T!*PpS3NQ*%>)8*-*+IN!Kkw~v|o0q5uQ%?P9CbUI$QS2p2pmk)7U`qdZ?LZD9u~jXnqR=z*_6 z;NmXG!$Ts?VVkg4V+8UeJnFm^$?Zni3<%em6M%XY-amnSaO}nN)B)@xTnEO5X2sJZ0M`k*I7#z0FTPy4PoET?08~tCw%nw@ z|M6nW2`gM@4+`)m4diVSHy5n+tFO{=8Yp;$XRtkndH-PZ#v#lzEvD0FjiY$HSFUBU z*W5y9VF+u}&ZJ$~4asLKPp&Kfci2}x?pV??tHEM&j+&#LaYkA`ujSvRn!fFJZG2&$ z=kS4~CEQLq|A{93+uta5ng-LV4LTOx3(sZLG!4|~C$JTs=u=~(0KI1cyR@v94yoa@ zCkAC1pvx&&iSix@VWC?xXiuXVY#PlhXP0AOeZ7fkU&>Gu1byPlBZ1+xH7Unx7@ljC zf^MRVlf%z|mJO{sJ3+srg7{fmcH_vmwDa4xNUeOecJ%=XexT1|2s&gmLxlySWI@0wN14wz>bhcg~R}v zcobJcAj;!Jpz++6@EIr(aEssGp>z0R{rlldH@BEg8x>hPP1at_LM76a)WXt4ZYnk7 zZzDYViNqd;+(OdWbp-3EFCv)cr0JE1Fv=}CYxQeT>j;>BnspDZA9Yf%z3m{on|>>C z^P_tPTFo(LKb~dm)ZeoA?qHt(#Cr11CvWVuK*z@cuQfBI%061V4A;>09lBy->=jus z;HEnwzH2bS9)&Z>x5bL%J=0PXjB5Dwa72MG9OdQ0(E_JM5*bSw~MDh#e9D&>7p1`q|*-7(x*?NsGdx-pON^p()%E%k~XD3XVB zrTq2n>CPn{;Eb?}K3&la6?n_M`5FAEo6i#$NiU!JbhjNpko~8TrFbY;rjo#Evt|$$ zpXSJWrPF31T9j^w0>DC#qJE1Y`$W=yRyDLButKZg3(Pa!Mm{5{`$_OGiz+_dKLX9M z%qhmIo!mn$ZdkleXjlG5<4jg%iR5A zx%U~O|7bItm(6$Y#ny$cEa$wK*p)WlXlCV;X%aK(OLQ)N2s|KUf?fKl@UtgEk->)pR^b!6k%hg^Mf7W1~qs#H} z6|lmy84!w)VR*M8Q7Pb!KZI+3dv>Q+pi)IK=C`{y&1XSd9psY>9(*Z0_sLX~OI(b- zvaM?J`M{6a!0tA9>v3J}oeONxg;quPufp8$BF2h)A6_AVPC9Y^!7497TtjXWWP1at z#c}8COAP?O}gm zxC`qcIfKMIW@sDh=Y+r72UX;O=veb77#53yBy)4HnV2-n`2A$EW%47;XHT-w6u{2KlP z=cmoy8Et3jxpo_M=kx?w*6Cj0LQca~CoOLXvhv4+wUZhOb#09|3aJ`OH+iiEWeM8hk@qzxE3ZmW1S8!y^j7|535$< z6He)aM|R952`CN)TH;vfRG=)ismaQlgMMR2Q2YUqo?A;u44MoJvQxXoXodequ`db` z=ccX`EcLPf;<+OW8jm;pHuPFLEc5S+JLKMr*>Tq5E@7V#*8T_)_HMPLZ9^uy*AXmX zoLnwpAy>QwZ;ad7PS+ctayKV5vxfpua^&ZWv88hFlb6~u|MnhKGle~RtxtZ*A?}JP zFlU2>eZXuKOd6o}TnK|BY~Kb?gQlF-+C*<@GHTi4l?DKMnZs1^&Jz(c?5{1PA8YPI z&-LChhO^;s`bL?QgbE6%a)rWT_gK}+pJI{lmZpaWMgLMXuthtL3dO+*@@0PHA{Ji0 z3X0Pv#;zB!)kb{s3Lttm8gWC&w?30%VdLsk6&bWOT1PU+42M1lNfgr}pmHPW?ny?` zEE0QN(}RsBPl}Cu)hIOCbE4&b4bn>cMdmj)#$kC=r9}sja31x%$S0KX? zJ^w>3@;&}uw}CI<{=aM#ysJU_2$(GLeGK9FeYfq~mU^ua z75~>tQ>78H(`3=6|8sfFPXz8UzLvS0Bb)9U{u;JKG9J)f48M9d+VH|Npf5a|_ShM4RuoAK(^GfIwaBrm?kib{fF3+N1Zh&N@-rk2~pK z%5;j6Y|uXg_JPw2jQ=dhI}Hi~wK#*;iMus;Y+YbX=T$4N9=U}rxsQ<`xamx;9hTGy zq^AndHrDUUCt9%S=EU);yB#^^}oVBFoA7hVj-tjKV3eV@+xO>iK6|BVJ9tW{dWx@SH#AT-^HiovZ$&vck0K(o6wf|O-3HarrM~4;X2~T6 zH*;o5e0*O9U0jGtgtbIj?J1E@0u3sh5Sw72ONN<^2FC0ai8_7Cl1PUy$7&q3f^hs@ zfzlY+uIr+YKKX7d9BuOC$OP5NnJ^?b_2UCxK9orciViRTk9TOccNQLndHvNk7Y?Tj z4kEU^|KeLdGwF}}oN6INHbgFnrsj*@6qhhZKLKQz#g>A((CljB^sbszcZ31 zpBpHPwnn`m>g~mTC#u5X8m%Rn{y4g6R7u5Vw*It_3=>CFfQyql7X_W{Z@gUBkXT&O zqH<0x<|8o{YPVRyVJ_aK7iSSq7j(~yJqw^7q=gkv;( z_^#As^1Y6|j%;Z?SF~omHQf4_ZsZTEz%>bRE22J=u1`hQ7Wg6DT4fWUIWddXT~gjL z$5WvYc*I1^t@cG+8B_^1st*uWUTnpw&ovRGEtrZ)soXI{VV1l#-K`Sj)KtX@kCcn# z!(I_%1Oe0q4^Ll8@cA*G@Tr|;-g5V!m7t(#;;~b5oyaXqOTFG?;&K7b+I4l@7=f^S zHRfP4bXJGRo+;KBln=fcl8`T?Hf~OuZ#T5iB~!h?ioUoZiiVFr3~ROfnk6P){l4xm z&kM7TlUGH95ow>{w?xqwBLw6W=rpAGFkY`;unxpMMRX+B0@mR4ja~zmB<;fDsG(H= z>A6OF0MwQMfW-PgAb(IT%%wAH6G*FDPAUNI*w`BX_C7Rz(BBwje+;ULwinOUlk5k4 zINi@ho%&THF9%LQz8H#0E$|Ihy&|2fXQ{{);PgeXw1K_+dt9QC5&apg zdwGp-rAR?H%qA&iH%Gy7onODm?vf|jcc1dTd@98HV;1pU$)Nutkj`3EUY2BEd)`Gj z+SGq79D z-?sWfo3mW{*FY{_9;{BjAws$DXAvBOUmvvAC5s4u70!{Amvt@>RXX0!%zrGdw((Q^ zX{@gCTbg2ynP8f1l2?UEr4fUBhB}Mrm&Ik-%cnc(tnxu(I-2%9NrhR1DrK(a%wJ0j z5f#m04F=XY z7j)WF`Vzuwfr5UdYEfN6MyzynO1(qD^G7t&jBXf92#}aT0Oltf0;P*yRHAq z4y2Kzv5lL-yz?j?j8P~ z;BX!gl2v%ANTBqXZAk?dLN^o<{GR1`U0pF3)PJ~!l}8aCS)q%rSQ^Dm)t2;!!5Xs- zKK+3w*S_DbRUxlmi5u(5c9Lv6ftP)JN{NZdIN+<~BxzIy1_DaNlBEyR4EU?cm_9m6(cE@g^^{$rlo@j z%FpNBi|1n)po%=D)2iFP+*Fd^ZdZcJ$; zch2I&-wAbty1{>=!n;-hK+o@~eN3zr$%QR3n$rJ2sc<82V z{vSwO1565ze70I$FI8yYx#nuOPv?cLRdx|9^)M zcwn}z0rHW7*lAbNNAShYp3enbKpP%zNKE2JpO43RB2hUZd`Inm$Lkd%W5$`4*DH38 z#!XO!oG$E7p2cJ5n15;GGFrD@z5ai148bfSy=di{Thn|GZr;}02YyO|^xl*}wu>$u zRsnwV7r0aa8mqF14}Z0jYwR*Wk)glw z+5=f6RKM;MNou~4B4^!lr(`(Xv=bT9egC})>5-9D2y-1(bvAewQ(Qhj%vSGuRY9V0Hj{9lSb$*uS7ewRsfac>;P?}oREFaDwHjDxmh zpRh_XZRaoN}W+lum{udmFno(l0|*Wrw@gETiiwgp>mhtdEg zVBuYUZb-$MS&sTU61! z(US(QU$^Zg=&hZ&{g^x9r=E$G(_~2oy?sN^4d(SSh@FX=%}DH+ zdK4<Z{(pU}cnjN#<#mSSddF{46zZBiBqS3DKedV~7}m<|cZ@igBB zGmR*)VJ*j5jVNzix+p(j!9#H|L;V>hG(sEtNlqc@-GEWt`a(3``gi#(J~~D`T@q(J zU5c7?(!c7`)WyF-gS#H|cL^A#1}6h#Hi&8DK?q4czWx(e%jE4!kGMq~biZmS2_vVZ zI3d~L9RnFGgZ!^oK;Uzr_dv4M+a<+8#@Ek=*LQDu!ajD!S0f&v>|JjwDL&_XvPN2d z!c7eYXyrl2JTTqT-gPD*CT=;NLoLQ`arW7LI4AS#T_^obs}BIFdNT6AtgRT~bOm^1 z1b`)8T{*ilt}7Y~lQUX`ifH3*E44gL^U`;#_vHZQ^LKT7C+By1Zk7r|P6HU{<4IH+7(A+4;z{4O zB21BU9t61*fbX( zhDCX{ulP2ed3{`Ag6}xq%C9KMtRaTK_+BD4-QvvvLY(HgUJE9uTxk}sQVB)#l}Xf8 z-zlCwf`41_kJaQdtP4_0dg1a=Y z%3D#mg(%zv*!bF$eWU%9KnC_8L_hD$w=fyfYcIE(gYs&<)3kKaSEqCklc-7HlZEF$ z%3X#Y(91Bxq{d}bO+9lT*_9QiQciiPx7c@%-=1Fs+cT`w`WWg7Bzh3w-T|=CliM^f z_XX0xaFN1K&bECcx3&e~9=pvPfs1fL&SsUD!|Iv~5FSf4^D9rM$KILyxY}_dp&T4v zxyH4a=A)}} z>h@s~$=R+;jIO~bZ%DLvslnOSjUMhr)jfUclB>E0Sz$!?f*XfR^~p}e`||V>swKv( ze38jAtIVKzDCXtr#Oc?WN!+pRzf!aAX>VLME zEL}Tx(|J08O8IJ-M$U8CK?JH;T>fL@*oY@@ClvMfp}zg6kCNSMoNt~Bj6%z zrYPsz!Y-r`#x^EDA4EBqM)WZLS8bY^=&-@kKo}LpR%4z2p9h{&izD zpieoegVrT#N^d5@3j}TOmp2|C-Z*`yLC~A2qxSe_vYVc7}^sHzxUWcgbxcah& zp2P$Vy`suNBkt3})0EmJ=}kh%)5Vy6Pu+p4NXne{#L6~lk3K7bo+|m5|4XOA;Xfbn zlu7Vp@Y)z-R#@^KS@vZec^m^*ci468EUZgwQZB<32#;x*+0UGq7W(5O=y$K)_iwOT z!v6?rQOSnOM+0roqtH$MrQjr{B0AKNN=TM3abT$h7b+~*O*ZM{2i zQ?}>MZ#)Ij^du_{8sri9?V$DEFzjLe+I`*KM?$%FI;^xAC+uT8p^sE&qnPiJ*Ixmk zM;2ipmAaPd_)%#&31sGGg@$YV2O%qC53(Js{@aIkktD= znVz{i0L)Q=-#2V5J8k;#arZ}>AjA)bX@)6n$~2e*Ob=L%I2L z{s(>^SM35;bXF~tk4_^9%SDWr_gDv#sq9@Zoo&3uaeWU%pmGu^!1PRM!Fo zSt2yUS6mW4EV7(4z{SVp{#`c}d2 z26TKaSo|2h=DNMe&!uIWBT|cjAv``|kf~|BUNgmOK-kL%NRGvTlVIMz7x@GtcGw}+ zta1SikuPA0n#>>8&tDzM@fq^MwvXuCCVe}hCx0i1@}*Zzjwk1@_&WWv*V~^%F*`6u zCc)yRSOdF;^+dc;nb0ke!&2e7ekkX|?U4QAZ0w_o)0D&h%Y=rtQUsPv$?NY3X~Zm4 zM0$#jhVgAIRGsI%g8N_O<0I)s`D*ee4@RqwR*&_=b`f}Kh6NpJ8jR*80wC+%FL?xfZAjtjoG8|NCf;pV|+=IOaAJ#7Oy$&LzhHyd^$`vO zJ88=1!`e?&u%h$9o+jwDO^D~h!BnHh2u?T+q`?zoe^xqG|lCdsrp<0GC&mvayy z_|*82Y~Vty?9}_Z0ZsEu(~IT=E+>q(RX6Hns=!YcuH{cO#|OBCraiZl6JqtT9rA<- z1Wabh z@2nov#c1pMS0$b8n8ZKyUy#neEr|Q&&^@D+qOqX5i~q*7WLfpiI5-+An_@{mkaIf} z{H@S=ftn(s%cjnfQXA5nS?VFeJ@~f3l&0)5y!?F;Gf;f*x9aAJ>b`oS<-4NhG3@KV zD8F|(x+!Nr7W#Z1+U+oJYd&f4<~f?XdG`DIfD%5fy4;t$Z&+or?)J>b17b0^Nr*y ztCEg)58SnYFVvZ%T%dio zVwt*eD@eR19dyh;n`Pl`p;;>1G%(GyfTk#$r#yp{=HY990}kgeI329<;L!pEp= z#y-}0J>Y!c#?!&W)BYwXP2K5Zn?Hi5O=oe*$o;41Q=iGmpZXt4TSr;_eriWtBGpgG z4%6u0l4N%tNhMVGt}y1qQrR7HQmcKT$2XTLH>(FCC&5TMi^wH?`ho*WymAojGO=nL z)rXA|0b>!D_=a7MbIoAo{eLUA>i-#zbxq&cN^vf}ke2N$6My;UoM^O4<)ead7N^p2 z>4@JWFYbb)%BUg`L%|W;r}vo_mK6UaNc;MZ=;r)L`0D%)I>p}1a#czAbkdb1sG8{| z*cA?iNfoqI{{jBbOr3O?*^P0V9jqFJSfFNmHPNU&#s|~A!;SI%zLu{i+&i+}=0~{C zRQBw~XHjI8e=+pZfkdhJm0Rum{Y``Ss}m0WAN&*CnZxq_ zcci_)tbKaX>zp?+5pGh=L*x0sNAn~HNFJ~qV!gsaI>o$yJJR+T{tP;NBt(0w319)I zmg*~Q(u0|!nxES{KMV@^zpAEb_2n*JbtNRRY%I*KoSvpd)a?J&Hs_C_^;4$U`{|w2iDD4U1TJOQoYOjQMgUsdWZ#yK+b0%jjd`5AIU<|? zAfUqe8vJg^l`eT>SJ{oKg%@<^z2+ee!Jmv0-)lOQzNQb!UB7+noSN}3mkLia$xQKd zL3K>j=mg&cmY-EPDq{p6uAou#+`Kv_J^kI7ySd!1op;^wbEAp+Mi}H5u3rM{{^gyB1Lso;b4oK(j%4R&F%Vz7V>!h7y+(xhQ)eP1Hp(xP7Tq!^02(ywFMPIg1f0M?RmKPV zeE;pZjyE60CcY-6s(gHg+J(+y31^hTNz^|QJB zpmK+za?LqT9?Zy*n8Be!n~C1rL@ei0*CS&6xi>mPmI(l z-qtC<45Mx-@0?F|Aj{No2EkvYxVvMI>FkRGI{C8X@eQ#>3=B=q$c{pHXrB(C$#XO29dy~Wq;k4Ft0AKOG{U^q9LU@&Zd zd7^98!E+b27_lvVVOHmwWkF zN}+L=qr+yr9mG;9n7_mffw2G~Ejh1TysFSplnr$gsV(De^mpU6kB;K#&gW}=IbN3D zBs(=sjJ~*w^In7GwG;tg6Fjij_8T775pGux%f62fBNVZrRsS7M7|GPiR1piubl)K_ zJyDls{$NV|9{@!`y1qp0;0&Y&szf$Xc_Z~5N&hV-{WdFX;`H5UrOyUrJ*PLZ&PuOD z!CE~%Ro1}UY49$-=Z)4&;kByM;k9aW;I)`3-)9ON8N{47n@yQ=wR*cfei=Q@({^gB8TDsBviu&q%Lz6}EvBMQP4Lh-rKtvG=&z=?x~U<^#bTR0UlSeb;gC55dZ zyic%jgxkr%K%@|e#ftFR5D0NQYrywUz87W!+4nR^N4>BjueRyT9Gyq(^22~79?_b9KO3aatsa@fh-+p1|+3&yqhVXNbc>ddSHYvVz_X@1|WHr=JY6?E< z0?@Y*%XuLEcZIv|mrC@80mlc6vxna{UE2aBmX_t-Gxt^how-j-;XiY~g4KW3eda&9 zkGSPNYoJQdZ-PxA6jb+Dq1(7DO-pi}mh!%IpG~CEbJc$~nGpO5?z8vcvdGZ9khfzN z$k*c?$kXwy&4rr1nU$F@+@~gM?zUN0k^6Z%WQJ0sia_OUG3dYPKJ$2MG#vUqm5rfv zilE#4^NS#8eK<4FVcSEudr$8}!iM_bvnIev?YGwb zbh%Gxe77RqCY;rM!tQ=rwcqMKQF@&plw9l0))}=uj=hI@@63P2eM{{Z?iXL_1tnIM zg`f@i-Mq0f^S8C0qFMnQ0 z*gPks`^J*i?+e8z6oq_UaFX2(Yk!9<-(~OkW*{@)l6&6jh`HyP%snA8_n`aft^KO| zs{iD7@a72E_w503T0iV?YPW+d-rxL@O zeH?R-H`YaJlB>7n7gvJM%JR%vs+%(|%@)s?wx*m!z^+NZ_e<$uM zIMjZs^Y;3$)_%3#t99S*zpVT698hzQaG%wF)o~Tof4a~77k;bQ-ABBZ;Q2a>=N`If zB46ise$Ue`b5Ef>-FWV4{FYzt&RIUD^8;T4{&Rdp?upMZ_np;#v+g_A{S|liRbr&KjW3GXEyW+E3?6qrJ`Hr|0H* z*key0D7DO6b^k?c zzbp4ur2qJyQn)NUBoE6y`Fmil>G;-`?5*E?pP4V*-`nS%EO(}SxC$2JfakM5gr8QI zg{Oz>0&B2Rv(+j18hV`;YLq&owiBpHiX5r|Pf}~c^B+&*Oc{jFV&2T=&gl8`NAT;z z&)}!em&1dDb>K-#Jif0cd+*aj)s>~Bnue_;4h3p(zCCaUv|M!xzj%IS>;CcKQ;30kRL> zlP=yKxD#UM9fmuPpRsj4{rMMYJTD2}?7kL09K0Jo9Ky*amc$46xSgyBHBhsDv2j8`U?8+zuF%j0m!jUZ` zSy+z~W+(V5upqUbLya+?b$B14`xK%mOtEl9VG2W&0Si(XlI#IWgs9ROo>*|QBLmb* zYMPo*cq+N9EL7c63nrhL24`-cg~Q(+fq-Qp;IY`toJ3H7l2DMcgeeL_0t`kJh_oyq z%9_kiKQt*XF{2dZ@0k^YR%Xc4Da&tp+h*=6l&2f>pRVZ0+3~H*c{*o?yq(?#zggb= zN)4P~IJ!@m{!91yl20VUw<22zoIGdOMo`zVx5GCr3J@bYT+=cW(4c zj*pHGg|chPGl%W|m&b{J09~CVezy3oqH$hAjh}kE8yl1IUw``*hU^^%9t*tC@ASBj zSll=LXYMoqh5IylVD9t#4(==Wnfp5bUAXTsfl$c^_tnQ<(tURR%qt6pKFS5TJD}HH zvq0{4Z*6=x>fN`P`NI7y6|%gOyUkn6^K`-I+rJ5=MizpI%~9-^Yvew;9JZ+noV<0K zjiddx==4$uSP_g~i^(&&&-_=NH-DDy(=XPf`)1vj{+sUe+K;Xa|5f)ZqWe_m$%SDj zMv5&0_~G%7P-9JPD7&(pQu{;9+K++NS?zb*eL~|sVX6DN+AloUp}J3vBxkjseD_-G z3$Z(Dz@+n2;n>aNaOKWbsF+v@JXia$^T1i{*SYVt8XaEc15J}!!h*|-;qwPyz^W^2 zpvZ!fP+~dOQuKS-r4`}`1DyEkB$S;|4m=i?*1IqLH{2%__g&V0@>fCUcN$RbFE*|S zn`r0l@)qRkl=;hS%`%r`=Bv4<OY8-8ds_^t{R&U5_M1;L7ItHmn-?moQ>wbwKN-<5$5?pt#YLd_$}JT7vN4?5E% zsRi8m=?+`}FTef*eRlQ-uSLGhr>Jf5@a04E0*XsFEoM8vpI?yYOFipZSh;z2$*+u=wL;%*WLquZ5D!%YZk2W{EXrp!UuN zaO3e!wmr{(eGdJ14}_xgOLFJeAsY9c`OnbQelNB5JFENYsr`SF`;>d~vE1_(}phMil(|lZ3TRe7b8>Kdqqik3kr%#e2Ir}9MjK`9FoJadA!9&4=y(agQ zkUf>)-kxx{mlO_nad~$)=guyZA9jXWxJ^(qb$cjh8|Nl+V=L!-VhiW`mJs-EGv`|Z zYY_1bfi;NudSfu-E37{+%9qF&xUQQkO2gAxIRNHoho{rCfART<4}F;Vf8mXHcfDI@ z$y8d!;_%kh$I-a?L4eLb`4e>z6^^}F2ae=Z-~>5Cb7T4&aa+Jj-^9ZZF=hk2(|IXm8@P=<_x>RM?~>Aze*TcI6vg$t)qgu=>AwTl&mSi~z;(aV zZ!1Jj-2;6Rk3ig{&G265CGdW~&FpjOeeWQ&9q$do&!ug{?RvfMHU@1Y|2I%&<5V_H z@jc>o|J!>jyxwOkyp5m#cK>aVx$joSTgW@2flAw8Vr`(lZLkU6?jzX{<_qZxR(Oq?tkILtW(po$ zj5)7NHgYt3vt7;(nV;os|2h=t`2hss#F_qWzKAUtqBct~OeuupWLy%kz9Mu;?hKE9 zc`S?s*mZd~4A}k=jM_UE4t#b{Jj!opZk&ZmYoZ`fZw!Y(oRIiom?)Q6 zflW?=@G-jDm6mj6P0)rgMuiQb;J>Z{_^d6@f_{1Y{6H)+{y0%7hmRBV7_EaI^Ggim z;JW?samKoetf5N5jn+ZSa`;*bWpu^rpnXGN;I6?CJU0xy7WlCD(`&rf`ZMT0t&e`w z>$%#SJw~5Pj}i2<7fyIftu6~*Ykb*f&^mkt^fM1Xerz4yY+nM{YfG#u4JB8VVb9S% z(z?pxYiV5`bfwYC(ioO}*<)-S@;A-`&sE+~e1#_zTV4u0R(P?WS%4BDio#PVoIIBl zc&)&ogp^oT8j3D1$tbzB42CEQQ}kyz-jIJ@VOV%^u^2&s%Qvrp_snuoc&-POT8!ad zgem&>z>3ZHgd+GjJy&#YN${BOWerdcA*u}f6E_QUO-iN{_Pzz);4!rX2CesiCegV& zyzwY|vwzeR%F~V2{%j31m&@7yt*f~@(`()WpP6OY6*FuyVYqMgUv)nmCkK+SO(vn6 zA`L<;pzjjHeVj-jz4)xvvxz68FP zJomu!fgYFsTPG31dllS11Drq*Ud#D8z?OtMiBKjJUU)8eE#Y_)asnYH5ey9b9GdhB z-(9(H_g^|Jd`=Ja9#33v$vLH=;D8*Et37(%IWy#J{rb#I!I}QS%onvkZ`CYs=WO-n zs@yoy&e`@2@EBGADs8F)k=x?9=Nqd)w|%`J<%<+y4{y#So>>Qt)-;6*E3kgc#t-^S zu7{)hbf0Q3K@OAm{5*)jI!(1Z2+CvqC8yc@h5td+6j~o*KtI!K$WL;H>L;y}+z;Fk zf^PW3&|~J6c|Sb<0jjS`U{}(!W+}dwz6a=ie3HrCA%FRIg@nEb_;(5UMz5#Gq~qk4 ztoICBA9^O;r}veU&#B<+$SBnd^jdI6rEENO5r$%uZn^p`-egQodco5oM2YlXq~F-v~A=pof8EA{;*~q z@|ygl98+>N)qS3u=yeiuo!mWn>lE7_x^29?2@1?Aisz6w%S0uXmw}q=>%z$WqoHMD z8z?aiJz7$h*M5Zj=kC*A+?3+(FUK6T0=J7@d1|fwEDK@YDS^;0k}30)T8cSlQ7I_0 zs3a6$cCGc>iI{C8gW3G&qjIV{lm?FxF2r;&T!#XR#SNc7A0f}_`C^!VC=3-e#peuvy6owvDf$vpP#Lm0USk?!05cW|H216=!$`<8*Z zhmg6aK!2Wl=)#GdZQh)bDX%s69H9U3)s$?jVBUxD^Ng(UbfqV6e$thyhiVHFoZzZq zYNv*V>Lw}i@c2Lt_~i%lyZ7n+Z{b?@%wLZE43%w+Z_&1 z55yTfNsbmx#!9^5NDWNZAk{QG>G^%(@OWPsTe6>%si}$2(Qtm;JqGOYx$SBc3rRB)I779zKd5X(IBRB=^;JONo;N%}J z!29`d$r#4TD;d5A@(knT9=aQH4cH7hdai;GyDo#*+b)1!YmbW44&d>#Um$!`BD~dh zK77!1DP%*k_goFR2X2Kt_+DzHX6e5jKXVUMn064u=U(_=&`x-(-*(oBq{qD{CPTo~ zgHRTi*#_=_*L!b;tOIvKwvTo(J{YtEGWS>qZ**D)nLDq5tke+2$3FOICwz#{XU8S+ z9=`XVy|&`M?16HVQ=sgGWO#qTc6hVTHnu+EeI#?w4e)xW<&1axY=rmlHPoQ}U=V&D zTk@++|EK2`*081RD z<8}_feL>#uw*}s%#%UkXNW~?iw`ii$ve!lvYNAr(w5J05c^$ls$AULck?s=NNJYA> zF`t5gnu@f2d`C`1h2)+fY&Nd zJf5k-V26_~N3%CNWN-WC&pF!h$wq}`LF{UdN*J1ma12U1!Zt>Ne_{}{+t<+&OhzP) zf&vqYK*?F9A#_m$T)25rJj1WhsIevi{8j}(Fovf9ED+u}$&A_(3w3ulWFaSVV>Fb- zpin-s0t8{5AQ%S(YDzCM0ib*QnUHttImb_E8# z-Uovs?JG40=<^u(T6$lxp{Wc`Aj&TH zpIk5iGkI7yye41$)0K+M{Bh*=X4q01|Q=e)8|Vvd&*qHsc_f}x0@a8z=3#!+f6 z9=A!wA$R9@ASX^XvbTTZZjKgj)Dg;4-Dm#OpUvfHm-$N0PH*rg>+~`Zxiy+y(dWv4 za$gdPlLko$P8h6&qbHnTMi`@_4VrWZtq+9?40M@!FWt97o{&dv_jRx|SbJ^h1Np`j z#0j(y_|7g5^;S28w&> zPQX`qF=xqlf+nvtX{GZZc55}Lf#+WwzBUNYJ9@v5cwMO_82)FKgrYM`LYc+*IDVFN zpVmoE)A?Rwdjf=Qhy;)2p6nc;bAh1s(9Z-rUuYXv<3t3viJC-3mzIRk4G~anYfXsU zPz5}edO?Y0UQmWj9?)|;!hMO?GBIJ6h{=NiI?usL(IOMpSi*^eBNXsC#^ga_nLsGs zEABJ@H4eWp=zfWrUXZ_UcGf)2)gd$FX!YjgyiKf=jm+Vh-^ri4? zK?uk3h}?>kYV_V~Nm&?~I$D^6S>xx&&}d~7@S5!nVe2CCHBqb<(~{ixL!an=gWZjx z-tI;af;EfR@K9DmtKgW^bG3KYg9=!u%i$zc`cLNu)l-6M9XUpIJqDeuhu;a+x7C7j zs{>e_rSFWgxEykHnAkFaA0GVx)mGF5&!uHqZTG{;EB%=}IbL;J4M;$*XMVa|Z?#bTbjm|mR$=s6-f|gfwJNKkj_gOt( z8v?t&*e#AMj@85Oq4J603-={aQ^$}*vNTqXd*) z$-fWiH69B+q3{gM8`FzHDXhI^mYa3I*piY^WU&W3_OY9)GWRPbMnQ?i=&^90H;=Hs zBW0HQg7-4qPCO=MmiR)k`6a<)fhR<+tpf4ut3!q5!B7~pO-Z_H+o<;{)Yx=U`&r#5 zl)A6f{tVAOczzbc^OxnG_E^_3_k7sm%>bh zN9R4Eb6@Ab%sp!6ag}>`_R;4as(rl<_7z6(Tf-GiAosZZ=sL66BFjA3IYk+azU%0F zBM|2;p7^~(>y}XNFS4`*`wpV-hgh5|lv@=Dg|Xh#yugxqB<|)OLS`Q|^SH`A&fF)` zaG&|Fari}{x?hrVPoEEY?&(Oi|MiI;37P(foW~n;e`ANt@BKI_>l&Dw4W3PZAD&Q? zHKiu7t5R8Ww3b-vnxujhYLe1Y-mj*h{#;dn_YdHb5f4w3W8v}sYVgZ#^Sk%{_h;ZF z?!%`m{ozv_(;v>y6VLG5jS~~$*4AJ!8k^K;+>gs6P2kC~mhd>W0c$WmP6`Fy$Q10w z$Myul6Z~xU+M~_k3BLBx{up@78lBYetc*nA`lu0$>)cxj9`CLIPjFw@>kl`?b>m~S z9;4Z*G(C3*z~jAmKeZlyMl*bUV_a7}JlYk&w$pqq|GdZhE8}P5axX&ru{#hyt0vpN z$0@bp(e5DpEPNkrdr}yK*2Oqb4IZU7WIRl+0rz)>!h>DGxTL0P7~I?ahAh@=Av8HlRi*LCsXwP#t0=$Do~%ZNN6hKf7;)o}12zQ;s)S zL&t1}H@dEccl&LH5BhI~QAt-}-?dw??~~i?wbkYyhSV>9gximvLBB2MaUJU+cHR+K zaO^95{0@A5?eF!e%R3nSe}XUXJc0H2df)N;;GexV z!<&7#v8L;mOE+N8$G2eT)tgXhMhg6Qw+&Eu*w2`%l_`L^^5IrFN98JKc*8XUfU1X8~{3^UHof>KLLvkB4CE6X7j*GA)vskqvAT8NH9Vf)QptKNpS@X z(gX!+lZp)aO8|0Eg&IYzliI;^wZXc*H{_pQ7`#`MW8M_O$wBy%%5e3z`R^$H^86QQ zxup$wEb?R%kdn(wL-VATu>H%O@Wq2K;VwG+&BJe)M;-QcW^NfxDLmIlog9Pb%wg`> zvpdZ5Q@2h-kK|rZcp*-9HpQ}Y@erOr2fs^&wn-hB_cS^1Smp_}(fuu7Y{k#|0?(Zv z;PQ``VeE7^A=VPy#0C)PMpClR)Z1T~^O*;UtwI)PA;lLs+@C?&B^AXxJhgFPW85A;h1 zhQs6;ebl)Bs{AiGy9{_tD+T#_WrG|z*~r-`GknehT~+qGWf0zfC;B233GUZwblAIPvdjJ}2Zw&r8Sr~t264rREmpEqR%$~23pw6}itZ80uO#s%v zo^a&GQ8;?z7}n!WtR~L9FdII;`!W28HTJ8AU$eSZds}@rf%IDG4IdpIDz=PY$w}WU zo{P({2{pOh>rh`f@LdXg`{+AXi$A~rIs3k7u%i)_Sn36(R+M2)t36-uWlocSw7um0 zQQVfBPp}^1w(iFLjN6FoURD;yoE!&d@%xGP@mo9xwtc<>Vm4NVlFM+?%>H8^-t3%e zpWG3WzS#?3<95?$fBE1m*!|@mXu7incr5W`uL)UK2{wPe#rR%nwW}>O-`xsQaa-s= zw(|Ys8|*x4vZFcVUr-q8?`X)j^^5yoioFJS_WT(f{^|&%U@h;Q)C~&HD-O+fwPb%< zee&ihw*5cicfnWq`TM_4hIYFopXhT5P@z1!>zmeT_M|UW@l>b858?(*$Qxn;9bfaGq z#4V}@B^Q)tzc?OrbTF%Z^zTbjUH@}EjdOEAU^a}#YMD+b~ z>CR=$Ft^$HOs`r0=|-r&xfT>(T8f=N!;g<-pLOrqeYQPxyMbOLe|Z45<9SAzCv0s5 zY{T!DgWny3gWn#4<~v$J@r9*WS0p0xZA00yE@!Jb%7tPJVj#Q`q^%ZfL)! z6L`$`gc1wz++S3NEytgjgy&c)I}auun+%m#M#K7R8{o_TN8Ve2M{%z2|Dor!ND?Rz zA?|JjcP~_F3lw*EcXvVv5#sIycPX@#LZQXo-QBHz?*H?=GqW?Z*+A&&Ip_Pk{%`xa zW_MH7=y`^D({O=L}JDH;$riY6H@*w4bQItT7^~Zs3v8ivEt#_K|ih z15K8-5cNPH`SLdF+vBOGjv2gm7`zhwXkSuO1e-kYBaOBT-nMuhw@K^V$A<5VK+XKR zVju+{+~93@@{d!6=Gmw4XY#hl`!a1Uz}rzE?SuHB1#6$Tb-r1n)>n-rU&Xo($*n5R zE^D#!V`Lo9qVIoPtdsW>Ki%Ae*+0$`2eSh*LR1f=^*mbNW6JwzLsKOc*8`3@b`9b7+dKr8VH_`X+9dB9jL8Mjwt61xQy^N`V7rB9W`5m8f z-x^XtS_IoUC{<7bQ)61He5df4%%>9DJ`w@suXlfv)kbyI?ISq5qye68`4CSwHNc~v zM$1d2c5Qb!uCJ;mhm_6m^O2eO{qAo3`RXSA_3I=2@$3?Qx&Aet?&^!Dn;Xz;KER8u zjqqZ}SNP>ZHhzD2gkF1Fy!Ou**YVrEeR%RiUp(1R6EF7;66^Z?-X8pV^BX+g(F3ne zEW{s=PvFm=@8ge`H}LE2@A34<0eHHpF2qPx9)Y^00iJ(D-{sgmdjAjj;EBt&e4Szg6D}C0pi+Fh< z9}l;DM8AVasWukxf3~|1e!aF1zdt#RKYzJLJfO$t@$&Lo+}-ps9;~m2hwE$O;nyGH z#mNNxdjAlu?=HRWK7M_898XVW;MT@ZaC>zv+!KLn1KeTON^pp(<<{!@f}5-A{XGpkA zS8+B>Hw&DmNjMteFjc}{ut}hd5Vf1K3Fc$hV(glu@+K#bU=3f3vZI!x;-rnRo4gU< zpO#(Tq8;N4Mc&^1>*qWs(M zzoU87W|$3FjE|Fc;a~ENwf;rs@!OL(#AD<3&8eHPpRfx57_kx!7pbQla_gM>9nAXW zA!yzf`Ypf7bAj(p-=u<04G)xd;^rgxOkIsq!rr7v)B+Py^JFj1r&{BRD+O1gOImOa!RIv}i`58U?B4hDaE~&%sP~5oDq4 zAX8+@Xdf%jHSqhj>l>0y-ysL3IwqpThYJN}jb^l#_0G+3WW%5Gr&V^TkFB$Mqe6;FQGT-OrCBW{BKcY@j zJu(4R!J{m-rzaY>Ef=?<9({*UDyVBw=d$eV3VDgX@y)2jmBQsVZp#EQnvx4+rTuhu z52~a{M{#|!{HXv~BrgH(Kf8}+*)8Cm>W^(#zmw-e6t3R!eyF{;9!@_vBhLkXyz-MU z?n;~f?F@Ltdn4mSR*~1lJooTCzF5&3j!CZQv!%a0m$#dL;rmPa%P1&q>&0(SaB`{q zOy5?XT!mmVI$T@?WCUXo6*St>jM~N{XF9Ix0{cbIXuYZ}e);_uc?q!Xy!v~!?bz+( z2#yQIgl{Ivb4<5UYsa8@`iHox31D@N{v02tdVYxS?yz5z1u3Jqkq@D(hTruCLmF+tQ_N(F?VzQhs<9Yxbm&7xZ7td^YoS_xO?V{xVD1lLI$h4+u>fuf zUI-wQ&mq*~U(|wD+xW&SW51(qDU}Z%RKw!aOXMYmTlT>m*hM?y3o4kkmkZ(3OFa{P z;F}eI_8U8ig9oM>7qd#c^5BXHXIzrpsc=xQv-#-dBm8ttJ>suznTN9ApG1XvdSxmY zs5r`0@1^NvrXP6N>H+pWQ^~ zb=}~S?2fkUJJ9R?ke86}xVT;1WWu=Zxv>`+N3!H+`o;lc)yx{=V1$2G5N7=}N7u({ z+v8V{(Qng0xF&m|`En|xG-1+?OFOB+SG}6j_~t^jGU{T`mLc*S(=B30B-~@Xv4;xo zq8i`CW#ERvaEWolsxxckxu#poj4zP3FI|2nU7xdZbX9oJXH-k8i8W`|%1cbQ12+z! zMaD;Pif~2ajAnSO`K{Z}eXlzxtF$W*ub^>KGk7laQMJsP*P_+ASZ?&3w<)>ccAx4D z`vI1)?`MHZ-3=r8RP9r%)U(WFyZ(~zaUE%c`uT76J;r^%((h~ge%^k*SlLE|&PvNW zlrQ$%wU*Qoef{^>)P4Vk6B`i}9U?|krXSBV+*HoEU3qc^9oKY*e`X*WENLX3EA7Xt zKjGFh)!R?nIt9&hKh&*j;QGO6nA=3$DZQw6_TD+_wP)=nm zIv87|&JSEa2)~3tF>?CF?=R%Jg&Q9r`*6u8aHH*E{e=zkT+{92oKNvl!6&-w{ZHI7 z86I&y@J{hV|IGt&LvvFuS_uoeQ46T>@e(x|Z@;&8+@2S+=JYAMMH-rAI z+F8`M?`wHa_#X29lJAkUUtHf~O8Z6o9@+cIzK0*b&iAnAVXck)P9HXPUeXoL@$T@< z^g-)&ZNL2G->{0c&Gb`dL;Lh>HQ-&_Ej!1 z?(k0Y69*$s+}GbETHA7t#0{J&NZs_B{-}-r#-y6TXKvu1q!hESB~aiqd}( z+7BS@`$Y%Bd9)4r9zL*ae!k3CWh$}Wsj=>b|F2WW%<@5`)wjPVTH#sL`*@KT1QDDn zK`IBX0&P&LMF~x1wsCN34E0xnkM(@ZBRD_R1*}iV^PI`4f~T8mi_xP$UtBCN0si>y zSDann7dKbb#Ph99@$2~v^7N{2(YD`dTX?vmAD*nMffwI>iQn(5ms~M!w|7m&-Q@vz zaZs)E{`mb@yt-}rJ-@%ajR)I%;OU0ic*&zow>HPG*IwUm|N8JG9&YQ5C+lnD+4`z@ zby~ft;_u{lUfkF%Khw7-r?PQ-WlcO@R};^E9E3k!sWrE@{r=l8xUlL=+*%fj2b({^ zFSmEfOA5CaH+SLM>K3>~>%FtOzTo!idbqVpW@SCxl)1sIkhs30F0L=Hi)%7hmq}ca zxxBQFflIV+XD-TIpnA=i^W+T_&gB=)Sq-L^YuCeEkVDwpX}GyFF0rR!2ajJ@g zj*YONB4H;}X|k3LuqDKF(gu_swHl*W=|`|O30nh;5zA11!Ui#db<+v;8m)i)DH*FP z_nzR&-N%@?>_=D*$-$OWx3KU0P0U=e3*8epqgTone0y9qYI`o;L8Y9=U{sEeCP!fm$f=k^7dhTSbssFY;Tw zkb_g6-#-3pnDwUOc=jgTdLrGyQ3(U~oV|fXoA%@M4e0{?O6!-k110+BiqWVEJI~2; zrMBb56-2H73A<103wgddSKaAL@LvB+l;csX+R>+l0#u^N@YFa!CFB5AB1d8{lPxGa zNFfWBG9nBem?@L-A3$FBU}9(v%5+P{J1rLQWddNnjXh zK8$vZfvA;NM;Cxzx_=2XHqOHIO*3)nfjUBG&dz!8Nc6&_AEdj8D(%9(3&{E@8{5uo zljlf{H8o=0NO;70Va++UfaGhNg~V4ua26R)GB)9R7RXDaqOMVD6A{YtNC~BFJ@XAb zqkK>+w+;?zj*#EEd-j@F+it zI)a)^K2zI3jr>}I>O@F(DEe&fs|#4itmhG|o~W8v166aY)3iGLG6K04&NDbfWkS9~ExLW@T7nz(TiT%z4jBeymc>uO)Xr=xB;xfSWV({b_sMR~5&PTo3+ zdWj9-66c0#JJk@4*Z12WzhUj+wOD>&1?~IPfbahEduW{2l!|6QwRoVSK?fHTR4fFi zPys>&CCkXgLm{Ym2oi;ZR4j<80zW4+Z?D|`<_Agm~QPxA2yrEh3uxMDRcbRjQ`kKSOe>pLNn~Upec{QP@&G?X#vIypw$~=cl>y zT(#{yw-XsZX5z?oedv*WI7fu`lXs|h6u^7E}nBcdG{2mrPe^B{KmSwv~xRr?FelX8904g9d*ua!q*eg zGXG0#KD}A&`;^8bSa+WL0pFe8j=oF!i9mhN^}RTF4PqK1>8E6Q3B*mV0_O+AEz%RI2h-%aQrmZN zKT@`*V$;#h;#$2*`}WMY@DBGy{p5zY@kDbGcNc%nwr*G-3E?;5OHTG_BS9 z+v=aU$I9@U7K7|9*<@*_+&WbOWQ-k4Cf1=6I?(0N!`S08~qk?`{~$0 z?|t+_GoqUG$o^;Tk+rBBUmqXkeWE)UH+t*7qyAe;e(~z9)iw&rmDa4djCd7J0Jdb&ckax9w-~(uO?0>nQd;wMF0mR@x`c z8}u)0|8>4c@jOgzgYT&;c^)I*!+wW@(vjOn%Ks8li}@iIeK+>Q)ZNo?{Qe1ft~6Mp zO=eqh`G|nbVC0-sZ_;=B$!*NtJQw5EjK{H?>SfE~_a?$6-W{!0x6vKo8nj9}5LGRw zh8Qiav=cW^V8WV-nEmx^+;}YYX}s->*)kRmvCe3}t|R%T8~FOf*O*B)&5-3oF=xvh zTz#l|=!89qaE)_E=k;CihrAt0`->$QymSaAuA79_N7i8Krs;59=#FYxHFO8gj$S*8 zF)PMmHvJwx>wp^%avHpTDAhjFWm^oshdqz%dxEsSNAW)Fb4>akIVdfr?-AN(otx6X zR_lsRwfZfRVrZXH*2x%rk3IGMJc8Bya{1=vl>^I$c6)xs#?NCaod0D}1w4zj#mkko z@#?$JiI#Y^jrq(3pQ?QOi3vW|^UX&FUJ5>x;M485euQ7|sQcxY4=>`z_R)B8U=n`4 zv>5;TL-G;aZc$BrBC9SQuBjnLuF^lYnEwZPk81~WapvpscyNBJn8)qqt)Fm*f6sB% zzy0>}6I}i&5ob1!!Q~&qai3m)dCOqjUJ`^Cd&kl$^?~i<>j!b|Ko%Zd)gQ2ZcI6wf z?q}<3;g_=+@?5Dsrv2O11KGHDb_@Q{9DI9u^GDoS-3X6Y1>?nW^%6(iI3T@!ay_w@ zevkT_e|~%oS66?AyDO^U*IVj=$Y=M?;pErTadOjmT;7|4TPN1wRKdr%v7{KLP@bu0pc`k5ge;h95SHbNSb#Y7P=5nTd)E1o2tAz{1Ib(A5oRv`?8!tDYSqHCMz@I~X z?2XJIyo$BP^XQ7WFtdDnS@QqG)^t{*63xP{nKh5VJ1xScaCO#JxK00>*lfU6#%0^L-?q=y4k!Nm0jY&2L;SdWq;R$4VTe*uo|@#b>?q^)u42keH8_>j`1+-oQM_?8_3W} zMfBqrzo5aqbujCbiw+q-k};7sXc4f^TLrV;+4vxKyCGoZR

?EPKSjtV1-~#cei( zvfPH}?}S;;4AhO-stZ`##crbc>F}Sq(Gak5+jjI49Qwz>tZf7u&s`}#S7}k34x&VF zde4mYR0OF<;n(arO-3S`ep5J^ie!9!^s>A}3Rvq*Ta0)6rlahzB}4(SSkKUWl_7aX z@Ca05Fr$n@l`#aUQixi1pdQPCnKBs?15A;wr+-@U(Y@Dby@NARrh5|J`7j(MK8!+% zX0tDvRUf2WhgBTKuGGWAx>E158!8R3gmq7I_)K$0gT;+RxWplAVaQA^mZ*|l4ShDL z*YV=UhJi;5D2)rQ)3?rG{OXAaT);Q72u8oJ`{QQ-96{s0c?1OqcJ0#Iq1>eMczshTNa?^ zg4(FJs6Lt`HN`0^nz?a-6ZZ9dn2)i*yOT+Gw4>n0zq3htGqhXL!4R-=TYg|U z+^2b<(lmR7eK+6mTexjJwh_KF{ZVPE9j0!cCeM{x_ky1AjP}Nl*VW)EZD%?xMwG?7 zV@kp|%pYg(NyP;h;;ph*ONaZ-E~ihg-w850BupM8)>zorUr>Bbd0zsMOo?Pn%w4;4(rA zSGmA`llJQ^rXs=!4oyXHnok9Uj=HGLM8^_A}5JZ(=p92Ynv>sYothYEHos$HhJ zq2#2}u$fZ{o6oA(4jj5}IL2*NuYtzFX4mX)FrQ?J3bQN1E5aL9;;O?d-Ult0eXa{w zCv2DqoA65Lv$-GXTHPNcexC%->0Yp(;eZw?ABoXJO5=dFZhSpB$GBqZ_p0WV?apzs zGaRQoA?o{Rd5N^FLvBa0J(vznsox<26E$cH2c>urkV%g-LMa+d6%V3-V7-yI1dZILZk-N~I4{iJt&UXYmig60LoWv(0QCpN^s>*|P#Gk4FTN@6vP z-KJ`i1J)MlAHhE<5PRjbBDfdjeyiO03Me(TjQDprcV9Z2;?=J&(Yl~5TI7AG3s^by z_n#dAo9UG>Ve>@YcinwqH$vuBhRw7}7`1Mc?l+FxI8Ge2*myw=aXE0Zo?wfT6HCK+ zo-6iVlfIV-mRI><>7OP-yR^{iqpU8&;ET&?>79?mk!lz6FPtz;l5Y+`~PwV4GSr zaR60&eqH#{cMez(gwTX)Xp{F90_Fvw?6~()esV=roJM_neh)Evl^X}DUu1kK4tfQL zSH>>-T}oTAe+AseyTf;uKRoAoBXhqxYIpCYeejv>hbC!FrL#ulw(ih+1WgWx?HD__ zOmaiyx6y{6kN5o@vpS(#R1ICgy6?h1RG(G@?++`FFA}~G;fK-+_7=c-x-043U#I<| z^{>}HZ)dzsdd>2n0{eZiud(T2e%|`CvYsS)*1qa{`k1e;L`Ap_`5xaH(n00o_@1Ks zeSP0wIkO5TemBXmPv?Ua-In)&YrF?0?VMuxJ8>A=B%vv4q}IftJF3@M^xYy@O|pi? zbW2o=uYrqHgmZiG%L{y-|0SxVSHr3MYVpY0V*gQVVI8r)(AcVIS@4A}I2yQe5Imwi z;k(EWT?)F25#!ug>w}gKhWA`w1Vqw)oBBe&goDzSA6@~kg+8d7Q3EILsiD^SyBE+Z zxfNVzxWRdjD=J4-!3U`=MDS8CyFR|mZ%y028_G?s0IS(Hu$g6t*j;h*yMaU34N&3 z7ka;4->>xhMfUxs^epk0v`iw)i!WEV7MIH6 z#(j0){C+4st_(^}DUGl4+Zk>G%KMX`xDer8blb^_L9k!wfB{L zt%X~-I|7B@k$jKN^Zd7c5A&A3hbf-+8U6Yc-{Z=@r?&+v4YY(+ck^tLyP@Cbc0ame z)8|oE*ME2dBooIXqSQP{+%yEo7SO*}~UFZJ`TTNo4rfpTFsX&R?G0 z!S%xhIGouS*9xlR+2*GB@ zf3L3k7!Nmnf`9#@`hdICukKB5h=cLIIG!4UTYDGLPm=a;f6}^dem4TQ@;veUm>RJ1 zL4ot%N8rb3UmQvd#GS)xV9Vk0#q~XKeQ9m{_E_z|@0|V`yJ*`vyvPwp6TNXfvkuN? zSHayao$#;Uq(K)P?jBs)7vIgUfIZ>mac*sInkVHA&+eSSsoeUwzN7|jF0X?d9HP=^ zXt_pQU7~WOK+omHwQx!1V!jFosLc7inu2rGhZ%D=N6(q;w?q5hLhGjf^lC;h9>>@M z308O%S>f!80p;9f+5eAP;{^>$G!4IO_CW;x(L4;+1M|fwRS~96-2_)2l{$5!z*)u+ zrcRM?oU#E9ll9m$eA@n`4T4G&*XyvIz-%Da32Zc2kC(6-zg|#r+&WYs-W|FEBUh*f z?D?x-(QwWxlpL}ImZR68!r0Z=cw9B@$FANbgP91k9?5ujU>-^jU4k;hm*bs*i%}Y|efaDp8qHn>v!0n~7QM|7 zu=49W#H@o^r+EC6{(dgwR^ak|HFTS}^aq%APeGmVuXO=y+eI5_eyRvdZ)r~HAC>(L z%-Tiaz5cnVIBYR?ol^~X@;8U+dnKYx;&w8q()a!C_doDu_%fKajfDB299o`&Ug_V_ zXGqKMKYfAPQ}gi8-l?!0vY5yx@+1Z;F;CpFYFS`7uxH=aH$Bshd|Hp;SQh-q^?F>3&Lk z_Uai177P+$U6mBR>u?}q_N%Apb8$6#^=ORUIu2vL8;hu)q79?v*cf*z=!EM}u8Zf~ zVz+z2W5Jt;4 zoQjO0*0AX%g{xK_En?05%`6n{bF=PcF@cJV->s?0a2{@pT4}YU0(&tP6&n4U(th1M zDjm8hLdMMZ8M12uD~n9xvzc8&_wvumIR?Kqk0L^XQO^Q!R;IEX4))o5A`RkEuJ zLbIyEFD(E)HuTg7tZPQYd7%qJvO*D($u}Sig;%lOZ5Tk z_;nLdX`USx{G^6L51&6oM3De`IH z%@?(R(_Cjb(eLcIw6o#&a{<&VuQxm*Jmtb6NP>z6rFali9&I6`77k?0nMInZf_7wt zGEzbm4rK1N(BJcQ#{VyA-_(3lXxBpoaG^oCj;A7{mnCfbi6Y~t3Ln1bPm(tj8MfWb z8(H_YxMI`S9F_W(LuC$Em2iplUL~^{!hclzNe(W0F6kvsvF*6Fvo7eEy?Kr(2rH*n z!N>WZ=&tKIf9re^lm;dTp+)Y8;<}1ToBPc?5%$dbVYWPngN{dNnfy82BHU3qtqNQg zxglb={#unSGCst}uhmgacc0!xr!*doRB0ylm9buEoJswzCIFqdVIrz?0H(P< zYTn*F3|vK@P21Ga&BMhh^GciZ&0JKCtELNBXKk7dyJ-&ait#}p>2lW<^`PRKqif+h z&kgnw4w(DBdgHO{RBVUNuLAc49#jwq!Y9@b?h8H8Dz7zWZ=Wkh`))e7SzPi(35&Uq z@0!z1^y^*`KG=Eb2Qi=9lD$jFo7#yW*K2_{vJPkh){A@LG2Ih`R}VIf?c>qAU6Q-N zdaMogw|=x=c15Gu#=5|i1HYiTA-aHd=IU9n9aRZ#v)$o6$487@RN9(@Yv44=8NLhr zOzYhkjrRR%`{KTz!_`Xt%E5+5uJ$s2P`-^hkK$nMi?bJOdYRi2lJDsuA5qP|WWu;I2G{y?84ec`l#_Un9!r{oaqxT206T7GB+oaeiu{i+UlE*G-= zJ*KUn2Ae6i@Qd{q!H#ddKfL({R7oN5O7IrJX`i)y5lOyo$;qYohKltoPt?(Te89X) zR8@E`@`hiWzfSi{_Ai0`3`cm!_zHg{0#?m-H+=aBxXt$vm+(;9))VC0rh18>%{Rs$ zj$uwn(1cq&lCWufGdP7gW8En=VEy6j4{)344v%@BaGB?dux(-T684B!(J-bYCv}_WGtF&#v#f0xsJkP(Qebx8Wl08o?8PmRp zpDVtHVc)}k$0yYn!?q5S|0PVfYY(sCi{vk1JJU{tiXP zzj+)r<7|hyU#j$`5H~H%p+39sx_+WR z=aJTYHeU7-^s5hFK^!q82_kg_jTcr9*xrbuu^h&Xs+@I4yOW779%{m&x<6lhO3bkn>>xS zy7s3WuD)1a3u46TH=p9w)=xBiY{W+rTNFOj&_eKX3x}t~*9spP(M)1q0e-!0 z`t*3wsBgV-xB&a(LvS^}3ZAa5iI+RO;m@C?`i;ZO8wWCQYx@|yI4~8@_D;dCkLAnp zkshvZ8;`r1%P4XC`N3&CJDG|n+k4{v@+x?^vN|5Gu8yZaj={g=nw!JP<172(WU@Ez zudI#Ri~Vtb*JKffa{HZX&`ayPHtsE}f*Y$o#&0jw zvw&_NNW!HIcRW23CC>p~J-vei87*)=D+o6WLU4O)AO6{*{rShAIJdqZE@TGa)eY4j z{7E(Qvui)#!M^#pweE9V%?-l!ykI=qtKRhVXYz<=znO_^+s5Gj594ree-!?ZxA&jP z(;dtE6qjYpb@s=7?w1eYlr;XHW*oQ!asv;hv2)(h+>7RHXKG+~`Ugs0>6*o>2~ z9=BG9)mVv&M1?VHbd)FFAH4?e3|fW}%hj-l1J(w!R^r`(`7j^33h$3viH*lqBb)!j z37GdzMwy{YQI?jM8McDV@M^^GIEM!>)FXi0_y~q_q)r5^;cH;lIR))gcd7yF^OtBe zYdOrirJ-5Ww@?DsUw-`^ts>W=M9*}T9J~~66ISE&E%o%%35$1%QL=UBZPEv<(d%e_ z68xvG!L7$?z&bE}E6lnipwyrOSdS!Arn$ar(w2iT>lBNji+_^m(8l}d8LE%Z#yj1U zMR;n~CktQ1ZlwZ1`YaK!PRhkUd!)c}P%bP7=4g(GUr zN&wnNAw@>}SRvUo^lxXt)N+CGx`=*hDBU#y?=+uBx}MM4er{G{a6eK!k6>cVEc#kl zQE{R}$Jky-->HP-}8-<1x}xg6vKQUT$GVVj2;iq|)_J_UX7RbE>|z{+7NA9Z(M;0~WS zAG9iHr3+E}=J$m&75tuyJkc`0C2enN7|=bZJKAJ_rMnj5>)NJe0#TLqqBp5pJ*A-e-^KGu(#=f>B5 z4d1o^eqnwhWc4HC??**=A?E)Zm{^}b87|-XzHl67L&dWN71?6sYMNOkGi#FlKUw?S zXxVrwH2&ZM+i9o`YNgafBQCIo_GSIk_E1lt=wH=-9m7D<&bb4}8ZTX?)aG&Fj!@C8gMMER+K$}9+!08{f(|Me6r>RsRETP!LP1BA5!7#pz9W*1 zyq1L;gvr-H1ps3x22AMGfGJ%U2UF|f&!u9+ZM+i|8B}2RqrSbH#evdwN>?Mvv&jc)M136VNERkuG2zv~&XJ zVm0I)$t(0dc)zIh0U}_{>>>{8`A7L<*JU-(TDET)oTfOzXQ2~xp9lvkguTP)bLM)B zQH4rdy?-^FNWZ>ezNU4rU_$>KuzJn#M5TW3!=^X&{oT!i6}1KlksUX;rZNq}q3GIkN>#)0*ML-Q)5cVA%3u zaG2+Sp6h$bbKcy>Zx|2%7=N6+r(TyaX=f7L=D8s#IS9ej|9jK6^X0NH#f>SIHelHR zvCVnJQy;prqhT2bto@hvhexCb0+Is|oD_^5mo)+F!R2t6?SK)R)k_lb$iWU79mJ@) zkmL{qCkGqwiI=vaAE+2s4nQl7^{BLq_bwoGK`6Xqyb+ubjNMn&&|%sBW#muX5D*_A zJkS^UU+4nXVatZWW3C4-Ke{Z>A%C_r9gb6-;Lq3Lq&~@Gp$8^!nJh1r`;WxWU_Z+q z>rScx>$a2I;6BA2z7f9gSm1$~TUDK3zIPe*BkIF#uG?Go{iby)Fs13@Vq$%~{qZ*A zNM43LjW}bcqj{=XSu?)LiQf10w*14odl@(nvqkOHT7`U%*7HdE|4;dz>TmQttl^Pap}UOB?#n--erf~wB>KQJ(Gv@PRL{P6UE_m9pQU|<=9w+@0qfEM zu$gUxjpx(>1g~q{7gvj{h88(3u>1OM-3VK5+8W{f-SY^X9|%9v=(3}Q@3X*X_wly( zNzNzmi1NgSGq1nSrP4S6<}*pWBfSmYM;T>W$oCj~pW^r)t?o@}|9_-^@tO45ZsX)| zRrWn)8kea`k~bV!yT71flc!Nu*Zx>k5l^CQ@M2j_y!!Sth(Oh3a7ujL!ieSu48iH< zW<}6cVp9{D#u6JF;Q7X;`1Q8B?|t#$5>9O#hkK_r16Ii2-rF0F`zxyA#hOsO+&u*U z`cto~qT00`vvH2L&6k?NK}!4cm&bT{aTV^bYmSG@g7IY6Xp#SL`}x^joGfUA>v@&& zWNjThTwWQEb`Hazav#pugT1i6A8zfKD4uis_2pw6U(yy=bAs@AO&vU5T@!a#HNdZr zRUdHs=wh5n_P~=v>cR4tkFVosR#V(4sD}H?tK!}_J=6^9kKb{6O+TDV^~9}j2IAKj z_r-i|`~CS%JlGeGtGSi&_^5iY<8_Tk#vaaXg>xApxVpF|uH+MW5|?Ez<<-EYT#1WJ zj>H9-^GtRPoD)>XIqJ`tvodF>Ut>-)8HG8OQB8u+K+$kggYh!yJ*L-pn)=wwsX=%Y zRSAE@TH#4##V0?Euuyyt=RN;}fVJ7QdL^39y}&oLdZ*bORP2)@f>q}!8{sr*J;7n> zdJ(89I2c0Ib+DU2QyJqx)kZ-MQw@Qt9HJ^gs&SagL2CKY5*(;9 zN~S^^u>OMjGgsiB1M*R3_)3%;u>u=30c-a6$5EzFD#{F53X5SY@a~``7^}I4>!sTd zF@4GRXdAH#onzMG@e67690#l)&!^Apn27c%JJm}BJbQ_TvzEcEYYLi1Zq)^>ts~dM ztVbH&8(2UE-b$RgtqEB3cZkugwdZcs1*~61(R(^3z<0`O+|&fDgEPK?S?2_l9GC~| z5e4}6lv;=+a=_Xl2Ez-~fc5U<=cq9u8zs6Y!(wnAeUEf>NZN+qWh2J{YpqE+_(%67 zSPaM^vWYAWnXu@uB}1a00*^d3LKmhIh9FhKyibZmZ-rzHNv7##ibNUBJX7yg*4;N1 zrMtxAAI;~YM3Z?a(P+-ocWMkCOo}fLxh6c~Jdkr# z4P4ly^XM2p#fRaeuzN4<6{jS!sqeR>pJ9Y5w=rwRz-hjd_-r;)pDg|a_vGtxv8INu z917?8&RBg)4OqW9{SEDeX-6DSJK-2N%-x}$k}3k$*apIgYmLm-lUqfwR6VJ>E?`aG zkqobSo(PDOO#k2wgAL}1N2DIVeq0oz2QJZXA^5lPbH3K;7fD~BU9LKUmCaqx+#YbB z?=A|A){9%~0@nVE`@?y*vnYB#&;49iD0R#1hF0mV3^y3#qUZFD)7W!<5B6WA&%Q{1 zNB&%T&eKk5ozXN_KZ140;vsOI=_-nf;K*Pczoiy^so$qkALs<9*-l9LNex&JUp|b` znW6BU<0;GyzyH&?Pm#YnUlbz7ZPbcUaGCBR70k>$GDXEH;b`0JuH9Y0^4b@4QeLUK*PmUVCPU_q0v8UzbO6J z&Z;e_l|@AbQ8SZ@3Yi+2R8TM(64hxZs8Ee|luXt1s)8!%R8Yups3k}XMdh^0Dyfx) z-W6E)-B;@a*5NBhz#+^5fk}blK!RJW8yaLc(2d%A@caQ9MmI#QxLUe^=o04?fvl`(b0RQz=DC;a@YI?9^c?#sIo6di;Qvp>`YtYcS= z6+sS%K1$;NwMuvuct=qY5FZH7XiqHsK{Z_>V2!K;r!Xf>{YDK~xqxXA*FtP7ZVTPe zaY;wRX?|?Vx@UD4Aygn06M|@oLWM(=zl2;s=vYVvMNx%A1RHtT%!e1jdnv=S8s>?Bb#V{)F7ic(l^t;Bxf-xe*)TWU&oFQmd)6qp61BKXT$i0@Qd>k+kso0o9=)ZUk;#YLQ@Q1 zKU|(81+4XB>!WQ!TSLIg{o$#br*!+4eY8(uUGubSPFFNbZl()Z`TBPr;U4gc^}=U) zpQ&1=Heu}qaj?lZ))!4Po9e<*)_LRj#=4Qa=Wd@9+Z1n4$~MK%c{*a*2vm)%s$0jD zbyMIx%Nc%){1CJ#2;W~+N0IYEOYUd+Zx!~v`nTX~fLEPY6<&P#0Qwtiwesy54n3E%KJ`T}mF;0Y3A6;1%YD%zc^i5;f= z)%#Y%X{-}`=M-~aA?sg!{&aU#>RVnMT(Ie8{-olkr3aGa%?aUq_*(PA_t3T>!d3P? zq<8i`hQ7ZTzDL{l>-&9u-_QNMZ=x?oeLcz$N?v_*6;n1%G3@90;AH*i`f!eLM$dIU z#XP0)!6??NqF?q!doJyvd3(`4ue<2yPTo}m*0}9)a1C=6`v49(z2m&`-_p~o9U+S@3olh`;~sbm|AB3itnM%^Ob#% zb$8Of!OU-dn_5Auxn#E?z;8~n9PZHMXr2wzTobMhNBTGR+1Wf+ZMrR~Ie zrZv`|QSW8I;k?!-DIS~Q(f@p4c*{BU-V(dd?Z(vAQ^|XGLi~1B^SqA>nI9tU7s+=| zUN;%L&+iu3T-G-BRaK&@VAb(e@*L?5Aj#wJ7YMH=d;Gi~^AI{O6g~@lOoXQFdHz?v zr?uBwd(E2`n{>c;r(sag+S-=BdK@h*6LP(7PX3Rs)rMt&9CT~Zl$ zw{XBJ?OUXPwJ$ED`{PP>2+pnSB(6pKg5INTJfijLmf^Ugx$NKXzrMi3Ylm_F$^ksM zdJqq;9HhtliG8?zdK>nqx4@b75M0Tvfy*LDCC`#0aZymsz=iDUIIoZ;AqA?{1ZOj= z64h{q`ZngY5vQoH({eJ6sZxj&GSc$Gui<6d^@w#7C#i3}kP?K4QI+r;X`3|u_=ize zeM$04-oqiQ=>PwFt-+M~C7R5>BEr=svr(Z>wjo$`oG3G4Jsf20$FCFE$y8#-ahSRm zw&T{qM$1@Y%vx9r*1$?(^cqy8X$6{A7_}PZHN4M^T#a&qRbsTMV1$I_$d#}du@Ywe z3&>Qc*CP`F>-1&#XWtx@8L}MZhAqQ}qpARNIAHCSf--{^i;&fF=o0KWs~+|1pSS^L z&8NZa^92Z*xP*!*sbJ@T^`kKQy!P>Em-M|lf|Uc-=}TbNDG5y@zE%U)-+o8yg==8e zEgA3j&x7mOynJfuaC-0<$!fU7XHyC0T%tT z2st?ItH6P&79})Q(1)jj-YEt|fZ8kBh$KBd6N^EDN)OFr9j4wV(NqL=TJd8Pu#E!++3Ppf8X%ZV*;o8g9Pan*3}h8nP@>_`#e zBAb4%C@*}O`=vPI%#BBZ49gz|hcONaoEeCqnL+TI?g#Iw-Uyi;BG%Wnpo?MT9S5vE zvU`YN$ZMe&TIXs4RuXr=ynb+);UJ2hmRT)zg;LL~o~RpH*AN2m&U419>98MR5C5tD z2%HuGzsbJvoZx}rX+dzC?21p5KNZ&+QyLfET#R_n_eM~-egtdE_7pgdcNB$q%8zQm zdhF^^1WpNr{Sn5W9(38R&5N+9fk{c)Elv^KfE69licAw+glXP#bUOJ zd2fPDm(Lt3GKSdl(Q6T|R%laZajEiVe1UsqM`LE))nXhOvETW?g5yAI)QGPpMsL*3 zDnk1@{j1uqnNEd-4k{!R(x{lwK}AI>6%zs~Bn(g?k)pz*fK=4cKs=gA3m4AaR(90| ztb>;hLWLO>;I+sL0dfBLH2+h4e_0J_xaIE7h2vyLREs4|YYrOZ?9PVgL=X7Q@I%n- zAOy?|fcJDS@i=&1Fnr0dJB2&JX1X}T7FkyJiZSZhb?oxE`pwIXW4VU7c)Y*9xp-gtNe&10I2 zQAAuccU)`~ux4}@1+Y{^kl}ybC<}%Q1{pT!I+Q{|i=k*RLN@%qb4i1yFs0Qu@wWP> z&*AT22vI}bC$FC@M!~a&o98yy1+3FIP8a`Pfk^?h>;v5h)>)fp z!Ev6W{&Pql?Q`10KHOd$jN`C#v*t!Yr*EA`z`OvA+Mr&Sjsw<)u?^8Ur7?XkDS%;3 zOkXn%&f}dBI6DBrb4b^-{NX*r3zg@Fz=Qg&mRXaeb%||y8I;%45X4;8ubl8-n2<*I$F;55cb1g|EwZUWv8z4$ujeaediYgXOOU%daZ`4E!)Ykf~W(!1XG)G_G) zb-w3q`hKDN><@7Hp;T=0{(V0cdP-ZoXR!#Hc~pL@C9QM^t4A&!375&v2$~m!5bB2m z=J<=hOGsFV=%=d0Q}LwL;EG|)qs^p zu+lOf0m~sjhqv00fBF99aGK_Xw)yHAINVZprNCjPgXqiI5AoDxfeXIO`vMPNO8o%$ z9rfnagZVIXlp0kMGrv|xhw|ytmFHF#2MPFq*pFA#>k=;AzXY}uZQ(}!2Zy-qfpnJ$ zC>Rc>sZL^4u+k1)IfRfo!El`A0M~i+KKiZNAeAq16fz@31h;EXtd-|VBUs%gx``3h zZnNDm>uY_$T5n!Gxbn4ujr#sV{k;|wT74~l)%TDl9EaF|`gXqNDy-UD6eNR!^FVgqaEVlNmrb@m?@;+MM6RPt)l~aoLJ$xX52Qg?{ zx16rx0IWxZI~E^S@3zjD7UN5pSk1A*=*^?$xw7Yo`4n!GToFY30roY%Gw5$eh<(8v z+81P#zt+?-ye(KyvqI8d_3~JJz^>NpTJV_cA^P;dS%L7G?gM}J_|v`7GOeY-lkg3< z>d&o@($xQ&k2S}ft!l`B?#?;dACZq+;4OX!d!)eGf#Q191$!48`q$rn{|z6NSf`Tswi#DWSsG2Tlt_z|;VEP4a@@6h8#d2!0VaSeiw`5@lZXkQ#jsez*@wQwY<8V)Cf;z(+3 zoXM<-+l#BvSBC zw!`BC`Vp+hGMeIgPAG2Yhv3fU?zAqcrudWgM<-YI!MRj_+{_KZ`6M?SiSxz5^yWCd zX(C=}g4UY{b8vo>dda9?ogiNNtZayP;IAhO6DZ>cM2y`ipOyi^NPZ-Zt7#trv%}CWF`Dc z+I|#K;pL8@WtG8n?0eYz^Pr;tV!+yHM$Hn9W?V9BJO}SIo`Lc`GsLO?B1|2>PGAUB z$E`&r4Yp&MHLy__qawo8(W_BWVU&ajQ%9~c@V-pB5fWubtQ1%dS6BfHEyE*zrWe4hLp+)+*n}r9)qu6tg4HnV zk|@GnmoZCqmk1C6Yr7cKoV89Du(sh)w%sE5OjvFdux=5fRNw2H1*;)>`hfN811Qlx z3V!1YaPO&l#P8UZduS218g3)=(K}-Y9=%XcOX7gF=J-s!(>WIAebR|E4XH5it)Lxo zT8!Y7{I2rCzHpdo5BD%Pw9NQSS19$%?hEHBPWb-3S_E-8)jqWy0_XaZ0r5ed$l4gNq#xR( zwT9gkTYQ%CnJ!=*oI4oKlborj@Ip{npgv&TmJG+S_Ef+)B4MX`^!@RR#~7M71P!Aa zqDfq1j94`sZPMF_fZS?yMe0jju;H*e5_s+YwQw8j3hx=7@SR0Pv%<{3h;|(^eq^?M zs8DwrY)eIkC8&@<#r9>El(aQ-CE2sdlCHhiz0^orF2Yr(fmWy^j_8r-3z+GoeJ&_i`!wu`r)XTP=|_hXIM|Jh~D|V@QZxM za4rN|ENYHMaSipM)XH(FIH3aiF6%A!DN5UZ_B+}hK11W=Mp(2v#t_tUJ9+&CYR#`n zMY}zwY*t6h-FSE%&7(dL-=715j(Hu_K7<3-v~FpDkCvWD{BYTxghCceJQ$ z)7|`n7}?#u9D?Thp*{zzM%u5%S|{CiUD+AyPpbh0j}%JWnTQsd&C$A`wLV~7HwnHA zy@i%P$Zlo`R=7>uFcmITMEWQA(z2%dfOXSMIL@)hG|iPi6)tiv2b^U z;Q$u5oL$+ln{0zIo752$9I$>6+YBD0)t#5r>vf&Hc>*1?J0O^^0~g_kdhvBIVC4X` z$!-k?`rOZ{sMcO~W$@xbLSLQ{9{4ot6C*8;hw}_ReclUAk{gTbdCO3XpL3J zR?2gv{YtOAo(Ne$MelrH)QYKre#`rzLv9D5-$scIXdSAr;dMApb)bEx4+5wd)&;Bw zR*9g^X_f=#eyg5+!TYs|t0thqqWbtSr3DUMSFg_>_e~u9XZWJtqPn^O>gCTb(K)#@ z>?YZZ(f&KmtD_Y8`hIN^TccTAQ*od(eYbiba_{*)5 z^q%4lI}TU7TfnND#jA>+mSNvxNpPWIX4%EEqE$D`H9WGG0_l9~F<)lB(h- zO~82M`Vq9vZj0dPAOuDSpk7j4jM+FEpJjat*9Fd~or58}Eb>Rtq5ybB zdf?S*Lw+`oNb8-mmh$BG0CdIOTvfWL7Xd z=X<~}!dKkbRB5cOuTtBfMM`r7(Kh^P+Q(u9yV5vdDs`g8O}6@?DO?_fWr1zQ>w;PboVyXOca8e&KtpyOtSk)7|n9KCs|4&|306n!ca4 zZ_4**wQsEd*ZCer`^EJ=g}jf(_jp9RVbJ^Bp-xmS;VVKG2BB5v7Z|>JIDEpqg@0FG%Lf(uWcP;8Ja2R;=zvR))KUE$u=-Ko z+?rm`XJYVviMPoL6W&LU-0p@^xxbOW`e0!*bkFH#STB3NMcWpk#)9fXd%^RA@OkRz z7`bYM@clmXyo%|2G~TDUzUP0Tea6(f=yUw&^V#=^k*nOdcPewbTy2Bzk;B#Z>pxpq z@zSr+96(v)`Qj>4uquL7ZJ62=uQn<)5$HnH4ezyxZ~y@R^hrcPR0`TKwEht!&j+xK2F@^PRd8A%RpOM42t29ZWBBt< zBL)(?=@cMv1Iy=iGjEmSqZ;HS>efo3eR^AuP}ln&%THIe&vR?|HW{% z;j~&M8cw@pCIToaT;j#;!r7F%q^iQi!@5Hlro1WvoPqx{9W& zP;ulcRFEk@f?0|875MahnXYP6rk*&d~7(P30SuuMd|JdDBUj?Wd`Pnz%pl-YHoh{?GGHhd>>aHybuMj zawz~2u+CWqv(_B)v*0pni9TS>*#@((B2jb3 zYJI@U?`abapK(iZ^RZMca~qtpS-Qzp?+jQC%E7lM)E#Kz=Kc6*$0+=xYXV|6s|5wO zXRm(6g*&og)cl_NPhOzbxOBYJVG+!Gr4k&R%He5GQzXH>ha8^vNHmEdIHkX@F7)iC zB~DM**uNKLy*=VlszWs1X*LTb8WIhr|7uos@OV;uIYNZ1b{#CNY`R*mwCzDVqR!^< z9P5nQsWqje)@fv@7<#TyE0xTZOwE*Pf*LZ_$xKzJ4LpE~f^I9j=#0snO|#)eW;vA1 zly|fzhO8N+3xd|4Tu)}i3pxAM3%7H-_4Fo=+&+wBcaGt~%lqP{I(6e}!#T_Wqc^HY zr?~Nv>MM_~7;c88Oj%RImkvdR$?v20@?N5VQJV4|UN0LMel0g~`d4^eDy*I9yQw1` zwjAFAS1M|&MupZgX&Jh}DH?g#5} zR^n7w?J3)Q1f5UyKXl^|F3C68TDUa=6~~sxXUU)7;S2Qu%i!!maGu~uMTIAV<_6%{ zO?A|_2v|qi!)1yS1~1VYTpkg?r>BlxK3d!*{L#xt*n4>|zCQIe4qZDWPRUZ*;Iu(- z8bJl~bT7jDZ^M@haE8p54;AT-18rd4l}F}TqGFpeD@r<>@!b;*;i`4#GNY}#TmH&L zhGTy#R9_S-4lJr#Ed`ntxakhNIw0h}j03C()WcgKgx&BYBrl*al!bMFie-8_Ud z_s@s}A1e>9gxypd%-kxS!hM#OZ@aLK3h(W>r3s(DKeZj+lfCdkVl&)Uu3JeyY25O$ zu%BEBl_P?&QxoKHdq6r=ZeGU+8k8nRu+FOqhiP`0vPl!LKDbWBMpL-XaE8k)Cv?bG z?*uFY*3_SR&hs*Cw$4xspTK~yA(gKAV%8*88S&iel0vTFXd zEow(3KFj3rQN2Ftq%{-Z9Zr2nd;pqdHm3et4OpkHp8}^j4)BZhM$?QYx`1`&h8b{} zSqam=QAa8(2AhMQYfn@!!|l%F+h`H_0cp|}<2Q|!=Sl%<^F=g&hAnz6QSX?~jSps> zxN{tbZ&82vNa_z4d>aniY1a5W^D}+Gnl}(`GhE;i?v78=KgR8+nt*l1I5ZH~(_#UBuO~22G zem_;}_tn0i`h2(Rz(jbV*8z;hUmMyBsR>euum(t?4#lnS8sgLqQV6;Cx7r5bbqcdOn z=k$Zi3@0%vw0&MX@)T;o$_I2gp!HqIA-^BK*M$7b_AV8pgk5G!8Z`d5zC-(iOAjxJ zYftVvzYFyv>*<1czRc4R@{m|RK8X+F znxR>I6J5YMV)1a;PpE{DupnJX&+YcpTewPoPwa@~cJ%TQRG(apJdYDRX1ZbRQO$Mw zk8gw97#DFM*ln5%EL~+(TMg4J?(XjHPATs06nA$h#R(KBQrz9$DOyS)!QH(;3GQye z`SQHy`<0WNoZRFlcQU&>Gi&Fj%Vpe0*>qkf;<1(6_-cOiOaSH^K@>awxc115-G;MC# zrkmo+1fe`{9{C4#WE5i@TT$>U^WwBlfn}l!PNF?K$gTNTiADqO|R*NjFm}ohAXD3)uJzWqf+|1NS}q?^VG9pZZOn@`J$?@$MEV5<8RW!}mwV5v z?ni3>!#r%iNuQ8U;Qkj=VAQNbAy4@hD8{n;<>PI>iNeR8c4tGS=ltb~PKE-iv9?ml@`{XynMJEyG9;vcHkaI})9jWe3^m|DwM$hwi?Ivii3J2T*Pt(|uE za*SAOYquVcS0C;okADur8a%U&ziQb>j0AOeM6szz^i8UDUmjf4 zfF76Kxh~iGbso-owO+1NuRr^Spbn?=b9Hq=!)i<39+r`qE^qEGF2~QrI)C0?Ymf-z z?}e^`(TfR2?`rF2LuTz??r%xOpnG~iuP@}#J$##fc~}j0@S8(RTMsfjZ4V;#AhF+d z&**MULeoPV5oR4}#}Nw8x0%SoX>-V#d|@7RpFRi)edTeX3p#$kDmV3HEk_Loe5DL| zc|mS;JL?~3Te}?ZwuV}Ul@o4}FuBOS|GUZaaBkcff4Sf0H2WtOQ+Po!OvQCE3qB*t zGh4!8+UfQbr^7#(V-Ow?%VqV9q%2gbkDDJV)2+CWrq>@*%ElYgr1Hyq5|6O{L5eHw zam!U?8r8ZnCY+%P7TBQjr4u$`aOJ9cxVcZx2-3`Uw;KVxzgz4&_5UDmDB#0`S

8 z$>2=XPKR5Zt+iw;g|8MY&C>gs(L~Ck2&z-^XsxFdpJr7^4W{doA^HxpK$#XkGTa~2hdf^oaLBO;{5-lY*p`Y27jUWa6Z~E)Xx9lH zL$>T8=W=F%ZbA`;fdpCttg>2@+hiPFMdXJeitk7SQ~xr3Qs3t)*1YD(3o%LB-6*9i zziVn8eRzM=-kP{nEKeXg^SsRw>09rRb1|Zpera-EoIi_O!_tN4M{`D9V?^7k>$|y&*hJaIa9pKi>Lcn@ICF`6C$)$4^attKEkhP z{FE#0Kn-2}siyyTSMi(G$CI2Xxu&{0O6PpbAD`$Lq;-NU@xsS6Of&?R0Xx3g`;x zk$(uE>8VbfEujssQL)+v;Ykt&50@w*Efr2W-7aSY)}Wp!BH1K`4-+(>1I&VMNLhwchu4>D4ne9z`w^k67T8YZt(Hb@n4zM_M=0_ zYXVGSP=E_fi0|b#%L26+LgeYc=a*SKkyuu_a{+g2(^MfZKPqtIXW1*7 z&NoN1!e*^N`+}1sZT(I^;BdMCWJ325VDi5)jC^FhmftDvCZQVO{V12 zlxOs(%IuD+Bd>|-oAps%i62kap&eY^{(AI<_DT!Q$W`mZHG>kvw*xya-p8!6ucT~q z6ZT78I$43ksCuPrME7E?Vv4Jox9&4QXlu<0JOW{+ak>I%NX`~0+>15bv81|*DII_L6eQu)^Xg0qb=6YMS<^HnhRjEFj)WF-rHW{haxA0&5CJBs31*z58)9AzBD)qm%s;PKp6s;)cHD%yRfMcrxq{q14Wk;kr4b}Cj%!WjD!hJ68?ZO%K^YN(2Mfh>C!02 z!a<>No(IoRBF;+vq53>c6UD3Hy~g3~J-B)CO$7hnc)4~vQ63?AN~nE{ z_*kMM*mPWb(*a@OqwyX*0@%xQub$T7z>1H+R-^SQ@DoVTwtV8Ys0<^Sh_nooiYvl(?i%u%eJlMH<$^=Xd_lhIp{hF!Eac~H>j0; zWg(LNuxNog=B<`4U;Cv<#3>yHQ^!?a*&xw`4q z$QOf{*-F+bqOx36MN*Qf*ArNAW*>A*N7X(7$0&6rORp}g=``gZfvOn@PSVh>Dqpv&q)$d zM7ELWCQ!anc5{Y4hbmlKOvm!?CjzQzV}?d&gyVP>nQC=y&9P-tF-(NvxD^1l#wcY zxoYL%GW4WXn5i(IludK~WrV%p&lxKHtX1;1n`x)_bjXR;Q#q`a+%(ZnMzpzqNvtF% zZ{@w9RO`sh{=K(k>PIzAOblyP0kf8xBx39&f$O>|!Lcr}pnAOaiS@!Ujurn-R(a`_ z=V{a>8ia71_(BnjU&SeohfTryc20}Ag9HJ!)4X(0Ytcs|_Lm-RCq?+W z*eLB}7o@_+0^|ZR>H_r}~wlUs_Hq``#>D z%;7I`+z5HXbe{wcok&oHe+=YvHer}&>@fAoAJyH9k^UFG8!dMy*C6r@*!c`Kx#J~W z{8JOvd3;qvQIf)mH{=Ak(=CxzLwvXm6K=Ai16>0mw13Yw6}UF-U5vl`i#6m{G_O=6 z;91)_TguA3lsI_}o`YiG2}m;N>OL92xTrOHp32C{+e8chyfiu+e+tQmdOxuT<${u^ zWhEoz$O#Bw=Ro8Iq|h8>DOTDCBVWeorJmAcWKKp{S`zbB$}TOg226PlCN)k*gIrQX zTZ|t4CRa^cCuDMkzdw@JB_@zyborm7QtePSZG!1|U);7^Oe?fOe2t8Z9EHp=@pTt`Jc1$UXXc{G*ZBdz!}2SAsV!2t)+;`h z`kU~@m7FF2ig! zV;%oL#Q>>(fA1}^)TeFk^VnJ|k6uYf635?;9c8v)ZZ2Iz?2`FMq%F0rQG0=jo3ImI zrUk6pa2|xxq!-tel?vWp_7?YJhKJ-}l-^XhL1&qM8E)o~5At&d2@@2Y!G**4j)jK` z2s{^bk1f9&-N@!iDN{`bgSei8Y53rHXhVc~+bgZFupVh8T?K!koXW3m%dApyu3#sG zQ4!Jw$ncA!J;Mi=cJm0w2BXzGI}BMYPmq%c3d?Q)D-EjabF+*vM9 zBc8XuZ)$S-$x|cR+!H;g;~e$R*vQkZatZf3^SX|g-KhVd;L$c)Vk{w8m!A{g5qPpc z`;+J?U+%UC%}%F2%LOsNJ60#t`~Mr!!_@Z&S^U!yugbGoh5Wp41ArEw68Vcp)xpFg zp!v1fD$xA)W+Bse@+5Ay%QWde+YT+aFZTYdq!60n@*c6_QFun%&VqS2@0*lK4N7en zBjEe2CbQPjh~2XsL|>1@g)Rvm1kg{XNZ=OAh0s1Jh+mTRAcgdIe;e#lsLNlb^KWRnP?QN&2S;+iDDFTDYz*znEcg@XeT31 z?zr8C{WZD0$+fxAVQtRW5w-{Ks0m(xruCD}Lq>`y~LlRs1r4 zo8u)PY~t>x>MNHTEuZzvjq^HWLN)7w z=+tHQVZ;;)1y9JC=Yz_SVDv-pivKL|yDuw}h4XS@k znX+@E54;zfYukT}%b&^s8Tj%pKNhUA1e_6_1=7E=t?J*tx33DF1x7FXQ_A0qoxVQC zh4Qe;tC&Sq;eA$#^TRY4LBb6hlxj=F6EAaBUZslTfG+GsF^`6dIon)ujVz~D4M#Sz z)m}ZtaodNirF(^gWH%Olc^xeUA5Rn~eWc&dt&FKbl#*+q!>U9NYB%z~7C0AvO%ZjP zs1CTqFkbMW$J+^E14yVo+!P#zo*$Ve-@4KgUW^T&>hWn=D+^p-?=FAeS18gj;<|D- zunrbLpQMs*Q>Cxx)33{XzJ99)X!!?W=gF_dim!$=V69h(^t;Dkbu#%5hTUy#x7A%# zVI-GmG)m-mz4)yXuFT^PL$Et%7B&HjYwnk#6Ypb?pKqp-&_u;{GRQ08@c1IjUxOv! zrI=8E-N`?!TE8D~RY+S)ei?XSg+lxhP|sKRLK_CZM^cR@R^yV#x0;B4T`OP};Cs(bx9%19}>Y9kd? zq&@jShz%~}v>AnF5|{^qaYGSxogGQL5quvDH~TUiw{IWFqB3^I3fS}B0t7MlzYZ05 zuy*7TMmvv-_m*?$c=-GBHc**F)G8~0!7Tpz5c0S{fYu^a4Xea9QZPO@o)@h;-6gG?7N@D9D^ zJmSR<<`T1ofx)OgOhMoCZ$v$KX|VPAWIQ?YE5?C6zvFj2zup;;n+XylS=Vk`86h{= z!tZ=>qcd3%#T;IW8=TcEZIUP!?_Q=l$nfs@TkqwWycD?C!QaVdR* zc%XMj_Rq?OkQV`WG}RUIHgF?V0>5}Vf^qX6#c`1I)qCzcG!A`{wq>QUr@kcR;Ja+5 zO^goocu%9O`391z5W5_Eo zjT5eUFR;>?g}#!EVHid>qlRbpru^ha)fh)ND&bA46vfpejW@FU7Wwwb>(Ba{Ws*(K zBf#YMz3Q(%54UsMx9FZga^m|@Nk{1K<0OrGKNo<5*wUWN{ErTyJaGO?gxT$z`c-Q} z1oK}v80FTAIab)EJ9)^(|L? zRK=P>dp#s+P6BugpX60aRsS%LSXK)PFGiHRlV!;le^vOQ9TEMKTjYIp@HIhR>B%>+ za#lC3N&>A2xO)05CZ-D|_y`2#Q6zOOST^eb}(neLXu5Xk`^3O5JG6_1YC|!1cXrkk^u(KY9tCdM@xB- zDOrw17bzQ3tGMY(#|PW*4zC~b+}G(7V{l=dH!Orzn+XtLiMZ79&Njt+4dZ+~iEYt* zdAHB!^DKpyP}}L)`rOh4y6pXueiZiw)xfdFS3J_O_Bqy3yx95cXq_NbD*4s{Zinic?#dJ}!j` zz!kU>Uj#ZsR_M?PJ?5RjNk=s7cdHT*Wz^)E9LjqeN|#UKq0)u<3^(3y+e#NS(uLeF zi#U`3tR&zf)1*wGt0KFJo0* zMct8wY(`JRKkW;1P>opaaJfj=;KhVjEyYO+JJ3dq0;FTNzFm)sixoTSnj>aInX9)* zOP@*F@%w}`)za{Cpw&xW5n4FzH{p@o{;MegsTa~OJya`k#{yJX3Y(YoVa8Zk4kHX_@A?U$ zf=W66!fTP8gKK+XtOoj4cVzu?=LS-@Q;S8QYL%M8%}u-Mk$`U8!|X*(e=jT1V)HrL z-79KYASTa0dy#%`QrC;`HwPw%=)SOy~`Nau>Bc<0l1YkjR0h zF;{p%KexJ~T;gtfhWK6O2~tv$v)sG-i_BRDKuxgTmG=a|424!AsFTf{qQk%YT;upo z73O?P-m;(PJ}jNMtVRy4{l^^6y4)?gZ+y1+jOUu0RS!+hPX?P&>b#Ca{7BAP3=YP` zLm{U3)>T{;Z|TpHzh-a$_B*~Sti>MS>q9-we_IY)hW`>j1uS2+V$LqBTn5KVWVT%h zuO_sz-`#aJUS>(JojR=ADa-=no&ts~Zy_XS)VJf$Fbc=1{}kqYR3obTxs6%7OdXz+ zp8&a1w*bfY-P&1kD(a@n<=+^UuZVXSKH)Bhfq!Q1-89xd`y1SGB`SwIK9|Cp9VWKJ zZ0O%G*!Tg|!yQ4QE7?!M0UM39r$}pa;5;)n=Zt5kHJYWWm0zN)_bgbImYA0X)Ew62 zhwlA_z2grp-NU2ft*iEjE&d^U>d$&>4SNHJVwn2%;_UU^_gTAvB1*vF&TxcvM+rSX zsgpqdRU!ar^@8jvm}l|!RT)IZboWfNe!&Ki@F$=B@5a&e>=`h4^I?_KWR&Tz1|ybi zr|r7EFkMnt{2as!H2n&axVs4&rKRLKQ}5idNc2ACjuc&bP?rAHMe$Q&+x6$1f%A$s z_(J5b)&ucTPb2?bwv0%wA}N)e2xE7%4}H8>Nd2q?SFY-K2Z-^tWhvh=x260QtEHWZ9zpuc%l?l)Z;0#RC6PPIRH+wh8HySq8=wK~7?H^yCqIZ1Dw zBHecF^~HSsq|qKeFT9#jg}4a_9cMn?sp9e>9fql3f{puyF!u-P@yiCG!ATdT_~pLj zTEV_f55o|>{|@X7nlae3%G0KK(ggux4#;x zKcmQ5Ekk{5iVpVSx$osDG z_XA7(e71t9t%E-B2y-LPguYk;%v|erN77RKtkdV&*05@SqcjLhBVRCQNaSu{S@_t} z*;pRCev1uVN>?w$B;Qf*ZtDg0z+BE~>n+GxbR4s<);s>ni6g2yN77pjK!U05&l*)# zOCYS6-oK!y${~%S^&>rwyrQ9wvq^fJ;mS%*K-8SGrH-^<_LfAgkXNO43&r!(Jki0< zKM$v5wkZa`7_DL~BK>scs+d3i>7Fd3cuZC%p6p`;OoYF8lmock4kEXeYq-=ouX~b- z&B0G1)zaXPJFXR8eqY4i|ML^5Q&)X|7G5>0X->+ZzElNB-Z*rWg@7jpUgd zW&_S$wBVM^&Bc1R^4eD<8gVga1v`CG#x#kpj1rsbIBW&mIZuO<*Q!VM6*<l>lo6MOWV-2{gt zWL(Y8TJ*$}@*{~=F6p%@HO04k;+!cXnBg~;pJ(~ejC>iEi)OFYD*1iamiI?r)6NIB zsyx3bUj|Xg_p%_hATD6HwF*9*YT~1*VTWp;#eT~~i367!+E+4nL2QYY7Yb!N8C{pN zFW2jwB!Gc=#Uq>ZJ9Q!kHh+C8D6|5he&N5R@-9`#nNA}J-gm;)S)Z{H$cfFc-sFxv*c>Ki0yU%n%@&m8|lmkB5QSDK`1f7E8f?GJjqiZ);2SBFU} zuA`}iaFn^Xt3=4?Fhrje?PDGUP*cqki3mQL)U{~c5o??j_S~#T936aE1F%mr-5e=J zbS(QB4UPL7A)CF4@Hg&xJJ7TYN)-X7QMG$ypBgUxkGiz)?bPW51r6s$7VimPT}5&v z@Z{vDV~{bhBwfW35?ama5^gnC8yjYUX76ZHy0(*QumWV zc=Ek>*4#T;JIqq2Qk+0d(P9&fPQbF&ZNS;n?z9)F1)F0bs!Od8;V_5Odkc)xh9>lU z>vTry1&&*9-)gbSzZ^nX2ip#xV@mOI_g<@j0zj4hC7Xmy#kRsE!Z_U=xUARzM>%mxzla>U$M zbv6rq; z=g4bQ+8s{wQ`?Rai7J>hqioBRd|oa(?P1W}8yj5EzJ}B-q)k|t_n}}+1p42G_FDTI z%zR|N3}Jg(zI%oCy&cVKLsDPGsrW0Zaj6LwA$Y--W&OWzFVxn)xqV7XhVCcJH)C=% z^XHWKJmX*%EA<@nhEOJ^lOre}oImr?F%NOo96m;iCI1WY0J{rUxvY)8{O*OYBjcCqMO^Sy1IjP-TdCMv8;}1R z`vO39?|q&2it}>E=KaPGlpBO;!RBYrO8tnhe9fR`C$r!QqrIfG*Z50LX^_$6c(iM1 z21%(y{ykj{Qb4Lc?JM(IILqYt^kWZ%lBYK#{!XExvU8Gp@pzu4W~FXto`7y2)9V8kU=$YnN^6s_l~(D0e)>Sl zt-yxqD$N@+gTb9fTGnl|EP?_%ge`m9v>M#1h6X02DtW0IWG#WZy7I^>)GyyywJ;hp zRJu&e^e(MPq~;Hx3E<7Fe(k#3ELS!^2COS2w`Z*|b!D!oCGa6Awqxt#sU5k-B)(aB zV;ySqYy5k|+x|Yb>m%qxcX8AvDp-B-aTWpUHxCtB1Mw5sm&`h5J`4ibnL3U+gsRhy z!H7}iG#x3Y@y5AG&YU=x@CsgQTe@*key`E6)rqIIB^Gdx7l#qLlghTRTDji|PG|+MBoJfM} zJVa=anRZ}3MVGLK;opQQiN2*?g@)m^s%~}oIa1_WM@j9|n|nyTP)MUtOnIj=^J?2S0O5Kw6$sV}Aut@rMcGEd zvlvhS$v^kgvtsT^dXuPS7Q^<2Iz7^mS8)zLhi8_M)4(oDP2h$`2cV!EbTC#0ji>t<&sCy!!B(ukG*_CG|Cjg^ z<^@0;i{V&}UU98$7{rZsI<{5wktPN`Gt#cyMI>#q>8uZ-5G|XG$N|Ca6Y#EO%hY$YVx_;Co`7dp0>7d28)<^}UTpEm$ zhgY)A6Iuc|)8d|=j;!#xEMaQtI4-U5gFNab9)e+L&KM>RC)|#4szn?n1XaR*Y^rtr zxf2-&CJ&}e=*l6rMptt+os7wvAk(GBbdBk$Hj=lR}iAs~Gu0CHVLzR!hvdfX)E z2u^$ZXrkTbJ`>W^=3W+}vnqs-U3T(o0Vs)&Wul8+=gUF*@1%7)Ye8H_NBZ(J@$Cxn%E)i~_=9@X5CytzuhhEoap9)aMuSBtqEe@kC|IWS>lQR@ zbL-(%#Zc?TlGo&*>(r9^{jQ4%C7PIH^#k(bPiK7JX3?R(`tH|du&pKDTkI5U+Z!&L z{yfla^5f4()#%LxX&+=a`|5QoUIsV2FF#4+a>;+;_|>Q)w7yH=?znGq--T2Nmu*o$!cio@Q%2rt zn+F9HBe_kt48@{z{jCtca0X1jZ#REPl~G=x^!+LOPl?td{Kr9PINN}`OzAi$!L+`P>>=(33FCCMxRRVkGrS|f`|;d9+2n3_M#R5Rjm zi*UuV(bFl9!n9%4zO9CIxd&dD#})K8VS#^hfNI)yyp%Os4+#X^nEq4 zDWbQ$--Er4Sq2+wtu?F%e^YWiv3z`_@4ESmp5{dLh)7tX`w0P4UTx;Hr4)^FJ4T3@ zIl|4O!f?_~ z=s}^2vPc^qF8t;4lt9oALd30jn;*19YezNbHe&{EaJByx(gQLm|>0E8-tB z+bDB3H$U$AW&Ssj4%Z>F! z)-tzI;(*SrMmKcKcSGNTYKKW5xG}4^vt7szTp)sJcTXKs(9)#H=@9=v=RMubX;_}ygn!xLBgJqcdtdx-3_nRWFF zF;v-LUOj?s&(O*Xb|!h6UZwY!>2Lx=JB8kXvEkb}183uXnZdpodqrXD??z{AfRI_J zVD2KEnzbNy0qFT3D%3$05fN`s`+A-F*(k zQV+t>dF>8s0NZaA0V-CWmYv_*o`lN1b%>qKVv{4)9RCsTK#&KX4xe?v7lH#Y?GztP z+P>+18V}sdO+Qjg5sEY6Se`ruoM2|K)Lb;lv{jV^X(TmV*q^C9F+qhHP}DN3eO0 zmkdE&FN?=)vEsXdlq^6dn}$N-rYF0zS^%g7paWE>gd!i}D^d9?sOlY>YByZg4*t&4 z?d%_Zk9Gt$cy62r$wNfW_(J5~hXRD;OU-qRgd*<65dBPJE{Z_ z>^V}pXiT~#=4+16{t{q{nQLl&uhp1)y}CJm(oX73kg^Z(f%F>};zfVX^OvTB&5P+1v2QcI zn|;lCO1}Clvc7L zSzHBv@`P))6dClphzTicLc+;VE34z~FvSpZYIV*{k45?KwUB+?jz6A~zbWY--?v5< zMf!uFxD+xG*T1-GZMh*xND$c|89_6?AgTAg8g~zo6DL~J`$JTXip4BQvL}?a6hlYl zPM}1CGC5YeyKQ&Grc{@UQKj6zB90d|{jiuis`}r&=G=$EDXw`AxpKBt_SCXUm6AyK zv{RQDKf1EyVunwzp9X;038>ndM*KX?e|zy~!+h7|imfsofyTAB=DRcu z-Txr?LFWH5Yx%M(FVMIylRr+dS9zIhi@H0MjBqB*ST<0hCl(c}xQ!d2R5O^HD(xt8YDZ?$AY@a6`$em9gHQns%e;U>vu;X$<)&o1T0 zxZxjRR2GR>lP6~3RcH}#Ku_DMY7XPpu=&F8r|vEP?@<7|Js8tUXo&iYE4+B#GJ1pc zX)L#}&1cnO{Fd(!a6}VJ07V6Q>Niy!x~Nh!)FFAL-W6^~5*2y*p;QtbRaN2=T9Wc% z>$DbB0+dF%;QT8QVnJidehSOwh!}K1BZ{$-ZKi$4GC$)mwG3qadQkJJ+hXr^y7wn9 zX!=oN(O+?^g-Gb$8eI?PHfUzD_}NI@9aro0@-SP&ecRKrllfAJm$ld#UC#LA4hv&33PkRjBh`#mcmhT{+a7_W4=9G(C=|6S*<(Dc=BM&xHiOA<#W z=g-}C9ns_R>`x-7O}SRw){p$U`J}Lkqf>)(z?l%O)eyAT+=VOiLB)4D?JAJIU;O<$ zCUmn_C(nQHNIu6FeU&TWEp|q{G50xmIn?K;tNCY>^RTD;VS=2rBe@iPfQEUCuOldl zEiQN z8?drt6>HAv-Th9C^xu2_Dzqg)+U-nJ{|25HFLio)lt`tYr{|ia0 zzIN05{~C0v6$8qpj(5kQG$Y$NV%Ra*>1StHzpiW1m{d&|v_h(7EJe}HR1U3?we2#Y zy$WNgiaUTljEN&Undv7jI+f}-u#31;JQ1E}v2NcS?wQz;TmFS96$N+Qj+fr8TxC7& zcQRr0iE7P&Kz1z)uCiYZ?l%=BRw7$Y`Z?W5s=~yZ-iY-?&&OwnyjM<4CZQ;64OKYu z#OuBYc%wJcv~LUe_B#v%UXM-RL7{w}tU<@1Py-Z9Z31=96l@x&I4X5)(Zw(9M%&DI z40ICWv|hp~SBsv}Pu()2=~Ptgj7U|D{C4kQpvddsCbLi~bq?5GNNe3Ywlh5Xu`p)qftXj^u1-RafMY8og%=30QtmtNusL+|eNf-nPzbFq{7czhP zc4+=VCBS7i@i13oJ}3)f8pnHU5T{H4Q={shZT4F>L003V?4F|rrlxIxP0iN>M?|&% z=$6|xvu=Tpiri=edC|2lipCGlQBq;y^#1uNR21gFN|>ttt1MMs+Y<^7gTmO!Co9Me#5 z9fH`K4e5rffIcR(0F5IV0s}TfYp9(whb3<3-nD4zgv{vYp&4I4=QPN*$PwSsC!h+b zMV10npQ*2Izbe;G>g-SQHU^#WIta=)_G@{s+I3Bge-+b~7IH`v!55Jd5s@=;(0jEd z#Ssw97vsEDu~U1=k$H2wZknjF!AGVxZR_~U(ri_i5VM45Uu$O9S|KN)X0!OFXX66n zxHTwoN#XX!eO(I}w@Q0_r-U{!8UyjC$zl0cFXh>;jfma$5 z{6t~Xy#6@EmR~(WU1~eObUhtYnD&Fe)?n3a=}p4meW`x@Yw7kg3=yqK68zL{hP>-x zs|K;7`5Y7hmJdN$s}Q2CG}@G~6#p2s$xtK)Mt-(ZA3|IxQ?I_p2i(#iZrc?NS!hj%1}&;yp^-(O-^&1$fZdM~s4U0*6j7@^j>L|ZVQ7v88P3pLk&x6? zd$ZDzR49i8y#E78ID?}>>yX?zahdm}5EZaSPB6tg@ZNm>fKUE{2zmr?c?iQwI~$vN ze7l>g|ITZLZD-0ZMkWHY25`8h-k&z{yv5BLCKF~ikX9EO4hLib-`qo6Y=PFVsrP!X zWR4;2j%V+CK=Z?YuV?=i-rZp=-E1@0pfGvJd&Yfsh(5HS{>L^VA~b0147HYCm2h7L zFG9MooUd;M&)DCq9vrioADchaL4C{6bh&FWtiNPU7brPLH}X(Js=yi95y$`ll80Js z-#MU%?^1t8KLV$nlR!Tolml8Hdb^K@82@(&z6$XR`}1>Qr1920Ih&~ZRXXhA-as=nXyM9Enq!!l`=a9%Mi9JCgK-9nAmI6H{j?Kq`-MbD4`D6!XQ<>b)+$SYVAvhjrm9T z{qTZid9YC*e6RqE5}jt9f2ZKf^ZfP#u7+|lvIG5SJ~r(HNkJZ>aT*5S) z*y$CsP|L%a^CmGKgQqUd9FYRQB2CSNG^QFrmo~^lQ(m+Js6jpbNivb7pi=bnipHD4 zIPg*aQk3p~3L^LsG!tkm?D9_`FYhAK*h|=?Z7AOG^K$0>&r{VD{cB1FlUJ_xW4dmY z1yZk8*|RHVEoc0()`S%Knrr06Hw5PK&>BPmT~qWMAbHKcO0g4_t*#TL^8FM;8p|x3 zLWzC5Y6kyVGD|9r+MoFa$xhi{{3IV07bB{#6?N5;o(eLie#pXZoD2+%>+JE&@=Qe= z{J@-`#T!s;UB=~@RS)N#&hpU;flHQ~_p!7D#&E0UBKZAM6W(wYD@4ZYQb+`s`m?^| zIn?{J7u-0j@o2~gZ^TfZWIdaQf%-*XZu%XWwF1%2-3b_Ku>M%?&!4kti(c5sCR^U8 z|COjS&aJ${apUAQdHzfN6(~_7ryZ&`C{Muqxfl(9!~%zA3-}!?%r>lw&H}c-3whK4 zWki?d5Ix`Re*w2o^#|=LGOw1%h$K${9RuGF8aTe$2y~1c_6qSB zPhQ)AR%S$p^)<=D8^SDp1vx3iQTkHzM5XyM>fAEvpUEtY5$Ll&x21<_46*{ac={0B z!YMSXcb@wk41cw~luD!B_?JDzG~W-7EXLGNell)r^Bb&;T=lJ>wT>jJ@$Ar5Jv+I( zU}+ESTNQ%NJlZs%*F?qb`_ig?SxMiwb`R)ffgtznULG<}$`#W`$|M%=N!#D3eJJ2w z4Ml}zE9K`nl>FRniAKQC!1JK}$KIwuxs@P>L^CJHror{sf08L(Tg@K`j13=*0Jfge zCW1R`Dt|`N8Qkaq9U8>g1vZd7)HtZ7M;M#FZj82HJkimh2HKGHTC&c@ z%lscx-yN6a`@LW8v>dsz;i_D@N4ark!yE~&9Hp75r74aaNUkg`M{ZNm+_KVb6pqb25Xq&e>kQorp+doyQm_SWzsA= z#~y3wr5S=b?*%*pPMZmw9R_E4a-WnLapE)!mQmz1D=dTL67YBJ$M zW}!YMtl?cCipP0)d*acm&by1Xw89>+?>D`tE#H&8=r8C-Ep=ITH@-BK{r>Bc%$9He zu?v-WMh3fM3{kc#m&NEj?bpAM?K6fLlFA7-_Gt$+nX<0_b*Rv!R3Nf8V z$@*ud5`Ux=2$4)T!LQFGyu%zMB`cYJWm8#@owfA$`F=Z5LiVR&joQuYAgA3XZf)m? z!6c<;N!>h7c`}Is!|uvm??vmkHGePH7D#swcfOQ5EzNEs6x*m5ocKiNSZMc>1MB_d zk%%q`zY~@{{iN#t3UK+Uk5Xp+%?mhEM$HQqvm$z~m zKqr-SJsI(6TAH}QFQ5@YeDOA*ytAgDRrogQmjJwAaHVSBSgc?~H}iY$L+^Y zkvXPP@&bUS6I+-R4V;uW&>YGc{I6(0^T*Z&mPGO{H9=yO=<(|i7BmH1D{t9f<4rZTZ@pdEwcL0GK(DqD|L)U zK78AwA8BJ6&h50sJRdU%owrNqwwk{kC@SpE%qHBYJ$U+C)al3)vQS8vLYGL;sN2tD zUz4RkB*yyvIxG^V!$TjoCV<+{G8Dr-;Ya(##;`RAi28D}1 zU%Wu)G2UFi(V-io7zkrVeTG)6 zHm!JhwV}=J?uXV7UUsu-05L|;UEJ}E4ib^uGU1plJf?T zPhbTNi?rYx_k=r%&%`-M0TUnIlAD!;lvmC=W~qwvlL9PniGA2|a+kaPvL=Or73o*@ zH+e3(Z0n^BcWjWBRQLSUK70IQmn(lg-hOX+o+ZU=bSLab7e5gQ%0_$Gr5*$ z_%BGGd0cW_R>nP;`iQqUW-wK~IF{#0+~8Ri2%tTRFw5uj8|fEBm=t)<@sxMo@=(l_ zR2Fr;r+2fA`)0{^D4)=~dF5@;yI-On7UqTUGhMy;tqBDsj~K14M8)@s#?mjghATT( zQ`arZrzqm;pFN%*h8}VamZr?3dVzzYlPj#{h9)0;t$W#5n6a*j=A!oz0qRuk7T{sv z@Nh1qi+?o-5>Va0C%=GZ>)tB8<|z;x?lNa@4FDt90X$_DLe)|#2xU$IoF#Wi_NL1~ zO9&8G?*(I|hiHzQM~5xLt`rP^S#K@iYUS5eo7v2xhE4+{eDb5izEG#@RkEC$d)6M5 z{PvH94h~k2sz$;s|4~&1@XH&5rKB6c<>)S+Gts~n+I!K6FZ7vZ%Dt66Qg<`}o>r&M zSpne9fMO~(sncIGhjpxOk?g-5 zg!(%S&(ll7-Z0Ixl>>!t!%bnw#i=ic%`#L4N z&d)Xki|Gb`Zxql!eE~*X(m(9eok!aL86t{<U(@=syAK!C3RN^$D*+s z#&t+h1CD(RcXoj8ed~=wH$H)=?>^Rb&iKim$P0|aJzFLK*#F&R?mj{SpSFH`ESja) zQK5Z`rxKU~7o5fU3xHQ{ki*I z)`i>QO?k`lUgxVNZaE}Jfn)Cao)vU~`R6!a5sMr%Un zFc@i^vyIM3D7<;m&LXpGPA2y8J4SE}ipyL5J z6eK?wO6X`6y!Tew$m0{({B=z(lBxVo<{f|c&x_m;-jYB_Qq-6{yI0_&>1vaA$E4hmqEGNm+S`8}=(j^m2Y`4EL8JubZUdZJ9 zerX>x^XIVo$&;BhYdq1PkV`n!ZosdR|BPtW+$^kO6@I!tn_v24{E|JY)=Ac=+oj8c z26?~p)h-HOIH6_HbXHKVzOCs^qoANlT`rsThCR*>ddg;$FaFxx$G2eW zoTj*`Qb_*!>l#@%iQT*>@8~M$a$2!0eAHRAqWq9HN>b()yW_sOERkV(f+s2L+bct@ z@XvZJk#P}hx>>zfrBL}MQT%Xa599n-yy>7XJVyj>XV(E=m*lM|bb>#n47ta+FOLv^ zM=*Zf616Zpec3Cq%-%7y$oBEYYXU;N_gx}3n$6>%Pf|CMDASlLqf|XQ^u^3nT7gtL z#Wflm(zUYf)L#SA)(qnGq{)AH(MkmOz(J2RYz#5kLu~BhKQrud@?JT_K3@oH% zl~bWTp5~lh@#98W&sSU9Ng_utEcgr?`42qE=EF^S;sqLEIXsURO1w;G#F0KgLEFwR zN2RAE4_rqPE(KEu1NJMbC`Xmg^LS)#qsA>M1V-m_^K+}vmxz?LL~FcfI*xY{twdfU zV!0FCH)s5vcbtPjDfHkb1**awqF8ijmYy&n>V*ccF;wJ$Yf91|0qxmuIQLWpf%fj# z*;6Kin^EqF?c1F%`*jxE2X(%(LWHmSVJQKrq2a%=Lb`Q513C?qmGy;Y(vc6U<`6MN zjU>>vj7|}R8BjS~odi+8AOv@Uza9BP?ijrsceynkzZxM<{^G4-D@DTRtekk%_({3Rot%I+s43)7H-Exj&#pEh#T1ih~%_pCBs&cVw6 z{&fgWLo%fy2V)6mf^^j<g6pM11cu1A0o0Ep)i}Pva zhPfGLcXz}E%S$u08^`4CBkWwZcU@d+?Q-(o^;y4qGG7;iN-5V)V_ppd-Hg!mNm`6R zoh#JlhlD6j&}2{VDlyOR=x9{jPOm@=Rs=ZZI8ggnKxLX1!RAmn z>$(H=Na4W%dMjhHKTu~xnzH1a^PJOBlmmh?Ok*E+c9dGV=eDY#;2&~l*@Na#gj9wI zAdz6IPys&@q+?USK8~=+Lb8vG@PbQ_274wg zdmUnfyEu)P_O$#&ld>AGHBzFWnMh6lI7oZud2h$=Ef&XTMDfB0ja6Qp6}A>|ut>;J z&gkyly53Bs;Xla+=}ixTK&}5_%2WBIf!(MndqgH*aeQ7pk}ri5e4D3;5145G2>D0o zy3)|_sq-?o&hVe?cYT(^W^rCzJ^0Ou;uKEH_u{H{IZr=mTv0315EhM$PY_(>V2&ve zH9FCG<>#@|y=(JaLfms#-NO-CW26PtR?F@TOvD_9i4cEw6>dcu6PdChK15!!Lp}O7 zjpvOf!I&1&xDHF$3w-b2%l%Wv-<4dFmE>2}Rn40eh-D6>(TP_C^npq*tc$KaCGr~A zczgplLFMvy9!@9nc0yP}a=3c8MDxj}x5%d!bqcgD2~3)Ebgd~q_Cw@jr3EhS2EG;9 z4;mOR#EUOv=e?g|IfeHiW@xD&36Ir(CBE6#TEuv71xC?6B<;{Rztp~l!v6v;j%UP4 zT0NziuF>o>NIhyrjKJ|>uP9N^$!F*>qZ&=-dKo(>gA-n1R4y&+(oZS2a^7t~Im6oC zgKBPrYF|93d1wo~wG|t?b zGe}q0r)ekoapuk(sw;TZo!6I_orXfKd;#``x%R-q9 zCTa%7&dMt#E)7h%2>$}5Q-aI=p9kdSj4Zb*wS7N)=~T7TKbGx|)osA)8U$yPgNG(D z3QxaMea-_p;m73SXlXl5(jDLfwD9fd-&4hRidPjNb~4xCv~Sz{4%}9>3BbiErHGLE3j0OiO>%bqle}+-G)5MjmvO+b7GYXUB~dn~@7M ziZndy`jU6!4b?2rY^zR<|Y@=^8^eki|Gt6}^w@FnNfCov02Spq7bp_~5k9x=Wa zd7G5KBG@kKQNy%XrPcm>P>TuU`ff``^H*U#yv$TzQ~c?WN3n(#OC!0KRkn{+-x~J? zjR$$Y`K$6<~MF@FL!J^NiI5Lgx{yV|4T?;j9LoTb3 z{Ie(fyU5G+0-ubYDs#`h-Rd0MIxoI>!2RgEL}>3wzKQK5JC8g|oFbo5*|+FO4uj~- z+FoOQ?jQJ5N45;4owypMLofTsyFB_8Kg)&eP}MU|pB*+Ta5LGvHK3-|q`#Mu(}j%% zj@4b!?qK=nAS+pAWt7ih4XIy`Cb%9x>|zk)oRmn(11g|-^uCD31KA=9Qy@Z00|@)T z>%%`Rd$HHh-^YBFBz-GwAHUJaWiQHRl&L2E!Bs(|NOHmAwJ zdB5ol{C!ShV(&cd1%kpbL|vzGGzI|mdjJL{3OW%sbj5J;B|xM!*glgc@-DlcYQ@T- zG2ao^cT3m0kDXz+4&!0yKTu~pIz3cI@E0pycn-Y*cOnXg5(&XG`=DN`ERBN809G|T zn6bl2#?7}c1zt}=u=K7e<|kg=)NMS_Olb!`KbN?^mNcn$x#HLUOiNg$VxBN~-_Lxi zAT4%6*y-zEL})bm@JaYSsPNw=9|=wQC{ImLC#D38rW%j2v*_I!g09%{|Lyc?-sL+O z7z64O%WfUhHZ;CQWp6T*w-g6eC*=9{>qr-9y9sB7dQ%-|(lbh}XZrA~v8AQpa+zU{ z@pv|Qu!;Jbynn%ch(N_>@FilU2E6G(W%Wg381i6I8&a94WxCy=Ax}bVd=BYRB+Y0G`oZClz#`W@Cn)hbr6z{ybI21R(~%G zF&AD>FOPR8q=liaDr>7XE~-E!w6L*W4&W~=l#O_+R47tv@Av8L(=TGIlF>eD?R%ecriinjDW< zmL7J>o16lhv9BA9x_TZ`@3*HmAyyBZXFn!m$Qm)Q(ww?c~z1bw700{`VUz6iZ=cZQ?fQ|rxV{GC`2 zs|$mH%G;ybJL&Q;T$tp=;|w40=@wsLrC!|57WgyHnoh5Bhnd?y9>$sb$8Y>mu+#dy zZ5?vtKlKP=w#uaht`cH5Srl&V}wt5J0(`*7xfWafopk9^QbOc>x;4A%)h3xV`sh^xYXqz@0;AGEU>jPg{Vks@8pP3ad~te091RQ-)W|w?wLCy8iu)CSmD($(U)gK^gGOgPSp{+=Qw6*Xks0 zcTV4Fam`-`ORft1c#vqT;og##lerADt3AuGGb3{`5czc7HEVE8x5N6=t*=>-uXtK z0$t0bJSqM;sEW$SdgRA-c}Z*D`&A7tCw<9G=?07MkFj}Ic*5?)-1fm2mX+ODsAq15 z1Oyatq{KfX*bkjC#CvK9RH!ykjjjG*+FPpDFTnk}5oU>ugqKj*w=O!I^XpOWurnjOW~nf{t4}40nFTe|UuoQXfgBj=mX7;ZYuTzS zbUyThfyYS2pki;BdYzstx_-O8>RE&7PpNu#aR+PxgXtGFp6Qbd?!?PR@}(r*w`>y^1EP(k*(j`(!;2`74I*3 z8@=kgz;k;0>RyYj;*S_Tru51;!=DVrN*))~*n~L`focL)O`7B1{WX-)-Dn9V@kRrx zx(_R>obsxPHTs&M5V$(Q^Mlrn$93JbYh)d|9Pss={G9$i#yEkvMsp8v=3YcEfgEoA zrg2~mQO$}}*#u8#h1neX6}mLtd0cC&@JIs)l{haw+0W$irdk`i(-45A zD0uNg`gB|N8fSTPlz>=3thGity&{M}H6^kRQT_CDTPV7~Rbf#0Ir1K=otqqWtN>Kt zP0iE8!QTV5*%q76XcX(A)A&}sypJD!_5bVm&_>(-aL=jb8hOeuEwEbHqV5&@Z_TVw zAgM~0=4`C!tKrc^I0j`xo(Tj!CAyP0P>3lmeEX(WC4lbpC`JiHUZ5PGsOe$=VwIr3 zoOe0eDz^`Ql$Q-p$LIvag2R52T6E~L?`{Ak`DEHQ?4&tZk zS?*42Kx=mzW~)>jrnOw@JIJYp|56Nyh8T3}e z{D-_UsmRYNBF;RQe(!d}seMASbK=2YBKPpb@xfU14)Vp3&fLD$0;_iO;+y`dRI)00 z2QwacagyFt_lz)ubJ*XT(Q?zGeqTY;O@YD-25z_L=nmMfXw?m=m;PT@++U`=XM2+$ z`6H*iAKbyk1}PD~_aaM1eU%SVB$H4i4!LIK_O@TvuUW)wxEc&8NpMJ7QiK!h2!x$f(rg`aUBrs}DCbPIipEoBW7<&-Ps#}PQ`3EF%sWZpznQW%7X092%+@fLV5=OQoTQTP- z*P}u*W|sPVzCG96rQ1C{3}7>QA^paA>Ew~RSia&dF1|4l2>~In{3ZLt82iUywu6L{ z2SYRn>#vLV(b)p?bzKy7LnB*Ba$~VEGex8yhHqb@DTbdo*#sKfpZ1#p*dqkh2I!?* zI9sr^HR9TD;^<5aVVGV^tZ2XB4ZYRqL*{O;NC-sep(jsZ4We)umLv5?+{7F7&zQF& zBUri2r>vv8X&JlK#B>Ydfbq?CozSaZT*zYuM-dmAAV+;jqiz2ZTJOl)fswfxORMk_ z1(8qTbqr~j$pQ3YO7x~+ffgd3V)Ot*T~|B;MbbfxLQ|3%yX^!HKdlSP3(<2EUxurL z&L;?o=1P!(l|zu*UTx@#Rx%KI`uxzf9&zp5(CjXP@FXlXbk|F-*<5PElBfhQ0tDP; zS~QV23nz(9rbPRJ7I26@n8EQRA<$$=7#}22M2RM9GX$q|^pc+CC-SmjbYe@O*b_;i ztK@RcqWxK!tk8Lr-L&cFH!jEGQXUb>IjltYL7jQ?WnGHMci?KjVKl9N9XL1VB#~F2 z#sLo?ub6jjRH9P#UyvlrQ}X za{r~SaIZXY8gx~fV|))>lxKdL_jFpN!jQn*T+n{H?;;Fi4yL0Tqs4ghOdee)aFwo{?+evPJbus z)-T=om>zj70w)t}wz)2z;V#guE%(whVjzX%J|<ewj z@D@DGZyN!%M;!cJUW57j;evzjysr-ltlH`Ry((Ek{IfRMADTy*3?{7Z$KFWa*c|vc z5U7EXo;M8Qzmc%PfrjQtEoWon@ z7^avCrD!(Wz}lYz0%v)u**L*x?QOZmZz+8*{K=#sqwc_S@zbti@nu1QXtrB{ne)cc z32esKosvG+b(&i86i6yqNS$JcK`0(~mdKkA|2UhE^|*|tm59U}e;0E}7K^mr(B~J~ zpM3stA!ZB0&|H|TrS7>e2WleDA{#x(_n$o$S+W1vgr#v1bm(0`2>vX!Wz=v@PIam;xE%F%K0YlIME-oG* z0Xp&8e&#oU*56x6&pY-T;iW{9&Hvre!OLan-#0bwD<()#b;+<|FCl0m5xv{~hPZ|@xprTN9zY5pM=inhA2cgaO)x4zBXFXXGv>u7DwHdt zm6P$n_P<3DfzMO0s^p1FI6_5us7=mj1^h<%ch0KNmZ|*y@kaMwnhK`XzS9qWu2;6d zVuy6}7YKXVaQgnryU~4UPg5%}$CfJzT~tHPo|vM3KZ((8Lrdd7d6uhn-|j}QQax_5c=m+{~j+n=kgvM+CM z&bwp?Hd#0t73H`KmgKnenJe7VFqbYfO^aD=73f=t{IS%mt@#7b)6-S&__zRhXN=YT zYA)-OW*m0#7IelRFQ<5h6+gDn7AgMMmE{yB=(yylSLSZ%xHciK0-evbgYc&(STHa+kODdpz-@7tM0kmHm=m1r~drGe*u@$lMo#lnEOcBW0|(B%1UB z?v7QxiOLj`U^TNbRnd5e>`8sNKarJ_OO@cydYcK$Iwf|F6es~QR z{#;F7iO}RLq47ZvU9+u2RI}$q-I$Oex8n|SSwNpIZua_dh;=4Juqk;M>D3-WE?gE! zWs;Mv7iTbaI&QTclNqM-pMdA?0;iOm(oy?Ddsx@Y&GF_hW5qOZ6r>YK0R0izr#z^3 z=~aKwN(A%Y4W;FSOcfWIK!m{AKe!C7lzgE4f}F{J=%z$3nmeHD=r+buqBp#hc-l$B zv^8AO#FtdL6W7MW&LY-U*bLKuu!#eqH}P(Y$j)= z--q^c2*=tpV7)aWM;H{IKpb_^9L0%zr@o_k5%1Df0P;>@3i|^-IpHFn;|*khMF&hR z<+(OF9>i<1pFykZUF7v!F_lQlb9&wPzV1Hq;%k&|))UmRirES@BkdRg-jTTE{hi2eTsYgZL#AyaUd-@y5zNcOt#H*CpU~e{gW! zz}-keb2AMEsXXUYzq|*xiap~OvzX;DqdSfO9o`qSiYpq(DcZ@Lwd}ZD?Yz~9z?ei6i!7gvqg<~7JBzOQI;X-&9SFq-y-~cBcpf9Rrl-%l1;dh z7xby8FXB7Vxpi~|y{fRiE&dR-SEEk|+)_IWZv9E#?JdgO`FW+$q0I+Oe*oXv*uIoT z2|@i$a3yptxH(f+;QfKLs~bdU!{5*k^?Qk!fCgHfXszj2c8I){kUZEe3z>#Au>?}l z_~ldo8u0x45Yc~yzWm>x{G$u^EGkTOqT|5e63>`b{V%-ZR~_?LuOh9BgumG`dzO6~ zlUEn2!VNOlu#J!0>1iEizvEn9E?DsA+?qS-;$|D@=;HO&wXt^Aw-i_!wVe(HQcyWA z*|CAD)EMCP+n4oUaQpf*Wh42Loh-V49@~i;@KL1=Q~ArT&}~Q~{beym6>JtP z;(9#ZNyxi97dUv5uFR7nB5p?uz9p0Xs;pBR%+Ui|JjkPC(^EXp+t{{%m59-xl?#FgFwLTp;6 z$2h$(MgO*pcZ#WBT|DNQ@l#vc4IV|Yp^Xz@@Y%)$n_>y72HMhZplS2?#+7B*^MjqW z{F*Ej%%yN=vpa+kb6X8_Vbm*^)x>6IH)HBr18+Z+Sb#zVRy8bO#!C!&-Lz<%-#_Pu z6H_-fUEM3%Buj#j!l4b39FPvB0e%N0d-%hR`*?#rDH-rrKz=|1uRJc0QO{wARDmzu z)&h^qk9U=sj{i#zo-s(95*g0C!nE?ps4`QxCz=mL)JJ{e|1o*5P8hG!n56ELFI#xX zuswK1x%U=xBwK0-D(}`%~SXVm3+~_ny2IaJR8pY)RbE z;ptZj_+EupKGx`<^JE$+ic{O?7l@B_m{F^oQUj{;A1~$vIxqDQqxj%92Dfj)*b**c9VZ$oq_7k z!z5i1|5B!2jnjU%-2DL;cDIx^Lmzfyi&tXR{Ky|19*xiI~9 zN|-1@HOZ&rL}DK`XDN&U_UzrU<_KB87jgGJZ)xdkqC%^H_e5CxcKf8NkBWhmIVv{a z@;e?msAEFT5WaviQ5Shaj3tKBINC>WSm1lCKS%^Ni!-9rcQ1x_Tvgh$lH)*LA6il$RNP&EJ2i%BA@oD!7V`BHwd&(i+S8M!gkQQ|VbG_92ZRFFZmBMK}8{MK{q;&%@c0Z`AvSvUwNID>0UpwWhI~ z8aIzUdqKOl)bb4HaAo)hr+C@RfcAEYLxLgiYA!+YmwJtPMF3HwfIbAG+)R9)Ms@(; zJZ3zX^Iq!4i$Nq1!}9<}wso%{B?dKU?mx?LP5*fOFl)Y2)dW$l-i0q4j4>gpmzwIDb25-S4+}kAZuIp`g@K%SB~#*XsK54yfuAtp}I72hUo(?JpCD zq?g$zH-jFfl~I%&KFRE#kurOv-ybclvU4&mUSNicf$w9)yZw3_MYquR>}NvYjJv3- z%WGG@kdgzx5_P^yQ-1m6e!i3t&>whIZq=|cawDih#7yv`Q?)mw#k@zgu8D>WoRN|A zeGKABn8$3MI>l4%@UuXMsBG_=%F&j1lKC2c_3L9b34^qrE%v%H(Vrbi-60W27MgxX z#GM$VYJfP{<6sj~qaiS`L9tS@#Yc3R{z zE>qQpCz4K*C}2?O>q3^MmW-!@u`Rvo_6L~w(?Nt)@&H+oPA&=4;^}9h6__=dbHtyZ zM*tl7AJ|I!_9Yae4~_@W?mzUd6;FSJ!}h_4sDXRVPz{l!8wL6a=S6?0MCiU|fYDB$ zn<+iWx^d~jMmHyzc@z!#$Qm}`Tx|_+3HtPe)K4F4VXm}29)Dx}^+jIq5_$<<`)|!& zdSEu?3;?Q~w~4$*Bn^}QTebb)sw_w685GgxTPmL>&&KWrNMVO@&O6k8`tH+>0@7@L z9b{t~qB6c$APfeyFl|4P1LrczzZ0o}AN(0foyEU?U<;LqkTd3bftE>KGD5j zrpv{%L;AM-H@yq1w zFrA8VV9>FeD9dj_Hz7FN@U$#gME@SY=KFa|c4ga{I?+iV^7FvR6Y-(Ho z*#5yRV`JB~bn;E|jerV~n}7r5N|gNd^KJp5ds+64J_rS4Zs_@hWreQfFimdeYvIx7 znJNk*;@NvnMYCB3Hr?;=tQD-}yI5(I@A57tM!0sdaLhjcb5t6eRrG~2)o^1brfcVl zRJ(I;BrEBy1nsl2Gui2hiThZ*jIceq9DDU1f8fUdda3^iOipDrBF;K$sVAe|I-$(WNkYQ}w}Gi+tJ#>E|fdhV;9tg_6L zQ&S$StV0yPL zY7~-Boq%Gk$3txfQ@LaYaHHm$rd+aoUDRh#_`~wlaq2p>-A+Q99Z;r0lcu!E>d9e} z1jjzvT}Y^yL`RVp~S&V%-S} zxXn?4DB?079(j@DV`vzWk#2~>0!Uzz=I-ab<8<~rHHWJ3f>=6pPhfq|IR@>@h6}g#-QcvhAxMKla;)Zhxw%s{BUp36yb3%%Hd)b$;tDZ7Od2j!?&8`Wcy9?w;J}| z|JoBA>Jh*5>w~~QdOUJMuu;7xxAM-o@oj=z$6XFbCx;||CvI&JXhr*m!iu(5&7a^v z@A{p0vnv`y7^^r*_ZwQ~gPwuH1cQJlDLZBJ$wK!qU6HXRE!yfs_=xg*7^>BUTuP?& zdrVtos6-3yo~frl@qUXXDb>xxF#FUQ3_Wv8zR}B~LsE#~cTG=08+wxe9g7Q5+?%uG zo=dplu_VWh1euGwzC8OAC2;CK+3f0im3Sjay&5BDQ#z&@Bn+B;4R|Mdb-omoU5baC zzs&hA4YpAR&)9fbY1Kfr#8`(W1U6_siK!pwVr#R&UqXV*?2A{Et;<803Ima=#WFy` zD%&=L$V1u;_*0Pu91sYSSd)Pa%#zV_L*m}Y^@H2=jIVmW{xo)twtipn0$AoXBmV~v zivpoYoo8mxLWd_#*1=i+V&8|;c46=Z!OoRJpsK=`Q_qN?kdv?U0hg%{Z$_fa*oK`3 z%A15#@FG|HoxM!yvoJD0c}cu8HQrV>=dtf6wmVEZnpF!N*5ZmhaLZ%60s($T{^)&bRy+@IjT_W&Fi$DD&pkLa>PV{%hWFec;_I48 zHq*DJ;~RamyGb8fOLOno0k)NisSJP;|3f#xxzqnp7oum3{bn}XnQ#it^xoVsr5s~3 zLge1oFoC1*5Q3s@~OSLVM1T@9yOTAyQ{(nz{P$YN;$6H zXS{?qQ=KX1PjEf?n20*8VLUH<;X&JKao<Sno(2K{T5$%C3YPy2&K+F@1h2TvsYPw+moC;RJL*dHeR2?YRgFYb zpH%IlmoKsh7_BZ$83e@1SV`WvMYP1}ly{)wGk?$G%Jq$9QsnRRVm21eVxFIGRCb{? z^+a-*UuwIOYT;W}%h9vm4Ldd&bbQn_vUDW{auWBDs&o2?a=8^-ffm@^Q$B9n!M=l+ zG_nyz9!LhcwoBpAYX>Lkx=$nv9q_po8|s0-+noRGn;cg>`{A1Nc_Y!kfB#%@U`4e> zF%o?jVghs;w&VSf8t`}!66q3fg=C9&fuvO&c|%aH5G@A1^orGTdPvo#rJ^?Yi?BG0tyT-Xht zrhLL)Q$(}A_;~b3ExsN4TRg*K&Y|5$r1S|kE~BDhX365eA}(hWRC6rPU$f_;be6Y3 z_Ugr*{;OC(_6EWX^bIxvp9{WDj-cxT9+JkXiM9+PD}{veQIP!&J465UsiN6@cv5V5 zGTWloq|rTkDuWcSTl4Ke_}lZp*n}w`%{#Kn(d5N|4RXaVu7kisz5=a{*;(V8cF*Yj zf17o#`IME$^pYzUNhyIceawNn09K&jCXTuA;qp*;gYj29dKcl)IK@g^Kp|*g+v>@4 z-m&`hwzJKws9B17f8)FVUA&f};mFub0qG%Z9)@wvUf&={5W}`;@QZwTAvqN1m*!;p14L$RLI7&DpZRqlI7NO@wU5at^J;*P zpSefx!9tpS9-$Hx0U@7mCNvf0umzLFJKS8};9h<{`sGin`MH^>fRFpoQK)%TdMJ`y z`Lfva$8%0@^aWJu5rseWO=EDqH$qpLoa73S<>$zAI79{IxemDyS4f%RA@UxFUiD|) z?l`dRN9m1G^oAz|BMhb_$FTQ;+D8U;F0h1^hJ6@rL-;u_<+Ye0%R(Rf@10RFLk0l3 zV4+nvqkr7muD0I=k}p^h?NoVQ%i0_|0BNy>nFv(KVIIVf;#b$^Nnj+p;Z6Mb6GED? zclpuJu&vVB;LdB-A8{@Lfz7rs1JS#XhzH2)cZ7MgO^a8*_}3l1nx#q0lUHI^uQXbu z70YCl^E&J*k5fnGtjfV{&nq9~pEs6C3ju#(x3IfI-;XnwVNtX2y|v8juKy-6CT3IW#vZg7p#?jmMemlLB(jx0W1ZXIjG~WM z$>_(Q2F5g8f7sYR_cas}25t`$IV>a30t`Wc>w-&xoWO-{sR%Z^<5KkRq&KyAvFQvz zls4+!=GKp&`*xK_-z$mD?kvw|HlZe?-Vbk*ib4EfF1xB|{x7?=cwOeQn=b!MHLW0^ z|9&%@f0fw!^+np1?pzI5rfbcGtmisTh#E$|XXE>$$Z%WgOH#@y*vaAae1PQKFF?ER zLd6dVvO=?0IQipG+dquYht!+&+@%KoUJ}K(HTEuF|1^0W*fZ^cu8uby-C1W(_84iV ztb-l_tauFy6piEBoFSm`?Q`gDgrHC}eH{qZDFQPKMM2=aE*ZSP10igO)`BrA=*1G+Zz*D{R#_^VB79;;au+l9cy}2yd|&(d4}3P9-3X-R`W_w zX!{{0yA7F8+E|EcKa^zbW_X}3kNsWWie1%Bo&r9{BKpsT);d9;Eu>QV>G{TiH_6aV z&=*Sde&}YnNc6!aHwK#7VUX~NeJ$SKYHZu89P8m`6DN*vk*xszMd{{TUK`smhQdWk z0~_Pu-d3aU1%!?`6TJ6YY@XRPy7!bW!n@|Eqo~-{Mrh)TDFUd)XNanS7Y2HA-C&WQ z0GbG2t;f$63d_;=NuYHm>74mBXf{GKig$7mMCl&;Q7I7l8XdmJP?#3~83B3(cB%c5n zbu6?UA6`qJC!C)}W8oX*{QBZSYH);ZqbP8{G^jv3YcOACdML}fj0kuipT~N0;&=~` z)iAsZp1BhQiB`XW_cAu9hxiYByoC+wKj{}gg}m+tZYLw+uD+KM*L zIi8l3@9N+yrpiWBN#21u&v`$TKh-590+gD? zVc8r`EJlGVFZFe2^O~PM zqerro(Mg!MxcHX9t0lym?U(3UyeqhqXW_vbk-34FDl>Y{Y?T|{4au0s#sr^Ic2Eke zmB?4W)1iU)Sv}y_x3Ctz;qU`(>3ycj#km>L=01xEx~N%aDh%SGt3S_z;>K6WC1CF} z@=2r6w!KWU%*#7jaI!=Ec^X_cau9l&VXOT7_2&K$_~opI{ft2hI}bE5n5Xbij(K^v z6mth2y&N21eSaylzDbZF)s?@TY3oy-Cj*@4Ltrwt9!Cxu&Kh`Dlt42TS1qyZ(SCV& zuu_MLXS>f;x$Xx2mLpkDpRDZTD|aP5%v>U1j1-Zseig@B$w0JmP+4yIGi)sDs$$r5 zg#(b-0(qG~D6Un&c_gr;3jILfDSU8j=u*^%w$E$d{IG-SrA0&-w{8hP5nH-nbhzF` z6fneG{sR_{1|)0y=%eZKi%su-Cr>61s`V1jbNx;nI~e1bU!r18jcVUL{M`$BX*mW4 zUdj#hx%t0+SN@L0Hxuj=s2wk-b2{_9yt1~tf6ynAu=|CkXoB`jIR>4Vn%wEHmz19b zefPgTPjKJuhlT~FRf%FvkbN&TJ;xkUmrJ2c5 zqsDBYQ!Dl}_@n)0M?4b4waD$gxnIYz+=<#%avgYUshK0YocT(~c#$o5=8@eb7g{kT zU{X~pqP?xkqWJo!r00mepxFfbkTVDcp24nf%$x2jWZ@f;BdU8AKg$~BuL>8^#&h>w z7p*}wV4aJ9HElrx(qGfr2a-En8cxxp{2X0ZW~qUEdm4q)@VZq6E&1SB6;s6VbDem) z548C|_ERpIBniDH^R`q3-xWQML^CbiHSQq%DxSQIl@t3in2mbWY#~Sx7UsvSA{D?F zJVQ2~L6q{;rBX__un0c?fpH}zce8Og3X5RmI)k^g!R_UQt~_Hi4bBYM z$vIn=uwBo*$+mi({b{A#_F3f37N~C8QjkZMw4onCNuppcRp(WScV?F1@?e(EtLp5@ zPnV|A*Hn(0%KX#W7-ongM5U3*<<^_*-FrmFjV@27wGW`RKt>wx-jZMa1id=rk#-ZR9|jj9xx86 zJ)-QvPK3v@Zrjwxf~)XIhSg8?W>x$u+gb`n{f539e9ywZpqN?`MXYYXvKwNXVz(WA zDuT2Re}O(vl!z}rx}1e`#@nPc%Smlj70px~XgIB8J+^gP#Z@-&CAbE!>MIM*z_|6t zDt+9{*t^n`Nc`RhT3<~k+W`QYG*->#i#wgQD#spDG;g1Q_P1D$Y28sT; zq35rf94K*o@pg0^3Pmf4Drqc6J!o1j_3uA=0*Bq1!$DMG*leW1s3P3ncTvf!dK}2c zt?}lUWvK$t#UNsvgHCrs13@3JueLmgW`bEYuJ5m z4dRtS%P}I+i12T|YtkRP#_AzHCCng+4$@Fn7IND`)fh9utt7uVI&`$ex-^90c0S)$ z%8MyKjYr_lh@z@oKk@hBztjOG0kWF@&SLhr3D_(oya&38WpqRnIksxgeoI;$9I3hJ z5z?ztFIJ@e?54JW#idGCcE7I;DS>eNyNlN)v8+>2a{mb5B~Af}G`L*4grw+& zK*8S!-RujBefVK~%{yEN{@m6Vkr*WE(`!&W4Cq)G$-RcXPM}Juu3Cvsk<>~k;*hs( zhUFyfm0wT{&Whc*1Fh{EBh=d`aK-i%xu#-nIb!!_zfOJgHUUfc?Fin-x(nWBc@AxTy7D?M4?hwbaWVN;X=2 zq?aY3R!lM)!Fa$k6!~I_5F?WE5fa8-w&kPG(N2+RP?*gY{pW=hs&U;^%ZU9S;uapZ;{YTV~R% zSZ$N>(fe1u_tT%{P8J9sktEZ-NR8e!tDqr|C612eon?;A!Ygp+zU8Ni#Kwc~l39{j z2k?)pr2|U$w|^Dhw-4HT(OZ}$k@+BK&ZCo`r|{s~N=MiGsCc9@ z3A0r3g&`OHh~ZHNN`B3=Kd@vaD4h>`gtf0vOGZ9?I#fu-PRC`{A5QHTW8lKjTvhZbx!>;>({G|Jo+usFJ*Y@akT;TZpW{?5vStnz8ilrdEA2r#WUduX zqE4x+-I^*NW`DPIFX={x&ny8`P%d+!(PnBwoy@9(QLUBqHG=F>*eXa2dnCpb*|@{~SxV zlSwj{pkFG;!m3B=YaD{Ph$COuE_j)lT0~Eo-GO^tzmfmuXoz>snSnktx%cJh5}Kbs zB=7AGvxPs1&5~dE`ZZN`NeuT*z^F+-C2rIv8Mba+oNiikN64s8e^l7$a|$eLUO$Ce z0Mcgz5rZfRJScWNUlLHfCT28}zh*Y8HOg1P(cxHcxM;(i0wcF7K0GH1VMSP<}~Jp>_HVfnC!rKb5XNU47Dgws;H=x6SrFPI-G10xhv;Tj!0hG12A5kHQn;&pW9 z-MG9ZGW)v`I6fhA7$3+wI>n7rk?tRG>cV$)YyioU92v(BwhW>V49U9amC{4DnaIiqoOBf`SlZ)_g;6-x8S0r~m|RLT?6hY=G?Qk4}`qQejW3 z(#s6*V~iy4L2PSb5EvLd&SV(O#M^&n$kM>oKd8GXs^U}@8&10z%~_7C>f4P=|C8aS zHr7FHq83UPcY8Kgc{cV$Yiww1Y!&(22UyUh@p{Oe-$RM~9GnNiqlt1{~=^1$np!&zg0*BV! z&4N~pj~9B=T*&Jg)n{~L z`0;|MU-A2AWOAJtZ&)9wu+SLMkq%=zYGXP&&(Ci}?qOf?6mNR(&YiJuf9>9I z%b^yg2fMQjixPn3c|t}=l{Rq4WhSHdAXZgtDX?sljDwkWZI2yaMgCf<_*hJdmox|q z_^6+!PX{eu7?NE1emv9SDn@Y{BR@{D*YIL%-NHZvQvxz!#baR}7(74l6CRml{Wk|m zbA7T-=L-Le$eKTaD=S}h^Bcu^iM409HhD<13%mtIqkT4(ZY%TjAEk8Mi7 z#`irKu&&9-wD_eehS()!S>Vlle@$55ndAz?8-eB0d1Wg1-;BbY+*1W5grQ_Cgh;aV6m5PqwCLGf7V5$+S%mw{yK(aTde_&uxd*Gg znXEN)avL%I;f$3rQgkLKX-I}iM@KT%myDIv7e3Y058AcNUA3Pn8ZYR^i$rwe!E4HE zpeZ0Vmi+tXKuiF+odD5^MM|~}A0OV;`9S|TAh7a&1Y#GkLyPkC&F(;QaL1&%X8K8V zK%;KF03skL$BxQvLp7-Pyj0zXxRu82VF}JV#rJ0BB$&WtuQ@lunuSePBax)Lj(S<% zZ2jlmQeSZr5h1QkT9rd^7(5jQUT5!(QnjbTOsnoW-`t(1!reFj)7B#XB0gNBs~kd_ zW+ew_XV1l0mLMu_y@?1q6U6JtFy?S@v@uhFqn$Z4jG0Nwno;mEqZuvifvd-<_!lm( zkeD_#bi=|r!tZ@I{(<)2b?INPvtul1stG@Fxb>ww-C2%Eb7JKeGdgKDde z5Z-h_bMLQ$a0kK@Sfqz>qvvFe!A=&DDX{#2a>p8d$vz7PqX#mWp3uB>DSDY=^wZ-x z{W59WQmh$d&#jk!l2TacvHxuB?bcZ3EB6-}-}cv%0uU7?Qwhq&4?4!mTQC5_LvqcSTfRANN8@rv<-{S7h&kRRN#vl`rD1C7x|HL53*>p}Uv#-d5 zEd%I4_h)^)hvIvjT0%-+8*$ti*p;R3v5E8ZcH?XQ05|rpW!?r%0rUA_z%wNIpn*CO zr|zBAIkDJdYu6g^kV_Q9dymQRT~y9WzT=q=L1BY5bnA0+=8?;N@snAc8S&JVmDJ^Z$LfuVJWbLIsNLSjFR+6wT^+{M;Tb$O}OAxIkYQ#L;FN% z-h5Wl{5@aWI&{}hiGJr6-#?68asOW0Ao862_tIuAayG2|#!_kihFip7?t!DBut)Rf z{|e8*07&5(7=Q^Ffu;c{ZwtPxLq$$fe3rUd$%$*Sx#Bp{;CpcQFE|8V?ik8ECmF?6 z@I=hb+oThoXs}k&adIMwIF}{GczU5Xa{8y$E9%e0HO35+rxg6Ueh)&|u$SFs~=$*Ml{`4Y?G z04(0@e#17RtYGSr=1Uaz^1)2&_;}*q!BD(^|G|tLE@qGaam!Yu@cB}MZpzp+-vJb$hp=X6!Pq?KI)wigE$gBs{C0^XVr(64_kV$JwFHZhlSZC7Au zCYM#v%rj31PzL)AnLTXSf&thi3+5#fZ ztx;sEaJE!?FNyDmjHdaDx|e*B1ih*T*h5a(@CCZHg`=5tQi?#8huNOeUWC;1bbKd z3sd_Y+2WfZVjz^!wXfnr;JbEnXD&<~XnbK%ChMhnXnDLMz*_jvx~Q|6xMBV9Qe5%F zK>?Ou)lPsrBum64;>-jO>U01MTOcime+51NI?T3`2KGh0KYbf9V2h}6&leSQB*ysP zQN5=fj0mp=aSCo#4}xI+gN5LR1|3^`><>9ZH9fLZw1}8JD&~Sm0zLXEE8KL#x{M0L z&s9dBY%^DzSH3a;iKPP1B zaeTAE2maTNa4#I>=&&!Oyh!HI;(tn(;oUxf1?PA@lsrPT_&x%)Zz2iu0X)ChfxkG02Q7i*0RRf7RT5~sC`czF zdj0oxJe5)khmck(YUtFLAdHCVWT>nESPC(mofFG-Q3jYlRu^`T&kDArS9tPNqxR(=#k30QRdb!%REY-g=h9%t~|htDyrB?_;2E zNz$j3^weqwXdg{dh}fDsAOOFr)4FvRlnh||N*NgO;V zr0mt;_kTeI*Y*E$9wdlW@!FGEx1XxFgt0!pT>b*EmEJe}-C?^hNAnYR&hr?iN9E)J z56S{l!&+O1a;POp0H@L(Kj|0b4;2IO;?s{VQfQs)e^T+Y>V8&10Wm14f&`TN8VsxB zM!kx^bvQoCckIb55sVvcyEl4W<3zT8wey^a@A{Q4y6Hh#**)cTO=fT4PG94St2T9P zx8J+z#&l;LC&6O>%7Fi!1PhppyRcVo(LV$^&d7}ymiL>aJen{64X!<1q{s>u&w@O~ z2m5T2z4Ww$gfI#h@u&7IQ1sx@%TjX1r`-#^wejzdJ&LR9|H-3tkxK=f4>g1G$5n&Q>^DOt#G zOUjMP@;Fa1Tu9xo^j<@}AIT?$*TZ0ds|5gwaGV>BKJY1r>6I=S!$1zGSvw7pT4m8} zufqi0aMPa43r(7D5SWUet+ygRnlC+dfsNPWa@KS8Y`2bVH}!1mj_1}LE!G|2%>rX( z(4}5#lL%_f$dkftG!M1sy$)>nc{I?qOo_ORPJAd6(|v#$zPe>OsFHFFvVX>i6j;`! zz8!#FEgaG_-MU@V=To*ifrsH`S_n4VPxyyy0XX{+_#~EVqgf8ym5Us)R73l6fCR%T z^THjzA5q(!?&55TN=4V{!}Vb2>TdN#JcKRjmbTqUS^evFwRNAS)9V)SN|9RI#Eh=^ zLh4gH@5aYB4ao*iR&eM9S_v8H6;C8C!w^gvC2K-PwWXer_GFk{(zE)K$*=D*SJt|C z_8zQ{M3Y9cKuo`P^G0MWheg)VQ82t`vYfb4z^92(5i(4 z9qsOaQC^*m0~M2=Qf=!~ZYH9amah^Mr4_66i(1xx&an>3NjPva;Vi5al-Au5~)pA?#DWoX2_a4!qgUIXQ45`NEVEcJYg6N(f3c567=?!wex3|5Qg<1cu}8 z_AiJ70d(Wj4_U$7$MERbwisk3Eue^U4EgGviw}9sbD!9Z@QFXHd}f|_)T9rxn_7);2SGa(h%T@)jH;3%XU9a*`$5TAbsA12gjln>o!7Q}0y`Ptp72li7zX(EE&CDU_oK!$w^Ex3I=0gT3kZf| z>{AN2>;fClY-RSe;?0+UlGUV=m&8tmBl#Vdq-90s=dx(K62Ro&(EvE-b^(ruW7z&r z@M>dwOcqzSLjGDvZ#7DMY5i$}2>o%U$e6kOTWMgM`grPJiDMC@k&Z^ig(A^ibeMs;-- zVY5;^7;^t&;XDXQGX z(yK51Pd;E1j>*#MN_|OLV@d7eZw&xQtceqpd?E1}N7}vPZwGo@LAp6e%)k2eXG+%l zw$|Jev5+gPi%&F|OTFZf#Z)RR(IsTRXpGKQ%9rYT54W$*M4nY>lH{?jKJm$s5T7HML*LyWel7vuYv%hh_#jB! z&DjP4BJ;gp#G0#St>4;(GK7ir5z9X4o|V6J?qAL}9fRO1_1_0;_#~WXrkQFh^8}#0 z0z2R1Y%_e&t_&W6CUG-}!~_Cp=X;Hfa5En`xYJ5Qa_cXb5Dc?Hy`!sCT*xqQw^X03 z&M4+$r=pm{Evv;k`IjyKo6tp;oG9Jxgd<(k*sMmdrB}|d zQD##elqQ_D&u*tR+BIAmB#S%SD)^^(5OCZV3WVPf_sg;PkxJi^%$-4De=|igp|Org zvB&J-W0$UVJzo?u8Q`I&U?FQ~&H;Hf<|b!G=ZmU%uEpT1vVGo9*2YatvxIOIksj(EwBrx9jZrNqWe;P0^y5*As%W)gQ*2e>keK{MFWZ-X_ zHzJP+R_(1D=L2wJr3l`9p1PhmgkkV|*{Ef1^}&~I*1rJBM7@;>NLLbYCBe|^0J!38 za6Hr`UY;omheo2zbK!-_-S1jk8c~*LPD&v^BaUNswK;W5=^7$ z>Ij~Y&DqT>_+>k0CkF9UG9DEHK^J&zP}Hc+_5@pun*xs4q(kuYXhbt=Qa-r*@W=R! z@ee+b>Dclx+{*t&$F6=cmG|0;o}HH*J=|$!Vq-S<`JKVGP@0S;BKGDybVaJkTt#kI z7yh-C1{(imriS(>^clW*-?x5elY6K}{Ix-kXzncWYbv7|n0%!@#@ZvJsFL(vWZ}WczRif~GU!&j z+c<^aLVbB%4*z;cT>naJUMDmwtPoLzIfY%ZE}5+*6vu2VDq$MUId-8)#VDyuN{Az4 z;p4t>FmFVqL3oC4{969TdN7-ptA~h5czLR}>%0Qrgoz20 zqh6UvsZNkY(+S1d#Iy>F%{g7$DzY+5o$;r2xo;ne2dw-7wp z$<_FMC7-G3G8YuX;H{&Y`Hw`kUFN3=PcH?_bt}UQ}rI8ni#GxqkF9o{pPyS z@H1agL%Hc-e{M1~lR~OwBJsUh*H5KfP$YSkj?)Tl!SO6M1w&ttRfV9};M((l8iHNV zYaQ(kPfiYFFAe|Vj7**AnxEY9xVEx#xyhR2kMyP#8Divhtwl)8h)29X-HEBxKMx?m zf)exxdqlkzfVCa3cQp1uranv-L=fZDP2 zI27j`?r{9;$z+YI@%@n96On?sPmlVYOuM>J91>MN*~3$83&Fi#_t(ac?y#xRT+&WF zZ+LPj8(YQNE?;+dSSeaz-}A}g1$luZaJwdzPp+l@zC>#zVopgf2o10l|6%5Q_lvIj zl?uslHhE)x&{}8tcttfN*)(Klg4?jN;CI+)Ak7ze-CN2MYJ;Fxg7h?=#6Ya#fiFj; zb@jI^&{9imsONzeQI~iQ^?6^8s`O{C?=C{rzk%gbeO5-nQ`5GmTugxtmyrW%%MGH) z4A_eHqc2)!O5`ov9z%(g&wSStq=oe~_jza-(a>sU>s#uRHpN3<)hI5U`P0nc+iO^2Xy>5Zmu03%{Rg|z81fnC(JI0+_-HBkKoRyh zWlZh4ll(_p=@`mSf2KuETtmbZ#n6o~J(XEm4T z_I(R3K52fdyXnj`77Wg=Zv7%QQZjUkKfREK*wr=7A>nBB}7#Gvt%^gdZjfw&`UXt)2- z@TEJg91@TH1AbAjLJPtmDD9yXV1*T*9`OC>q-ClzN9qGA;U7l&o)^O@mLkv@M)KU* zZzPO$b71@Ww(W4u+Q$}|7Ye*E`{E8krEl*Qz3mBf{ssqymQj5f9II9vvRmQ}DV$N|?0ve5vI3^oc$$rP@${)|(NRdBEUSi^TpZ84M%6#^9!z<6L zif|Kx!iYi6s^?0a8{P%({D~D6B-gCOaB$E;PO)L6F1NcwvHH}#HO`4fCy86>S8eyw z4M@m>X|OPjg=ykrRWjNQl{ss>)O&}M+`*HWg}J$pRQAPY4rGY0td)Mt++r|(rB8tC zY;Ss=Qf6HpZCq*Euq$AaUw)Uh09z6K^_rE8ZWPRD!{_0R3?=PTrFz(cESrFZ`_1B@ zgzM}RJ|fI=j%zmf>b<4lw+jOT7fLMhkdqxUOlt8G;+SrcBYw+WiS zwMTjGzUI+N(F~;?qo6ga)`Fm_)xv$ztLW`lO?nfODzxi*3?GRiTKtQO%tc8&mMej` zLurg~95bK?NSsX~jK*jWZ1dQeD2+F&$Cz24z`Q6$>u?Q5BVE&n5a{SjSz(gjcWoN8 zg4RAC1fx|Ztzb8LLelKc^YnTx|C*Pm>zy}j>;=CM=QunM^zAJurK6rOp? ziV8s~IWIFn-TWEUF`vXn?tR^FuzAIklPrA<^q&V4=VdB#lwRKn_bFXNYo$VZJ`U_g zqc-J2mU1$tjFxhgU4>|kW)&?MqKP_3W{X_-;O7+-4b~}Rq3@P=sRkYXeD>Ozgd1)# zml9=7>Rp#FioQkq2PaBn0$1$b#9Ii6w;ewkf}1dc)S+}NUd()>{2jN#0Z{NN8WqKk z9=UbYj|!wL3C^0c6I^SCPy{}jy`@EasX4Eiz;84x$Z zQdq|#f(tT_j*MMd4~qv6=Tt;xODTSDbVSt_on;HvG&8?`q0~#a=UzA~=U!O*6ns_` zw)gzPkS$~Gvd^EZ1Srx(Z_w&T z`YHj(a&FH%TizaIx`IZ(0#PGb9djzaC^KE!9jfyyK26psgc4Re+aStyZz}eNJ$d4& zO_bZ13bs>|cyz3D-p{$WNFJV$*GSai)}E&lUD55nJ>su& zRzcGPU$o-utIt^D9HE5NT3YO`J|vfABp~fuoHLaFjrnUU8HsgdMe6;n!#aI)Gow~m zLj}e%x3;iQe!j!&a6eAfb#%$MdhqR7#2=(_foVha6cz0mDIbT=#6z?*=I#mc=5>aP zgBzXR7ngRXC*Tu%-qymfwCqUlyTtXSs~;Bj53!NNXn`qc-eo{-tJ`s#R1Oc^ex!6W z+F}f&VlfEz~WCDNuse%GaX6HGb$}^9mY7ZN2 zRy7lQ7cm)mUMs?bo2-c+6xn9I&Y*kYAwkfd#mqD6@PTatyyBz9hr^F`r@ju5DO5gR z3ihA&iGpWA`N3GbJyhC?<1v4Ng=%oWm^{;Tzjw#<=U7(GZGXO%*2gMJgfJe%&o>iR zo84;T>UC^^T&BxVt>+U1bAkmsAOTwiAg4nB+4Y$ussV-ek-rxHj#Pp!y3&^dsng}t z%~^8~@9orDp9=GSxOI{QN`6EfI_WdjSdCTwsYw{=Af?ND`rcX!#|0V6x3H6fx{TR| zyKJ>6YU33iJzb+2rj)X%bkMBg&G7Y-?cXWnGc=cO0t3f2S+V zU@!U3zi?{tUFZPjFLxjsa=;Ts%tMd(92DDVikU1*&SvmyQ?4&=`EY!)9%Vf*8(F8s zSA$TPVo+72bn0AJ7l!SUOF8^`#n)tL=Y@r9e~L3){X|F(!TErvR5Tx%7(b&LFkEy} z5ldXz&};qHaV}3z6vO$|CjGSRVaIeCEGrA_WP$b_%$5n73*R1X{=WYFgT`2Bh`We< zzdK;4L-fK&aN_Gt`y z16Ruf&W7F|F#Mxnpy6L0PGf|REZt{6{ay2Cx#724hc3$Du@hfWh}mYAA0IG*SHtS! zmx7>7k!F==*0unv-7M_Qz^rHZp!M7*p|E=+&i_z-_p);(j3c6z_rZ>{DX^yjGVjYT zWcySW^y`DF*;!@hN4*~zvm{08W*RI;99A$G z4*oGAWJ2M)_O!OReQkq_Q(nLg*k~M0o;3h0Y$du|XX9w`#V%iT3kq8!MG~&Ig+WeU zadFQPtBeQluHkb zd#at}+VI-Ro!+4X%x8p?0dHXE_%2M7XD8WVCyeiRLxnZq)5K|i?u=x!Lu)gS%)bSq^(Od>G>{^tu!wpdHiqAt8nB!)l*t|YD~BqOuwzZgsMw1>Ni#nvg@ z>tYYy%?8M9R_)|UIdq3X0&@hpptbr1t+X53p3N4O6FQ-9MfE~I24R^?Q(x2$Y=tTK zw0>*&vRTgOt5>F!eJ6O`PEeNSqQgFo(Z-Q8%KM`4lkK+jvxFNp7}*y8g08JQvmtp& zA1+uWrJt39tfD!&#Id!s?6G{`b1uDJjKx%i6)*6NPL{Pc!6^Y%A<^CodG3)u~c*P zQ`S#)1KC`~0@z+BmAWkBR>!{GAcZext%4s4JyMo}h%J~d?S6v z>Vx`w=68IUb)RxXy%L0+HYqx;pE#aX7$%WY|MHJOz+nPVz)}fFAOcDN%Y0`&VjN?3 z^~_=R)4fv3Csh;u%djWoBs4(dQxZTbrGT1s#;iGn#|VgD`o=xEpK>cbzVBgvqCvo8ILyran!~5l#-b^^QkmYV%r|W)&_8VJ?y5K}z9C5Hikj?B`Ypdf)V+ck)gWbl~+UcIC-3_@#YE-{2V!ej(4q82AJE>HKw5|A}CbLDE6w3P32 zT$;nkx{9#i%k{9#y$Tk#LvKc}-;}10w?|OAX=`S>+pqW*Wgc0v_BbJ2L{GM{l&0g% zudwSt=ffbk`jJnwD(vBy>8nAtNbIG?v0lD6KWD7Al#Qnbc zNgAWxKn}}R$Aj__b|gbMx&jJa;S;o?nkG8YIyLF$*WzZI`2Cta1(6@JFmZ(Q1K{rH0i8`GDY=Rdv!v6BcdFE=2X3Zl z$sU47ZlpO{QAv!U5EIZxk_Qs@yDAx5gy&5kapA&%@8@3a=hQf<+nV0~0J6oiVN?eH zE^5MX<5eTI@VmOZpU9?f{+9g;eC(_nBOdrkz3+Ig!~?mPuhH8dcwp9xFJ1eHM|6_& zF((kGlGo`1uCwY*+Wquxs-E8`%DAf%bSyqHet2p)_4c;{}P~-yn89(jMX8M+n z$M&cG7dgTI%WTuWJr;m?uaHrI68hbyV-gkAV)2G!V7C`W`dtSsiq|4u>&&*@_4R_HF zSLuzS7wTWQKRH}*Uw5}GzGse~px?Tdb9fLSv41W5q=@Wq*3Fz&v2ojGSufqzZ@_(; zS4y!{mIMaYKjz)BCG*n`(G~u#-16yZ<{LMC+xZQ2@YRXm^|~5XD>`J0o{$aWC_rK? z$B;K!|Kbv9wqA4zD-5y)zBKB?Pi2iU3s(a=}oM(QN9(IsR)c6 zUp)9*Vc;Mln0_$(#;B-CQ{T18-jO%RiSx!*}O9&ZkQ4By;H=p3FkJ6TW5CIeQ7iqnq;)&7iw9 z8^*kNu}SyMGva%&Qn7TDB^%9+7Ma(aQA;6uDq>W{A8sDxL}uc+(=k#3)8Y>EHa&Ox z@$*_j*z+0k$W-dFa9X29DtHNN>0vm9;P&LUVzc!n<>k_0+JM|VtKSxr-GLnFM2#g; z7mmYUFbR}FK}Ee+M6)$>zb6`m97n{MwB8@d*=-9dlA!X%InS(9P1I+Bz)-ZTi_gxU z0$BcEK~>sytkS4!t*Q{xFgjLjJb+C8-8%Sgl7{G7lt420(9h z_dzVZD?92aVEfDEvAijgw9==FR4OzmzL!nT9Qw`h)cK;<;?l_8uU#S7q=krrv2J(3 zZ>;PsM2vG*9o)awz3>9Tb|;+W>)|uLz!l0Q%l*OZKNXmJD&Z>Uz<8$FICOWM6sc5y zr_ulkr}>$!OiR79B5CRjxErCjMb_1!WxxA`vy9NgY8txY?) zVsGjtud9d%Z#9YjwiOGDs_m{}IUhuy&879LJWg9DTB@AZzx;{?g`@bR%jRROXO!DL zEhmf9d!W-*(ci9e@0=%QQ=Q-83Q%qrG7+N_Fp1n2%IcsL^2*$VTk)(AW{SPbhVlLz z%fTi$4s^mBOY5EldUMg8cg<>*F})oZS&a~y^-k*DXSA(h^r)nv;*Kv<~ zM-onu4IBh*&cB=-)8P3x{YN9U2GM7f93|a`OIY7(#5F|PO&ydoO9y)pggV45qZJ;Yrhi7GIPztdYD-)i4ljV=}n`jPRNF;oh2<&e3 zSf$?2Cb#F#vxeAr-#lEuHaK%+pj&(|xd>JxTyr#-?SLybSc!d zPzxQMcd*oro+wVu0aX|6FWI*fEPFemEUvh>g6*6Gsvawal`#ag3Lfm}IJuYcSXMB| znNwzn_bkKC`SgJ86N66)VTNgC$)8gg6-)&L45_t?nrM_C=GPWA&vk@6rZbVP_EaBF zKOfT2G&P{6JQg`o+y{{GJ}n0zc?0B@KWf~Ue%h7kZsA8+atQ5Sw?X(@nAp7m{JLTu zmzHuI)t>wcr55#P>ro%a73!`uXUY;}PT@TWClni{=%>eJSQ+Ji`_Yf4CETz~@*Zu? zuj$?d_v*T<$=g1yYo3{8(@gm*!J^}G5B=*HuD_#QXA(jAkIO-lh}szEQ7X*vo^C%= z=PLu3+RRso!2;C0A`$;$cE3*JXw0ZWYea{>I*VKZJ?l@XZGK$24ArelzH>{o(zkT$ zx=;C*ifPWkh6Do^?)J|0kqbt5@zMaxPnMsE_1oX4R%8W!&Y2cIlRDrDyeTO|Pym$g zy{Qn2JVRb>B1JD>9~4wlVa;1gD!vw|YK@amGM|T~R1U-!`e*sN^d>OsR_gz3&3^+o zm~5ItmVK+O+TN?ukpIm!@zR+0k_1teRqNz&J+37%_wxY$l)6_IwMC`lfMI1q?O+B& z!1eg82L)6~8z0nkh+`F$IPC+Ljo;4DKWVTPWy;L?T{=t|896eQQs~__5cZCoMjlHs z-^k(npS5<_UHjkE%tv|;usvU`vW#C!Q>$(18lFF zuJWbAywfx$M%`O&%w%mT(TI07Lo7^+U##ugX-~({K+fvIRDR5*U#EeP3zsYSU5eMe z)Jt_N)F-L*8Q;X7t=##v+RYh~A^BLd-_h%ou(Mk_|CQ+kEOpJ{guOsU|8wOCudL2P=3?Wb znB1^4ENS`wgO9ZGKUTV3r>79q^t59ZH9QRh-9a+!B!G5O7M6uRl{LpbiFY4pf0&YA zb;^HAJ5 zBkN)3&&Y8pEB>py38?BxdirBwea~gk-}Cl(B4|#VoILLDQR4*lA1%b9f=383FyR*S zTt7vWkcvpT1;+=)IL;4WllS=(Nn0+2{zpt}frQG+je^}wf-@ZlX}^fq;}l7A(0u75 zuF3cn@x3#e#&i1LGqMhIzX%y-KMwsy^9rB=*lFhwSQ%tJHziD4`iC%_^8#*1fc=+ zOr_mP;aqwOmeAwA4zh4kkB99^VHHY2PUg~kvet~sWI_hrx# zkep>`MlbkY_=rUHGnWO$6EZ-~fBIPaUvm+=dt;P)Z-`YH%{h)(f9&0?Sc1DhGSB0~ zf`t+;lZ1>UO*E<1afrkS5FhY_hc+?<(0El6+osNW@$?_OTx>kE1A1VX*pV3bC*cOy z@H(YAyqaKYGF;FY0phMjiNwdei4meV7Rt7*IE%I7y@2`cskCz}B_XxhJpO~qz}Z>| zV!e`a5#l5@T3R=B<)7}1Q1r;Sn~&pZfB-92!)g0pktFp3D#iD_eu2SL2MU9>e3JLd z6#zm6TFCqRZT1fPGC;=nE4 zDscCh%Lpz6Nw?Z-+*@KsA2g&Drm%>*bL-52Vc$Y9=RUA^5@jsrhKgQnI3C`c%3$lx zte-Pi3Oc2)@^?HVWv&ufAuu)mkv?#Kh{T8R>Aa>~hm6*(IP3i1>5wnB#rGO2)B46Bb@pJ4%Z|0{ z8EnL7+Y8DSQvJ7{#W$NwdGtfP<3=lwjhw--=o~O>a^|9#=lYNv0i$?rn>p#RnA^MG zUl(t308rD7FX*AKfQY$th8BrXlj6jh7g?M`@ADK_k|6^xBu>t9Nk!j`QkXna=&D-F zC(Z8;Zt0z)3Y>5Tk`{^7ey4_3{im5_%Nr2v*|_4Kc%Y1TVo9z0+n@D6I?|G&fsz}v zZOpn}LNgr;Vv_4|4*}3jbThrmpIN}VtM`rbaym|Ykkt6IFxxz<$hZ)UAW)G00_cRI zj@Ie}`_!mAc~`oWYvv^?K&@A8SZx1^Ni4ygqg{5+Ru$mdoJGmv{mWO&an z**thfCFNKqu)Q!&Tjd{ri;X!hh@9jrfQ%b7fZ0Y0alcGG8-QLctC0AwU$(7YK=QBI^M6>nw#k}gFyEehEbo;#9%HbvmF|Bz>@Xz5 zs!|_5J}D15Pm)TJq}0dmS`p<9T6Q>rK6L6~4~t-qR7}=s;oFns{}esUKRjs@hIk4X zJxcp_TFGqty|ZQ8uo{cJj&?{t2j_pfu#ZXebC+|Mbq&0QlJ8}tbvh-BMPS{HkCI@_HcP?#@m zai2ZY*WaRNu$RX@4nvd=ruU}j3g{f*XE{;MZM`bQL9t`orc7Gw*tdb6nqR#w#YE>b zg+JW%2n7~e-2h?j5nxVlLu53*yPn6dKTC-SkIUoj4(OLK>K23Uu z-%HHrW_#^p&OVT!^K(6S%j>(X3L9ZR*x`@>-aP7Cg@vy}Q9mmn!Qv3Hmg?VFBO6t83 zp1u5v{=Vly?nMg|)GI1FYnc;qxgcahVxNT2G)01S`Ju3za9$5sE3dpMym@?*h!|iW zK1`%XCgCT~k`@iRs?dyypQ#Y)6`c}9+Gmgl_HM3zSOBiqs|H3)pAXy|H`xEE?-Djm ztv0P}ohf+Ed^gE(cpZhmC#L!1g(H`+E$5aixM+eAq*2Kj%yU$_ciQ0O1%Xlto9=a> zXd(E$cVk6LYb5!Cy~wb0ZL+KhheQjOJ+gK&KtlH^vm8L|M{ih)R%Rpf-YsF-d)?2= z&ijt?O$cBoS4K4%14;(bZcCq`qnNmTicFLQ5t1)iAh}7#)D|u@%^c?d2hz`W0ry=9 zq68)x*=PrF#wLI>v|qlt_;S;K3AqmPk&NlE^&0rCe7%}FrhNlqK%ir_!QySq4uf`4 z%VfqrTVZ##?tej_D`oX&9t*i;UOQ3MG46SWaML!{@`=<%`>Fof2y95VMTA}Er<)N) z7C+n8?2O>%5hxBGQwVeiQ-SE?HdameJbz7x2p%%pxjy;Axy2?B$GV;BFFhEU zv}dr|v`Y4dDmsBaUx0yT^xWM}4NsH!7I5y@W!LWxoZ@Py4AaqTUUuQ?TbD3_bJoFh-2Y7hfid>46{WYj z4Nv3jeCTv3xaeV@l&=7_j{x-@fdr9t89NkolROi(N=19WsJ$?NJO(AHQ-NAzLPY_! z(5Ebl-W&a;cdT&_I)hHXXc%_4x%QpN(6oi1yT5j#`8mUiP7BDKYk%vs0<$}+>0$n1 zu!m?N)YauQm)ANVw%53s#7T3J5V4CmH4TTj3)6JX8s39Vy)j(NzTb@Z?5h?g*AbMH z)@7TPErdvsQg39Vj@$5u z|M{bof-Hu2sQ}0SUMpInh49yUr{hH)b5+eWc1MZk*Y!Ug3csInT8~(XNER2^s8Ra5 z8R>UMBW)1mO8;I?t6`wYDc0oeb9#|=t)UMU=#kf!T~c**93F zu}r%LlM~-bXw(c_5=FI%iF~1LzS>};!F1Ox&VfqF-7Ou|NuJLPSA_{^p zA9x<`@f@H(3)&vtYzg9kz`#x^Hsk9?V?T07g9EtesRgL11gb#LLZ?m3oO#3~acRlY zv~zG~G~F(0BuHrFtLO1`R2iyVDh8@w%S{qf3~(scB#KM9 zBYY=6s=Brvc~#m}&~Ukg`o^YKIlqF2=Sz1oDSE9~9b={M!Usj&2X;>=r{aWjSieZD zhHpW9_e2+E&G5&*B_gN2v$3fD?2WpG2&7RjcPcU=RlSNcsRP*&is0L0hAi**fPZ7{ z)Gp^}{>50P?hdK_H;WL_+a4dj+F^my#4#(#!{gd^f(26#a9w2e{{do_E8b>i%M4?Y;w$YiDz`sl zx%!2)neSFk^xLxx`4v!#7f_|LImhNKHj-rSw@<=Y!_pZyN$3 z8EVsPihq6oS-10qVKy7e)~{_Kn2OUzB9reZ;rAfKl|8HyQ%$^e@l3)wKC1xD=moBo zo3kF4+*?H!r3i!aq?Bl@zty;LVioVY0%4{=Q}~9ehjosf49u#c zOeOplL`(G_c7!RXJYd~x?RV|}fH|dyriIW2F7*-|eneT;-oyKwK!oc^YlwcMCmY$Le?s^QEhfmpH&V9wYEWg66ISIg<% zol_s)7GG0Er~76ggjV$@b2jb%%Lm15x18zw@^vb@((M+58U2O@wv@t)-`-Nf~sj>d1C>%4a2OZS*v zh`x>aNbH~hnazh~b3fA*Rm~dqXWB#Vj7Xvms`G#WkJ{$Jyp6Y1UF`fC+=964NuWT1 zNqAK;xgqJ7+P#Bun$wA6opo7WKZkLP9{yQ|@pU34Qy}I=zkHJKuhhh`p}-6@yckFcpP~7P(g!%0iuiE<1k0@T03O0hTkw{ zbGGW0Nj@Dv^5Fc?$i-%u99*|{%n?!x)CM`7SxlsU^O3$HW9(Pvh9Pv=A@T=dpa^;$&m^xg;K>qyt*U;ryFZy5U++Y7Qc+l7k@3C=Sl1ai)9WxqczRMO@Qqk$pf2;krv{xaVPVZOs_Z;V+G-t~4Xlf7G4}Bx18Z=$1BJImR zTRwS23||^K{iU!~(tlxduXB%>wZZ&I)Mq{t+onJoBg*#g6-L?%nG~-Iex0Xmk4P)E zkQ3x~Exn7Qeo5s^V7qndRw~QZ6n*d3@+;fnTiJ50<;>sNdVF63YF-Ne|3wXrVX?;7 z_}07DWfz`-I={@iI0aSiCqSd!Fe3vBkrTGv#|>1!(Gq&UpL5FMyxnWGdS7(k`s$_|UU-im_fZ=}7&0q8hQIG|1tSvDDY8vccS) zuC_&Z@$RIBtOnBjcy5q&m(1kFZXMalrPFVJ#qMz~YJ40}H`p z_M@}AT|VBDGZd+rE1Wt3w&|z4gu01oqz4_lt%_`xL##0{))Bzi$(#bRs>SZUrdT&v zYdt@D`}a&SO|(Hba+*Vt$z5vYQAQbOQLE)(X9taPdS@E z;(8y%X^J)7(D7Iitmo?Q&xW~>*L^wgzoF9xO5JVVm+(P+4V0fZzn5`-PTeN?YhbpY z$x2jBO%*KbsBxUJt+P%+{x7YsPzf5pR{&_X_kIqNvFP#IX{3Cv<#8h#)rws;PYYU* zx%Fkl{=+6*L3RV%vD>vg#ae#HbS3&P3x;QOZeMm0-+7q#h(?O?`3rY;xOJ4xGbOtY z$X(Ki9_yLhO2zN?{=B1Ua)2kZXv)h`$6uS6(hh~Iq|%r57Eh+K7yOVP2w}>$S&!-^ zumYQwJ}a1Oy0>dg5HIpetel>{Tg(~(({8IR-01bX7{CA0PO+G@Um`zL$IED)=AMqQR$bY1@WgkCwtKD}38VVjp z^9|LM!L>T!f#Y<0#NY1tfy-jekbhgm@r9BWG<_Vbx2YRQploozz|Yoo`+9{NiQ;l$ z$*+VBU0QFhNq0s7>Fuz~Eh>S@7(QKZA&RM20aq`;>8+_juTkLAQ#IL`f_!Fk`^_F7(I+ig&kBaFt z5I!Y4cIS?u{wwYIi_9l-zet1m#CjT) zzqoYe38G5x2>WP_BWkuLYV$bXr36UZ2^CnLhr;HPKP1&&>)4r5t0@o$C3a+zSiou3 z?ztDEZKfq4hF)bjUBE0l0^$yZ$y4!H@axz+$GjYFn+@IBWf{pLsh5gp?{{}~cLBR-pdb4O$!Sv&zlTW_}>wXes}qWELCLH!}NCx>AuIuj(1Nlsg;s)S+*CP z=nh-@swd^~BES5|Vt1K!Qio(&9WXY)C)A*dQ%$kx$?>%4c^%xk=4-0*ZR0ow ze9JQnx!H|b6bmCUm4(!1IRTjzwf1aXV%hu+5Xf12#Ig+yDOsruDJy1L=qWS3B@FEbxz+}kL2V9txGt8BfI;jtfwPVGz4 z)?7OF#kJv<|FyM{{V^y`TFp-~Y~Q}9uhUs%EZsz*e%sM zGoot4@BdwGSZg&p@|E{~jR>5PJ7yaJuz#kTjcIRH?kGU)z z7%9ciJzSo9(CwllltWB0X&!PWou%JxHJd0hur$X707^p}66jOSf$g6sF(7IoIousD zPbKhizQ)bCg|#boIylDmF&j?FvrrJx;e8!tkc8k^cvzoROX4#KVVG1Kk_p=k!AxU>j| zbZ{Dwr@FQ&1-R8-Y=|oz9S1X^YhQeWs*_wvkE&7`#4%B7P~DANCD+d8zGY<{DtWT; zyxDMNNU1k;D3Jx@8WCHJX9qUnZoADg=W zH7Io@L(Rs;$}`_u?0R=2(J+fbVw8KFt&v0Oy(@$0J&T@0_UQ%G!+cBf5a{)x%bDBt z<0$4Y6=B$E6%~2p@WG;9one5`p~>ixdW%06Iu^V`nP;biG1P-T27;$Tr+l(ZN=_PX zNmJ+ESajC#Qq4h^Qdw2o^LUAKM;pgut#&Uvd08%Y<6bN!OB+z7FPW@;8*@xO{#}Yw zY^S(-*D)Vrwl;V05Lsq!w_F?kE_!}@&Z`GaY?;W%im#ru2?LydMFEwn`V@h2LAXGqs+;rLM{VSV$!$HHHe zaK@LIGk(Z;9SR~u!d8PCw@anT%S9%^PjA0mw0>7NLbH9kvu)8N67(BE1C(@joV%o0 z;3rMfY@Y55o~CKBGYf3>{}RU~5@>DIATt^H5HteY3mVjx9lLLMB;$AFnMjY$8@u4M zT+h{>Cho65Z7BSy`bT9LoatT(>Sv`@9Zx&+iOiWwS>a4!h9MMT&jGh(1>9CE!WDXM zvfGL(6?JGTt#i3&u~EL@Ob(*I_I<4CWJ_XjDZDYrDXT!X9euS8gI_54)o#oAuGBM3 zfUw&EGsbf>v(0B&&a0#Q2=h)&0aY#*$t}A47y{EaZdlgzlpcd#c9|TUzsRkHyBz!K z`Q6kwd9|I9rB8y)_+TGaHS~l52ZhzXb^OW3+ zZ{gnrd&Gh-=)*m^l)$#-RH?bShS9CYF|ihp;n(somY?TJ`o8%eanQax?-vVi`B&Xc1% zEUWTG2;LW#I#t>$&UplTsqlyn(d=}gXb9c&gZor9Zy0T>i=WL-Zo|8Yo4urz0ILJr zg<{k1naf_1N0o2li6Gy00wg~xT=nxM`$c*Qm6&3shQZd{!Vg8HPQ zDc38TnN=yerkdhDIZgg*N^p8l6X3Q)A4@-j+C!8e5I`Z)9}|^Z`dUlOOudEE`6tI$ z`Wmsv3z>a(TRpAYCSye!QWj>8p6}mlS=t(OJN{^-!(S{19G$D2(%oN=m3D?*eWRT3Hg=yRm7m9wflVO+g};t( ziesfn0K>e*87|BkEn;|U;7IR?p`d zT>hXeJczW4pALyUz8>}1`G`y(O)M4Wm56+Ao7bXYL<+5T(xDW&<8f=n?kS)T(#S*h z<7SCzXX@VFmbo4kA#6#ol)& z?(5PGcEmm3pW!yJ`P@lc+#UrT6WnEAeo3=W-rl!aKIy{8`dbZ!{EjP{;GTz_bjB%u ziIv_FQ@bZtsPhhmO754$KqDQy6N@?ZJ*A4X97}8mj8pcQHRA94d9})E8d93G&hc4C z)a>aN+r{$5?1Fs$_Q3Ym@)9Q_%I){R#8u7=7un*dKhsk=G4Qs!wR&1ddA54mNREkl zt`IFgd?H0wo(7bTY;TC5gD>9gclCG=rYS0#@3PYDqF7l=A~z*`^Lq*=vuB1(Wy9Q9c{ej z5a{xB{OoL&%Ne{{u}92e5#IGM!Hr09)+k%)@o6Vy7PG6B2|O3Efz*znr9eAbi~3I- zsvC1tSoGR%Tc(j+bIJJK&wiJ3r;2G4g%od{ z%Nr$RyPl4Txi(1E9w0trO{>w){2Z6R&=R&FIfGldka9y2!AO51bu>UZg<(jXa(FF$AY46{;#q3l<#S~(xSt%X1ImSsUr->;zH(Vk}@(OX%0A^&-Iz1!$F6Dti% zDQO86+;d@3v++!j48%`W7E|TVY*lx;`QlOS867(96vG6Os#)8%pmV15`o(dy#zH(z z^t2B?Ii7iBb?lhTdFQrWJ2GiEVc-{Yw&BH)rKu6VV+;-U)Wq%R9&U@zqNsHvur;zY zcQwh*v1P{&p7pUFtMoqu>$=WD6N9o9-(v1araF3H_q%Ai_EU51YC zm&btZjf0B$%Y>guAR(6EFnUnFD_LkRi6B$%U@W^YrXj?qOQdGO8^hg^jm8?H2}IXJoWEu97z4$Jlw_4?QmXd2NtY2CvW~xv>ZKJ6>9|HqZ@cC>_TFI}lt6!uq~% zbqDi+?}=jYN*s*aZOn2Jmm*h zc1ePOz9iu0^);7;`Q!V~l>IN=3VG;dpbsLHi3%SV)$;rO!l8Inw(wQ|@uU~7QWi}-XFV(YClB~m2aN4Fn+Z!8n6HV;vYFigJriByI!&RJ5 z7Rr+7h9Qy?-oCju9o-a=OvzB(!#-jIT_xF*9EQIg!8~U-+s^ObQ(lyhE~WlFu!+G4s#Cdw8?32aVsZQVp{Dg@VR-{_)Ns=%+Yv@%%0~NA zYSHe2pAe0mZ{Dm^K}cK*#MptuC29cZxkG7yMwO~e9ac|TvO|FG^l+T{FO1)l$YB(( zm~vcH;Rr`T!C_?{1;K~>|0BN6kDvSv6xwCg|poo$nC>5}ImH*oN5XN)qZ5&$-D%u+*TNQ2AI zk>y;IlCQ?unrB0WBG`KTXD-`x56MnSLG_FgEr4ZrVZM924I{t)hq>&t#*W5=Q7TGD zp1oTrtlojcf2($TWq5@pBUe;sC~dUi3=dW}l{v+e6G7Dp}K%xlY$jf3EL zlXD!7k8bBrNa;TYRBAH)4(b3h{qEsvb9OJ*ViVwR?Rm&+S2^@94SaPp5A)>(y%nsI(>5&kcK~j*ee|(jScbiPg3jmYm zX%5M;%6W6i(oaW34k}^rM(5%?r4rrOFAd5Sp2XL>z490gBxWR^@;9+hc`ez@u{CAZ zHRnLl;Un5i^A%iX{YFB#$`C~#z6G7e8TnqiFcq)k{GHIR@rMupde~|@Yk2MELoFyP zIA%Xx=a`;I>dsdu)ymRsJbM;kiROxeEwK^$o!dKxj@xIpdX^sh#sRQGM+vpUk?1k8 zO$FI;7Q1@*;)QorNA&Dv5Lz0KE%5~Ch$ZF8G1E1YBCob706 z^1!%%#R`6>Bnij%XE@z_pu$tJKWxuAzy4!$8#Rt^zQCGc7s!vxdPdMb{o1sF-buVBw~( zg8IVU4Yr+n*=vE`C9QE8nF&5D^tzuSoR#hgj*42LX>;JMxu@=~jx-lsHeiIRBX+-0 z+U9{?;C^Z`AwSn%L~_y7P4^bFf3VUh$?m&~UsRrnO0Pw31HYM7E^rdM$+Y8p{e#T%BvZeoepV;^{a^|$q+)ck2rs7k2=@@5mfgFWD zD@#NT&qCCxvqGKzwTaJ`NCGhM+Lrkw&XY=kMeC-`$JE$}*$j~a!e;<)UpiKa?J~5= zF&ye-`z2(_@!5R9<4mjPIm4|E4C@H$bS@0*m{lf!dD3h_iJ!?kqt(;xvA%&JvgoZWjD&we|WvM^3}Qm&U@CJkCheGQ=iw7WL`RT-L>i7Yw;${fxk^s7ufqR zx4Q+l(v(QED$CotH?~#$%G-Kqe}=SA9~G;Lv)^UR@C*VI*JAy58I7Eiv$DIFPPsa} zMxe>IC7u!d3NcsJvh5wM#?PDTB?F9jADS*?&Oan_oNL=j(0j9skFrIwb_V^-9I)q z^kM9FY|f=JlW(&$L))piV_`)CX?hoB)H9tWd0SbR`Y9;>;3U%GXkPISs$lLV44xIpjgq2 z@D=Z=T^6E+Ylxm}j$k1{m;l75DB>)0nz_a>b1jo?tz(DxFJ?vW{ML9tgsI@sC6(9(X^dO6-lmLpX)MbV&wS=R z3Jxo@E7pElK==>`79L>mk`k_3!3i&k_cqFAz)H}=cAVbD`@n0~2F5*A%pbb7z|Cy3 z{revt)&F_knWA0yQ8vvm^XG2*mRGf!V+aS_oVQu>@W*ZQCx2!byWdm(%|4h1D8!5I z%Pu(h;p;F-qSK*1@InQP2zGltx^eIJoZL64_>`YIa$F0k>R2o*jY2}DBK-+L`u)9k3 zLSO3?xat=NJmG{J8|PvR@*J*NCW0lp!F)&1>Z98sl)F41C_TqNa`BD6D0x3l!|hcU zX`q8v^sa?%0YT-H(oIekiQf@V2xy!LMM?g>-Qx(8`v2x|y)?zRK)j5Mg4z*u5OHtw zUQE4~)7$Y}@NBEF+D0VqGmC0J5_jS1Wc}A4$7IFOltPCSb^i)zP=U~ZXNY5n-i8Pm zw29HK{u?tWU!N{*3A!bF(5;8^K^|LKDr^I>^Kf{3zF8#_2!($*>I3~=VOvduy2BbDY>|(^3 z?RNVBj`J&-%@-zYh=Vh&8OF?h!O#KQ9H>;HtQ=B40zt0#)I-5s_K~C!KnCnlPt)F9} zhREX&p7QQu7DudDF71MAL7s`id+#+4Xu?ewx%>uegAp$_J~fY8kek=!3LTm|@|zqi zSw|YIj-HRm8R90MCPrkm%Js`QkXNxJy#rsFgy{+it7U(Tx4oBqP!n^R7aT^FMC4%%;HZGlR2kj-+aR})(Xw_+Sju52 zB?@UEmix>~(Cyb*Pv%x&`(NmUbo{!o(t=|nNPd{XHJ|yRkj|8luDoBQA5dvKVMZ6S zj~AxQd#>{6zPsv1D3Qs_axX0yN}~huU>?krA@WHMKy}``=t!jQF%QY13~z z>^Vpoz5-R?aq2%BEyI1ix$aCc8_sHNv?(_+XXSW#hD&G5nk-mFT_f`s6qRtlwLVDW zV5Nl2MS;6K;3`k%A|uW*T;zgpu&?j)@{?&;9Morp_RiFiSb%4nkEA{0N1rbEOqQ;^ z2wq(vj{pL$27WzIeHHPS5PS;$mCCSd3fsYAx#VbNm~tpvod+HJmtB8(Jz+fCLt!5P zhDgv96N!^zcw41n(ac1VnukI>xp_1;1-j2&kRLub}YMjweJa3 z`Bp@keQkqq#l>MHR|JwD82w4)!FhEJ$sllaV+19Bufb`pw?{ZPXnBAdPc%8aIw> z4%obEJn`oKUvjqKc1WZL3=c*hUGcZ~s@Mwmc!i`(N%{E9T!nM8gTuws{qAcXE_}r{ z8WH?px5Gt;?_cMs{8()q!I2ek)acJ7DH169u z;$yRpxsPFC0+PHlgL3oJV|13XX>0Z&YzYa|^R>rVX!SU_FCT=p3lA4y3lI4W zha%1lyI;Ke{oBkG8|P2k6QKP2Q@McZ!QUqY+6BTCCzK*s+LS<=rWL`$2`7RrT2>Lc zP?ESjAq-U%X5~TFW@0kJV4^A$y8ppr6gu$N3sPq7ZODz`~}q}`x)WG0Ut zf3L&Tr|99rUW~kHXG7c~vgP!QEgOE={&PGAXud%0%SV+X6KxOjLxz-{ zE`gkc8mq`b>F{3zGxl=avk6jKz1dDlkASA~_I`h$wt}Tp*(bgm0J8tKrCd=~J^~K7 zV&b){$dfNl{Z-qp!Q(bhvDG;##`?xgPos-d9qPSesWDv?I^qgmSYF5c=jex4JB2(1 z!eT{eN^oD6oAA)}Fz`9r}5D zWLE?dori5u9TMFJY+H1Xp%7Wwk!U##>}^o}^p_4Uuj%!0J@egbHem2PCYN%jUtxo) z%3y0mlwxRL51l7k(uQeQj!%Qs0;+cTrMpoJyNUa;Uy(;C;;Yk%BVA1RCTrcj3m>B0 zP4jyc!n{`ZMf^Gb{UwOGAr16;!Pvvg3%Cr?$-rQMeRP8Q=HahD!w~rTneQQyI2Vsb zi>m!W5eP%Rb^=UfDE;mTB#F=nD)&4x77C(0FHjw>x8aFGf`nXrFln7LBMfkFiuON=ad0hrI<0wU(G{R}uCWAUU(R2SisOPcI=IXC*MfqzOQ`H z5G*{A!QqO57q)?It6|#alD8DFUI^oA@_WOz=RTh{cpfQEIAI;g0}Iu|M!I0EWG|o@ zj;NdJo6?`=jpZ?mgqNBSbel1{+opA4X}GQFeHB82XOQR2 zO0`!o(QIUz?)w^B0)a_IkQNB$C;yk4`h;)#FIwc%#Xr<4DK^C>bFV{>eBUtu0|>g4 zrCU3L8Z2flXFf0p6K@EhgQi?<%~wzr+i_XpzkS|eiG2?`mNQG$@0Xh^CPvUAnn8C~ zq?E^;Ds2PtLqGq(QD6leCMd2Lit2=Bo&wwS`rd`xrkm<$11~`ZQxYfFqnUoQn~qbY z-+yF`BOB~!kNj(qr5sN)GaTq!uB0lVYd<8Rr1}1k5S{1Wk`utcV7cm8U0aN z516Cj)ZaTxIfniQJ=s&&?H7F;HavO#jV8y5AspjZWu5&xez`Jt@H-|NhMI0IH74Vs zJ+*VSw@Ee8QHR)4z)jwnhYA?aFS=OG&3C|rsf2le`#QsuEe4#ppj8=~WCLxr>9Y&LF8C8^t+VC zk}wl_eUxf2hzd_QS)s0S<=Dx0AN!-g&M1|bU5?pC8tKfb8mWiVhYG>ddJ{watf5Ct%-=~(CTefCoZ znN~61I*idm!m_IxO(i;}_sc0M{|^B??AZJ7o;(qHV_e2Mc1GXtfGQK4N34YKJcu~m z#kQT^RYmhrTv9(&{~>;JxeC2=tC*BMTsC1mogjl1BxTenRF{d6chArxeKG4`**H#p zc|Y-4$0KaN83?w2NIi=psFJ7uA@@PEQVlbEa^%+6F(a#lK?>pb$Jjqp8%(A2o7=1% z`~iB3iV5KBlyn#UXknHSE8d?(kr(7H>zeAkPYAXcu&E=5hb>Sz8jy`s|ICZ>f8kQ< zDb9-%1T`kNy*n4=fBukPei7SQ5REChe=b%n|B}>Mm!Qe0?{r7-w~Uxu)V^hxIDEu20SeiVHDpH?5E!b}Z*9-K+LD8n6Q_;~s zJ){j*p)?#t4`dBIf-N`#6OO<>7QXMU#`;(CN6rGpg6ydAzZe&hj#ySj_DYkyIy`zs z*Nhuwg{_RN>qMJ%%TF%Xh!27IpIL0<{+K@9pxd^)}+Ct$?zChLf51s0P;t z4gJyHd_v2|wqG${y{kx=GYZkTeesGTo!SMo-8g_b%?=u!`(XY+_JiPFhiLd0=s;Fa ziPeIS$cy*13-~KN2M*@9j40jhYB(*m318Y`x<_4?9FboQGPZo81UFXCt2qQ17)BYpKw+LF#HULp^>OyVJ0doYrB;Gv*EhOmW0mgjJ4 zw6PG0vD;lWQ`ReHV~8Cnd@PxVP!Q|}1ZF45+x!Ad-CH>C zZs%f^7G_BRfnxePVSt+DfPwUVl0fHg=aWyDFKXVemSEiv2pEuOPqQMs5KXAAd(nZO;wXBx@QU zjr)1OSqEm4;EnswrS)MU9fr(|$5aA88+Fm$HTd#UZKn7)C&P|%m*L5tsEj<1}j}L8jB9uL!h`*mFSHOP`x^#8^UH=S;GZ(8gG)Uvr-T<$DzgE|$zYvb3?DN>_5MdK zy>W@P+pS`z%usHrRoJXho7_oy{u@HQf)Wl5yMIHSWDrz8{Zh}+?~69afH(2T=lOal zlve_9b151HP}1oP63pLQD8M$oY~| z<#KNyt)i5 z7eOKv?P*g3sj?Zq6$az;K~gAOV0{f5(Rlc;+(L|Lhe35yutOCV((w|_0Bjy`?RTdx z3?>VWb?_!7aTKhHxa<}B`oG{8&@~vqE~#>buuu23cfJ55!}^TBL9P&aVi>ncH!o#? z;5NijDv^RHK~#U63zGY6Fb4f|R;aA~o^xqw!zY)|S$f3SvQCe5*2C_{pa^ayC8aM! zv0xR#|0SBH&r`z#jThUjpEc>o? ziUw~Dz(Xn~06?+RfI{G?^!8_)uf2tx&5?KhDXwZoxW54}C)2lcr(t_BQv9YEeQ`DF z#x0cPHNP7p{QLrLF#iTD|A+n!Dgp!xH5}YmDs9pwcON5!Ek1y8LPHAP>|8-`l4w_lESLN(ZfsS7i*~82CJf$=-D~$b>wdfRKlB@ z(BCX`xG;67cd3wLD3acC#lh+SBcy_DRLt_!*X6+yvV%$DXqmNmz<;W50ZYZ;4&GL# z*9#i>H?-Bei6Ys)m?;!m(%@!)OcU@;px#9jLrr1?KpzJGj{4F--Jm-dx?^1$bFrXR)4wE`(5 z7%yzOWb!mmCz!4RZFE(p`b`a?#eyiHa;q*0{aY}|lsU6q65IlzUfuxaF)ca3yj zE>~2U?j};z%)KYAd96rf-B&#$EjH(njQn^0SH0WgG0_P&JN7<(UP}!&q%5Pa<90tk zoR&q)Cq;=vJ^vA%*wJalz8p42i)JbEp)R7KQ_Ha>Q)}|lj&v7n08T||Dv#8jzC?=z5Bjh^&X|Tspy5eD93us zq95mrr=-gESv$7z%ogPlicRaIycal1?}8_dRND2U;ONr=kKycnOed^*7{)R>WM8^W zPW`y~uh9=f%@1I_&b9U99kzhsc=b zEC0Xb3U=;2R8Ow~jwLSWx*uE?$DPlujNHSLWdH~?6eG%-PY~Ozc-9~Mory82mc)p)Ew1c2a{}lY0(c*zF1-~&ROE10tO|IH?=}~K0dcoxcL!@Aa z>qB=k44Xf~t+!h3&Ie*!UM-5uDn#R;H?jdka1T z9xxa6{4REy`sK)VyP$xIj#%oIspj@tH-)*Uz!!3A*hbim=EGG(@a#1LT}aU2K=`94 z?p`v$v)ZV=aRXR(jsr@?rYE^0Ab#c3Ihx3SLAgo$GBh+W`5k?Z=p%*O^ke2{Ij|{Y z#EEU{ar4&xI#(Z={D*sI7bsKXP7G~LSgG<9rsyh}18#@%nnlr1XmPg2^}y!&=Xx7Ep~ zt)l__Gd_aMA!%CW+^Pll(IlPEhdpD@F2jQd44J~vBY^(CiZ%NX?OA5dY}zd;oAw%3 zQe~_=Eo$Fft^IXAsmJ||o4@yhvuIKB^fZY&yi`+(B}0ZN@D|#TOE@*&*!1)Tp9T`$ zq^u;27;S~H0Xx{*jml7Tm@czV>nwE}NR$tAZ1=@=Q)1d6U|QP5s^fLz7TOlFTa;c-51bnw!=WNXDru#~)tp^JY&>>rY zkR1zDzd%owA$W{s0|X}M<)PDwOtUEGcBK#yLL7%DCSeBU+}dU}P!*AFCzzor+LW!} zyyt6{M{V3hT*wF&v1!eUtD}~6_uilmE17~H_egllDaB5vAJPaPT|)pK2uQYU>}0>o zPVQKBKLtWbXjv*+1s^aW^BvXK*cYG`?Gia#z&X)v6ML^Pi$wTlrI z#nQ{%0i*<*tjhr6Iv$o5@fY@;Mz(Y$v!}5qpzbwFNq!~D4>5bzXzzUhSHALxqo0JM z(d>XbamSIeHt83V+d5x>-zAOzr8i-X!ReW31$U@&Sp%9^5i;})Gt*u zXKqBl-A#|IOY z0L!|f@U&*Xj$ayit%yCTd~I_z{-wdIKi&aI0&(i6KkMgRarG0@7Z2c*?i!Avxio!n z;c#jG&(Qf2kL5CDK3%|LAu}ic#Y$&Nk%D8#sD!JW9vEtBasCFzzt`Zb?!F64yIGmW zr^6#=Rkk>F!Y#=C<%D#Mc$7m~-52V&+WKG~vEuIAdw+r|qagT-x6T;~f9u;}>&Q6y zzh!}1^oiy{3W4V?kKQ#sCzz8izj331Ne`Mds6t^rhc9J2jW-u5U2?O0T`iR9g+`K4 zV73*gkz+OnC?ZZKoN5%RnU3OT;EkE>XejrnMWG!E`&ze(g1`e^N*()L@zrx#9jr^T zEp{d!4xVsyfrrA2L1O4hc57ov;1(x_CBV>W^~Lz>eNs0{wu$BK=a7X~85tNxcrR#7 zcDjjquTOk6eWonO@@52VcKLg1PH+1S zpH+w1KC0w@bP80m7sJ|!gHL5GzY+_E*cgS5R;O@mZzsjSD9e=Z<>RDexlp0A2O^Uy zSBE+eMelvD-uo&2p3ImFN2zC+{QI<7&*M+zd=K=daZ^54l-02_N!O#p3y`^OT_RLO z%e07v2X{lKQ^hm-YuPR-Unl0F<431C)cNT@C5K*HS^8!6&Zf!ABx2ZN3zi>@DagTy zoDc$txVe8#50g7kdf*MuvnvaB*|36Bz~LWm{^-W`v^w-f9QQTJush5^o`2Ou32Ke# zX=rYrEiKR83r&^@NxasAG@v3>%t<3AVQGqQ(XTeWXXI690=gVL5=BVV7EUVXvu|u~ zdL4x7rY5dLanWto?N4DV!Hjcac$!a^cHMLRO;clR}}g8Tq@I9ua(F>hI+xMTp+v+<=QHM}tpkuG`b+@SDRkLL?V z?K6Ou$F+gGg=LhZ6e^l!dUYqZ;~$-QS@TFE-7!mi>-JtTO}1qkMGx^3yIoo77Lzhv;lQ zwhl}8*~-?#H=pew&i{^EP#HnR1f4fL>neL6lz`yT)`NSW)_duL*dOiD12ot^P|w;C z&gM?RFw*N_QNVOGCsh9%PgU>rhY#Y|aG|Kta6nS`2H~`b6P>p!b>{ zO~%O;E1c9cB=u&talCZ8ljHR5JCx_#jjX%ZL?N*j#HS)Jbp4~wqn~;0fne$p;(Anw z#)hH4IR%PKVsTJ`8vMeVWqMpS1;#js;Nw6^G{3&xz(JT<06a*PnknSx%2GXNA z`8h+65Ja(>4je?_iE!vR?_}06NPbn$lcoY48*&jpGY@D{>KF}3d zIAG91uq{ydUh_G7dNU)A?dHvNYpK#4z{{T<(;6@D}*;--HdbGAYukJ*v9BVP%n zEdx}Yh{M8QWZ#anfNVOKhXyu z)8qDK()?=+v(Wq#7x0eb=(u69H6bIu9M*tCQ3w8O;BRlv6`b1hqeRvYN8SRfJa*KZ zrF?Emz1MyS#{(-3(zSW6B_pU_Vgyk%P^ZlO&uKvP*X{e-C%4o+zG+z})bjcD31S-O z%-z@5KaZD^YAt4@2~8QwIu&|pS2Z&d6vA-pQQNUfo>}{6y|n7PFEw+MhgUm-A7+YT zg!x)l2I`$ML4X-{vaKhoBrCGC0|cduI)wI}l)A4`+uX61C0;>G2%`(gLp}zE*z8(e zLlllQaX=^tpUVERh zw`L?n@r^{mE_NOvA@$ofY3s7Cye+v6(@w|#iAhkkt;R5CDh@}x?m`F+^Xr9pAZ zBj+VSN)#JgE7sy(WbQ&@XKid+5E0PLS_ksEPh>VP1SB`f?(uGCQqcK!YyA(YCuZL7 zB91Xw=9Qc>@R;p*n*LbzTwN_+`^|doXo`? zIWs9k`-=P_hX?Y1Q#`Jnu;)brHc;1SWfW9*>pz#q4^&FN6w%Xn=>&BgGovy}HXhE> z@ko9=`s&2tgd?33S>LwArdI{#&+BvEhPea0lsV|7OaQ#9_FYS%N#dmg0i$yV*%${IJN7^MH}RSw$Q-a1NG{_3|Ksc31DWps`0q}mEV(MIlvI+) zp#zn(4kCw$jX9r^Q;~BcRt^wEw1 z`}bc~N}t2~b$UJ@uWz)eD%FBPnj?{V5j&3u&(K#2pX_>8Q|<+cEAc$KGoe!Zv4#-r z`FM-NcL$5VY?^585l+7DS3eqY_Hi2oXoNVm&rzEhgVisXAB{vS-dR$A(;m2tq?Usa z?j$oHc^#d682ZT`$d{1)v>m`-rw2@r0X1QThn^h%M2R< ziY5>}w=L=p_x}=vb!;2Q;$dd2o9{=GsXlcNaGqw;p;jAk1;vcGNmY8GTAy{`a}w0X zV=L&3!49<1;+N{pfL2CvN+`o0xP_Udp}Hm-M~QY3+T=?##H5A44dZ=2Xz!xEJfS_i&?U z`k6w}=d``FU8HK+O}}=8kV^V&LKld+AgisgE}sh;U_A*js~NiQG;{DettA&T^lINf z@-+5Qr#H&{bn(r>u%}G?*>$;}s)S|bDW zp9l+Bavz|rUpZH>U1-%=qPoZm^ls%aKjkH}KFDI9Lg6CpCL!{t#rf7vXmD}hRor;e z{*boQ#;5b(fw(CD{n*{UL93p)K#%>K3j5%RJibATDeK%fqJ`aQdrCmTZ-99srJ~EI z60hmYcK&=50mn4}oo$$8=eHR1G?}}wpB6>Tz`BPTfnSc3$8!uI;HA<*70V!JF1xWa zY2GJsR;GSGWUao>MQ5`5G+Z=5J!6EuFt_$AU!-U-akGd5+|pV9aXs9^obyv%=n$VO z;?{g?qXCkX-zV>*D+0&-aD6qlqe}3Mc%OiUKpCro;5Z$4g7+UODQG~bhgqCm-hPKV z$6c5=Oop+X&y>!~b532vH~+dRt^FTLb|FFb@Dd2){_3^+Nw94Vc>?x;0mX}y6x%ht zdzI6*i>x;KDHNr-*C>Y_2X|$<3F^1O^^wA=?@sK$QMT^YS{oK3t zxMYN}8yK6o=18cS#rai#Io?@br?TVeL*i+S6$pdcDw+W00pnJWAz7iMiU;afWe?;8 z2luX8+NBVC7wNYB)_=r!L&QJXyC)FHH~cZdahfz3HN1if^oyJ-XuKlbg~A6O zyCyoELRFjMZm2Q|;R-PW4ed!k9-2Hr+Kj~T=Z*!czm-CI`2YyB38m>XgL}m9_AlyR zwHME^Lp3O}8dwy)kjjvVk$3CEplU{(9i@!rQd$&C_>@C0&w8m#;_rQDS~< z$bgRCfBR8Gs}=5`b;x0&IJ!Y=gy`senKS_^KuIqR$%wXc@k)4>S5Iq&ehVh7#t4*^kOM+g`afYMu7 z>kh=#QVplBaYCmT8;O9&o{Kqrc!$!3nYy661fB@E$Rfn`3KbR4j+pWAl6Ii+S zKr;dJ(hl*O-9@~a*XBJY4M2RBkCOQToaVfLy!%RM!S_n+R#>edKEmSs%yNQrNd zqQk5uU-h!{FCor$B(~FVD@5`dvh>TuPUy^sc zd@MXvGF;Xsd#9;zlRuBKz}qfM3-iRVM&_GWP&c6xtzq=*ngBRj7n1j!vxMnbLmb%5 z3>tL=0*{o;7)L6`V>rTY5RC6aCRgpAT^3q#FS}qpByPb%d82JJR*&RL(NKODqO=IJ zQZiSbFMqF0zqXz-HDMo7uRcrc2fc zO1?%*(d-^sRIQ-O&lB5e4g_s6Njk}H=-5lBqodj{*e}(c9;tvh30iQR*7Ng3vMA^j z|86G~Jrl$hbor8$Xs7#YAo+{Jf>=As)8BO%yHrYe=~eUb@zq$c;MhKwb58^u+Z|5Ew%M3#f>m| zzcli6Fu?-+xe`gFqu=l)7HB;or4h=0X-+dqXnm`OWN@32JAsFj;=nQ5$04r8{=x~l z#k%fIkU1Xq9B4ySJElnKSEvSkt#al~n z0)n{_3C3tf>bm`C#r=VNk+ySXt*Lx__X=*3ANIw89m~Cu8c)rSFRl zim9X5t@+6YCPWftYmG>>rZ9I8=Z%Jlq6^dd@bS%X*@B$@WM8YzJ;PJ_MV&0xehO+# zl&P$^=TXd7brC=Az|A_+-Jv@{hf*#w!(tr5H^wxr-QM=kEJx4LK52tVB`yMSG6bwp z0GU7O&cljk2O~91FXMBO&>nXsyO_@ApRV5J08-)pU`DiT#>Mx^@9xY#-3O-+W>{@f zT`$+{&F;)_Xn;p{uFZe;UiJSj9zKkw+`GJ~7?VWpDBl(@6+bauY$1I_H^XeLm?8gQ zI)8!|7Y2=V5E)dO^FAiIJ)sPDG}#=@HE$Rvb~;Y3SzlTDlKN|1f7*yjwr%dxJUq6X z)eiD3rfuSwIn((*!R%+6r~>n~&36|%OPp`xmm`VMzbUg*v7@qu$E4j@w!i49gHgnb zI7_gMp*}X3==`wu)Xbr~*MI|?iPmsmjk`+Xk@lS>(89+9pP60LQdILuSU0+SzuUfC z{9}#RjzPV&tF!fL!`MM1tSzjCSNM8 zx+*Jnz^Sj4!JM|`gJ$2Mk+oy(47tq&uZofE*$P=dC)XlP$s!ezcbPFQXT0j>7&FUp z=?%{P^y#FAF~`t_v}c>oA80b3+w?=6Xh-67SnlUb|Z^IUADQxmSDhdwV(J8co#P&qd> z@s&u(J_T0WiIxz`dyv7hb`|izU*m26HqwKPhGIpKhLCOk_$Uf2L9Nwa|_c`mY$pF>Q zjP+SnNu(vIGbJWkHDW@HY*#XrD*3cJV++)HyzbgaY7Tjw;F6|49=vVi;G-#Kxcdp; zxVFo%zb7HLQ(d_*^1+L$8}GN=M!#H^pk*viC=jbcRF9Z)@9YN}>iUv=eplz!cJgZIlJMKi&xh1slF$Q(4kFDzRMhMo6UV~XGpA)+t# z$_!?Tw^civysZQjOmWy*05$Ph}Y%x{CW)J%6moyX$eaO?-_VvABO(F&TSq>;`Tgv2!Ul&GN>1+W%8tC64#2Wj7dA?!Sq#Tz)b(G@L2$F{OHi_ z5k4D>f&1isUnN@i9`c?3)MT$%dZE(%YL!~n?d!sdF}uP}H|)r_*cLxjqiH)?aj-7< zSfmGRkoYhqbaxy8)tL%njB3SQ}DU5nR?9=ZTgQ zhKk=>!ydOEVvAl9b+-w6IRz5mM%=f`qI0zUzu8HksR~-jfS_qgTg0kSB8cCFOpOWj#KuRAnoeD2QX{a zdX-;Cy`XMam?ky~Vi`IO=A&P=_-}+amQ{cGE?gUosO587d5Ccz!Rr_GANua=B0K;# z#)H)HXDtHP)#2Lgg=)gB`QNcib649-9m!c7LtBG!D z_0Tb@;q+hU>%1OEbP%TqRq=)bSc)*z^DF($X#E6a2aHr*bi@AE{Gk=U@xjZJNez^* zRH!_W-ex59u-3(burYpCoSU0hwSh%lSUgP#8jcL5C(*6-*RB1o4btbLrCn`bmp2ur z(QBT47WIe}iv%O-h}iq#p=ThHpFY#Cy|wY-5o-Xzv3r&{4Bq0U9zi=v(+YXjzR!I5 zE?LYL=qUE}YA8^ojSB#P37=g8WEfx8b@x!n=9I;;OR`X7(sxX*Zk(pb`jZZwtAk;+ z@67gBz>QujTX=ksH;6FbiR zP)1o3v`Mlhd(LzW&OO4TCV}wPUOT2AG8cMbD`;1~yA<_tAazy{TjQN6G&*WLD}oAJ zms&;1`b6;OZYGapZzP_&o?7fR+)h{%i`qYlkupdv9#0+VbL-)eK#Hh-V$rgO3nP=w zvN1zZ$t5fygETB4DRxxqgulN6?z0QE?k7jp)9}XXeZ#so)1M^=!2%9j`RE zF6=>=AzL&)$mntZ{q)r-tj5P+wYmP=GZRYoH&n4tVc&C+$-jzjk6t}Cx6s-AeKfrA z=HHFiZfD*T6od>T`bVmfNEEh@uH}^f6`oSvQVYQULTUj zV`=gBU`Ye6_nn4;pH^!F#y9;1{i#Au45*mv<{uUQDdUm!8EGC#g`MD-_a%B^#-WRoSA40eeake;vJA> z^0fqAY7;lPPx{PKXW+o-Es)23g;T1S?@m{Mx#S)x|?m;KDaJt+G8(C@LYs+;W>ue#Oq4V$}hLDv(7b-K(eGwRdQ;7DAG}tFz$lWNR`hteh5F{+!VG^CZj_=Q?%o9kvRR% zyy~qY_gf>M8GAn~$J~dCMQQ^n|46or0Jd7me9Vh9ab)HgYqt&S;EXZ@h1!}lvstmM zaC|$SBChqB{?~b`NxPx^RTjt=t^rh%XLJldwu!DqP+Wz*RO)%)74~^uZbC?%IJpuq z9&}rC?ZvsdOvK82OBnVJML)yhLI%{e7TWeQeQWgG=6Us?wCalceLtZgZu+YqN@9Z0 z3q~w~KAM4-5=!=cozgzYX;sRpl0DPeeOueSNY$jt(Fx@d=bYrh<(5DpLTK0Z%21)f z3oVsMA8kaq6jIdQ(zATF14g_d_;7YLRo41w5UXUPx+&ZfVH=k&>)Yip8-3ATz9_ff z$xm|LA`T)w?Z z#_}!gw0^qx%{2I znp+?3lLt`AD!p>GcYUj~Wy0Xk-b_K!@G8VG^j1(P<;S{=*F{fXJCL!#&}{R(cj*58SK)z1!6k zzcz}lU|xxh*n_8Y8+zt`OSiUcCd*i|&Qcjz9mEYt9D6q5$F!b*tQJ^0I$hGu8J6}R zv?|GLde#>wh?}rW_LIVI)#1WuwO-3~b_(BRra?%GWbz9p_>)sj4O;A4{SKWXJl1+D z=k+0Wx9QRhv9x81+NiX;6W_96Sr$JTyT_vR>Wwg|a%Ak*({F+ivTqrYP^JZsZmGFI zTwbksCY{Ha$7K4{mY^uX?k_!diY4{xgowP1M`C%Te3SwDe*U}sfxs*Ac@}3z@D$Fghnw;y3;b1J-6*V-d@EisPz z-9?rY4${OxWx6k1kbl!>bq}ASW3LqEyae*&(^5jCPmi-?Tm!Y8xqN)!halEZ+1Kxv zV}qfD{;>O*l9jb&QJp%^;h0~tn>S5y(cyyFr7@wnH_D`T@hjbPd#Szj(3%9l)6-)< z6?mI1f_(#M`Q~(d{rW-MsUXxXaPBMAnd>wB&N9Uf+#q!C zS5ur@X>qFi>MPJ+GbYG${Ty3So}cEMP!{b2Dr>Z*>s1uxWpVygP?X1!V_y0@#?jj* z-3x(w>h%E`gnZL-Me4u+`Eo%oaZAY_*fL-_Gv{ zuWR#%B)TO_^b`@yj4yfBg{@d_tLD2^tHXoW1TuuTb0s!Dn#Wn?#WI+69^-tiIMj_H zX3S9elxJKBXgmOJYdF{skm6U9aP`g+y5pmyxmG{25%eyAk?2rsial{-S4wm<9XKnE9 zXXVFm{R)@S^?A8*rQ}&z^p3x(5Hmh=%Mbb9Xjj?jz0UT4%te!xPS%MC@2anYCt!#q zH&rxm%@JvnUHLY>`fDadN|1cS+sbrzZTK8(d2`B^(1vutNFXOE2uqg^SKA2qD(Q}f zXUMfIn|p`vTKfhqEzf9e@eY!#q3~lXwdDEoOKK^9Gh(xy**%#&)ekpa3ZQ*aZ*-~- z0EI)(5ljETf`A|vwT5zlbse<5g^ZHhf_tk%dVd07lT0ApetCw_z}lppR#l60UnRfU zzK^fXf10=4W>OgQd?;`BkiW^SUSxrAo=mROl9I@nL%%+0`@O>;a8_sOmU#0rQkP%t!V$hlK%@dF-{r`-Y?qUb zvku*=c5Ahx6n)nxE@Z4z>)R`@kQObL zTD64oN0lZelUna=^n3#3c;{T?-)xJMLi+67rhi5JcJZ~X(6pl4+l;+4Q+FcH-N#?$ zK8nOKmGf=H{PMf*WqOu(-Nm~Sfh6)Y;1ivgJb-iZ5YA$zt#Xz77hr}Hl$PJpyFBJI z6|B!KZIoJvj?j7fD$Fxi`!j-jm%no1&EtHfOq;hqgYr~Y{0Q60Yx*{)lJ_-NjsAoJ zCU%U_x_mr)dFih0(sC$WKdj@`n@Sr*L;>y{re&t$&V7@)WO8h_; z8Wy!T`OHuqsM2cXyAF4m#4G+uH$wpLSBlV7KhCU}P; zF8LNN_MG)ri2Ygp`4Z);7i!)4 za;E_t7x6I0AX>){wE&UFzihZT?O1QAzbaQ}gkDqYV!fSv8C-_GF&zXB+m5Q{I`5Rg zmy@+rWt0NRd~VAmKBYZCrMJH_H-1C;-j(&LNYI!^0oA!BuEYI+w4o*77@q(!XX4ow zqns-fN%?mc+dn7pvH^plK220CAGwe`_R7Tn|pk#k1HL>m>`h4<7u2wdMb7+>d1^7m$HQ~J7(X(?krHAqQ)HP!Jv`_hfzKg|&L z58>w(PWfC2BE1Xn$bsG4TXl~6xqhW}IchBhUpaa;iS;lWa7)wMq4O1rVV4x zAoJ=4OmJ;>;esD6MW}^nJ+zf9ZrDaF@AD(EnVg2cjQG>bt&ED76{`v(fpA=trFuqY z9oKxzf^z9)O3#b1{fzS6Faa+A<1&1-tSkPIxznA&Ad*fNMpe8--oFMrSZO2Qyya`K z*$7twWB%1CWT4nSz97C&f>;-i%cVd2JN&6F+-kR1>W}=!snD(oQTh)V`CtFiSzukz zN_jVm1_g6?nfNmON|YpHqo3o@4`k8yEsA2V7_qmKJ4L|!J&fG{glI+;OJx4>(M)HcUx zicg`DI7#Z{tu3{-0$4D`s?^V=rt^8#?U)ii31mB=v?>fdPIoim*THdxjZ=oWJuZjt z966nyXr6J9c2n5RkUo&$9wYlFC@0gG zI~n2bC($3K?`|JTP~(2k@l=ib^?0byP?!XAybU4bFQW;`e;5?}=>c(}amTvq*MrQo zt`%sX_;7GPhDCyseT`#u%0lm>h#UUVp@+_ z;F7z%$q_veS0v^R_~I!%6A;}_Lgol~81}t+!;+lvhnubh$Q;KyQu#*vW`X>#32qvt zbDj|)gAk)6VJhVyjgkqu(+9S!oUI*J`(RV!)_ExPWKHSu&GQfWw@B&-CJr(Vq7H9? zVf*%OWof773)!`Gdo@X0e@RccbliquUSg5mP>LN4p}q<3EjJRN7}WT8DCv&>eNGk` zo+pcCCaYf0o?R9R%8cR8AP&-!6{utjb_EUQW*G)P-BC&xJYvCx3pG?`cGEn|(4N&zjdg7dJkLABw=FrWB|2DPV=P@3;i|1Xlr zFE@G3;3@L@Lw%yYKi99sm)T!E79u!Me5@V5K{wbnr)1r#Vie;JncqZ~?2aveY!>N8 zbnAUyXpwKwxM2Ef#WBqiugfx%eICI79U58jD9)iJcr*e(oS|CO@o3B)GZ2VURv+5w z9vJPR=Gp$Yr=`{17vzYr=`K0nzZ_j$rqbhh5-7~=@%Lc*3gq8UipGg&S7Caykv-1oT8Vu|4 ze0&*AsXhn`BfWYu(wO{?(l27^X*Yi>JH~OW*2fJeg^ZdbMx57QzqDoUQbHn%q+*0f zlaL|@)Sf4p3e@xM*3WPd^0K7&=)Mxlos-gE&5Hh_EtvK_<+x-xaWn4R5V{V*UJ+Ct$)c!ljqi!Yz32 z9BrD2XYtRe*c{s=+l7;Z4o!O2#$gc3?2uSn<#ocTBc?jXlefxU06V2@i?_X!mUpjU zSC<4*k8(MQluGrvgMZgk`Rwre!J|`wbI-N}zC4Cn*;^(1J|=BB&xV)0IT7%}53_N> z5J#U@M)_NUPX2OD+vP6CjUxZPt$iUpadoIMRo==lGZ?np46c0MaP{if@4ZHroNgmw?Nb`QG#6FNYs7&3Ro2qy#6-0|r!4~=Yu|>E&!u=H7z{i`3W%|@PlRF4(@Hqj`H-UwcQ44nw zMk!tQm_$rL2ePqvhDAhMgJQh{fi~I@`No(bC2t8-hRZ-8c{=iDnK1!|U~$n;u8J zE$U@tfi&gq6{ey+&T~H0HDU++9d#gUyQRhif{!xT? zdX3Xg*f&Y7z0eWM*y>g59a7i1q=l9)t58hsA1WCvW=!1clmq=MNdEgf);59Cl>)B? z1(uXmYV88oK2MNm>nFY!B;O=ptS>rBc~o4{5ANd=&wJYl+4@o7BQQ(jF6ExDT&cx) zTB{~%2Ygm4|I%=UVw`r)^kjYEZ=O$zj^SKoeGYY&{Kd)V@Z;{A%yIk?F1wmlzi%l|DdWpah&TAKH!?>)<~*RmW1F zXxPSEEB(4UfiK^VIxg53TAiW(F%UTjW>#k_KAUNEzkqd4XI<`p7hs;fKmD|X>?tQl zfTK$Lc>G3#GqZh_~T0dYAw zw`);W`Pa_fs2s^UZl{g}N6ZuI_Q?nNst$yRqF8GF&F-H5y%gC^Vpax-3H$-#F_*N2g`uL+=OJw8%~=Xi zEHwGZk?GN@$D3~vTnctgiSroa!-J>JNE$gzjrLz!ZW+1?>oGmUwkt?auTZ3R2k9RB`}KdvS&J%%8q9dxzdvb+rX-7AI7sQy<%p#fovCKNZ? zWK_~OO|vffr2VQJN3A+u%d1>|r7;@-GtYJjzAl8sZKVAYkwDU~gPJnauQ+*-k#}u) z@s2(c=N9l4HO;S5+9qKLrqx1zA0*@6DydneJeWnFgq%)zlV#J3o_cBYb4hNG5mtM8 z^xnkUhHbV6yTR|HS?X%#Iy0#Zz1xBK`#Q_`KGX+Q7x_ev55o|C3D6USG6 zx2#=7Vd5jko3JtIZ|PP@s+Kpz8QS_&KEaGPYQZp}msaD^`gh4Sv0R&B94em%nhMo) zYh+^;Tq)YRwvDEu%DOYYwsEnepD$lA;HOu9V0u5RxZEd6kC>4@^xF{~4_G36tHYjoP zQXH%JqtE1%592jYd;9>M&uwNSG+DL5da;joqB zM&sX&yTdfdb2DEjhL|^6o+eg=)b0_$mN;Fx$}R43s8rcH_Q^=9hr7A!+4((zKFK`B zdkZbP@bWD+0$L;cW)D@HBjWR%?q>u;^2u%TVfhYY&P2JPkh#h344+>@aY&1g5H4U^ z-)X#??GQzNz84Xsae4S0dV%zjDpg zGAq6nAA=1$E!_XM>>7S!(+`mp!hhq^l{MZTC}c}^$fI$0X&dbPw1sv^3LbnhJRulV0C|w zl5R&d)l{71PF@bYil%(^-KhCti3DwQH)g+A6>0--VN(^Nol~)%&c!HCXs&B%l;`zT zqa4`HP#C)`R>%q+YK(Z|O{&Vh&=^|;#!ia%`rv|`AZ@2ZxOo+aWRL+Td5p(W@>(si zl&|T7Zv=eV_Pq&JI+(RyQJqMuuxpi!wfGD=T4^5*ST8*^Wz zi&e#UfKi<^XH;jaJF|G5rhGs@tyF*B;~qCfX(3pDt-_)8G#G*c`TTut1oXZ6Y9r!T z-lo6FoE~4O)lT3h*3gkSDR<;oW=f~4OYp#eYi&wKF1wZP3(mPekXv;SO( zdnQ#s#ILYYb4w|8<43@BzzTY0p14X*9LCUxs~3iQtslZDhLfG0Df!w;M(?UqDm2oY zQR7y>kb-FvP-CO43$<>e+@K*7^!y3PR^&JE`W3s=ShKTKU~7bX=SDVV@ zpB@G+|B86=1B3InLq#f>FBbxjyyCdk_X5ihFi89qzTvr0n634~6KY)c?C8Y)%*h}5 zy`ce5BrVH)-MPmgPpXXcWgEV%+b!KyQCM-?{T}z>$G#gsWU8I(ueAP%$HH^7mg9D= z?{E_0#|{mqb%Pjm6M=%tfkt1WeyH)WJV_Yr7;gw0N#OIe+{^$$F;}9-^Yu`wBB3by zc|3CtPxc=M^C~NYDzaXen@YQf*|T3q25g4P-4@A~58DF#%J&H^89R}JMTg2x_};~l zmjd@vEY4-`^IDVg)AY3~$5itsKaolL+)d1;%B?hSl!o))5O&1SB1}(w?T-hAkV<`s z?*foWP(&At*871d%XA4DrKO^5tb|yjMQ1E{LVv z6sx(P6A5iYp$?TEekmN#5NImdYB}h6!uL#GW67!5F~MG6!hi{Jy_VacmHPuez1w*s zY;EsW3*5-KEV6YugzKc5jAl_Y-G~0m83<$3~4s*8x?%Fq;feVh*}H#`oML5kdW+dM@yMbIUxd1ytZy(3LLc6 zPbZA>c!r4YKBu=aS{m(ts3tEL^!IG;x5h~(2rNmVguG3XQ`+-%eS8yzUiG+ z?+HX+p=z(*FDkW;C#Tc5-supJNVUW$$KtKOjE_m(6FNuh{!!&UcERv33TkP|lxOM6 zxv2ZXHbeSz-(c)zQvh+L{3?&`vSYut>#bcH({}sxb3}f35PR zY?i-vEHon*7!rQ<=r_dnR@PYWHvQz10{*Fqdn~tBZISmKHgQ$Ab~%U{1r^Og=SIP%=eLr{=j4Hl|y1ae>M045 znh)C5B$0Y&E63kV5Vgx~hA-5GY=oLZl*X6AUeiuAi( zt&j!0zgI7R+s1Jax1O*0HvgQQKI_iRPdV|IV4lqQOX7o!W;MSK1=`}!m`hC1M%+n&4 zW5R6hWt(gMW5B<^hqC`Gu(1NmrG7W7VTh0869@b~4i4d8;^_il*XO9Fby%6pyE(rL zI2HWty(?{t5#A&-?uD1KsGq7)QTA;kImfk0$J6ce+V0;<-dl3`i=a`;9o-6@xV_mf zhhGjd#VX*viNm>hKMVyLvL)XZix^>Yn)opmm^&d-`tKpH-_770>`wp7jGVeCme6-# zB|1ZNn@PZrcbxV@W3pR{%_M?vpR39=?8=A#@7lDH=>u;vWbr3pg z3aKpTsGvGjao@KOutOXHvqI%WP4Y)`lbiKz7j7s0fmUFEFBuq+A8d;c=!mWMzXy?O zfZ_f}i7dJ;UfEt>#D%CIc%4JhX1kR?L9phKS*nGrK|2~Ybnz%zU@22<^cC@RCu3*Z z;_O7wwnt z53KK7Um~7Lhf>7Pc9@jXmu^B_g*oKQ%O?z+1LeDL9>eo1!qH-4M3X`*$lAqx=F0lCMm#g1~9zvm!)^9CXCc|f$)P{Dmcz!=t}O^zKe zsc*UCaT&OI#sg*8aZ#2-{69)g(!O6ud0W!$@?08)IjN#2RH3iVrY>B;{~bclwbA2T zeje6ozY+20K)oGU&Gxcw8zzpRC*7mjn{R#tW$MO<#GkX|Deis+Z09*%{6-^P*23@X z$h$Rbyg7mCNCr%e4#MvZ7l8Mp3XIU)O2h+XC?!DaBk1=$@~Pihw&x$rI6Rmx_u;v8 zRYJrm$?W?tXAPr3$BGZwR0KKe$eY*<87I3CV2oB5bIy6xB`18lxYEaed52M?H$hve zlye^w%2f)d7L3UA!!?6X*$!L|9sNIy7|zZ6&-Q0vB6ykYq9KqEuo>#bZNN!TrDyJY zghYKQ-`q(r*byB;=1BZrurP z8#irnEZBfDl|;`Z@8m2~0qLw*RUP$HiRf!O)FrwUYWy#Izj&95k^CoMe!dAP7k@F$ zm)T627qrkxRa*;94sYXs&DG#f?lB2tJE1+5ENM_LwLkQY|8HX{fN@NOu#rLDo3a%m zjhC$Nt3BC06ocKaj^{}Q{$B8d>4$XW_CNr>>Q+|e!{7HxS9JF&{XpQH1|qKR1Aw9- zq8FRdAScXr8)lr*<3?f>0Wtvo{UlpfFZ8NyPwv^JZ^Z#LysuB(A5y?S@7V7p-E308 z@feU9PdrRx)lSx9LYM)?%~$<{UujYe(zngY2=vOC5InP8u&e0x@$4> zBA9-Ihq4_IzWS4fN-LUveHeGWJr@L7PfrEWO5rNtPKmNnZ?FDMSo&9_idn2v9bK)P z&v;^_vv$7C{LL9!^BuUW%!-`%J|7JVNOl|-ci6dVJL;sLrIJ)6p4x=-~l9E z1;?8Z!oN}mDPAfVhOxxl;lS&S3~ZD480Trr{g*1XwH?kCpQmfjcJ;{J2C;}g|`ePrRLj?bOD=MH102=C_ zHEQ22IqtD%I*!<{w+%7-B(xE&BjwgKji_5{hfVBVsu)r8Ye#9~alD0L4e_!z4!{PD zYm)}!YdHic4ghk~lNT8(YtzWt53?WZ2?a@n_J21HZrg6GMdrFZJn|((=#9=v!6ESc zjnXO1&@MB1@%Ytz1;sdUaW2CCL5%$ejgj&nG{(Op4Y)CU9P9cZh%_P)6!G>baM*I_ z7ykpvxR2m?tII)bIaL8z+0U0DG{{UvQ4_lZ19p=fv^G2Ye~BqS4drX>5a$a}xJl+d z0Ep4p0W?m#SGT_#RNXFXRo1Nc-kO$xiFE-N?0=$*faUKGKsV=~_(90Vybabtv|3rZ zSymAP-$~~pMwr*$_yb(Gyk^+|Ke&24H$XsW2+h~xpz8thl=Gwms+F!F`=JJwJph*l zVWan)&0YX-;IK>J^|3wky;8aI*e@Xx!y?0#KWbxw>0o(hxb};x8iJ-jh-#fjyR$KQ z==8JMBK_4x4!vBzQ>pk}#_J$z3%rm7CkOyz^j_kCW^cCG&5jJ8$UR%yTM|qMq;;eF zB8q=%6GsYF3IEZ0?TGotE9~YsWsTFOfF6*$j5B z2SomnW~yZX}gpL&E#0PNL{$0Y0I6n0u%n0-}4_ck-NH>~BxnaW2-yDNBK?8Hy!t;edj?=%>7U(I2!5Pg`H2jw`SM7-E0oe~&`Qzw zmtOy5Dx|{tUi71u8$8F#nzw&2RbMF`u9H>K^M8<^%SOALWn;nsni>w-r%rH&AV8wo2{)q(3pFt#$J^RPCo=%Tu71!$g#>KFS8HWpbI4_qk zfw6;RM3a6!K0*ujsQpp91r^;=&wiH@e7cp8?*vBK?n37rHbpPYP~ht)uDF~$b+MVv zJ%oL&fY&_zP*BC*gh<%VbAk||d6xLEZDY%;E6gdy# zh^6rcm{s{5_>F341nFmnZ|e zewg^-#jj77TvyCDI$)#Cw=%UemU^E4=3o6;ziE_om&2>v4a*O%@wZ%=95HII>CGV2 z8((6-aR5K__8_h!+2=CuUh@S8E1TTSsNU+@HRt8ON_T0Qo%oCwx2J=id8nGxBB{e_$l{J2I~`XZ zR;qccUQ?i0+U%qSMncOivOAY0R*zg6+22Hu@D(|3;m3KIa*}~+(q-l{T~{i#gbJi~ z8h?;N>{phH`D%GTOTIUeU--}mx7{}r?_*SmRmkPvY4Z56`0J`@x^DZ{`Chua!$OyM z(T*s80aqg5Vb8a#%Z7E}ga(AO%`ctkfvr1g#5rV}%*~sl>|Kg4K%TC;cY`%?gMMJL zpt!1o!Db|Uju4r+{V_<|s8WPlw>V<6K4QLJII^94g!`fFX9n1QhoXpfFsROy$B7E) zu{nvLC(qTyPSb|*q=pA+E);Nrt4GsY8Ulq5X(sq~DIwd<=erDj$QaLM>m$$S4}}Qp zGv!*|ad;je)B6qPNdA`5#g7|*lUP=0o|R*c3kDUE?~S}RT|FC~zN3i-11)T{ps{o3 z$o?QX@1olN!lp2c4$w5Sm;QPBxqN_}2EVwO=i&i`&^fhIzUfwKEERz3$b$P6`{JxF z(zpL+cfiXH<0^KrQ91w~0OmHmtI0)cwXEr56BWh7M`l+8#S@~iXSKtmL8dM6_IACb zP}(W=@g|-08X>s@Jwn{r#200(mNy@dUIDi9#|4s7HV!4YsWUl67ih9)36er3z;PsZ zr$&Kj1wV7rLW6^tdUd&88#tK~8AbR@oa5j04}(}@$4=z2i~W4Fr>xgf4HQeWhV@-N zE(1`;S&B)|Sl05mUlOb2!BbSW_8;T-_}T;-`UUXPiD{d zWQtPRUG=E5GgTbm4hM?|AcM11-eD8nhoV3c6p81AXueH9(sm#ekF84Vr{cF{a2M4+k!oLXR_e%%~R-%HA~iTWkuJ1;>5P+NALRYgbr zV9^w4$VVu(LYqn3dpTMk1D|=28dK>|$|3NOfsh|fce#7e$e%yXV8!4lk{tq!_5$hO zLEvQ$X@~CuksB~<(>5N3Np6QCa?WxI=Bg&2*a~rxw1XO-_pSaedn=_$01IlcrvQos zs_Iaqx7xY@cz3Q44#Q4VbgJ+*fdo51UjawAVz4$OWZ;nh=BWT^(K4JHv1TdaALAEh z=xoZWgt$AF8nNM4$J|-O`{kHFxYm~c?LvauddLve5^N#u?o)=x&`C>+Y2_oElOu1? z{;b;W0TGwGg6U7=U)yi7SHF!X)q&m+nvB8YS8Gp{E+Tr10kYBV5wfG-;XR(B0q}w653Q zTXLH)Fc)5HTQ7-rC_y0@jJ_h?WIy*L4Zw1G)b{F8qg)2AH{aC2UUzOO!n@8;5Ekm8 zR#L%U?BQwUQNJ)je+oS4Wy|({1Cadjpu$K{jlS`83o~No%+y*KXki;ep`K~qEr(3( z(_6F4^N8P#mq*5szX4i~Y`W8El@u~S^-T&F<>~FS)Mk3okRI6bXi>|J4esT1Jv}dR z)4+CNkOqQ`droa>h#P>*dRW8Wl>P%$z60@_3hK-EySIvc0MROlorXWBd%*aw{O4@q zWO{5ysV^Jt>jfI3AlLYm3~0TTz*w)i{UA*|yx-@}jQBI<`#)L5Sd%!V9QH%c>s5{xevK*LQ(2lHL$qmev^T}2kS-+0Btv^tsbC! zf3optCvT`bCky5r7+$=!6nI!LuVc&WA*?*xq7LU}9_XmEa>UzxX zLb?&!9?zyoq{gDvWRQqNm*MyKa7+1d8$JsDDt+R+kp%&-pQK-{Y7RQL;z;m1y$_9M zpibH>x_YhzmFj2jklJIaYq?6YA-yaR(VbyV_c>Sb-2ms*lFE1^qupY&!ZPrgd6PTO5cp%EUwnCUR!>>tjg!l zw?HQd%aKGLP)GadgTk^bQ}jUA z@k{lqmWEY`~ zMuFIz^?mHpnI+kjWfjVtQdbZ0Q9R=n>e=lGC(D5f42a)yL{wA7zRgN zD4o4D@KWy9L!6zmFPMORBk6rRu(D;d@{qOiRAuj&m3sQzTy>guN6vwHSw#QE^ZuC8 zH_7jN3Td+^)iUYfE}tbZUt3#z5_X^OXlToEjhwNUR1+%na%%q>^Nk=x{&1P{0Xqra zqO)p+k`)11lG<~eWBEXWa^8(0tCISL@&@&(A1S*r62h5ZS;ZpuUk5Ll^wwXTyhOR_ z1>V_gr)h({eAHImQ<^(Sqa@d*J)lp}oliijm{p9B8F-(zCEm2}r#4S=;r2l0GxjVWgK7VxY3#W2;b(x0ruu&=5Nje35o*iT+Hb>PFbl4NF`>m`TNWZuiG1$??; z`_Aj9O7-y%^1T@AoZ>GpE+zIInV)(n2<(p&QJ-8cDcxaBT5X{irP)mDgG zN*g{7l$44Rxu$xKvMAe65|YVYA-vz%bGlkmUjcFTefFE-N5`sv?A1(DqI{L6TJvj1 zXXeP0?VaKEJjjWW1V}>IFo!9rVm$WzPE5%ee``Xe)!@%> zhsJ<9>MbR_?23+T8@g~ktF7(6(hBP>fMKxnvb=;qFTqSh*$dU=UyoIJGRO=~7Ap}zH$KS>nO>ZuazTgO}qn|&Ki=A`^51BavzHdo)z`KDV5Xu zPb#aqgUXJdU=l+4-%hRK4p*!y{b&)%c{?V@4hhWvZ< zK=W~2RNqB+*xNU$H7!u)mIwI^xIAcl1P0Fx-Ku?|<>6KwN4uLcuv|m83{h$GZVfh8 zAXfxQfF;eGH}Q>W#;v@=mnlUQHrG&`xSspvDc+Knwi_&lanceCP;xalzPHd!0&mB- z>$za3T+!*+9#uF{_2D_uexP7%0J07lu6;~GqMtSIZM@iIdf|D3YT3JWdUkujYql++v0Qh2s`B;goh z9SC6b&a;@K#8Z#KZV=rPs9Q+xGu*fEL6PmIt9z>4R!Ld3_O{*wX)K#o4fK%<{>j@K z&F$K!!TwKEJ1uhm*w4MDTek%;f8kj6L3PG+U3II;{4|*K(RIuc-rw5(nH&d%8+@`U?&;z3jZa{2S7q%4nF0@jWUvpc$Qec;-{ciEc@Zqx_TA zT8SJwZdvQsnB;8C%6@W^DO**_oOt1vp+$n}s7#+1d|NzSeWqZ&^5D#Xvjpcw=Rh%a z%JMA9oX-mveDYfd?lBGHA8z#~aye(IhAf92JBsoi1C%kT2>W^a@iCoe6n?_b9X^z& zM(No{ctHjpZF{zs$}$EP8yRWQK%H z09IKkFOl9-eO{CzRPV9UTeFN~nuYh&kyK(P>bStgb3_et zIuns!IBa_6<$~o|ot1y=RHQRlHHc|2ntfmwHK)`-U7atlQb%2$d-iqh&T5EBJ4x%D zbYDSEnS3^%;k0W7xl;>L+lL*6lvSfG?F8H@X5 zkoMA1yTdDlz3wIb1>FYch#~7>wd3Xy*33gIsdw`g`CF!4=0>GR+1KYOpt+2wkfc0n zzySDIWBa+*EXcJ#p_kYks*6o`i4wbl{Unch*Pw<;1G`=oAJO23SW!oNvWVM)%R;={ zGF3!e_ z1J}ZYz2(Q(vT{|*)yHKEB!MDk?#sbZDlYjHzA!<(yyTSB znNRgX#(LSGxRVvKwSgg4bEzFj3q~o)Ja>ZV>&Gv)Eo6r&{XKazF|Q{`f0qM%MQ@VENleL7dr z_|(}f)8;~Xj+@vega;O^?GK0mj`|sGm8* z&l!-N=GaO?VcX>k;A*FUf0F_LU=39<{$l}_5Om=?*u#HS$nLA|wb5X2KTo`oqzWd9 ziq4(oX4y~WbvjhcJfoP`aOiL+_g=sdqK}Vt?+o-I_@?TKsGC*q(fRswhvBJhbw5jU zHE#qkM?=ecXyiyN4{zaCH=>PDXTkPVbH|`hZ!-+kw%d|Jv+hM|MdmlYEBl@nHDo6Q z%t=*jr@ONM7A8AmG8v}f?1t^**7qt|0JToo*0)9YjpS=fOdDr%!2uD%ipAJ7<-HIoJmkiwjRm@+Y0P{B)Sfyj!5<&9YD(#K|8#4xN6yatD$~h=@DX?D>h-KWMJN}il%rx_UIP`kq&7KV zD^0GrNRYbleQ#w`0EWi5YzlI<6b}SSQg?z=zHmlGtkvPS8n`n**>yl+lXPfiwfni^ zvdZNSmAeAB+Ri-YN!H$>Bpkr}M6ij~dc?GHv-2*G)DxF<#X@3NX@h|#|=W8tD(46-O-Ds zul;CBuIV>QpZi=?-}^D!u8ceM^gZ$OPUGuYwZK_{TT;@rpF43TU9=O# zH<+X}eovqo;o-0Rp|T@;)Mp+xd~#UYJ9Hc+%r<9IG>KpSpaP z36PqeJL2F%db>!hBX!@@6V+?ytPbW>JUC$b*N_L}Sgrex?p$$j4dLb=YjZagJx(P> zfNF99XvGR+lXebF(v0-Wx;uCt&@{QaoIH#e2L>XEhW(Jrsgvx+qoOv?gB z>bUPSsjIZjw(g-5x{5^r&V8K&{Y5vG73t2T9A)AhZmDV;@92y3u8?6(=C+OU4^ol0aniC{pq9L@3by-GVxwc_uV~kcXo3x-|nLD{_h;D|e0mt;l z`v<1?@ee%4(l)q0P77E${!0gh@CBFpp-C3yP8MtRh<}y$3@Hvuhpj&~(K7;8W?$=P zm(=SUAi0dcbCLtu#+_}LEsG&|7NWs6iSq-eqom!8_bn8;am_W!Q|b=?0{JsSRHv;}?JuaTBJ z@Mz*j6wvwEFW#)s%zm*VFJx`Yn|6h_e)b$K27;$Le-NzRgX*MfCo?=t&*BTcWRI~X z8t}@WT!Giv2zh!NQ(#Y!s}fD?bn^YEZ=^vq*fd~760@;a*`2knf_xJn3c7;Y&7dk| zP0FD*f$};cQN&#&*$ZQG?9{Ku=l-h-J&)*}T>j{g+)o9_WQPLq>1`AyDgJ=-(z$4R$%EiQlDzlp!Fa~dO_1)iIuAy zAz8Nm6m^2=Ih6JMh@wANl-EGDcNSS&Xb>&&Y|4fh)VI#$$drk?9lK6nUftn^mo)w8 zJBYBJYta8nnEAF!D&#J1BE;i&Mj)7py-Tg~n!*?2f|?da=XMr{H^|-Z|E8<#qPQTd zoV>;*uwKW>thFydCbi&I<*k*O z=fp~n<97LKV%AIOje=|I;0K-0d^pg%_h(`scD^3&65vZ4y<3(n?MQLt6}}bgYD3Pl z`8u$^d1G=*<=}!g={07ECwcYgp%9Gl6X-&WH7@ zg_XnhquwdzWo!o$%6(Q}l*u-oQOrKZb57-Bw4!T%J6yjq{rwH`QEuP)GK6p4j-7Q6 zL-w;sR$SO>JZOA+3&-vXIoQO%22+ci>8J$`_;;?8rI+0N@p&~>0?i5^ztfE9k#E_n z7+r8cX#GWVO1*Z7JjQAq4=T-aIk&Glg+Y-6eLk`-pKf|rpOUuo}9DL=d9pS5GKT&ghxL%EibvjLS{zJF@vOzPFa)@?Qc;x5K;MjQn_9$vFCV^=9 zL66#T*39Y*jK!1ZnvazXAT4^@)0UxuW&Ce6LFQ)O3RfI&}>V1gKKYzqH zn1JRP@CZ0ryz34vDj0aI)#)XK<3J-j=f9MTvOv1zGaQms8~>|*a0A_)RgC+EO^Il& zwoIuP_p`)KuNl8E!E^2!zl3AGW*kKIVk~f3rcPk`wja|sQV6#kXb6c=_zojNQg=WH zt6u{t!CkdM>e}POZuVt9%7@BP-u>t*3f6ceat8ng2rXfF;n?t$x>d9^_Zs#shHuvs zwZ2&0J;Eg}=cePpnBHNv^$dqz-Hcxfq>#msu)9JiPSQ7(-+``1 zQgl~HcJ>qSUS7%D#GW%azQ)+_SpB#CYNa7_x2*Db*WtJGwi8*G%YAnOCF#jacQul! z4e>~u1_QBZ8+D!|pztm69%qs@!QfGW$YRWu1H@dpGb=LjlcNF}x`TLaN)Gq;+I42Z zy3o=~!JvKXLyqg$B6X|sc&|PQX6tm^Bp%u;sVGzGzq-cFB~RJ?F`NWbin%ZPjZX!8 zE3vsYY-?Qygtx_X#kM&$A~tZqQJn7|dvCvW@EiU42 z9V=_SqE8N;GNN>h4CP3+bwlmFqWsIUHYu%qWm~Yl{Q?4aw)62MTh&qL-ClTw^xr;M zJ0*!BE3oo^aBht;0ap1-5Hjs0MrR#-EWbNFxXB0CJdK?vSrb}& zC0nYZC!evm99%fLYOqmTfTe5mbjF|pCQXZb4SAaWh`lAOJ^*7mK5!k|@AZOCFfrFo zJ8=f{VJC(KhIBQ5Y3|3`tRvreN&>jRyTX5=n3+3hH%3*Mm+h6v$2CxuGc|ESJJQj+V8x;0(o$V4tx+BgYndiX?uaKmCB?< zg&oCE9rj}q4P&Kc9o*<(qW(gsY1eKC#?7tb~GXNCiGr=Ur&(j0>>S z!{F@&^%f(rFfm$F_B7d2)+W#0$a|tl%=R!n`!d6IP>^8rst{AP0g{1h@9oLikKtrr zdnZnGXW*)6dt$h9+sWk*yfVJasbZwo)`9%;Mzq7YjS!*j^m}cGAhnV;&em(MXsiLg z4W>j?^?8N)Ha#ou>d| z4Y@7<_+)&0cwn?b!wsk}p<>lkDi3wMfBrJpckOm30uq{gq;mtzB8w?BDU`2}b1{OkkbxUZ6JL$)OEH<_E=GHZF0j~y=D5ai|b!nNT=4k(vITiscc ztaIGL1xCjJbXrF>O{C; zPG6Mq!Oq%zRaMJqHvHsm|+t+u1hp~~NiUv{9j&fG#!wrJj#b)q>#g7G+9o-Q3rEZN?q&LEHiS*T z=2|;+?hXpDJc)kjK2o%)yS^Fhku+|_?bhpvz_rxt?9+@$5-l2-1%EMsbf=<4UCu3g zJgR201$(Ucz|_kxi3WB?3tC4lL{-&jp~#1&02)*o(1hZSxYJ^!N}aD%2GuGB zqJbcx7mOp`K0Vuwr1Dih3B|&$% zN?TG`FP0Oy@aKRI#<3w~C8zP>xi32m#N&3pxYR81{I=Peeg0RMOG$3qVVI-m^Xu7E z(?!FzdkyzNf+`S*7IU`6;+P>&*q(ksrD^D7fOt07TB0xShE2e@5+RC639m)ESDr+? z?SYZEuAc`4+v7{-Sh{}xK;s61D7=-?yn|vba|!K%oyV zj&$Na(n;yHXaFK`b^h>JOQ>Fy^$1#&)lW6rM}naAzS~ZAU|O}xck4&1h1VthtJs!v z>*Cf|OUrtRYhCWzxoq2lo#?5{=X&?hMdU4TZ%?n+e{;o4{PYLbjqyWZx$u&G$_}?% zV&NWK`i*2D)0b|<0d4Pkq@C#z8{18eUqF(M6D;??a44be+y08yAuQ=7+(-TtW}j0(>R6fIe|! zVj*fKnl%H0^L|jRD$iN%#j$WAiiG7LP{>_W<2*RCT5rqy-W=D-a|It4+1nMXFdxOL z6~VewyOFJf(6$-~-SCgk9{3+0v1@Ykr@ddTza}+lbK_0*yy)AsRf@om^Q6d0NZz_j z;b{SepUqf+zrRtJhd)^)O z*#I8}N!dea-$!VnN-mlbG5NCWjz!B5-DyK37U5bQ99-Rtj|EJ@`PlxoAZ=hQrxY$D ziK6=Rfq1E20dM=l++5oRL~a%85_N>}75TZ~(pi>WM#~3Y@0zT%mE`KPY?}QT8P4`n*y7MVvQ-K72I9svF^4?LeeG8{0kM;!jb1SrMBM z-;I17Ngf~dZ#JsEypU^WJR0e)1F=&_7;#Vu+97j(i}^T!U#YO-0u31(W6d%ljYZbn+rWv+woY@4+AEZ^sExaP;BG1ZZ%tU!%DdGL*wk` z)lz4rP(efpU)uXM`oel-=I8mW^@poE5q0n%VULgDsccn(@bXCJf+g0zwq5ZK^Qy*# z)Q;t0HLxm|8{ujtbAJRjWFe3pJr8)>*hxZTRm@I03Ac1vB^8?PeCw^%Q*}R$>)_oXO zCZNb$M23u@Bgge1)@EZ;B0JLP=4C@~>)7`tXqPyV^ciF3W%z5cLC+ zhYqz9+(OVOSA=){Teba9iiQnM3@g?|x8`sxYDL%}2+fwjNM$c}C&-nC-$nSd2>)?k zr{x&r!-1BYo0a6OOi~RequL33K?Hm>=>S^O1a0R@n{YerG>a>*R{J%d@Hhg3lO@Th zI+Vwa$;!H^-lZ}|r~(nRMIBk%LVm%Xh+E$|QE2rZ_XHZ+Agvy)L`%wAsUO!$8j_wZ z5S74);ZRhKT^pd|ztt-+VDZ2N^eAxIxZMQ2BUy${=oo^g>O$|SEtq}m@p$}0y2Z85 zFZ5cTo%G3b6ruPCYgFIT_Gzb1i{Q7zRZ55qG3SM8$YD^%ZNmT;6-|x4yCg$2UzfIW zQ_7}|acf~$vBZS_z`?>JkrF2CoU!s^fc&tJHt}H8O>?Ade1~YH!n_=l+2X_j__Jww zi0#|pq`Z^b_#72)x&K7k%ZK{{aJqa-kyszem_9iM@`E+UX|r{|O4asx|V-G&Za!l{|YU8_XT zF@#)*{0N80kIsA?M`WVM5rOaS3(V|IA9vgGy?4>1c;*``Pp~y1!d^~22iMRmJ8kqb zS~Hpm_aV3p$&P+q1DVv1ZY5pR)=3lvKRZ#aFvzw03GKsiPiF4zFcd}@xVksH;-dt< zW2>b+uAtZdYN-aHdFz)Q32BSTp~sfua;t?+*KIRIEKC+-UOkbRS5#GWV!8O~DS>z1 zjSrPw-*y%HE?#c=JZu+ByipRK{)Slm^B#qd3<_w_y;Dg!CMt{|V(rBxlp_%3IrRwTgO|x6@@u{>rLXyxucB{|)46#1J-C!eAEt{0pmSiT4e<5l@TLR+ zv#Ms|Q3sMLIs__Frp^sM_!#&@R#G|;BknlgimIr1coLgw|8rkSX3lx9Yg)MV|E2&1 zouc<8ZU}zkKuZYH61@42C|A}Z(VlNvSSDSm_b%sdYEJU_vVD$Cf=2bcqAHK&IM)bIIPATz70YZPZX_=Luj#6mJmOPyoX>sD!dSQ)y^`@_Q!LRy)#eP z)RaFVA;$FL@}m6sKI+MCyK?O-f4La^r3q?Y)HI%BWfNzDI0~X_M5HB{v%himZEM>yd~t1ipFY|C_CHhgiA9&yP%8 zOqv$nyhtzU-0zb^2t;}UMy`4^3GozI!B7^pWveY4<3sq_BJ4!U9)> zw(QMn8Wbkoq9k90US3q253bp7KP<*|MR>)4Pe5f5mI5)nMzZu{%1s)v*u|1de(?2v zzsIO}Ckp#x?oGO{?x|wGd&z##4x>?x;Ox+Q7Cljf%}YS5v$v1M2VoNZVu8G3O$?$P zOo zF|(k2wOh*f$pHAwfqIeEA(9ESj0^{lzzNVvZbNwkJ?^uARRIu(YHY--d4|LBLf{3} z^Crh%6Prc0@?L-Guu)QrPdyruIV?$E5V2y&qF51{++T&@>l%*87q|Io^GfQJc{w$5 zF*~?X?+I?TxS2X{KkZ#4e~CU6T7Ugp)>vhTCQe5iqGPoYi5wa>0y3DzfclWcN8*_M z5U&m^Ka`e!;yKP9$n5IwaK6B|uK-uqau(b9{wiPEmw~q;YCkIB=^mwpM@d~(8eY2= zq)wn2O@vF%j9zlok7LnX3=!)3dv^P&n6U#nxy7urI(@TcvHE#oBU*hOj3c<@;o z0a%j`<>3;7phI!ERzJ^UIhpwK3{<}ScgXYKkL<+KBaW0%bvTSb7`Lb+EjmF~UU*Q7 z5B%>ZdGHuf47}>!EJ$SA#%!S%=BoANP4*nVv0GW`yTa&~a6b$hfNsHm+0r;%QsxWG44a-{tE=`WJsXQ z;68J1u!Cb9=nG1^=p)|&`X*Sgg3w4WPC8pX9$0)`2 z>w`4WW3ek2AAIdg@E$A*Mwv>vH4a^_?&8qXzc0Qic@wBXK)JiaJh5E%>s-YN6^cgX z0;mg@$u%584$(DvVU$XRn=RFB^$X<7pYIF4#n;zCj4h;|S22jINUPGl1uudg4L}}y zN3U`eta3Zy5}A(LD*UD4V4-8vrt3CCtboP~3Tv_3o4usXi|01X2 zfZDaqPg)7*mF#^GB4?n09A$wsI0c(d+!~|gg(m9=3&LsAy0pJu4P_I=fj=9ob5H{Y zK7Aa`s!?Qn2=u66p@QIvMa}7yP&YBW zWso}n{9EYHJ2!-M)5O(BjFBUe8JS2F6$i z^a#f2oo^{x213s=tEjPIG zycC_uR*P$e{qY^qj(#e$8H6r=kc_^fuMMR9pMyD9R*kF)R=ZOLis+s>UwI>f8D3(n zIp3nu4WolwuUr2K36t%9p*x4+6==#rwNU7{GhHDNY6XJ?M6l)HViRVb6k#3)v zg0cCzUlng$Cv8P!uu%}>yaFMD79cJcQIwEw#$xdq0V)IXA|O01h79T5IeO3(f^s10 zNOxIQ+AnM<%c5NG5HNCdLynz0iVJzyS5(AVObFj_i!&f7-R*@=zhyL+|VMZhBRZ9G-;V%3;?!?a~?sb$$t1(a2 zZu*glIJkTu*9*DW8}Yu2AN>*~h29$e;W7DeWMoFnPdo*=Bb2uJ)IVLi9qf7UhJ;kaiMTt^zo*bYl|MgM$Oau}Ax6 z2DNS$j=C8Em|^9^23jm_)mce_ueZK;SeqrD(RNJ~Jpx_m4n(4iSO`diYEU#+8v!7; zGg_ffA-MHPdgmcj04=;Lpem@x?YKBIOzYU^NITH?Hg;gE`OU2Rx9E2RVt%L{5?~X5 zvwqPTzE$c^Dbf$O5a~Vo6gr1eUaUHoy*v_!2nhM(9 z0?&{eRbZTy1ti@k+WKgOL-iB_Ucdmxy@fIUraXYk@iNKUnp0rDtSg=?0xZCmp$0@H z?t=;}@Db@4cP@RZlCJ5x@WxRjE06wt6X-&0|07t0EDF>;2ErIOuDW9JeIeCJjz`t( zV!(VXpuBWMOnnBzuKz)g@`|BgpJx8I?+jScM=doI<NnFaAS7+msXC11)$yzZEE+PwVmySI@8^d;q30fw2hqQ1&GLWA2XYq9=14T(n zz!d41=)O}}`t9n3vh!)U;>GC~K-ptXEA{qmPqM3c$^A@g$fw$5%;3A27^QVk6B>R zFGhgGkrUrl2v5EF^%u8(IE}@Pxh{Q#ZOM~b5d<=TWh+i_KJp8`)FK(6^v z>jSXk``!K@hq0D{YcCFL<=Q=H({yONztyeF!Ch7M%Jk$eCFoB7l!M*~N+^x^LXJ+- zOzQSM*3r;{MaEo)Bb%>Q&eD)-dFQ{ZALdM2jM{Sr3U__w&z_gJ$#D#JIK!xOlX z3cpB20!?~I7j`>ox3fEHodV|&3~OK$1dZzaP*Jw-y6cfn>a#Ensk#5tV(PspW);i` z5_|tkJvjYx-v$HU>yh8KZ%ZwT@EEp6igl6ep~as7V8tJksXp%3IF|^ z*8;uuf0z;AoQGlUICL@RgSp_9m}&Bm>p)(KtU!~t(W-|=x-GdLlWZ6;smeoaUl!K~ z3DOv_0D@@%L3NN49VZQz-5WcU#@l=1Iu;rTN*?87s0oaqB9+%fcDQ{#@^mA)ym)2= zaIj!S{!_SNu_Pn+;LnV3TpNM|K90B?8Sml48tQ=0+>$HR*u!f-X||EsZ>G57sFPFF z`HTuEe!p1>h`k-){l81(n8Fmg58nUh6JW0Jkggo&Qqff8K3UWB2pz|SYDN_tmk4tI zSP{7V^ngbmXb695i>!TAh4cOkCa+g!)=P4VzSI7ksdrpx3GtU*Q!|wW>$Gr(b4QG^ z2YYng9}Q!a1NhwA3hAUz%{v3O5PHO5bqYQSV4(JU5J21z&_45uW-_96VK9k}0ab&C zoU!|70u!*0mPKP1BHhZ~m?+uz?K|OYeU%iId*_oz(}nZOfF3WpV`yw;*2&z?vDElu zYEetVb5&j?e$aa|f#{^>M~MnGaODO4FB5mYD4a`!R{j2F2%N;;9`;i?d0x@UtwZ4R zdk45KlaUiSCVWu;fWiBh7~?-Q`G^Gy0+VUbK!s8TzykCvi$ie*!^}17{h~k{Rac@5 z0v~)&e3#Nqh7D32e~#MD7j~NO#;(wW=WO~@?ZH{#|K0AZYk;31Sn8Vn2n=bh8Rd(2 zM!4UHdaA82M$yJ+`g{X^kyypiX$zdSpTyz}lHUM?1K2!*RDz+kucmB@o)2^@zkB<| zPaX*x?(w`^aB#u3dPa+uws3Lon4AOsAeV{s%=l!ms0iw(#{2%rlBFXU+^qYTg)%hu z2x1At7^~O`R`Kd}s(~CHQ(Zz@9DuF-w&lVlQm}WXhlPt=rY9+ZFCESdmuLLdvj16J z?N?e7zyWZ)0bQ@4Z4BqYD>}o|69MrrlTE~?qxx?%dKe}Kv@ZwlBB&E2Y^n(zsjJcX z3?6a4KP5$5i)57?HS;Q_@YM{qWL`g>=S=fC*bE{F@oIp&(53O4LkMvHdJ8XN#>s~o zP^mSUQ6FisI8a{k70GuF8qf4Rs-%1LN`>Nc?dU2b>cLdTdXdr2;{fYde|_dHRA)e> z8Soj>#UqZY;8?=0T}L&MKFK+jK2#@?y4h*gv9%S=_@;OHa0$o|=bkNEH6q4#D|J_| zMmEWhxM9MLo)l+z-#r4OLB974n@#WrNmzzqG?eK_b>2O>Tp7MToZKsmG%~8_u-mo< zuS^-T<|H?J^GYe*#y|WH?y`c2ckKq~#3z40wo7>Z;@%Ny^%o&~)Ls}4{Y87>Ep)oe z=y~z-wwPW71$DS>2KE zq0{C%k_oJvE$N5+FJ=4#W-|@N@oh|k$?D?VU6`7xxWv`hl_Ra@aXE;lhIx5$V_bf3 zmv+k2_K|-2>!7bNcZI1LQj)a#JIM`CJ9jE4e$fp1jv6@v`mBZ!=Mq84fWWHAI|AJe ztfE;(cj)7!DaO*XNrI2_C|FBH7k6bqBCe8nBk6bY)}7Ra^{w`)Md#sPng4RCdwa&_ zywUkG{c=UgstwqJl&(UDysko46yX7=&5}Nqt98NXHtjuUjK_KfJAWKlnR(_&7QThk|f}kgAc-IeEh^{GQpW_Gb`wI z{sVTKU(+GPH%W#YF4+q8mvL{@ad9dxGZL5$A2m`#S$k&=exQ%TidFeUJht=pMD>26 z$2*tS^dvKs1lBEvg2T{{pxP(~hybH2960bN!J*K#AaDX4=;th;7C(57J6(Zo?i%hU zgda+8_Z?7lx@?K!I?Auyi1Ih?Z~4iEa3qj+ybV0>;_d)^_QDP$!Gc)*?prjs1JiBc zn{YOVpEP!|{1qILuT&Y^^{=3(o#S|cb^Ia}!%2ZGsim|266 z6;#c*Amh@G8p7F(mT2^u{HK6pscd!v6i6C4G@nw(lyTb_90#4fTD|5Xw>;JvRT0^k#`AC{^31@ zH1RmqM1I}mQs!p1Kg}b;hX7>a2;wYzWkL6xzX6dl`)tU$@K&d?ZDBE*DyVNsOVy`0 zPNSFJemloxT@|$ZCYSz~KJyjNJ0#*{_S6^uK$N|J|wI<4Bk=$yNJBxPhId zXIyB&-%df?n4zPGbzvtMF+4y3ifU()SQ+CTF(ny+5pyNifBK=2{xTwGp@R>HnWrYdvB4e;Q8k9uAmNw#ttBJa{Y4{Myh8PI~}$O5UK)iXANU;Xp+I#8UpDae{qM!V*Rv1SGATzT)yB(8L{?ZT+BHA*q6jdK9{}K`;I*i7 zxuTm(pR}MDPoEp0H1F8#237M9=KvX;il*w&Rm|U?P}JJGplfW|L(e%&FB~rwu~n?w zZTq+s4<1`=|8)5MgOna~vLhht$G7q%I6uKs6CWmN^SuV_98WUSvb-*L^5WiSE&;{Ch*hvJJ236h%I2Ob-dyth*i z7>$1#)k<}JZ5@Qt>Q2(r2YrJtBzYiv7oR0U56D^PEKToqN!B){N%<;j#V>~*r#4FJ9ne$HY={WGXeC>^AS6om}^3;GZ1n*AZY zbhXOJ6sq!A_2!rSeeVGJ*YZTTAqejkD~5X9!Hq=My@-9h)@fjia4lP;6(J6H==xy? zbUyn@_@1JO)_r=)V>b<7GFFSv;)c>F&vD1>k!7Q*oFob_r0xE^R{Ld~DrYRNH&3pJ z3%&ZzPmo3@wgK-k8RqY%lvV#azBq(0xZGP0_i@X zN+X~2L~DaI97f>>Z*Be1N{(rbP?Q?Sk^K$_QGOdpUlfAbh)r{@#_?i>VOZldv(5&4hGQ^La~3H(HUDElfWj@B zpnbmaz_!$frlsW>j{r)hn-XbW-Loob8C(B?# zG9gcYJVNn-Ei&Mo$fy8f<6+v3ZwHHBd?OWM4O-rXqF9?heYS#075ha0|6CDLnEaP@ zi}t>M`BJC#Acu!yPERN+sR^JkhA|%UOtys()gC(2CoS`6{g2or-N@1FD*0hAh6c#r zU9<#VBp)IX3V$12FIC)4r2P}naBU*B(Fx~C*1>S*{btKO{}Zi{#du|U zhmnnf^b6Dja_W&i;y^2hVsH*o6$hsp#$r|;s3&iigemtQ9MS)GRcJ%$<6-MR$DL+l z>z&CZ4;0-13Y>kLqhbnq6wfp!Q{-Oyvg18EvoY#2dYc%?J`Bppl8jNPkx`Bv6MChU zlQK)cGVKz`khJ}Bo|4jU?vG>24}sM>k8*$kdpBC zubS^fCyIF#4L%M0!KoxO1hF8CDHaGcL5{FwkgTBjT>8XV*l<_TWbXR~TdbS@xG!HX zy#wNQkhazBZ!Sa#W%)R4Qoz&s&Ef2^ITUpHgDL8ANz2i3~0Yt+8u_gfimayQ-J(=~g|pIzaU`d6FEg3)UoU?KV2Hlu)&dmzis`m zl>tipFISS*XV5yp7oiv|tV6Y7CQg2Z?QSQC&uOJu+zMml9>6l5GtV~h%tjH!QR`U` zI=*^?XE|iP9RB5{DQkY`G_nt4o}6!I#pbp`U#co`pdv!aX}s0Vh!bgd&>;Zo>^U$f z?*VEH@Z90bqua105)gNSF&snin8RcLiQH58e9I5(!HTKSX_w)b18!72s`gLqH%=?? z$ck%5p7wvL3;qU!gg<+RI8_}j@zY>BI~j9VWI3XA)vwhI|}AuUs>4Z`WORP{F>r$yv}6 zJ!?`IX%pvUZ!x^g!Q2VP>+jTLgdY?@AxF4@!{QPO!46s#rN>TFQa`3Ym->6(`0%P5 z8prI4k70h6SaJEN0@Y@3nHNR!zHdEQ9r(K>tKNa2Kl|Um zK%pXO#ETqIBzxrz40wpCbASA!g^XD`Zot)fFPZ?t+wZ~Ai`cz7I05Da=g^AVY8xHY zR#%X{D9nt`>@}P{MmHx^Or&ym&0R4QF?=4!0lx1gl9>IwbcCE0`2J%>i;_m39vf=hLGwE1l%L9`5Ue34t}z_%w|ibe4t)w^!kCaI~xLT zdi?yfD!$Bakp%Q_&=5KeFc?`t%37Q9q5^w~KdB=ZiXg`ohF>%R&s!o2ltj>!k- z-&t_RMk)tag`lDH1M^WHUsXwx%D*D*=}GT3WrLT}Cjgib1@}s%`$VzN-xv{+l>kKm zeco%d4?ZO^ut4ooURa^evA4edN7k`hu%KXU5nIm1`*V>{KZ~ba?Znt*ub%t6%wh|?94ntCQM=~ zkE6-lGhWK)^6a!q+ZvOOC_>I3Idwd8G%0EJwfDQ?y*=I=A%=f})7= z`(bPgECGAtKB*U^vo_9?UlfO_O!*=xwwt(&B!P|;ZIAKs={6H4sT9`<6Yn)s*Z^dW z_@C%Q=sSZXkBDJ5JX`T<%vSJ8s~@W2IH;uD)i}k=cyhIXC7yt(}JerVu4F00rb56+a#gjrBR(oxu+;?yD8AkTGQ=1oN@NXnK*_a! zq4lv~FO_E0PT|n$0woj|_)tGx-63*DK5Mm(NBWN2E`4WJrmQ!|78Tp!v(k8Yz$=i@ z5#?f)Pm$ux9?WM;aT)kxRyjIZF8g;;yHp<--S4I^o)bfAG;RrR@V`!V>=vGJ+|EHi zYkMQa?pE_zl@FU|n^L#_7>za!4tEp$751FIjv$11nE@Q&jONN99|KW4igGOP)kU_g zmeiT1&Cf|iO@jh_7+F%({=}G>DUaC^$9!7Wkj~R_>zP`W;P#h41V==bZY9mXsAPZ( z4=yF{kV**Yd~Ubpu@cwJ`vLbI{yA_=$DA|gPDaJ1#YD?dn1q4MoJq-~TYaVyKH$qX zi+uT>?R0s($!+N8-Dwjt2S^ZbUd=BDj0_1vkev4*d<23JuN-uO_T67fkUaCV*6Xoj zU?nnw{;y}N_j{1}cfAm-cZXwS%(cktm|UncrM1TU!O0?f$VbKK@MpnU4gYo#_tpLo zDgw-M#z78GCivT~g0>wwc+jzTG0l4DDja9EJLtnYEe#y>H1_=VYlT7EO;F z%bpunYoAr#JL2gy!jd%--M#s}sShj~Q5rKO46fE65|^wo*(*yp@OhGsogg*@Iu}iGknrEFCYr5(tWnrC>~Vr7mNoSSx#M%G z>o`W*c{*^^i8cCZ0*xKyoNeq7wYKw4=y9B+-prj;rMRvfg>>%>zUjzSyp1b+72)rN zV$$OwjI2p}6`*)XPh!8yj^QU46hrx8;K23M26V(*=|(PJI;16t;(oV1?4nekdf1m- zQ&7&%n%XC-hdNf19*vvuoP`A5eT1`y1Y3iyhC^U|(2N{yw_Z9Hak&J&pecucBi$2U zIM`|V6X`r)dZb5Nnm|KbhZ~d9`FX*LHh9b!791Sr)ts}2-*Mr2!0nie6ZU^v2%m35GK9Aw zw_p3V12d1fUc_;q<@d!ZR_W9#pWA4-@ry?bz4EYOTWZ8gZ|sN?nVEMFUs4CxMn1^A(YY4L!glZk7J)ZUv` zHWH$ZIYOL=8x9eDwZHt_p_xXDd0miT3S2x=4b_b;;=}l)?ZxTq5Yu#T(oL8AM<;ce zY}+s;gYUp)N#x5;ytMC-(0kR9EjSx_q*E*z;w3n)8Ke93336(FiYWaCwDor>pX{j@ zzR;ZYmF5ltbu+;)hu&3qOXufT%Gb_y13ST>CKe2z@?@&5h$nMIqzRRV>N}s1d^_JQ z@X)ax9k`o!a~iydGqwzPa3F46GsiC}^{?!Py#b=WSbTQ#iEax3L;LhVOhK@7oX|n- zFGs>EODEvx!yZuYa~>CXQfQzT=BsX_8%hmQFqGJ#G5@&YQkw&alge8=4SXDw7O$mAMa{^(FtJLL^4 ziLul}dix4JW1nQ@f3A?+sx_`RT_8o&yn>+1d=&7nhpIkq zHQn7jPbuo+xcMIFRAKOpupSbJi>oZZ>u@%fbQNR7m4rxG*9uBn;rdCiyc4t)AC3?# zw0T?GL1}zWdOU)h<5;blyuDI&lB%X9Q=_$!A{HdF8p7h-R{j;M9`7JPbVhWII9jtf zZ@{}|23M(b!8T_f(sM4mwI$edSZMuR{n6%S4@AK;sBCUH9xKZ;ZOdL@x$i($ig7Hv z?!yLd;R9I7jhY4OxsN54=LWaituIY`PHWZ|*Qh70drNrQy}2tdv;GO;>x6wqohwqG zqVz3ozSckQAg}ObrV7oaM79?i(|R^+SL-^d%A>#|O6X^U?@V+4S6`9wo~GBb_%+)q zfw7<1#U3oM{wO+$TtisSC~U7e3M%kTF z9g+QkB7KjnVU#7Ga-%0pHWG;U#KS5D=>oUNMj4a-&6&0Wyo!HKb)Eka^=nIaEKEs! z6`nCK|23Uwg_@1ecL+A2u)m2I?@k{kvB@!7b$)PGX*c6Kju{Y}W!t$1ld-N0u@u^< z;hZK5SUc#Ee&sfq=;A35IvE(@rLm}W1+7R5oJW^mAAUz7)vBp)9oqZ#LK#fxM_Lqo z&f>mER~MHWKTucM6j-|P8u3kx65NSPb{yGAE1d+C8#`N&adhCyN59587r}o$u+__C zuJa+9Cd&NHT-+wpvQu7jF!#7!>-Ea}06_5JDo4)owdB|m@*Obc)Z@L;`bkAgIdHn< zL>x_R_Ev=&5V720>oE~Kupg31zS!XeLlD8E5c@Edh9JSl6)T>Ww}Uv^_+YM=F^ zEz&|%t9y3M`H!@&HTd{oui6JNZNqJR1SnZ|5fb;Qni*y_zQny5;rEwIJ#CE7 z=TOn^tu)0mS4WYh8l!4567ux*z-o0qOH1d^w}3nMc_g85g6k$~lOz4uSJJib-H(D2 z0!tR-q^mM~q6i(nw#Vj!aitHnvdYpp!`h(BF#1pxuNIdMJ&&$fQ+j z4wm%!StH06CM8)q)HnkBU>Y+5h-y+U5`m;dZrEq$3 z&U3Mq^SCf*`n#e@|ElZ5;?KkSz3oQ-xNRok2c#UeWXBPPype!kh=vM46_As`3V)v} z=`P*11+V@^dr1oxt(LGx6-O&tjy;M>s?@2eYtLNXi)ObX|NM}tc+f5XPK#C*ClQQQ%2&`#LoZj+f&)8lXQ$B@QG4v~0pym6Z~VWd#mtN) zOHk;;Zjel880x2<_aC2Bw?C)_Uun;#p0BnB6*=uCKArJ{j_o)Ft0Kkpbc1C89a2DC zO`=my+a7zu*T>lZTIRK2!rb7!D3)2=9ufyW*++oioyR<22D``Hyg_Y5L%eL9AL{#g zehB5te&cZg>dFMgRe0b43Mhh+;%8r3K74)Y{8bNdW4y}lg6vuU31#?20XI z{%1x%@$f9r%MI#|6X3Tb31}XhQe`Lz&1xy7fi zj`)}224O^8^yA(U{qsk!pO`;8Zww{3M_j(+&;Xen4g1y1)_4 zOi3E8+4x-BkkpKIp74>_+|hVAl+LIR;;=OyTZR@%eSO2&XxuGw9fE4BVssaOr9Md` zcHp_oATLCO#*1BSx!#09g>M8zy?8@af2JlkRhnnr=Nk4R(Lrk zNT=#7{-kLqo!ErCEmY|BE!M+!GDvjO`=xi`YWR;#`L6vRczEiA^5O;s%<#=Mk3!-gGQZHZt^AZk^X`#0B$$a)e^;x_Dd*PcXzHFNe_>+yfjN^BXR zf=47_&t*%m_wxcUoVgpK9t?5r%=Fwk47#mZ|3Ls`@&OyKL$f|J`DbaMfqhr@7M>L$ z(CYFt$AuYzRwtg5>^53o4wwABS?R5EemV-h+Aa_=fv4NQdCbSFsd;f-ZcUT~A z{)W631vC&4tCT0zvk3MEMcRnTR&QH-F{REO#C;;3urW}2%&1cpmiZzvvUZh$i~c&s z);I`#4V0q-=(s&!yF5ii#8BgA46verU9JW;|6VuA8Wl;(Pia2?vsA~S-2$~=?1OQA zRstl@%u^f%ue8uOzB5(TP$(y5`|o=Sciw7G0v%;m&AOC z?R6G~vkEKft)$Pp2fA%{E5D4GH&Eozx9AH$+OEd^i#+D_dUVihI$$C=I>GyEUCLhw zS5cdDvoo%~i8SF_zbl-+CJizzp7u6-quC?B`0=}Iob;`N-5mrHmWmqRF8#EEJe@sI zMZZDD0gX?6cK_ocUbc!d-*#IcvmxoTZ)8Z?jGq1gw8tu$@n+ywBRkmbGF=_(Mr^J@ z1KeeAY&2IRUArUBm(eM5InBLa(AHl2(Mo z-&5yiHG+V;6Zza=cdNSR%B&qDv1XdNOdGUGvGG-$;^9Z5PFqaxW@S*H;@;dNczzTd z#$1nD!fNb4R%)&OoH~J5Bk#NNcviJ*qYT!+of7-iF!%XY?TP2R&hqr=vp5r|Xo2U& zH49?#dy8v;^31sbO)r;9Zvk78hn5TNm-1skz9mzV1sd2n_hk!B6P;d40LcB?j)L52 z=&@#58Dk}v^I%wAB4MzNva{fm9DKiz4-w>q>s}UySy{!|8O!vBizbP{a%wak3n%2Em6sL2bsanjVL(ti+MrF zKoIVv7yNK?zDF+7wL2_xI2`|t0y*OE@)z$-bD;3pT_oQaa#yI3>ihj@JLXoAy|2iD z&Nx05K!+~4X=rKjL2~AGLV5 z30X&9&i=|W{>{Y<+W_(*q(m%SLk!2BFAcQ`7?*3V_R0A zQ4cX!J|AkKdrfXrZj*rwTn=L#!+aa8HFI-RR|mTfN-HE5_<~9|sxK!|$iGyH$w7Wm zpSIroIvjnvFJrTV1~jyRXr$<@M72Y;)X)X0fl~8>5!Tomi_+& zM*ckKflVnlF#4WbiKr=s+sj4hLnZ?L+rTS)EomUIvSq z>oaR*XODNI$|`2DEZLNPF4B=T4vjb;8n-LqD9^lk&XEaWq(`Xx$bzR=MvR=r{i%{c z`h^;p5UHS=r2tQ~evA;YD)dVCjM}c)R>Q|Vdt4;xqppUY%v2{7$x@GH=(A@F?>nTZ zz(pJl1D^S4qp!%c|9hCX&0w%+15&teNkd82?0U@*`#zCttq5WUwO0wxZ!~QJ0MceJ zblw8m_4mrVF$J09one=5DJrD0N6yyhDV(qoBT7%BiS%YA`gZkrl4AR&#K9VLB;d_4 zMF=i2Y39Fqy(3_0X+8Xe7hXrWXfw#chkTP=PCmuE;Q__`lCC;WCj@L=IN#Ea_upLZ zJ!Pq1dZ&ZQ8vXwXL zv`@+dV%?=a+Ql|GItnIakj9Q<;5s+b1SHes(=X@8By3z3Nmn`7o)7D%JSWVMLdF;l zmBW>EvxaMFEr|u^re^iI%}dpxFK#vmsJQ=cl6jtXr=TCe?+o9qENPZe^G!`56 z$Zx(NM}_09qof#ffjJ;nSiz(w?u-3V8v0#F11t&D!vD1o{n{(Qt4GGiC_<%)9T(&Q z-PkIi=}LA$@KXuJxHkb`YZr-g@cxg`=f4-4@9fA1)xrPGX9X1lpvnA;&k7P5@OP$5 z|AWE1Wg=C5`vNA{>#{%DFs6nE1M1GM`2s@65vrn{7kz+EerP_za$SP6p1r`vsnrvT zPv~FV_H5coYKo;CV@(>6jR$b~*Gk}VyB6eSyc%W{-rsF_AS`U7(35_1O=nbxC!k?I zRq0E22c;f&$(HWhQ^g1E}C{RlD{j#>9`Q)8_9#-L)1(RMkS5w>nt0J-FF?JIC zU*8j12bQSKMcepzo=z;~=>oRg?y-%Xq9~Gg3nfRVY>|662RFO6iXQE#X?V8Pn}r{i zoZkq5R+Z?)a(@8}1DKoPZk|>+mv!aEx#Le6pnR=jKWB8|M3zN@u+j%fz4G{4_CJNu;zo$k(iO_U1Q;syD02GQ-F6`E|(@0RSoY==g2IWM(!gI$H48--h z2i%fnWh^^P3@YUfg>zHkt)8<_b|u2cUAonJpWKcg3i7SP!nXVeB3QNT&jMaEDcEqIl48{K-4pgIaHEZ%>HITB;Hc-;t0? zR}@FMf7h(j?Lc?wO$J1#&f1RKP^2aUuGZD;+ygsm|M$1y^2*liHN;2#|7#*2@-L0Z zKy}i$klO8A(>DeW0X3)<|9hWGnelfZYcn|4M1YSP#ZAvf5>4Pzpeg1$YK9t z6$Aaj)W5t|lGM`xqbJV#_`75?1qN!_uC04?!nE~2Vv%xmq+h0mqu-EKFgmO zztyM@y#HhB8?^SX@}+8gy5z>Mh~*M~e90N+M8}_1Y&+^Q9_dFIgMk%lqZnL6ij1kC z0ZXgDcA$1%6(LA5fl_Atg2JgfI6K%-EKLtc7nIUByQTB)HBJ551yCEKW~n~z9b`dA zB*JqEON<@kKi6h`+oFrU6zH$Taj}|mPyAi`z1D#t7SziWW(|F}zv36dQgE5Mh|AqgKlM7@GgEabr~K1okNUn}ieUH6l^}A+ zli;EvPffKsUs0EizT4Ei1il;m9t3tO2^TKCKBizfoe4G9GVwRKcSJPRolDjn-boRC zW$TRido--fV-U5TxG@s0D%TV=&74#Q>VOICa^e%so^`mQwl@X=M!J$w`zGnt4OxRC zPLv*7wYqHV!Oij&yC>sJyoDQP^~ko1L^+JKMc#lB1og z`_B=TZx#D40(@#`ZUYQ+`K3qG&TUtYf5JQ&W*Cr=)b0!npHam^HU#Tso_O1)J!5o4oY60&7G$Kc5B+uX)tZ8wt<1 za5KKrA0*z==cZDUJHb^rb8(!%u)6YM4gZgiR{SDMNWN9VEscly;fb8i8B5Ed5GQuR z_BRW~n^Akdh^F<`|8zA`B*B_n9j^KE?D`^T3BQR|M0HH;T1yUaISU;7@pmkzEUk_4hT-+ zTu(B*+v}vDb$P!C)cem}87b=*{T%OJk?tGPi>+&c+G0lnx4T`=6w=c!A<6J4xK78v zayG$4rc952*Aoz#JsdqQnhqZ)i^Z zVi=2?>Xu&kTYLpBa3lCkAzXus(;V2i^s#!*=qi z34e1Jb_z_7r?WmHiiai=9F_}L%j-RCpXEFCP{%}G^~*u<1;jABPt=(x@9Jdw(NuDM z46|eX*h}jb?H+mYQgH$Gi3Mu`{1ZveyuZK_ADiYVZeP2%?s`x(A^wR4*l;}bb9&(P926uKRt3JD{{1T zsWS}s$ZC5g(UiJg60ClL@bj+AWZc`xdlHdKi8|nmMJV)^Z1&}TV+WxxX5vRcLlTJE z03KWjl9e608@wcwcNV;A3|@NOmS=JvVi~ar;p9T{@*)k76z)&Q_|8Q~-HX%KgtdHD zHTCY2qT1VOXRIet8GGpoclk_bIM1V#gC=ApWe)TeDEIX{>Py~5Z-$X%p?31Fh;lar z^G(ebP0I;ugjeM*ShvvO2K0E~-IS=)T97B+Dr1t6eSRDqgu>4cv|O2TL}=j}?+_wrlUSX@s{?)(@>t{TO$qb{d+$ptT|5mhXpKY-<8{2L<)ndEE z8*+0jx{LVm(dxsbkw))&H%S>tU(@5ms~1PUc!)_TJmJDq-fAy?P*7!EMkp_?P2o=h zS%nGJ6;R$>z@0oD)$~W_Vr+>RH1VRk&w3YX`7tdmLw`9`_uVsC3uFUi!$s19)U-dI}LNDm>lE8j<@aWDl-1N$*E_ca2s+8@FOSG=9bh~%n zPVRT~m*Z&fxMv zSY>y!LD-(=^K#{>F>gplTYX5(MWsX*aI1DB`42$$U`-N3ScF(^$+F&-6?}?J-+j)bZTu5- z&R;pAP$e+%2p4))^UlIWc6V_Fu_4X}Uqn9~RJF`!O%gt5qvV9XRqv+%8D5|ALJ%z= zSA-R)(mhnRogLAhK7Az3X1#6S7*lUWZ@R9@TV-b^@E{dzU*{KjL`}C_e{hA$DSSt3 z!NVtgMwlwN>h>(v(WbNDBC{En?TM9VvVQrgd!~a6ncsl|{LmKT9w|15AxL;$4Nv+( zV*&5B&wtvHj(3@6)-8aVbQVo8R_Q*->iGdUj3V&mO)lYHnhDcT@~FgiJD6^W>H zYFjq-?K%s`UdpPWEd2)?<|8?33HTZ&&Dgz&p@n1EvB9zK#73r4o@qyrRg{I#TVFq@ zue-EW`WQuohgIEnHbK%^BGIiKbmp40@-G|Z%5(A?po{+$atJ?F%( zLBMuq@A4xhUtRM9ZWa12mw(ZyIbN`_)%lXzkZ~b;iMc>Pa1KG8!%HT+^i~=#PCZX_1xl8=!PW7fG zRyq2JE)`$K^V{{N8|hjq(F)F-Nr$Pr-Pfp^J0zmpIDzT9Wj7tmxEkhlvF91v&Je%Z zlxDs0rRQ&qLeuXh9X3qlwWo?m*j5LQ9NYA79M3aFN&cU1Q`6G16Pl+>zir6e+ZF289IoAQPPji4z{v5gHNhVDm9b^F%G{4YyC5?^XsGex!qf{c-*mgqL zeV#O{pQ~o^v>xV|zZh9CscGaNc{62`KQmAO7-worgET1^+@3^w8;$l<~>R!Zf)eZyfv6VS(py)V`4GCG{(G$6M!Mhj5oh;>67n4 z+RSUT^b<`vVhhqXzmB(I>wZ=S%!4uV_F}rY#!XixlYZ?pdHdh3)Q2FCsb(SDO4$X5 z>{Lp~iy;urZD$x^{W_tuy={Z`G+$Ex0Cdj*Nc5d}BsdqY1CT=pjrWlgkh^!z1>|M_ z3PGPC9A6+OfQNjl^%bWXJbIGuS^gKsB9&d+Bn~Hu@@|Yod<&AzVrf^tli3gxeXm}s z-mSTQB<3O@4IV^sIfulwgy?^q2+_|NiD79HdVYX4DgJ2eM$7xC<`8+xVI~iB*DuZI zkH`WFX#qXz!zYRmehsmUsx~`Mf|V(f^RyG>8^05n_q0-`d)Y;K^L|0nuXrr?6DXOMjw|#lO?0RT2T^*T_&eZ?;&#m5Y{%@`&9pyjAa|Z@OgA%}L-a21Jzz-R zHJUG}WixOyVYovMPCVir&k#*hnLin%(t+E~E$xkOd@{oU;(;9q)H=Tdx9sj_2)J3m z@0*O7wTM7ztaq>H}!w8cKw!917xhu-Tr!Ywe~s0fBgJAoK>k?CSsm`T!30ND8m5~NbV*&N$bZ~^%fr@GXKz^iO} zk=V_QZU#HM`iZ$QFi87&`b(cy4_@Yjesbp^>JsnGNr~(Gf2Tj)Zu+eavRmLR!cFBk zPEU>+bc(za!EBVe6M=iBvF!+7f&>vQsY12q9ot@Lyje-bU8o(c9CID4rZD%YfI8Kc zAr9QfaM4ca1=pJte3t1`fR(S*Y0|NC`TV1a&6?VxKz+FuWYpgX6tA|JFaOjUUC*jvi_3e$e-PxHUc6yp`I2Ydf$s&Q zV#l8yIBJObEB%7EpABi1dsccYJD0$nt;`@M z=kGZP{VNj%Ar)Bcwfdbr=eJV_IL4v#$VhHx61+<%F;pipItT)tUimf^UvoMgtip2J zG|sPfd``m;@;yLrW6}*&VEd|BH1SmVAF;>+Q^bW$}@cz;kSUg-U!oAGu`W#-2dp_WP5{5v{Gzvlj4?+ zN_F93SnyvsSLT$o7B2CPAdm`z1Naw>xik|RII)oBr@cYRzZHH#T%E?W1Z8RB1j?z0 zsi72E;9&sonaXMzce0H3F=cQ~{6{L@BJdo;Vs{JV!*3_^@7Vf}lhG4ork2rv2LKa( zZe;?U$S!=#<{#vABi)9X^E{6zkHS=YnDTHI2}-U zsH_D|VgJL429_v8CGt{&v4iEDe<5-i6{YI`vo}Zmd6HB^({+I@7kQP{&HMF?tT#s2 z@S5#&K=6<0#J&Ew?BC-lz?Eb9wy0I$DdYbnPe!sJd$H=(u2ikTUQnfRW_4sg_~>w+ ziCX--1_LfYZzrcbw^K7c-^T`AdWekZ^|-F}@FOK40I297(+)Zt_N4wOIsGgYQke&Z*eO#IF;x)MFjLvF^G{Ke3tfz3FoZh zs)23gmFQ&^zV$s4g$I8pF8hH})JInHJm&d;yK>Mu;XD7$`3tc8Er)K3K6W)5Y1$AZ z;D9r@$Yi94r#c3riQa42dD4-h;Mf5D@$H;<>QAaa{PJ8E!MLI@>1FO&bj#k-6N^M6 z#1Ay3F`jlimUKg!%BZ0=yQ|vhGJgv2HK?t>&oSgnptw%^&9L^_%F`vGj5NAk^MrxGzE7J#kA6UhsWw%x6nof{`g_e z)1RmBCr3YyLF%1|L$dKA*<#-Jgk;^nAZC(?{w#Us!&zp|6T@{GYGfI~BJ_NOO~2PI zWbaRNv9}295inrE>Gd4hg5Z;Tv$649ebQyB7S@^n>Dm8p;5Y)#JnIr!)H?-zdwjf{ z@-W5vT(KLu>peM6$PKX;DUwtd8YP$YjN>%_2d5u8EA#1}c+D*^?l~8{Ctq#Z9^F(3 zYFCAY9&H!5WaMgd6@skPMz>${7-esI;AS+P?$q()FEg-)BDnth?#KdRoNglb!NS*h zp!VRi;1w;R3;*z%Ruq9ls63`AU%waZW7vRORaB%r!+;A}S;+w9_*~uL_+@VD zQ;&JlT(I7@9NBrxz-BY>Nj-9%(ojJxK+y)bhgY{Oy9MFQv3I7C7~Nq+jo%Y~D*qae z0SSevH^n!+wz5<#y;gOvM|T-1r%ol(J^cwT$YU$T0z2aMDp=ujeNZ_yib#7#OR5xh zWBAgF_vg@_*S_|-A#!H;AT>y^Gsw!IjPo7wV{nF3C;1tu@L7>@aXQ9lR&`JCGi`-8 z=KXVKpfmjox&M%k@wru2t_+us=Q&;69yLnvUoK4W(p`EPt9%a8u!gvi?%lW#dRy3B z2kaDk-S&@1<>lSUlK;su`tn3&3mZWgWP@^WKu^>GU;X@4Z)aSqJ?iemuVHe)CiKYy z!&)va*`D@X%6D$+zDPgH!)yK&p2sa@>Az}w`Dh}C-0bY#3uPs+py@^wtN9nKE}Oa5 zm1Es*cSqt(e9!^p-CZFOk*7HUT)+hRz;>NZmiF_^JR5)lpuoJ$Z;{3l`=lqt8^4@f z!JE>*on%^@~y5Ct{i+)KTB7UBBTS1P*@u7{!|&#WP-a5_S2P7I)!z zZ2ieS1rFM@LU$4;=odr@`1U)eg@XqPYYoc1?Ev##KesQ`a+Jb^Z?M%~-(f7v~Kp@Pv; zPfrLHx*$o$t9}X61ix?pYkDW&jaj0QWFh%`4C<#67x#zY*3UYL3y&c}%wiR|`2P&3 znbE);@}4|pg4!&4U2EeD$VXu~t=F2rYM3^#D9!W8-?4q``!F#*=-jDn*-%gm{a3QS zllrU!w*hQnFNgwWZ=AAZS;D{vk^FnjqZw$&m1%`o$Dp&pq{daR<`;eV(%odE(~Q}1 z&Ma_ofsDNyy3ClhK-_e~Ek{e@Nxql*E>Ix3)i1FP1giu@77F)ewmmyqpVec%GaOf_^xE3|JSQu4^^{DP0fK;y+jeK%DV z^zVOd8-q;FKjtJ2UOFZo({{(Mc?kPvqy4%L>9)o_TrU%U1 z4A4;KZ3gM=AJ3on+w-3R*ROBLm1`*_uOn?iH6Ok;`1wV1JO<<7FyBEj)c&sUzf@ok zfL;rT^BFUfVNorCxZ4w{w*`F_(xjl&(;kTW52f&6&6#+QdJn#vz-iZmJ!2y=&sl|d z3kP7{)Ymmu#f90SkIC<1$hmE-Nwh>KtDxkS0gi!UPrFjdF>m4&mP4TbsWSkB8fVWg z=fJiK@Fx@kHW~hr1vps>;-zTvFG>x8e|$Sd)nED5i0m2Igt^Nr>|vW3>r0+;4U{g* zDFyhZ6seo~Wi_s(LUPs}gI;TfO}+0AoJ&BDmo87hfabf0Tq+~2s;bwTLo&EPTYj^S z2|A6{Bow(uR1^#WEPW+rP7m#RxXXJiHF_&ns_R3K-^G5pj@OifQn!UemgQRyadMcqZ@@3J5r5Qo7C3w@w|9NJ z2ZK!yzU(CRa;9cp22;N)kd)J@g``piu!5axRDp7d%0LT}80`W1WL;kw)wvWD4e7tg zv>zZ&1+O96yO^-8DKblOihc!!VXqa2kQL>wq4GKxYX~PkY zGT|SZIWu8*z_>rW0=|ejj;FqcSZtFudPWwz)Fb7n9+G8vxxJQHB%SW&Oinr^uRGwa zc!4#sdcDo;JZdIM)adp;OGMwQRgX6Oj%QXiF^ufCZ=R(|O>d#$4KDTLsReTfE97jT zw!>zM$|P2T7xc1(wo}p71epN<(9~C(yBa=^s12^E z!pAhpw%g?X{g(1wbn)Un?GV*nL zh8+6oqi?F`(%FsZ+EFwgzeGiuEtjErd7?7*FQdTOoWCU)^iHjkF29>v`xoAYy?`@F z8D8_(lR4AXR}MxUSNXni$5;CuNkYCpsAZdxdXG_=+U179Aj~E>XoDXwpzOw~(^1up z9b2`21RX`0<#{`&AByK%p9E0gh&@`lQ&o#YB=NeMWcvB|)Z_tj?}MKUgpVKibep5A z7;?vCvu-o-u>@wvCH!~C#c3w$)iWd$H@iXK)p#$? zir{qvi&}qniDE90J-GoC7^v8XCkB+X)?J4WH}wzJT*%I+qt9Dr3KY($RmRf0KK2R7 zWWuknS*=H^pw=)w?s*G#MFwoyvi7C!6&|Qx1?T(1_1Y7!3eOB@&X*)AMe`rTkf?iY z9c8g4Hu;W>?OKVolKujfscR?H?$ihf&1esEa!OQ3Zt1V24cpdg;a6!(iOwjp(|ZcV?D~gy zb&qNreOwb}!A?`<7CR#s_sj+x3Wz-R$S`J|rQaq$+JJv7>C6~rv*hI677du|*uc-* z_j0qDlN!R30xBYBPS${CXhX1=USCo@w?=MDAISjAj&XyrTNG3a46QkgnovT=KsS4+ zi?xywm^0&DEca=?K7}ocN63SLN0Ai|-yqxnpbZZ(G47oPo?ryPP%gU@!)IYP@)XM! zdAMID(rYQBzg+BbU97<-4dQS63Rb5a!|7cf6pM7$KJ%j9I`K_BRc19MH z5yLbSnD>@O2F6aJ_&zo_o%3rj+I)jvZ{7ThPjL1G#cDeNz+s?bpzhkL)amT4qXg)L zJ_>!j7BuWSt3;i*?-ThU^WJV{Tx5!x8}ZSR30yyG=%W5e`oE-u#hBS zh@mTlF|Fs1$+Tfw?{LtnkG%%vLK;s}OD$uT@a$r&qh$ZhbIUcXaxD;VtiU&=b-XH- ze>D=~VaHdp7JFylDFqz^pL+LcY=%Jbs|=g)16zp;?$hDyHx5Ten<pbW&f3od44O1Q!yg8BF8Q;Nd{eDq`sj|vhiCNrF zxFl%_S|+r_DH3+{AgZrYr#IcCq;JfkSkojip-D(5itGG`rG`=0HmF44YNR@9$svVP z;S%4K8S8K^?tCggpWXC6KkHO)zfb73yQIW}Gnq|`11iyKkRMpa`bI-TTO+^WwUsRz z+;=Fvf5NCrB6sROpLw$ObkJL@sBORX?mYKb626?~=imQ*Q&MdIsV`ZSeK%nA*@c?s z)*`cl{r&V$8a8>MiFOb-n|BU$&o8kJBzEz_{$cwePX2b+RoN3=iOBjOd_#(xWbs$; z)tC<++=Y)0@w%LbuSVK7&=pJK!uUqbIYP-NLdOkS^BJN;V&1_Z|(3a)o~&h4SXtuA_>`tFnPy zl|l2~thJ`mTfTwsCe-HXfli;Oi=g!Jp@18$QcT^}@cXvu535R(jdD)J#`|A<`t7Zq zgX;Em(2UEOA-DoiYtH{<$fm}{b|2BX4Ie$JLHS~nVnTL{ro}z#CmRciu{WF>0*>hj ze@97g1}UK}n4)Fr!mzKTZgs77v9&Kg!5i&o^!k%a0eDgm|Hvp3wTLs^9Ojpd2DShBMy_iVWJWCO#+U6^st57-)f{~aoFN4NyHJ(CrY zYrWGG|4#^>N$FwYW}wT*jWk4FhBEtopw+b3ESy)nN#m^lS}uiRX{Ukln&8`McbpVf z>_oWu69<0xIXXgwWKlmYl4W&;s?#5!5BC>@_GA1|-}RxF#ZhyWVOod%Yu-LuNQb_d3mN%MvfYENdE35FWNFZ5L73Yt}p$R8rC zsj_~?ff1a3SR*vC)*wDpw;~AkDNQg@HYgtln=R-CRf#VW~cab>uYvWg#`zLjS6s{Kyk6*|@V9eW$ZXod2b*CsEul zBGOl>T|?wAx< z`G>fMI{3f311yi^SSR&G|-tt+xmSg3^=bsLz(-Z~ zhJT*~Xze$NfsyVHCRwVEu-UBtivtjM{0TA*#SJ`W)1H_Q4hT9qdb_e@Xw`V2Ha-h<9ex9`JNP%~doqb-p8>IKrxA2Z0=j1}Xpu4-6qom#>i~f_ z@VOl@SLz@XTCI@k`>3sRV%RC~MYXzc6=OTD>aIXnpfG^H#dhG=YL@GV$}}puP!eMW z^G^BCh44m+k#ei<-aYBw_6=>4>$jg}g5FyxCYC?g@1Onr<`HYK_`mEA(o20d1x>&C{+D(UF#20O{9{PuaoS&3q3K#8A)A->|)?6(*D*ROuhuccQ0a!comgr@oT)wfv`1Q5ul zZR3xFp=KmlHzpsSzw#gwy{%(w)U2U^j@aZ+f%XAP&zj`u)zY&2bY<~jA+*i#@IuJp{f=@fpO-L~i&4Wpii++HqH4CEX@yvy}V*CO|3 zt$R830y^1h`-POqWB(I(@l49*uFq|E-rsN9s{`spE++Uhol`(L^rq5-DxN(l77o(S z+kYquOo}3t-UCz~n5M%dV3}k;_|_=v(rd=GR z!L<$Ne@hTRV1V_&Mr`Pkqx19NxRxLne@F<&MiV;9dA zs7)p98qf(d3Ez*`UHwTa3V)&=V8trToqw)2qs6EB zHKq#5W0GqXsMaX{1A%TIu+H1{99|XsC6OQxt6RO{4?=sM8x}*P9~2Lpmbkqo=Jr^| zKj%|`eW`F4OK^#KzrJ*%pkkFmN8Q4V*cZ`NqJTSsO#s% z2+oWY*U$q`uRWeH#XiugY*}GM3Vwdqi;QtFIb}o))yWFKVrwj{i)Oe z(SwOe{==qup|#W7li8`{fzgJCBj5gQ6sM`~Mt?C@etpm|2?-aj()O?(2({;@*-kN= zNKbFqOBJ%TkwPMN%Z>2oc)3DXLZK_(GbghPR7wQc2INu^UsipbHbrT@=|v3%>@inf zIKPrx?RJYG7wK_6)Osj5qbYsgX}0Fq4O&sU1}xu|r9z-Z(SC9(%}ep>1gumBk)~; zSL*^k4h5|q(TU|35qoW=ff&8MeM?sRgW3l@X;)aqR>09I5qTdAzLJl?@xGvi2UatN zpChiNF!I>x_wV&=h-pn6Lx?i3ot?&Vx(iRa%yU74tKcK0mveB_U+J0fMx33o zIW>rCO39xIjtZk^h3$umxKvKM2OO2ZfzR##=suUB`<5uuB20+8E&KAnxR9K`iFbf@ zz0)MUB?isrD>!2Kf&1hMhGD{>FuUpMXUp>T@+e+BdS=15`iASHa#YNJg3Z zFo&A~+dJy~5JFm6XSV)!a* z>D6fOv#{NYIWPLjuSdrUbLlH)s_w;e9QTpFG4hcd1ue9Jpk*{Jre1EXb}KT(er4;; z!Rq^_mue^%7YVFtkTWUFCdrHCg(lIda50;-f-cV08Qza`a&N{%Q@AFy6xC5}O%Vaj zFW^7YXncj5g)Qf(2Tr7h_InsgC_t!QazA#*KA?=w#qv&1XPpp)sE#xN+;?LCmTTB9t>E1u(YvHM8P9>(TX zV%$pZcxoKL2F%`5@@W5f*%?8R@}>e34$Yf<%quj}?c0@)UDlmZpv;IG$_=M!lgEup2+?Ke=eC;m@kUmj0o z{=PqIN`<77q>@r(sU)Go^pPl)EXSICD5R5wBuf+`(t_+IAv;;lvG0Uvv*jF1mWmu( z969GWzx(|hO*J#0-}f_r&1IInYg5voB2s39!ZQ_Do8WG#)u21EHh_;^LB70lO(Y2t_P}WRE{?Cb$tv1BP zskFsuz8Rap6mFP4YG+mn&WbsW#bMAHP-rPvx2AF?4-5H>W%Jn*;yqQZo3GH?DK&l^ z#%4~Y={yvl6Ysb`Yx0%ZrgNlSduoy(B%>pY%iNFS6C^>Z8jgE1=<-ML+c~BKDgX2G z(bC~U_RGm;Xx8FJfH}_9(AcY2PAjEV@aPYkM>?1itJU3U(iQA>)KK-W44sdl=RY!a zT|qQ)n6mQ(yRE93ll)NWojv5?|F}zZe$XywLTcf26iyr)cDykQE4kSxSs$5e*xSXZ=BmVIR?6nnqN z^JRdv+ycbMgriUZm;5BfkV&bPNb|4mbbu+ zq;ZJeq>$ISM$zSBqp*Xh%SITQ{g|7@qai3u3p4zSlCjdVaJ-^HZwb+Ti%X>f!o=HU z*A^4J9R|CXw}=lJ#^{=lX1K zd5wBZ98afBHC&QTG%DjJQ)lr+5Uhi&u4Ca9xg{#l^?FtuU+D}EoaaTgAcqcz;d3tt$u!Qx=N##6+u5T)aLPH? zJ$~WdQQU{so*+=Z{01P{)>=)O_b?{0Jn*LYg4dP;fr1mIhe4m1mn=r*)8=SvKeXTK z#V!9Tv0vX9hT*)$?uTf~z>vio8?pc?f>}J4tpJZ&L&hd>$En`c==hy6+J@cP)A zrJsHBNOsHGF~VqAM9Jj-JfB->C36*=6!?Bmj#B_r;L=*O4b7!T`(F3f6c7EVcFz&d zDc#vP+sjwRm1?q_?kgJW=Q{*qO2kaK8SxyM8%dL)I-ALNZ+7z(`*3zlma-Vca1KiH z%RVZm*Gd``Y$8Q&SJa=foy`hh>H2@|={IkH1bJ&2Dpmqx+o)qPvyZ-Rp5=zCWYAFtDc}L>{nzLm7N3=9X)Pc2 zPqiQLOmS$P3J;JHcz$YE25Fx$Ci2$%tyx+V-B$&#+FZW7+s!kj54|*Tn6meKTGun)J(q!l z0<#2Rhx1oY9TIP15|s#WS^#2$fb&l|?CUu<`f-Q*fdeitvv2Z7)nOWY!Ejkx{YxK@ z*17K%hRTm#ywiv{UJA+;$A$4Xa-qQZyDIc-`PL>cULM)v83iei#>@SRSj^Qj2DbOk zH-%7kr*(|a-JpMaS+@C7>RZOD|CSNEDm{@|1SCZxo|gTdY94Kjs}u8WovM6c_>B@y zREg(Q;Osy^fcZ)m#AfTM+bWTRp&jIgCP*gc(Dilsx(^-RN+K?pz!;I2I6u^OJ=zL( z1v9WKtmQftticT0k||JdswE6sEyFW+4_cAhoa%OYx(@dxSBZft8|i!&w8Y3ZqBe(( zMiFWB*HHxxZ26<(oJ^g;A=$*(D1uCq&9QHZ7r>whmfgKm)iQV!F7^d!D`;A!3Xy83 z0#rMgEo3RD-VrTMee3!aje_iSlM|%9?SwnOA>Y9}FH%cW)L0{9Y$h-;fKjvxkgSqH3<##i6nrv-hb z&$g7+;jjyd}nYCZ2DXS{Ga3 ztG}z$<(EoSZrBX5BE@~j{YaDO84D89&pIgOEhCgk(;g$c7&7I784D}0v*5uWyNO!xcCzUDMMaZlm#1+mucpkI4 z5P@eYzCm^O!{igh996zUEUBRzkJyH_4Va3Dy1*Gx?PD#tzHzym(4+W}Shq+HZcfq; zzX*0ktvzG(TDts))7@(~o~*k5Lk)+Li?46JT=9(L;R~`C;@qQvVYPFu2^(4Wg=9#Z zE0#$z2hli7VEpU+_2Et2DzJ^{M99Ig3(f{8?O2v8NY7P1nleZ98BM0XvD=nr=!=Ji z4dT*7cNgmnQ}hSs=^v(@$b8f))^UL6Z($Q3#!@saDf)=4Z!Du5oR@8W;w@e(57|;* zuFtueHaNedztr17Nddw}K7q!ezW)m)@5?5KQu#CNteZewLD{5?us|F0LM`*5)FHQc zeXUrdQ&Pvo#`LYnTv#>*xSr~6w;M_1HqG7_sp#=UJCcSx)cjNjTC~8*ftEEV1(xS0M68ECeiK_FeZ%ED>0Qkht}kuf3iDRM{rEf+j+y9G;}XUeB0_vc5^8>gk@Rk)vZeX|WOCa@rZ^ z7%l`2GwPEWNT9#LE%lyP9X|J)@~kOn{`RK|&LkKs?s#xeg8u4KZ1zT3N*y<5H$p~n zqz1N>zd*Vp=s`-#Q}UeeXLoMm6HFWR2D0fNIxK$&ouK_`-h0lSQ%I`y&<<(8fjpEc zDRe&TwL|-v=JoNG%VAQ4Y#GUWm-8bx#?L&#!n_C~X^Hl7@P@&b(E|$mXGjC-Q5xwf zO{Oe4mTq54l}m8p!9ftF|7wdI4H-n9BhfvJb)y_cIl=?e?5A$iY8koPdgr~fC@m6a z$fOT{1q)_?d_~05@oP$%lLa*o>;q3_q;>CSm2LKgN6(n_n=8 z#rqk_x_Ue~D_)PCY%z7FCwj={T`J#t?+S9mp$Z-16Uv{pI?!}xPEbnHljzVxh;t61 zNmmw@^&4MehFvc(L%HRNqf#q!dcJY%_q3R(V=G(pe1+ad18v;6FAMc~6+`!el1iNZ zY!~R8B+-je5Q>qdh^&K{aN6QIQM`CbV9kVU8QxfD`-03CC6?>H`F)?h99-gh(nB45 zCF#$0>F>9vwQ2LWXwbG4W(E9e14Noz$TQ%tMb@;_JWy&_y8%F!bb1dCYB5NdmLI`| zDt(QU9HMkMU$Mu%w!^jpBwa9?o4}DvNAdNO@@9E2khA1py?@r_0S8^UOVyhiP3=fn z=>ToIey{*_4PO_-`xWJ^9$)jFdiP4q6#~(Zc6xy;qy(KHeWu%bW>*aRQN=AoyqR`} zMkW1mtU|O5j8CjS?9M?CC_WzO9}E&4lpH2d1zMusuyXA#9uaGj{}UUz|Js0khjWtv73cZ z;E2>-A`#*?J|wELu0#v#2Uu7R$7P03LO!qTVuW0b>&}(Q%l?&joaKKXUS;RDe6sNI z#TWfr)3cde(>3AgX`*QYghL;j&YG#=V7mkxY7USnJL1Oel)E=jF+zFe(bhvkxFx^q zU@zvhmFUCcV9ka%bn&#)+q35R`kIB7c;}k7vEzspFx8CJQ#v>OFo8d7*{Bzdbt$d@l~ z&M}&9P^8 zwSAYfvoY@2W9(c!-5wPs*m&(Ie@6U9%#RP6dyx6cu|x4i?GLivEEvHnIrWcKJ-uTp zIy8{E7nmTpuM7pZ$ZBd_^Hq}x#oX@`ub*>=XG<;f#^AvgD}Ula-B<(DJjYNhyN+SD z%smtlE^EqbFSr<`E{OKxjv&=$RNS!B)pNpjqGH&y0ERs9R55$@Jo=Th@s1U8kdv7x z@-FT+EuQp8wKkEwy@ZdKcQa$u>t>z9PwQ5;eun-JwCXGd7Mm#nJKxIYBX&4jhYcZI z+)~xIYJ_3p38_r8x@SQ$+a0k!diT!m%U@c?$drv)XO!2m=Hjev5DyEkZ!m1sFkzJH zpU!HArJAfvVcS>7;3`rtx=VB6D(jjgZ_Ef{KC5DuPB>;0&XI2g$rK$$@>?FNM6D|Zbj?rvB0~{s33+&JA4B)B$ygWhfF5dL zES+8?sHmujlriU`pJ+l}1S|@Qlm8rTRl}yVC`UjwK^!6i@9@A2r4#^+vP~|%uw5cM zH+j4xaoAXy^}wP{@{B1(rIVxu=HRxBnvI_Xa>FT=!!?9Dr1_b+nw$?WYu&N37&+_Y z>EO`(VjcBm--cN{!+ituez4n8^3E_m{DDYqrc#d-eId?o+a+t=`i5~N z(BkuFX+ z6?yF+&SNL$ynm3gi*_G#XN2!->daovjqFv(efoFPsV>WO3JV9CLPFmaOVK2=Gvdn$ zcmTv2yFUyovK61rU9dxqj5QPDR&(m_>zFM2)SLLeVGK4%fs1jVC}5guP1ji7MB0Y1 zbrK(>Ih;`xgXms#sd_%f?ji*|(LAavZvhLg=&Uy?RW0lW+dS}y=$SGMMef(Eq6j6V`yZ)$Mvz=|%W-@pz z9L%#j47J<-$TY+Vep6F}i-ayx?5L8N%0c9jf;B0ueqh8e2g3N?O78h^eZvQqB-j*V zqby9J8op}Tm{HO5Sjd$)aCfREr!rbYlBv!@Fw19Y(!#r~DcN*gDM}I-;M~^Jg`Z>H zpGK)n`CcF0j8ib@1;4s4td(K>79TAnBR4%S3qbc3?meo|>3O`nGbDSQzL;9-#h&ykj>8(4CG$f{arHtA8YvN9Q!T31n zh2b;#ryexjq5Gvth9W?HyHbhru@$EfY8>l%VuZC7=R^}469AeoyZ+4~+^(kK-pjL- z&f&Z7VQx&WXZ{gx9WJ~hW3`01NyHtM8WZtf#9#8N>bmgU+Jts{A$wG{obs@P#iYg( zS28>|tdEe=H96T@pZC;C#N)MHx9XnwLV#c_C5%6iW+^BBzi01qZJ>Z@%r4zgl9L$T z1s8_ZT$!ieL_C$oU4Rt%o3(A}g0<}x7r@cu93F3{tg{RMEW$dN+*`<-_PUU@2qmp- zO}~fXgr8y=kDc>i9Ldl~MjuN!vI$$QDduTq-0-gv#Y$_)KV>J{B^JDkp!&PF?L$zQ zrK~&&)D5hcVF8SCeyyk{j`L#mBff7W8_@(ae>B6OBr%uXKUOTqSPxw(lohT23cM|z zEkg8R3g^n`i6M#$->vCEUctfEwy)rsfIM3$!EBl)m)-FLE>-U~e-`JhTIDLiRr0(l zweI~M@1bVW=Td4UDN$8MkL@N0_=UThiKK+&FChMyq((oaNK-S^?#^} zPpr32kY;ff+Ez8$baLw*Rxsjnrb#s|*S7CptedO6?z<5=7?v1$bVRa=kAB`eh|4DC zbP(`r2MtF(a?vgm%)y;N-Ar8`L#t)xCboZ3w9syCe&U+fTEH@S`|4CTDfnKlL7jBN zWbnQRc)p~)Wt;9N55rb1U~Z$aMKfKTpH&^51)=Iowv0&N?l8sDGUkV8B8P|MT@SX@ zilDIoO7h>w0$4i@5csi~7=-C{sn7}`X-)q8^Qj$LIM+YjjHe|r$!P&jZ*y#sy~;Jr zVhg#x$;-MFhKipO)$UuJy{8ZSU0RJ5;=V6H)k*@$)*kI_n6t}3Z@lUhnFpImU+U{4*Dp!Hq z4i<$>r8EYwH2S8vF=N@!?3vF3dj<@W^q>4^np%vkh^AH~*@R7fq}>^rOg3m;PVV^n z<18_if@n**QUe@of+HiX$tc11groqI7?N?rF|MsU$J=zD&RTyT*ZWrcrhR^))>}E3 zS~Hu^13DKKuMa7#^W=Tkt{7ru%y`{sAfKe{i(|Rw!9fj`9xX(JnFPXV-zSD3VDdT~ z`ba;;3pfrRF`p+^Ipg2Tf>w7HHMH=)qjZa4Mm%+=Z>pIuzihUy&si!Ax$xeNQ+KW% zOY6$3LP2LSQaaHSa^@N>;*^EEO-0g@X(!@Oheya5b>njlm336zb+@WUXgmKBHw(Qq zyXbg{-U>L{$mHU2K$WRx8e}6Qv6NHfsqV@9w*)Yz3e;TR6)k^bs?dNnIP^umOKi;6 z{b9Ih$>dby-PljI8_dvVZv58r>Yt~^Ka#Dn_r8EBBep|F_dNP8cL~h;4przQL$v6_ zK~dF-4fmvPPESj-YLc>;#n5KuLJTtEYJ6sN*9C5CjMcPAk^O0F3OHN$`5dlOed{S+ zKQh-4zX%PBD#=Aj=QGmer<6*DVrEY?VXjqp&0r)$i)ns?rHiaDu_AFb`cT^Z8%6KO zFh`|~26Wr5odEVmA<$!YLCV*ru{q`rXNBi6 z?vG5M3}IgyR2xlu)(sBpF~J-Pp8un_6OA~2Na|{6hlzn>3gLnVH@0_# zIJiB|gf@n+g?ZKG#bNw8oSKs#Zt$si;BGqfgg66wx2wr`zH-6LHQj?J$>y$}6aKuZ zHB=;!`o;D1kAfnVAdY2UTfNTiVJ!!XVGXp+=C2YG#?N_ovLZ4TRPxDUBjUjJ;k3%A zRisJs$9pi4`IYMYCrI0-eV1+Ol8X6B@~wLcZWN3PF3ZbV%Z=@QfNcDZ_04>NThT*UYiNK_k2|Fe~9#zAMwg71Tw%N z(UjDKCTFxA?_!IF@M<{h$0JHUKcC*9Aj50HY;J{Lw|rGCr?39SN9UexDX>` znr1hvJV7ZD=`ncVveZvU_UB^oGX?OS3c7qkWPj-By6w|$cUs?F8&|;qaeG_rHGF6N z_)pO-yofkh1HGx?>QL6G3Bf8Mo=@YiTrJ$3Zg${$vh)^$L(G~2!GRczq!fC-f(-6M zZ`-lG(Z1Ujd_PTQ{xWW<&dV${_gA$-;!+k55y>Y0W@$D)~i??7oR-s?fGGfr}3vAk(E2XDEbGmDa zvq7n)l+^Qf{K4q_*HuVeR6Ds5TXHiGVBgpI!Y$QFYK=WHW)=hh1>=PCfV2b7*EWQ0--qVzo z(2FeO7-&lP-$uk;j@TKHLXDQp>~MGBb$gd$}r; zR#RlBG(o`AWrgKkR?a?uU>xSsKkoM`;Rw8Po2c6j4cyVKlukXXpMgvv=lmK{E*qj$up8Zss5HbG?k}!Y0 zs<+f7{MNnqz8Vc9)G}0>x)_n~H9Xr!uO32&^y#J?nD3c0%B2^F2?ZZIKsRq>Tn^i|_jH~z?CyElV>GMxjXxeES zHnY5F8jDJ{RpXCz?B*G8vbVSA19y<#Vf#_I6rEkM`;3-LGsMDoQvYA$n(g(fNKJK) zBd&~jX{+fVPvpiZD$C2Q?!o3?fL>PnPl$^cQO2Yx0&jwoL4<;hdtCseEw4|DzM0SD zEuxx;U~^CbEnZY>LZKOr=Vm_3>=K{R4ex{HlB@DLeUChHpaDv0Z=(=T0*8omeDrOu zK_TdDqP?g>AZ$^Ej^O`_+Lc`M^*b}x3^*Gozb(L4zc9-q3RQUSek!Ny!YI zI36N?WxMZMOC#53$?x69El2h+AsVV-BfH=C-V4z3DE3UtN5AJ44(Mn`A5m!ZsWHpk9aOJ%R9{j zRoxb7tZD$dYKsmiUXC4{hhaHHW-S9kvZs9(ueQ2$;$8cq`F2@K=#Q3>^K$@@lC5p~ zN!oaK^5gUfxx^GNf2%#hTUpy|Z=IempuH!*`l@TisL&7;3}raHL3{GPEA=oY<~z1n z&h>g~H0k*f6>^26j2m|-D~WI3DP7K84*|D7s1J9>8)6t z;Mx@I zJEvM}Oa(`lysR`+lSvtgY975HN6&z!co9X`z|?L}!n)RJKXeMK0al$o&m4)0yAR(2 z&~3^?faC~`>l(XjAC8&MTdE9qZ0=J-M5s#@yNJt}jpEro3BqpNN;}|$!>4^J1;3aV z{wApN`B+sC`kC;NZJN6AYI^?x-AqQ`_)ZS;r6 From 5b80aaacb10bf8171a2d229ac9ac3c0e1f0784bb Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:23:36 -0700 Subject: [PATCH 030/458] adding SDL asset to library --- windows/security/TOC.yml | 2 ++ .../msft-security-dev-lifecycle.md | 14 ++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 51021a5be7..2fb9e585d4 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -8,6 +8,8 @@ href: threat-protection/fips-140-validation.md - name: Common Criteria Certifications href: threat-protection/windows-platform-common-criteria.md + - name: Microsoft Security Development Lifecycle + href: msft-security-dev-lifecycle.md - name: Hardware security items: - name: Trusted Platform Module diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index 18ce55f174..6c23e09a9e 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -15,3 +15,17 @@ ms.technology: other # Microsoft Security Development Lifecycle +The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. + +[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) + +Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. + +The Microsoft SDL is based on three core concepts: +- Education +- Continuous process improvement +- Accountability + +To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl). + +And, download the [Simplified Implementation of the Microsoft SDL whitepaper](http://go.microsoft.com/?linkid=9708425). \ No newline at end of file From 94a899aeea133898a0ed2c02bc4799fbb13d1d29 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:24:14 -0700 Subject: [PATCH 031/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2fb9e585d4..c0d8371997 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -9,7 +9,7 @@ - name: Common Criteria Certifications href: threat-protection/windows-platform-common-criteria.md - name: Microsoft Security Development Lifecycle - href: msft-security-dev-lifecycle.md + href: /threat-protection/msft-security-dev-lifecycle.md - name: Hardware security items: - name: Trusted Platform Module From dd1f7282b404281e943296ff770b59ad3fd48081 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:32:41 -0700 Subject: [PATCH 032/458] bug bounty --- windows/security/TOC.yml | 4 +++- .../microsoft-bug-bounty-program.md | 22 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/microsoft-bug-bounty-program.md diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index c0d8371997..9228a4398d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -9,7 +9,9 @@ - name: Common Criteria Certifications href: threat-protection/windows-platform-common-criteria.md - name: Microsoft Security Development Lifecycle - href: /threat-protection/msft-security-dev-lifecycle.md + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md - name: Hardware security items: - name: Trusted Platform Module diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md new file mode 100644 index 0000000000..7dcc6cdd7f --- /dev/null +++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md @@ -0,0 +1,22 @@ +--- +title: About the Microsoft Bug Bounty Program +description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# About the Microsoft Bug Bounty Program + +Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you! + +If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions. + +Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details! \ No newline at end of file From 13fdb77a7dd40853652c47be8cea6827d9e49271 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:34:39 -0700 Subject: [PATCH 033/458] Update index.yml --- windows/security/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 7cb9f7653b..0223f04598 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -12,7 +12,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/30/2021 #Required; mm/dd/yyyy format. + ms.date: 09/01/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -30,9 +30,9 @@ landingContent: - text: Common Criteria Certifications url: /windows/security/threat-protection/windows-platform-common-criteria.md - text: Microsoft Security Development Lifecycle (SDL) - url: /previous-versions/windows/desktop/cc307891(v=msdn.10) + url: /windows/security/threat-protection/msft-security-dev-lifecycle.md - text: Microsoft bounty program - url: https://www.microsoft.com/msrc/bounty + url: /windows/security/threat-protection/microsoft-bug-bounty-program.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From df4d59c47eb1e38f7e057bdf3cb893d8ca3599da Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:36:59 -0700 Subject: [PATCH 034/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0223f04598..75ffc66f93 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -29,9 +29,9 @@ landingContent: url: /windows/security/threat-protection/fips-140-validation.md - text: Common Criteria Certifications url: /windows/security/threat-protection/windows-platform-common-criteria.md - - text: Microsoft Security Development Lifecycle (SDL) + - text: Microsoft Security Development Lifecycle url: /windows/security/threat-protection/msft-security-dev-lifecycle.md - - text: Microsoft bounty program + - text: Microsoft Bug Bounty url: /windows/security/threat-protection/microsoft-bug-bounty-program.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 15b3ecd41db69af3267ced632a248586478b2834 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:38:28 -0700 Subject: [PATCH 035/458] Update index.yml --- windows/security/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 75ffc66f93..71a5f7717b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -23,7 +23,7 @@ landingContent: # Card (optional) - title: Security foundations linkLists: - - linkListType: overview + - linkListType: concept links: - text: Federal Information Processing Standard (FIPS) 140 Validation url: /windows/security/threat-protection/fips-140-validation.md @@ -38,7 +38,7 @@ landingContent: # Card (optional) - title: Hardware security linkLists: - - linkListType: overview + - linkListType: concept links: - text: Trusted Platform Module url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -49,7 +49,7 @@ landingContent: # Card (optional) - title: Operating system security linkLists: - - linkListType: overview + - linkListType: concept links: - text: Secure the Windows boot process url: /windows/security/information-protection/secure-the-windows-10-boot-process.md From 25e017370fff019a2d98ff5e8e3df6ce02fd201a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:40:05 -0700 Subject: [PATCH 036/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 71a5f7717b..f4a69ddf4d 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -44,6 +44,8 @@ landingContent: url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md - text: Kernel DMA Protection url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md + - text: Protect domain credentials + url: /windows/security/identity-protection/credential-guard/credential-guard.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From c0f1ac7e36465bdbc3f3e7c306812d2dc32f2e76 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:40:43 -0700 Subject: [PATCH 037/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index f4a69ddf4d..e11b7d5819 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -42,10 +42,10 @@ landingContent: links: - text: Trusted Platform Module url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md - - text: Kernel DMA Protection - url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md - text: Protect domain credentials url: /windows/security/identity-protection/credential-guard/credential-guard.md + - text: Kernel DMA Protection + url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 6f00a1a1bc6bb6ce2a470f784bf4afbf647a2272 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:43:26 -0700 Subject: [PATCH 038/458] Update index.yml --- windows/security/index.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index e11b7d5819..d4679c7821 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -7,7 +7,6 @@ metadata: title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. ms.topic: landing-page # Required - ms.topic: hub-page # Required ms.prod: windows ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. @@ -51,6 +50,12 @@ landingContent: # Card (optional) - title: Operating system security linkLists: + - linkListType: overview + links: + - text: Secure the Windows boot process + url: /windows/security/information-protection/secure-the-windows-10-boot-process.md + - text: Configure S/MIME for Windows 10 + url: /windows/security/identity-protection/configure-s-mime.md - linkListType: concept links: - text: Secure the Windows boot process From 9dc5919c15d4c393f12fc2ae322fa5cd8c8359a3 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 16:53:55 -0700 Subject: [PATCH 039/458] Update index.yml --- windows/security/index.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index d4679c7821..154f648ccc 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -52,13 +52,13 @@ landingContent: linkLists: - linkListType: overview links: - - text: Secure the Windows boot process - url: /windows/security/information-protection/secure-the-windows-10-boot-process.md - - text: Configure S/MIME for Windows 10 - url: /windows/security/identity-protection/configure-s-mime.md + - text: Overview of operating system security + url: /windows/security/information-protection/index.md - linkListType: concept links: - text: Secure the Windows boot process url: /windows/security/information-protection/secure-the-windows-10-boot-process.md - text: Configure S/MIME for Windows 10 - url: /windows/security/identity-protection/configure-s-mime.md \ No newline at end of file + url: /windows/security/identity-protection/configure-s-mime.md + - text: Encrypted hard drive + url: /windows/security/information-protection/encrypted-hard-drive.md \ No newline at end of file From e5775301938e210dcb2fe11f12a485b484e3f742 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 18:46:44 -0700 Subject: [PATCH 040/458] Update index.yml --- windows/security/index.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 154f648ccc..4933ec3a76 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -61,4 +61,13 @@ landingContent: - text: Configure S/MIME for Windows 10 url: /windows/security/identity-protection/configure-s-mime.md - text: Encrypted hard drive - url: /windows/security/information-protection/encrypted-hard-drive.md \ No newline at end of file + url: /windows/security/information-protection/encrypted-hard-drive.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Threat protection + linkLists: + - linkListType: overview + links: + - text: Security baselines + url: /windows/security/threat-protection/windows-security-baselines.md From f2c63b041463f8d7025a8c5884a1f04fce842680 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 18:50:49 -0700 Subject: [PATCH 041/458] Update index.yml --- windows/security/index.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 4933ec3a76..ebdbef87cd 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -71,3 +71,31 @@ landingContent: links: - text: Security baselines url: /windows/security/threat-protection/windows-security-baselines.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Application protection + linkLists: + - linkListType: overview + links: + - text: Security baselines + url: /windows/security/threat-protection/windows-security-baselines.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User protection + linkLists: + - linkListType: overview + links: + - text: article (change link later) + url: /windows/security/threat-protection/windows-security-baselines.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Privacy controls + linkLists: + - linkListType: overview + links: + - text: Windows and Privacy Compliance + url: /windows/privacy/windows-10-and-privacy-compliance.md + From d2a171bcf97a391d5987bb71ceb511b1b26d96d1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 18:55:05 -0700 Subject: [PATCH 042/458] Update index.yml --- windows/security/index.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index ebdbef87cd..df688f1247 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -56,12 +56,13 @@ landingContent: url: /windows/security/information-protection/index.md - linkListType: concept links: - - text: Secure the Windows boot process + - text: System security url: /windows/security/information-protection/secure-the-windows-10-boot-process.md - - text: Configure S/MIME for Windows 10 - url: /windows/security/identity-protection/configure-s-mime.md - - text: Encrypted hard drive + - text: Encryption and data protection url: /windows/security/information-protection/encrypted-hard-drive.md + - text: Network security + url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From c78dfba57f50f6021aeb825c791664a3db05749f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 1 Sep 2021 18:56:49 -0700 Subject: [PATCH 043/458] Update index.yml --- windows/security/index.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index df688f1247..1dcca94f77 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -62,7 +62,6 @@ landingContent: url: /windows/security/information-protection/encrypted-hard-drive.md - text: Network security url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) @@ -70,7 +69,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Security baselines + - text: Security baselines (more to follow) url: /windows/security/threat-protection/windows-security-baselines.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb @@ -79,7 +78,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Security baselines + - text: article (change link later, add more) url: /windows/security/threat-protection/windows-security-baselines.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 1599a3b2dad42fe8ac6b5cb7b9dc59848abb0f6e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 2 Sep 2021 09:37:51 +0530 Subject: [PATCH 044/458] Updated --- .../mdm/policy-csp-admx-datacollection.md | 22 +- .../mdm/policy-csp-admx-desktop.md | 640 +++++++++++------- .../mdm/policy-csp-admx-deviceinstallation.md | 176 +++-- .../mdm/policy-csp-admx-devicesetup.md | 44 +- .../mdm/policy-csp-admx-digitallocker.md | 44 +- ...policy-csp-admx-distributedlinktracking.md | 22 +- .../mdm/policy-csp-admx-dnsclient.md | 240 ++++--- 7 files changed, 755 insertions(+), 433 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index c2de3fdc86..e86a85cc6a 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4baa5a5da4..4fb236ccc9 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -120,28 +120,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -158,7 +164,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. @@ -191,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -229,7 +241,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. +Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. @@ -264,28 +276,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -302,7 +320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. @@ -335,28 +353,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -373,7 +397,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. +Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -407,28 +431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -445,7 +475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. +Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -479,28 +509,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markNoNo
@@ -517,7 +552,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. +Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. @@ -546,28 +581,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -584,7 +625,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. @@ -615,28 +656,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -653,7 +700,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. +Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. @@ -687,28 +734,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -725,7 +778,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. +Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods. @@ -754,28 +807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -792,7 +851,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. +This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. @@ -828,29 +887,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
NoNo
@@ -866,7 +930,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. +Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -902,28 +966,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -940,7 +1010,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. +Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. @@ -972,28 +1042,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1010,7 +1086,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. +This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. @@ -1041,28 +1117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1079,7 +1161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. +This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: @@ -1114,28 +1196,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1152,7 +1240,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. @@ -1183,28 +1271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1221,7 +1315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. +Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -1255,28 +1349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1293,7 +1393,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. +Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. @@ -1324,28 +1424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -1362,7 +1468,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. +Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. @@ -1391,28 +1497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1429,7 +1541,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. +Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. @@ -1460,28 +1572,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1498,7 +1616,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. +Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. @@ -1536,28 +1654,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1574,7 +1698,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. +Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. @@ -1605,28 +1729,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1643,7 +1773,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. +Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. @@ -1677,28 +1807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1715,7 +1851,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. +Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. @@ -1748,28 +1884,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1786,7 +1928,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. +Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. @@ -1815,28 +1957,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1853,7 +2001,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. +Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. @@ -1885,28 +2033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1923,7 +2077,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. +Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1960,28 +2114,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1998,7 +2158,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. +Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. @@ -2035,28 +2195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -2073,7 +2239,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. @@ -2107,28 +2273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -2145,7 +2317,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 470b11eb3f..9be53d2bcc 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -57,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -95,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. +This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -126,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -164,7 +176,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. @@ -195,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -233,7 +251,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. @@ -264,28 +282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -302,7 +326,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. +This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. @@ -333,28 +357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -371,7 +401,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. +This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. @@ -404,28 +434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -442,7 +478,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. @@ -472,28 +508,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -510,7 +552,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. +This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. @@ -541,28 +583,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -579,7 +627,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. +This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 8816d46b2e..83ee93d63c 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -77,7 +83,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. +This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. @@ -108,28 +114,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -146,7 +158,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. +This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index b41032d0f8..62334a7178 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -77,7 +83,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -110,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?Editionwindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -148,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 1151c3fbae..a15f2e874e 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 6d020b3a32..fe4bf81f52 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -99,28 +99,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -137,7 +143,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. @@ -167,28 +173,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -205,7 +217,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -244,28 +256,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -282,7 +300,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. @@ -313,28 +331,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -351,7 +375,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -400,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -438,7 +468,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. @@ -469,28 +499,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -507,7 +543,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. @@ -538,28 +574,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -576,7 +618,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -609,28 +651,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -647,7 +695,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -682,28 +730,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -720,7 +774,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -757,28 +811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -795,7 +855,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -831,28 +891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
From f97bbc28f8e619901d2be7985665fd0041d6ee54 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 2 Sep 2021 12:39:35 -0700 Subject: [PATCH 045/458] adding additional hw links --- windows/security/TOC.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 9228a4398d..be0bcbec13 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -33,6 +33,10 @@ href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md - name: TPM recommendations href: information-protection/tpm/tpm-recommendations.md + - name: Hardware-based root of trust + href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: System Guard Secure Launch and SMM protection + href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - name: Protect derived domain credentials with Windows Defender Credential Guard href: identity-protection/credential-guard/credential-guard.md - name: Kernel DMA Protection From eef32723531d6e1b659cd5734e54f2fe18490522 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 6 Sep 2021 16:23:30 +0530 Subject: [PATCH 046/458] Updated --- .../mdm/policy-csp-admx-dnsclient.md | 245 ++++++++++------ .../mdm/policy-csp-admx-dwm.md | 133 +++++---- .../mdm/policy-csp-admx-eaime.md | 266 +++++++++++------- .../mdm/policy-csp-admx-encryptfilesonmove.md | 22 +- .../mdm/policy-csp-admx-enhancedstorage.md | 132 +++++---- 5 files changed, 504 insertions(+), 294 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index fe4bf81f52..41090af7c8 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -935,7 +935,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. +This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -973,28 +973,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1011,7 +1017,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. @@ -1042,28 +1048,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1080,7 +1092,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1115,28 +1127,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1153,7 +1171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1191,28 +1209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1229,7 +1253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1262,28 +1286,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1300,7 +1330,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1338,28 +1368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1376,7 +1412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. @@ -1407,28 +1443,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1445,7 +1487,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1479,28 +1521,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1517,7 +1564,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. +This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1554,28 +1601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1592,7 +1645,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1625,28 +1678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1663,7 +1722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1712,28 +1771,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1750,7 +1815,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ad2161edfc..37070921de 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -89,7 +95,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -124,28 +130,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -162,7 +174,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -196,28 +208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -234,7 +252,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -267,28 +285,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -305,7 +328,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -338,28 +361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -376,7 +405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -410,28 +439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -448,7 +483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 454bd47f86..36cb590d5c 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -69,29 +69,33 @@ manager: dansimp - - + + + - + + - + + - - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross mark
NoNo
@@ -107,7 +111,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. +This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. @@ -143,28 +147,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -181,7 +190,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. +This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: @@ -229,28 +238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -267,7 +282,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. +This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. @@ -305,28 +320,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -343,7 +364,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. +This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. @@ -379,28 +400,33 @@ ADMX Info: - - + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionSupp
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -417,7 +443,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. +This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. @@ -455,28 +481,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -493,7 +525,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. +This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. @@ -528,28 +560,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -566,7 +604,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. +This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. @@ -599,28 +637,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -637,7 +681,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -672,28 +716,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -710,7 +760,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -745,28 +795,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -783,7 +839,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. +This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -818,28 +874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -856,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. +This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -891,28 +953,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -929,7 +997,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. +This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index d5cdf442da..b063efc3d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index a77d1438d2..950fe416fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -51,28 +51,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -89,7 +95,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. @@ -120,28 +126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -158,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. @@ -189,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -227,7 +245,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. +This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. @@ -258,28 +276,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -296,7 +320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. +This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. @@ -327,28 +351,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -365,7 +395,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. +This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. @@ -398,28 +428,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -436,7 +472,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. +This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. From cdc77db37ad061e9f98acdcc851e096b2b3a8c02 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 7 Sep 2021 20:49:41 +0530 Subject: [PATCH 047/458] Updated --- .../mdm/policy-csp-admx-errorreporting.md | 641 +++++++++++------- .../mdm/policy-csp-admx-eventforwarding.md | 45 +- .../mdm/policy-csp-admx-eventlog.md | 460 ++++++++----- .../mdm/policy-csp-admx-explorer.md | 109 +-- .../mdm/policy-csp-admx-filerecovery.md | 20 +- .../policy-csp-admx-fileservervssprovider.md | 22 +- .../mdm/policy-csp-admx-filesys.md | 177 +++-- .../mdm/policy-csp-admx-folderredirection.md | 155 +++-- .../mdm/policy-csp-admx-globalization.md | 395 +++++++---- 9 files changed, 1283 insertions(+), 741 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index f54ecfc994..5db935cf84 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -120,28 +120,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -158,7 +164,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. +This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. @@ -195,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -233,7 +245,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -266,28 +278,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -304,7 +322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. +This policy setting specifies applications for which Windows Error Reporting should always report errors. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -343,28 +361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -381,7 +405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. +This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -433,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -471,7 +501,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. +This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. @@ -506,28 +536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -544,7 +580,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. @@ -575,28 +611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -613,7 +655,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. @@ -644,28 +686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -682,7 +730,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. @@ -713,28 +761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -751,7 +805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. @@ -782,28 +836,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -820,7 +880,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. @@ -851,28 +911,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -889,7 +955,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. @@ -920,28 +986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -958,7 +1030,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. @@ -989,28 +1061,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1027,7 +1105,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. @@ -1058,28 +1136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1096,7 +1180,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. @@ -1127,28 +1211,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1165,7 +1255,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. @@ -1196,28 +1286,34 @@ ADMX Info: - - + + + - +` - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1234,7 +1330,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. @@ -1265,28 +1361,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markNoNo
@@ -1303,7 +1404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. @@ -1344,28 +1445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -1382,7 +1489,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. @@ -1413,28 +1520,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1451,7 +1564,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. @@ -1482,28 +1595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1520,7 +1639,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1559,28 +1678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1597,7 +1722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1636,28 +1761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1674,7 +1805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. @@ -1705,28 +1836,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1743,7 +1880,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. @@ -1775,28 +1912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1813,7 +1956,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. @@ -1844,28 +1987,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1882,7 +2031,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. @@ -1913,28 +2062,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1951,7 +2106,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. @@ -1982,28 +2137,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -2020,7 +2181,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. @@ -2051,28 +2212,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -2089,7 +2256,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. @@ -2122,28 +2289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -2160,7 +2333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index bd419345c7..dc00ad7337 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -40,28 +40,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -78,7 +84,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -113,29 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
NoNo
@@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 7c171edf2e..1dda6c7ce0 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -96,28 +96,33 @@ manager: dansimp - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -134,7 +139,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. +This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. @@ -165,28 +170,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -203,7 +214,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. @@ -234,28 +245,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
NoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -272,7 +288,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. @@ -303,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -341,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. @@ -372,28 +394,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -410,7 +438,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. @@ -441,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -479,7 +513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. +This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. @@ -510,28 +544,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -548,7 +588,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -581,28 +621,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -619,7 +665,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -652,28 +698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -690,7 +742,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -723,28 +775,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -761,7 +819,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -799,23 +857,28 @@ ADMX Info: Home - cross mark + No + No Pro - cross mark + No + No Business - cross mark + No + No Enterprise - check mark + Yes + Yes Education - cross mark + No + No @@ -832,7 +895,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -866,28 +929,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -904,7 +973,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -938,28 +1007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -976,7 +1051,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1010,28 +1085,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1048,7 +1129,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1082,28 +1163,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1120,7 +1206,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1153,28 +1239,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1191,7 +1283,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -1224,28 +1316,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1262,7 +1360,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1295,28 +1393,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1333,7 +1437,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1366,28 +1470,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -1404,7 +1514,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1437,28 +1547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1475,7 +1591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1508,28 +1624,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + > - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1546,7 +1668,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index be619c2c3b..a74f3183f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -48,28 +48,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -86,7 +92,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. > [!TIP] @@ -113,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -188,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -226,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. @@ -255,28 +273,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -293,7 +317,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. @@ -327,28 +351,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
NoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -365,7 +394,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 7f2635d2ab..5b451adc45 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -34,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 2896e4cc5a..2d631edea5 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -74,7 +80,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 079c55e92e..010a794280 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -55,28 +55,33 @@ manager: dansimp **ADMX_FileSys/DisableCompression** - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markNoNo
@@ -93,7 +98,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. > [!TIP] @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -157,7 +168,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. @@ -186,28 +197,34 @@ ADMX Info: **ADMX_FileSys/DisableEncryption** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -224,7 +241,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. > [!TIP] @@ -249,28 +266,34 @@ ADMX Info: **ADMX_FileSys/EnablePagefileEncryption** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -287,7 +310,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. > [!TIP] @@ -312,28 +335,34 @@ ADMX Info: **ADMX_FileSys/LongPathsEnabled** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -350,7 +379,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. > [!TIP] @@ -375,28 +404,34 @@ ADMX Info: **ADMX_FileSys/ShortNameCreationSettings** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -413,7 +448,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. @@ -441,28 +476,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -479,7 +520,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -514,28 +555,34 @@ ADMX Info: **ADMX_FileSys/TxfDeprecatedFunctionality** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -552,7 +599,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index ed28fb4638..9f945c9f33 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -53,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -91,7 +97,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -128,28 +134,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -166,7 +178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -202,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -240,7 +258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. @@ -271,28 +289,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markNoNo
@@ -309,7 +332,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -343,28 +366,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -381,7 +410,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -414,28 +443,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -452,7 +487,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -487,28 +522,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -525,7 +566,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 857ff5d89f..69442d3b5d 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -105,28 +105,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -143,7 +149,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. +This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. @@ -176,28 +182,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -214,7 +226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -253,28 +265,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markNoNo
@@ -291,7 +309,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -330,28 +348,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -368,7 +392,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. @@ -407,28 +431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -445,7 +475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. +This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -481,28 +511,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -519,7 +555,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. +This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -554,28 +590,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -592,7 +634,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. +This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. @@ -625,28 +667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -663,7 +711,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -708,28 +756,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -746,7 +800,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -791,28 +845,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -829,7 +889,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). @@ -862,28 +922,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -900,7 +966,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -935,28 +1001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -973,7 +1045,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -1010,28 +1082,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1048,7 +1125,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. +This policy setting restricts the Windows UI language for all users. This is a policy setting for computers with more than one UI language installed. @@ -1081,28 +1158,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1119,7 +1202,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. +This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. @@ -1154,28 +1237,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1192,7 +1281,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1227,28 +1316,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1265,7 +1360,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1300,28 +1395,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + + >
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -1338,7 +1439,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1377,28 +1478,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
From f3ae7d10856bed5bca7bd46238c0388b038dec25 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 7 Sep 2021 20:57:11 +0530 Subject: [PATCH 048/458] Updated --- .../mdm/policy-csp-abovelock.md | 10 --- .../mdm/policy-csp-admx-addremoveprograms.md | 67 +++++++++---------- 2 files changed, 33 insertions(+), 44 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index ce57cf318f..36f429b833 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -152,16 +152,6 @@ The following list shows the supported values:

-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 478ce5c0d7..6e80fa4b4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -92,8 +92,8 @@ manager: dansimp Yes Education - No - No + Yes + Yes @@ -111,7 +111,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -181,8 +181,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -200,7 +200,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -268,8 +268,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -287,7 +287,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -355,8 +355,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -374,7 +374,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -443,8 +443,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -462,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. @@ -527,8 +527,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -546,7 +546,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. @@ -611,8 +611,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -630,7 +630,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. @@ -696,9 +696,8 @@ ADMX Info: Education - No - No - + Yes + Yes @@ -715,7 +714,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. @@ -780,8 +779,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -799,7 +798,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -867,8 +866,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -886,7 +885,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -954,8 +953,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -973,7 +972,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. From 7249c9c21dfbeb36659694d5ba096d4d1c0c9dc1 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 7 Sep 2021 21:48:34 +0530 Subject: [PATCH 049/458] Updated --- .../mdm/policy-csp-accounts.md | 57 +++++++++---------- .../mdm/policy-csp-activexcontrols.md | 10 ---- .../policy-csp-admx-activexinstallservice.md | 2 +- .../mdm/policy-csp-admx-appcompat.md | 54 +++++++++--------- 4 files changed, 54 insertions(+), 69 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 2d31514b75..2416669864 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -56,19 +56,19 @@ manager: dansimp Enterprise - check mark + Yes, starting in Windows 10, version 1607Yes Education - check mark + Yes, starting in Windows 10, version 1607Yes Mobile - check mark + Yes, starting in Windows 10, version 1607Yes Mobile Enterprise - check mark + Yes, starting in Windows 10, version 1607Yes @@ -110,36 +110,38 @@ The following list shows the supported values: - - + + + - + + - + - + - + - + - + - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYes, starting in Windows 10, version 1607Yes
Businesscheck markYes, starting in Windows 10, version 1607Yes
Enterprisecheck markYes, starting in Windows 10, version 1607Yes
Educationcheck markYes, starting in Windows 10, version 1607Yes
Mobilecheck markYes, starting in Windows 10, version 1607Yes
Mobile Enterprisecheck markYes, starting in Windows 10, version 1607Yes
@@ -178,36 +180,38 @@ The following list shows the supported values: - - + + + - + + - + - + - + - + - + - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2Yes, starting in Windows 10, version 1607Yes
Businesscheck mark2Yes, starting in Windows 10, version 1607Yes
Enterprisecheck mark2Yes, starting in Windows 10, version 1607Yes
Educationcheck mark2Yes, starting in Windows 10, version 1607Yes
Mobilecheck mark2Yes, starting in Windows 10, version 1607Yes
Mobile Enterprisecheck mark2Yes, starting in Windows 10, version 1607Yes
@@ -243,15 +247,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 218006e1a3..05a023f63f 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -97,16 +97,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index b4cea8e9e5..6194474bad 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -69,7 +69,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. +This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 901a7a04b6..d3ca0e63c5 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -96,8 +96,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -114,7 +114,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -179,8 +179,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -197,7 +197,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -256,8 +256,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -274,7 +274,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. +The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -337,8 +337,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -355,7 +355,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. +The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -419,8 +419,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -436,7 +436,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. +This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -502,8 +502,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -520,7 +520,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. @@ -575,8 +575,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -593,7 +593,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -655,8 +655,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -673,7 +673,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. +This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -734,8 +734,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -752,7 +752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. +This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. From 94674fe3f67a16787b8c99beb96b881c82ef32dd Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 7 Sep 2021 09:36:19 -0700 Subject: [PATCH 050/458] YAML updates --- windows/security/TOC.yml | 20 ++++++++++---------- windows/security/index.yml | 30 +++++++++++++++--------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index be0bcbec13..dd76035b25 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -2,16 +2,6 @@ - name: Windows security href: index.yml expanded: true -- name: Security foundations - items: - - name: FIPS 140-2 Validation - href: threat-protection/fips-140-validation.md - - name: Common Criteria Certifications - href: threat-protection/windows-platform-common-criteria.md - - name: Microsoft Security Development Lifecycle - href: threat-protection/msft-security-dev-lifecycle.md - - name: Microsoft Bug Bounty Program - href: threat-protection/microsoft-bug-bounty-program.md - name: Hardware security items: - name: Trusted Platform Module @@ -313,6 +303,16 @@ href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - name: Tpmvscmgr href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Security foundations + items: + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md + - name: Microsoft Security Development Lifecycle + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md - name: Privacy controls items: - name: Windows Privacy controls diff --git a/windows/security/index.yml b/windows/security/index.yml index 1dcca94f77..e59fa8c210 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -18,21 +18,6 @@ metadata: landingContent: # Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Security foundations - linkLists: - - linkListType: concept - links: - - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation.md - - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria.md - - text: Microsoft Security Development Lifecycle - url: /windows/security/threat-protection/msft-security-dev-lifecycle.md - - text: Microsoft Bug Bounty - url: /windows/security/threat-protection/microsoft-bug-bounty-program.md -# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Hardware security @@ -90,6 +75,21 @@ landingContent: - text: article (change link later) url: /windows/security/threat-protection/windows-security-baselines.md # Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: concept + links: + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: /windows/security/threat-protection/fips-140-validation.md + - text: Common Criteria Certifications + url: /windows/security/threat-protection/windows-platform-common-criteria.md + - text: Microsoft Security Development Lifecycle + url: /windows/security/threat-protection/msft-security-dev-lifecycle.md + - text: Microsoft Bug Bounty + url: /windows/security/threat-protection/microsoft-bug-bounty-program.md +# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Privacy controls From b00fca0c5e783a3961fb7288666eee455893b685 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 7 Sep 2021 09:44:47 -0700 Subject: [PATCH 051/458] adding new landing pages --- windows/security/apps.md | 16 ++++++++++++++++ windows/security/cloud.md | 17 +++++++++++++++++ windows/security/hardware.md | 19 +++++++++++++++++++ windows/security/identity.md | 19 +++++++++++++++++++ windows/security/operating-system.md | 17 +++++++++++++++++ 5 files changed, 88 insertions(+) create mode 100644 windows/security/apps.md create mode 100644 windows/security/cloud.md create mode 100644 windows/security/hardware.md create mode 100644 windows/security/identity.md create mode 100644 windows/security/operating-system.md diff --git a/windows/security/apps.md b/windows/security/apps.md new file mode 100644 index 0000000000..08542e1f22 --- /dev/null +++ b/windows/security/apps.md @@ -0,0 +1,16 @@ +--- +title: Windows application security +description: +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +--- + +# Windows application security + +Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enables developers to build-in security from the ground up to protect against breaches and malware. \ No newline at end of file diff --git a/windows/security/cloud.md b/windows/security/cloud.md new file mode 100644 index 0000000000..cbce8d9341 --- /dev/null +++ b/windows/security/cloud.md @@ -0,0 +1,17 @@ +--- +title: Windows and cloud security +description: +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +--- + +# Windows and cloud security + +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased 3rd party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services to help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads and safeguard sensitive information while controlling access and mitigating threats. + diff --git a/windows/security/hardware.md b/windows/security/hardware.md new file mode 100644 index 0000000000..34c5329f7f --- /dev/null +++ b/windows/security/hardware.md @@ -0,0 +1,19 @@ +--- +title: Windows hardware security +description: +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +--- + +# Windows hardware security + +Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. +With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team. +Though a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out-of-the box. diff --git a/windows/security/identity.md b/windows/security/identity.md new file mode 100644 index 0000000000..61afd163d1 --- /dev/null +++ b/windows/security/identity.md @@ -0,0 +1,19 @@ +--- +title: Windows identity security +description: +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +--- + +# Windows identity security + +Malicious actors launch an average of 50 million password attacks every day—579 per second. And Identity is the battleground for attacks of the future. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows 11 correctly identifies users while delivering a high-quality user experience, which helps hybrid and remote workers stay productive without sacrificing security. + +New Windows 11 devices protect users by removing vulnerable passwords by default, from day one. Weak passwords, password spraying, and phishing are the entry point for many attacks. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations by more than 99.9 percent. As remote and hybrid work becomes the new normal, Windows 11 gives IT teams a variety of MFA options to meet business and consumer needs while complying with ever-evolving regulations. + diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md new file mode 100644 index 0000000000..1c7d101129 --- /dev/null +++ b/windows/security/operating-system.md @@ -0,0 +1,17 @@ +--- +title: Windows operating system security +description: +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +--- + +# Windows operating system security + +Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. + From 63dde9b95d4f0a8d1bec621788e8b29df1e563b2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 10:36:04 -0700 Subject: [PATCH 052/458] Update msft-security-dev-lifecycle.md --- .../security/threat-protection/msft-security-dev-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index 6c23e09a9e..c16994d574 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -28,4 +28,4 @@ The Microsoft SDL is based on three core concepts: To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl). -And, download the [Simplified Implementation of the Microsoft SDL whitepaper](http://go.microsoft.com/?linkid=9708425). \ No newline at end of file +And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425). \ No newline at end of file From aaaa6bda21c54d2a28e4543260522631d057a81b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 10:38:30 -0700 Subject: [PATCH 053/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index dd76035b25..2f550f7437 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -116,7 +116,7 @@ - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md + href: access-protection/configure-s-mime.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: From 5563ecf4194b45bb8fb0586d94bec06491e5c91d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 10:43:41 -0700 Subject: [PATCH 054/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2f550f7437..d92cd2c7d5 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -116,7 +116,7 @@ - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Configure S/MIME for Windows 10 - href: access-protection/configure-s-mime.md + href: identity-protection/configure-s-mime.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: From 4b5e8bec4d74391f3523b1feed3b48cc0c36c56a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 10:58:37 -0700 Subject: [PATCH 055/458] Update TOC.yml --- windows/security/TOC.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d92cd2c7d5..cef0b7006c 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -34,6 +34,7 @@ - name: Operating system security items: - name: System security + href: operating-system.md items: - name: Secure the Windows 10 boot process href: information-protection/secure-the-windows-10-boot-process.md From b032c4d1b971e9622e263f9f6be99004e1fed4fd Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 11:11:10 -0700 Subject: [PATCH 056/458] Update operating-system.md --- windows/security/operating-system.md | 33 +++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 1c7d101129..c380a6bc2b 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -1,17 +1,44 @@ --- title: Windows operating system security -description: +description: Securing the operating system includes system security, encryption, network security, and threat protection. ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: deniseb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dansimp +author: denisebmsft --- # Windows operating system security Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. +The operating system security features in Windows 11 include: + +- System security + - Trusted Boot (includes Secure Boot and Measured Boot) + - Cryptography and certificate management + - Windows Security app +- Encryption and data protection + - BitLocker + - Encryption +- Network security + - Virtual Private Networks (VPNs) + - Windows Defender Firewall + - Bluetooth + - DSN security + - Windows Wi-Fi + - Transport Layer Security (TLS) +- Protection from viruses and threats + - Microsoft Defender Antivirus + - Attack surface reduction + - Tamper protection + - Network protection + - Controlled folder access + - Exploit protection + - Microsoft Defender for Endpoint + + + From 87874b50833102561dbc8d331190d83e3ea1ff43 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 11:21:05 -0700 Subject: [PATCH 057/458] Update operating-system.md --- windows/security/operating-system.md | 30 ++++++++-------------------- 1 file changed, 8 insertions(+), 22 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c380a6bc2b..ad52554062 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -17,28 +17,14 @@ Security and privacy depend on an operating system that guards your system and i The operating system security features in Windows 11 include: -- System security - - Trusted Boot (includes Secure Boot and Measured Boot) - - Cryptography and certificate management - - Windows Security app -- Encryption and data protection - - BitLocker - - Encryption -- Network security - - Virtual Private Networks (VPNs) - - Windows Defender Firewall - - Bluetooth - - DSN security - - Windows Wi-Fi - - Transport Layer Security (TLS) -- Protection from viruses and threats - - Microsoft Defender Antivirus - - Attack surface reduction - - Tamper protection - - Network protection - - Controlled folder access - - Exploit protection - - Microsoft Defender for Endpoint +| Area | Features & Capabilities | +|:---|:---| +| System security | Trusted Boot (includes Secure Boot and Measured Boot)
Cryptography and certificate management
Windows Security app | +| Encryption and data protection | BitLocker
Encryption | +| Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | +| Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Microsoft Defender for Endpoint | + + From 5879c32fea2095b3ff861639a0f103fd21ff44cd Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 11:23:04 -0700 Subject: [PATCH 058/458] Update operating-system.md --- windows/security/operating-system.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index ad52554062..da4a9933bf 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -15,16 +15,12 @@ author: denisebmsft Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -The operating system security features in Windows 11 include: +The following table summarizes the operating system security features and capabilities in Windows 11: | Area | Features & Capabilities | |:---|:---| | System security | Trusted Boot (includes Secure Boot and Measured Boot)
Cryptography and certificate management
Windows Security app | | Encryption and data protection | BitLocker
Encryption | | Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | -| Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Microsoft Defender for Endpoint | - - - - +| Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | From cc9cccaa6b3e21f1a42f9050db8a80aca9d69075 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 11:23:43 -0700 Subject: [PATCH 059/458] Update TOC.yml --- windows/security/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index cef0b7006c..d13521f976 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -32,9 +32,9 @@ - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md - name: Operating system security + href: operating-system.md items: - - name: System security - href: operating-system.md + - name: System security items: - name: Secure the Windows 10 boot process href: information-protection/secure-the-windows-10-boot-process.md From 35cdaa49a3bcd33df8311a28151d767b37632b9b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 13:18:41 -0700 Subject: [PATCH 060/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index da4a9933bf..75e756f7c9 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -15,7 +15,7 @@ author: denisebmsft Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -The following table summarizes the operating system security features and capabilities in Windows 11: +The following table summarizes the operating system security features and capabilities in Windows 11:

| Area | Features & Capabilities | |:---|:---| From 5a6830db7d83d950f72d6c6ef8b02faf9861fd62 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 13:19:05 -0700 Subject: [PATCH 061/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 75e756f7c9..107e6ed663 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -17,7 +17,7 @@ Security and privacy depend on an operating system that guards your system and i The following table summarizes the operating system security features and capabilities in Windows 11:

-| Area | Features & Capabilities | +| Security Measures | Features & Capabilities | |:---|:---| | System security | Trusted Boot (includes Secure Boot and Measured Boot)
Cryptography and certificate management
Windows Security app | | Encryption and data protection | BitLocker
Encryption | From f80cbae66310823530cd74481d8b5c0f99e2e31f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 14:03:40 -0700 Subject: [PATCH 062/458] Update TOC.yml --- windows/security/TOC.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d13521f976..29c0a6f1a6 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -194,10 +194,22 @@ href: identity-protection/vpn/vpn-office-365-optimization.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md -- name: Threat protection - items: + - name: Threat protection + items: - name: Microsoft Defender Antivirus href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md + - name: Attack surface reduction + href: + - name: Tamper protection + href: + - name: Network protection + href: + - name: Controlled folder access + href: + - name: Exploit protection + href: + - name: Microsoft Defender for Endpoint + href: - name: Application protection items: - name: User protection From a953782f5cc0392510052a5048d6960e5d0f6117 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 7 Sep 2021 14:18:46 -0700 Subject: [PATCH 063/458] testing table --- windows/security/apps.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/apps.md b/windows/security/apps.md index 08542e1f22..4b15230a76 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -13,4 +13,24 @@ author: dansimp # Windows application security -Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enables developers to build-in security from the ground up to protect against breaches and malware. \ No newline at end of file +Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enables developers to build-in security from the ground up to protect against breaches and malware. + +The following table summarizes the Windows security features and capabilities for apps:

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Application Security |[Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md)
[Microsoft Defender Application Guard](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md)
[Email security for Windows](/identity-protection/configure-s-mime.md)
[Microsoft Defender SmartScreen ](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | +| Privacy Controls |[Windows privacy and compliance](/windows/privacy/windows-10-and-privacy-compliance)
[Windows privacy controls and transparency](/privacy/changes-to-windows-diagnostic-data-collection.md)
| + + + +## TEST + +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard leverages chip based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running these in an isolated Hyper-V based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](/identity-protection/configure-s-mime.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | +| Isolating UWP apps | TBD | +| Developer security | TBD | \ No newline at end of file From 5dfdfa641ff110549d6dfd46750121c547e79647 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 7 Sep 2021 15:53:53 -0700 Subject: [PATCH 064/458] simple table --- windows/security/operating-system.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 107e6ed663..6c6b8529f3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -2,6 +2,7 @@ title: Windows operating system security description: Securing the operating system includes system security, encryption, network security, and threat protection. ms.reviewer: +ms.topic: article manager: dansimp ms.author: deniseb ms.prod: w10 From 119222a9e3020880a781ecea97b359c5a48a6c45 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:21:39 -0700 Subject: [PATCH 065/458] Update TOC.yml --- windows/security/TOC.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 29c0a6f1a6..ac2bff22dc 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -32,8 +32,9 @@ - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md - name: Operating system security - href: operating-system.md items: + - name: Overview + href: operating-system.md - name: System security items: - name: Secure the Windows 10 boot process From ae3045451972d9fe90e2f132de4a24c1b72070ed Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:32:59 -0700 Subject: [PATCH 066/458] Create trusted-boot.md --- windows/security/os-security/trusted-boot.md | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 windows/security/os-security/trusted-boot.md diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/os-security/trusted-boot.md new file mode 100644 index 0000000000..2ab20d1e02 --- /dev/null +++ b/windows/security/os-security/trusted-boot.md @@ -0,0 +1,33 @@ +--- +title: Trusted Boot +description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: w11 +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: jsuther +f1.keywords: NOCSH +--- + +# Trusted Boot + +This article describes Trusted Boot, a security measure built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. + +## Secure Boot + +The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. + +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. + +## Trusted Boot + +Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. + +Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. \ No newline at end of file From a2fbdfe3bb73182057ee1d80d9c0db15e8449f2b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:35:05 -0700 Subject: [PATCH 067/458] Update trusted-boot.md --- windows/security/os-security/trusted-boot.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/os-security/trusted-boot.md index 2ab20d1e02..5770dab09b 100644 --- a/windows/security/os-security/trusted-boot.md +++ b/windows/security/os-security/trusted-boot.md @@ -18,7 +18,7 @@ f1.keywords: NOCSH # Trusted Boot -This article describes Trusted Boot, a security measure built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. +This article describes Trusted Boot, a security measure built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. Trusted Boot picks up where Secure Boot leaves off, helping to ensure your Windows 11 system boots up safely and securely. ## Secure Boot @@ -30,4 +30,8 @@ As the PC begins the boot process, it will first verify that the firmware is dig Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. -Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. \ No newline at end of file +Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. + +## See also + +[Secure the Windows boot process](../information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file From c8967bccca8fe623d7fa09ba332686ca3a66752e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:35:53 -0700 Subject: [PATCH 068/458] Update TOC.yml --- windows/security/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index ac2bff22dc..eaabe3d79f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -37,6 +37,8 @@ href: operating-system.md - name: System security items: + - name: Trusted Boot + href: os-security/trusted-boot.md - name: Secure the Windows 10 boot process href: information-protection/secure-the-windows-10-boot-process.md - name: Encryption and data protection From 2bbebaac8a662c43d1c27119078b73c189a6a44e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:43:46 -0700 Subject: [PATCH 069/458] Create cryptography-certificate-mgmt.md --- .../cryptography-certificate-mgmt.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 windows/security/os-security/cryptography-certificate-mgmt.md diff --git a/windows/security/os-security/cryptography-certificate-mgmt.md b/windows/security/os-security/cryptography-certificate-mgmt.md new file mode 100644 index 0000000000..712d4806dc --- /dev/null +++ b/windows/security/os-security/cryptography-certificate-mgmt.md @@ -0,0 +1,43 @@ +--- +title: Cryptography and Certificate Management +description: Get an overview of cryptography and certificate management in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: w11 +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: skhadeer, raverma +f1.keywords: NOCSH +--- + +# Cryptography and Certificate Management + +This article describes cryptography and certificate management in Windows 11. + +## Cryptography + +Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. + +All cryptography on Windows 11 is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. + +Windows cryptographic modules provide low-level primitives such as: + +- Random number generators (RNG) +- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521) +- Hashing (support for SHA-256, SHA-384, and SHA-512) +- Signing and verification (padding support for OAEP, PSS, PKCS1) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF) + +These are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can leverage these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). + +## Certificate management + +Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. + +Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. From 0183e07657c000345c700d8565d55993d6759891 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:45:10 -0700 Subject: [PATCH 070/458] Update cryptography-certificate-mgmt.md --- windows/security/os-security/cryptography-certificate-mgmt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/os-security/cryptography-certificate-mgmt.md b/windows/security/os-security/cryptography-certificate-mgmt.md index 712d4806dc..282fac4632 100644 --- a/windows/security/os-security/cryptography-certificate-mgmt.md +++ b/windows/security/os-security/cryptography-certificate-mgmt.md @@ -32,9 +32,9 @@ Windows cryptographic modules provide low-level primitives such as: - Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521) - Hashing (support for SHA-256, SHA-384, and SHA-512) - Signing and verification (padding support for OAEP, PSS, PKCS1) -- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF) -These are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can leverage these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). +These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). ## Certificate management From 54483578098ba7e62c5519863d304d5e4d347300 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:46:46 -0700 Subject: [PATCH 071/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index eaabe3d79f..b7e9b9d4b0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -200,7 +200,7 @@ - name: Threat protection items: - name: Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md + href: microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md - name: Attack surface reduction href: - name: Tamper protection From 0dd024ba903616a80cb1451b13d9c16199a91bdf Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:48:15 -0700 Subject: [PATCH 072/458] Update TOC.yml --- windows/security/TOC.yml | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index b7e9b9d4b0..2e167de1fd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -199,20 +199,14 @@ href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - name: Threat protection items: - - name: Microsoft Defender Antivirus - href: microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md - - name: Attack surface reduction - href: - - name: Tamper protection - href: - - name: Network protection - href: - - name: Controlled folder access - href: - - name: Exploit protection - href: - - name: Microsoft Defender for Endpoint - href: + - name: Microsoft Defender Antivirus + href: microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md + - name: Attack surface reduction + - name: Tamper protection + - name: Network protection + - name: Controlled folder access + - name: Exploit protection + - name: Microsoft Defender for Endpoint - name: Application protection items: - name: User protection From 05f28657b0c54c27281c27e804323c4af0052b09 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:55:45 -0700 Subject: [PATCH 073/458] Update operating-system.md --- windows/security/operating-system.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 107e6ed663..584a85b7bd 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -13,14 +13,19 @@ author: denisebmsft # Windows operating system security +This article provides an overview of security measures built into Windows 11. + +## Operating system security + Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -The following table summarizes the operating system security features and capabilities in Windows 11:

+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

| Security Measures | Features & Capabilities | |:---|:---| -| System security | Trusted Boot (includes Secure Boot and Measured Boot)
Cryptography and certificate management
Windows Security app | +| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)
[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)
Windows Security app | | Encryption and data protection | BitLocker
Encryption | | Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | | Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | + From 56fdc9752e95139409d66077f640a71a22ee1286 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 16:59:28 -0700 Subject: [PATCH 074/458] Update TOC.yml --- windows/security/TOC.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2e167de1fd..eb58b0f6cd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -200,7 +200,6 @@ - name: Threat protection items: - name: Microsoft Defender Antivirus - href: microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md - name: Attack surface reduction - name: Tamper protection - name: Network protection From e741bf1cb5bb53dacc48639b2bb656e17b21773c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:05:35 -0700 Subject: [PATCH 075/458] Update trusted-boot.md --- windows/security/os-security/trusted-boot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/os-security/trusted-boot.md index 5770dab09b..4a2e241a83 100644 --- a/windows/security/os-security/trusted-boot.md +++ b/windows/security/os-security/trusted-boot.md @@ -16,9 +16,9 @@ ms.reviewer: jsuther f1.keywords: NOCSH --- -# Trusted Boot +# Secure Boot and Trusted Boot -This article describes Trusted Boot, a security measure built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. Trusted Boot picks up where Secure Boot leaves off, helping to ensure your Windows 11 system boots up safely and securely. +This article describes Secure Boot and Trusted Boot, security measures built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up where Secure Boot leaves off. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. ## Secure Boot From 5b674360a60e630512905866afdf6f162b2bc760 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:14:58 -0700 Subject: [PATCH 076/458] Windows security app --- .../images/windows-security-app-w11.png | Bin 0 -> 54380 bytes .../os-security/windows-security-app.md | 37 ++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 windows/security/images/windows-security-app-w11.png create mode 100644 windows/security/os-security/windows-security-app.md diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png new file mode 100644 index 0000000000000000000000000000000000000000..e062b0d292ab01d85235ee266d0c143dc5760b1e GIT binary patch literal 54380 zcmZU5c|25o*uGYhDA_8Jk|ZI7Y!i_dd-gR#$i8oxB7{&0A$#`h*|%hwWKS9zOo$=t z*v2qse)o9Z_w)PX{iDw_&YW}Rd+zVOT-SBq=Ly$TS2;$1nx2M+=GfgkO4>9u`y*&* z_L1lg!x24PbPxRJh|3*AcN!XI59+^t<2KwraFEvHu9`CK^btB5Mq%$lzu~<@$_5?^ zo*uT&ZZ!GD-FM&+g9jW^vUY#uX6NEz=j=pt@(9lbI8IMJe#_a#*Uj#+tq08~rfz9C z%D8vb&Dw%`>NyWPM{Anv1g0bK%@OK151eg0ye-_UX-r)x)YFgd-Q3Rok%I-C>PA!j z<#P-irlTI#w{UZ^b9zkk<;+YN9Hag3dQZ1U)-)TG;Q9YO?Uu8nqqUO<&1QFeGaNfi zJx#~X!@-&+Z|TP+8k%!7ca;=$d_F9U*}XEIdx|40k1RC}HC8Vb#eJI8=1n%PHY!@G z`uWyjM6pZMp*24Co95diK?;0FL}EwA4~j*+Zg`1Ouz9B7@Fj4fg?FFqY2&x7cL&{! z<46BFZJaMi-Z2t(aK2oM zbUZJPD>|eH{=9S!KG5-0UD`F{;#F3m9)6jkq4jRZk7OF0iSzYIW#=?doEp48?$7gL zn7kxO_cAv)lYd?wwY-5-8gYouq-2l3-uf8&LdF!WM@DUa97n)SEbHsXaKx$aG#F*) z)CVjVYdU01pJ-|=G#WN4ocQ87hGO&JBAl73TXJl^q@V?>876Y^@)!IIzB)DBn?`7y zaH&`uU67w62TRIZJkrIxj;Kre$b9JXlA@*F{fgXDW`A%%y!58m}qM+)aFF6ATsm#|FKE5tM=OP5;xeiE#vMBJC>H}p>VqqF%VRwE-a zOC-;2x0c6S56pR#I{IS{CoKAzS?;_}JHgYYq8v03YkjFHEh6(ceaOq(S++@DU5_Vi z(0_foBIfJHZQ^br_$89njEa8s=;Y5=%MIJmB0q3_PO6T>5&6v?Um}Y*=`*v09Oq^w zRtGeutSsZzefyTK$NHv*Ib!k(?wx;g?sU}QKI~R*LX+Y30rQ3*PSti2$x7!>OyYfx z!-cRnZM_q|T=CXgC1^YG(+VM4TJIiC^mgbDl-}iTAD@`9skkeC`eJfVrrqzUIyUMC z(v`KJe?u2)p(zk&E0N3*dg9ZV%!UtgtTa%bn= zi1zb|s<#EQsm|_WWnX#v{{8y~@yfi+E#hh>XzPa$pEWf#(T)?_A1Cp3b#?Jad@VMu zFBOcON0-E^@?B<&H1=RU6ExXzZ!)DIB1Ju{8XK6*ZXWQ)8~cY2WLaz|gFRtccigM-rJ}pWE z7ui&FCObEEc6T$NVz@7{MQRo4!S*sRF-_G8J$Uc{JfM6;Fhi3+&&f;r?7t1^MXzLc zT(6cu90w=o-&$PitwC`(iuW;@v80C`(m2vpZYzGeMMtJ@O@!gm{kjI9RF#Smr9pAH z&4BGYr|SFJ+8IOkZ|-GtN%My)@=W5T3JVKW)zl{HgpzXJ+~HlSkFr>{Ek~Luu&yg; z^qXIH$4@GQMM81DRuzVVU5Z*PIk~xssi`?eMWPZCw}lcOd3nXRw=2u`P5sP&@IL3% z=r^VF3ZjWtaCofV`$3W34gXC+f5OuAS{g;Rt~iUIe%dY3tG)-GIaec%Y9~1DWDF`_ zN8sb2osEqRKU?GrMIIruhCBH>=M%bMWk-)5?e6Py-`)0wkCn6dJn`{HVF*&{=?$GsnTxMJKF zhOaS)x3PWj?VAtSC^X+qq9lwf*38fNvi#-D}I#3hus+`e4BP_n{q8SZ|;45 zfVR{zd1S;;PhYq+ zf=xQg1veKlsHiiNB5JV#@)`nhmUedGk?g{6JFPg*oM{z#b+xgU>d(VX;%Z0r_Nkmd zVOhp8;j)!c_|(O{AjR77MXSZv2@&vC`%3zo=idy!y?(OND9WfPw4eaK0&B3)k8KRY z_v*Q~c$tsf_KFQo%2%bX4WX(%+2dwO)W#oKlZ5tWTPH+{^djTpSbr~it>l)JIN#5yGmKZRHR-5w zWIQXaR6l0p>UxbX$GDPhDr3??C}D~axJ=+Ud$!%v6cR$c_j1mNgQ%?Rs~o#F%WKhG za^F{0MAp{Ue$IQE`ORH~Mcizv#*LlXl6$6nVq$E@ic zQf{wWd|2`r?di%%i}nm&+&N53dnByYc-1nHn+I`s=j0t{{mHT6AQUpt`N>(Nq2wp$ zdiUH%{;85Zs1HMXy)eTm_5))9z%Xc}h0(XvuOLFE?wn_+GD zpUc`hClOjz-?OjA`b?r47j~y|Tze@cx`>}XD=X`-+l}q*?W*=`RnvQp*sOd;iR&B}P2c~9Qd2jz@uQchIN|obnH-4yNnIcvkHp12gaKakFC#cJlYh2O=+^hW zb2Q$c8>; z47^yTR|xg^E??~W#zuyn(Q!6Ybew$n-c4nOpVBHTYk`|<=eLnavQWOPMDJE(+Fd{V zaZSp}nD<-p+1v86icxRPpPngB)m@{boY~q()COHRX$Qrho3G#RwyA)mtD|eme(rxT zfD2Xu%%`J!aW9?WeLgfb$;-&rf!^K#C6$4RmF2nTgr;KV z-qyuVRmoJ0_8nghcA#9^+YBy5b7}RpddGO2mAlPokBp+_CKP0ED zCBkq(cdX&uoG(|EgbP;yu6-PL3DWPi`ewj-*8e^(};vRyv%k!q}( z_5->srs(!^!Md@f9EAbb4=P-Y{(X?5giPz&o|H7gYTEa(MxtscEMiP_eN1N5uYSUP zOZob$S4^2;B()r6sl-rAd9BH9Ef&$l?yD$GmWxs`>(zsKl!0I@hWc&yR1`de;dj%Pni^c~bWeKMQ`n9(+?eu?xfBay^k~gcvZ)XJ%yUaU87@({Uh+p+FsWr(NoO|7A7397a zHh}*1%f&Q7M}Sr5oPS9dx23)=tFo4DHAXyHO<;hNg=!t8z<~ zBNXl&yB}z@3NLf5<9oq`E&z$5i6-8QkfdS&lflvzGmeiqc#XY#4lt@n?*eo9>wDS1 z4z=9NR?HpbfxqtX_IsX1dtQ#aS5thSFZM{UX+b>IrFvJt6sD>THaIG4p*K){REEFrxnqjGdNu0hYxM8oQ&M^s3SjLR(f>MF9pw*19Gt$~;;)H)p4wDoaJ7P#I?`(sl(?ad>Ye!Mg$9 zaRwe7>fxy~XAU?WZh#*QIm%w+GO-^(Tx%H9+K>CfW6W$WlE8SumxS57K4Ix5_-@-2skn)@dQv?RT7OS>Z2 zPxK!P1d8VmPdHQ{0ERnN*E`j0Xq`TNdh!wX4hLeZg=uRW-P{Yn!bMC6q9F=FSwrON z2wW2vZ;L^a9+5YlDe(YIWtJOSC7bZaJWMYobOB|#@pM}pxr;{jz?0Jem1@}h{X|tm zLrhWiIg8@GUSyb8~L0M_?&rLNEbE zafckxMBXT=C@)v!i=Bv)9RI^aSz!V=&c_u)i}RcQ&PugrhUP)*e;NIW~T1uD<(?yf;RD?@uTJe^eZE!dDswAoaT zB=+Or+^Fk&bE>Vm8>2>+o1i2X*dXcLrap)_XAaA}*x|1&zAu{icSzqHZofv}SzfCw zc^YNDQ)xbh2E$QNhkmii#PV)qGYW7P@EQ}a{&FCp{@uNcss2khI(c#G|Um z{UYyW2U#1oY*b+!Aqkt6Ji%j~JWk904^RWR+QLs!Z(%F`9fcsf0t)92+~R?- z`42a~x$|ORVBk-~t&HPo-E16U;KT^H;!iuSrSOESb%? z-Duis7oMyWx^m^pha2vpYq-8Os1ekGH_ZyFhtIOQLG5x9RvMFnXk3_;EAkW&#q(hgB;ibK&3V?^}SLyp4`w$gIfCXSjv>`Rqv*xkgK)VST=L$6_Eu!y~H1a2*S+i{VD}wgl6LE1j2$KDpj%Vr)EBR6U-FS^Qxu z{w!HR;&c=hDN{+&`8N--O-~!vdS$x1yEO}k0KFdzDxo9+Odqc5$$yX=Zc@(B{6oa0bf|kzAP*(Tzx)jer$Ya!>H&sV8C%GdhOlas{I1E;j%{xto_Zo zWLMIYbqx1NRpZ=bqOJHniDYZS(ilsmvixRQ%$q*k-28m(4Jw3cV_dsw%?12lZ7rIc z6etz&)18G?8PE)VB8;1vJ_N8`mWj}ygT#%1EfGk#s_N>@;Yu7_TtJC33k0aKwmRJv zu!F%evU!3pgK`jRu>#iuU+UhNM^jT;Nz=AKhUQDJ`m+ZwAq{?ut1+~uV;0?j|3V1B zt!BQxxj;>IRQI8ZCC{HfKPOdRe81Aj+Q}&zN`r`~=-2w?rmo+=jWp+s&CF)Nr9jn5 zx3tAbK$!qub^G@1JAAS4?qwSg?I+ zRwjg%r|0$e?!yie!Ma%Ty?Ib|9=<0pR%7`Rx-63TfU$5&d%U!%2)Ez>UY69uS7zWa zM(;rlvjv9V`pw%zB}61X?CtK=t>23hp%$ZF!~NX!V+(zY5Hq~YBR@ip_1MG`u*ftj zWCAHlJw+O}m@YI9hr>}NAn;2F#OIKc-23DJMNBM=RDd!da{YQpCO@Zq00&e9$b>+r z;bMRN>>5~*TI|XUUI8}*7EjIp5t%EAeF34CWi`df zN8+cgJw4;Hvo8YmG%zu-0vtfK@g3f;iDHl80D~Emlb#e%WJ#ydhpw(~YHM!*xKWAb zoB&^Hk%KG?;k~dR$S!R5am+~!fzT+@qpqd}Sj7Iq0s#<7EPQ0pPqV7V9P`t# zPYSg*)F~YL<5xH&K>Zp7P6)a2Mt{hbP{71(5PVO6;@} zHRvw1`#ocUzk4Kte4YtYHQ@Pl3@^E3wruZ+Lk+`a3VGT6@3%L`L2r@cNDOO0&FZ7J8xA5&?>3=++o2mdXNPZ8^XNJY0ohL`gE z$C9=)ihKY5ea+OGU)ZL9A11AE*x#%X_f(i?0n!xd?CC z=@}E8nyXoHUe(J))S0tqF9Q1X*CY@KB^cHjCtNB13E{`Ps-Q&kFOlIt)1 zp^s8m4Ex0Sd5p*}V4sRR5!uec&HXqaAYhE}@hg?@%8vQ5ix7Ul-${KRG3ixqDqzn{ zM-7OwME{=4<-}qt+kG+o?w~R?8PS#feoZ}jyQ6tV`-kwc%>BsYk7ochyO# zO|szFqHm+j+Gzgeo!}Zw-&;x&GaEd!tU$GM%+&Loo88aEx)`0+lS#jnUf%MJDn5|v zzoszZA~n3(C-Umy{c6+@a)3!I?p}ynttzxf()wuY;~o6$s);v+cC0QwzSZ$+02 zimPP}*gj0+qe^7g&O{vschnJ3mf{>wI!dbjkEa25jcj+?sfofY5>3!Rz91x_v;d!n zZbJ0b>#pfva_FkXKhiQOjBuO59nX4nojLHM7PFxYP1`~DX7oR^MzdUy&HHe8*_i2R zYwi4>XO~ai%pJ_o&IgurmzO!O;QPOS0(c+UVfF@ZbgCIhMt~j;A3ppNHAQfrn_oA} zb;Llhg3J=z>9D;8au1x}Zs}^eh4rC|f0GJhl`)x_H^){Doa#P1GO6JU1?dNDS-Q%p zQ2@7t^2KkvP-RY{Fmc_g1v0Fd=(uH z8QiWK^FHUUEEj4`7V1buCP=W)lUqQfhVn3AD=xJRIvrJjzYhB5nrz*e5M*f3m8&rq zO~~H*|I3sX-40TFlRK9-t=f z@AB0#r|SG6dpI4``{;s#S5Z;07FSdDu5!8%MX*-Z04x?ngDOYRbv0Q+OoYPb>jZ^` zp&rH*6ewtZNJ^p)6oN-Ap4ToMdZ~22WoMouD|q!PNZHX-A|fJRK-CMi5RsQx7l;Fl z$f68=6|H=optNjI>VG&$0Oj_mAM^CLF^*S;ha0j#<@T7c34 z3xH8?-MR%UH7e3uF`*>92A8iN>+m$am(3h+eF&jX-kHGGFZQD!P_+bibo%T*9@b3h zS^Ao#9(xmhmandy>S^*l?UC%k_oz=A9lgJqE;1&9dzB<$lc9Mowo_9mq1J2hG{gpw z0w}-GH}gqF0Sv#JI|#xiJYT=~F;J8H;lzBsLfCC!kbZtix3gNleWL^J26YTS>fUF; zaag~^EPKGV)EO%e^{}7-8kL4dMgZTb0#d$?CD2aGvX=z~U`PnMAjb`OIM^A>vO9uo zk3jQAxl)0qSqYSH(0-s2g2%xggYd69_|ZTR8XTZ1fsr%jr2&ZYy}2VIBNJ)C0jL4w z%M^9ksyn>Qzy}_3bkv=mCsw=Ip;yK;sBa)I>&!TD@dbngAB&=Wes`g(e$j%NnN0o@zKw?mOH6}%!PiTKON z!0^YH3$Ro=ESsMNTm_I34e-7YoG;+Jep_)s)JJEQJ?l-O=)>0z68Av_w6J&%Fbm*E zWMm}xKR8ld@dJUlpq(iM8i{y~_%ZpvvjBis<~*dK2M68*d8tMCV&KZBA$tYZ!8KW^ z?NyG0a~?tFY@nHdnxbIs2iOddAs7yzBrFB+V!wD4=oUcc_vB-U5`fZw9s`~#tE>C| z_3QqmoI}fxL0Qw}7rA!r1SykRXGTkCeuPkeEeFLp>3z+B2pSu(4N$z`hXC_| zVA^i^#z(dnq(bP+f}#eD$Ik9DU0#lz8#Dl+87kd?R3gj8 zv|p=!jIsC<3q5oXpFVwRRWXwO)|%rmq)~-$|K{f}#N7j52J8nk3+|8WO#wKlk@Z~_%=+gE-E=ndwAOrK*1y<*Th z;R#zP8ho)pKElKv_iBPm+25vk%O90s9!QE#aQpPm+$Z;L8lEZk5!g%JpbhjhwAgE}CB zKCL|kzM7WiSaF$5u0`jKG0)3aDKffF#42_MAtNT$R z3?8PrV@|ZUh5_Ag`L3}$5g!~Rtx=!z_wg81u)quq7JyOd{()dKG^A_u_;GM)5){x0 zD^v6}H8BpoU!G@8sog2iZc3k^g`k{(M^8*l{7JZojG%dD!9f*(<>k2;p5MO%4Ho>l zrTWag7mDwv1t8^vQC$igD>!`|5 z49d{J;EU^rhf;pf1oe^S5_E&o0^b}&!Cpf*ACfH~<8URQKP|_{`}>c>pp8>?aDk~5 zXO4lOsEEi-sN7sJS$3x(D4|UZ-E&AWu!-%FAp4dYFRk%7M8rUv7$gkOtxnF-6mBQ$bxwALLkQ;?h3PH!GpFxWYnz zOE&D%9R_Pw)D`Rkfno_#ekKAatv+# zR~8%!{jb_BSt8rd@jgikgeE|##o$k|7psc_O0dN%z*&qM8`%oVA z_HK-f*MdRm9bS-Zb)^xna<%jSjKfUJA?T;VM2?FTCxiJibi-j!A#4EK&9gZZEkwCu zV!Ng}I5f`6d8XMDDw|dl?`4DV2uL84 zU!ff(-jgo<3yal|Ph%=@#QOw{6`-N(0iy-cQwQB=z%?L;D}mfcR|zVmt}11`-LmXl z4Nc3}BM{;W%B$djkp4kOFl+XXH&+x&dfZ($$eSwpxVV+<{aJNC>Dsh)4tC z$NJWwz1iYFnHG!qP%tkI9%^3+X!`ExFg$PstC}HNg6U5N(ZpG` zV{>LZxatvtU(6ULMhw`PZqqoMY;sBku(fozVSlH<{sTcf!#fq_BiD3wk1d%lyYDuI zoGGz;L_tB_|1syWVz%CtOU6pB#w_Yr_%AmX&(HVP5;pvT9hM0@+uOfVVyR8Tb4v*R zI-xp?;~Kp0laef=DWUbmB2@Y_?t@p!i^A;h5hkRp}$cKE4&H0c11@|KH1kaW7@TY_p#SPWmnaZdE2=k;Itn^U|HvDNMf!XWaK&M_*5rS~@P zo_szZv>1eY{@944t|cRw7DP2rZb74hF)o!saY&NGfC9j;TOxW(1-e_=+1U@Jo=y>VbsJ-nk!mv6Nek<1>|jBU-=At+385I0>^VP4 z%8ax`w0nhj3PKBOenJ+&-=~8c?1{3`O!txcKrMqT!=d4OxaL;XV#s z@2W-5LN{)-tTKYPr?*#BMy3l2;+Ru{cD@o+6~GCghyuL?umquaC@SwU;8QbS;PpVv zSBbKad|-Zbz_x$Z7wQI#AF)4!F*X=(12zwXXz}s!P^>`a2W|=F+17KCNqIXeiI$cY zCR2b}h$gC*Ug!pT1Y6s<2GmWY#MRF3NZ(pe2oGcx21driI5AKQVeAHQGLW*vPq!h} z{WtRmuno%5@U;%}L^GiT&`Mj&1pyVpgc(pSz+@v1dYjB_V1ZQa>SGb~e|-8yKJ=;9MZ)(3Aq8@&*2YeA-nGTRH62!}PJ;@*15B`JXWoI}3>k^48^qt`;Xw zkcb(6uK`U1NgO&~&|U-53*PtU%?Z#lLEy9iC3;{$%d*U%^Z@N~ab|)(CTGwNWRLf$ zsnijyVfJlMM}hwUt_Pk6bcH%>1!(boN{Th;!_Yg2`8W`%p|MQf-3gYsLe;r^q{o<9 zB!$kEn#MHcDasdE)N;kUyHjwBUzj4`*W26M(;YPciwRhe{|&*WQL)t_-U*lYkSt)w z0V@K~d+5!Id{PCV=aY?k?jR&N4^yTp)iuJc!$A|KNLmi$nJ+Mu2LndGyvg)tpl=pf zJ9FP`_EZHxx4i}ifsF@bH9b9@Zd41s(*AzU{&&BZg=+xkiJ$7T5`ED+k?vc8P0fKB zx1P?df!Vs0M*zZr57V=usRWolB*-El(SJ_@Jhk+BMO*8ge{z)jC}N30N^qz10<009>$3 zdiCnn!Cex_0MP7*$qSgpG8%+dbD05ySHcJkB|LicsO8@p>?+_9s8>));bNd*!&PU+ zKbjdCf!IL>LyK6_jnwKL9%gEw#;TPGcCE<@8|1?nW%N`(V7s$|e*SB6{1hTp)hn|u z3<^VB`jI9%Qor&w%^c+Z;4ed%e=rX9a3CBT-$7}j!1Nao+?H`vVDhO!@!+#EeubqF zNrFN`hi`R}Zy3dgKt*F~TX#yt35V_jcAmHC=uN`PD+qyGC~wY7wq1j^ z;vx*eR2*fz6Nz-dFjl==^LE3ZiP~vhJAC>svAD9$^4Fx&n z3Ys)ry+1WQy~gy;m;X#}X{!0|b;b3+^3<;;@0MOjskpfGUB}P>CbRE#gn8=?7+O2Vst_*}5CT z3i|flJw1nZw?Q_gCRIj8YWLz{mu$Y!-kjEgEa=qV@ObmSs- z?I4!i-Q7RP`o87fomBy<%E!kS^z_}{TH1Quu+-60Xxc#bgDxr&M17cM2R(3gp`uS) zkc|jZ#1+sEKn+vN`JZbt$9H*>*Q#6Bs#Djh$q!f#wTf63N>WYx^6XL*^`!;yX}HPW z06{^)q%Rk^rF|vjbWj<@)#~S?FYi5|rGH&XdLBQ0jvbY{S3G6{g^SwJfzB|DR@zk> z1+28tg1QS+s&&OvQoUKy-qatV!_&=q|E~5Ct8#qAaTt0*)TuA(r~tq@n3aWbUYJ;3 zTkR4CCK@&+r66;5@2aw=j`6!(c`=!e82ADCwZy)aUYTX85KEOAq&R0n*vhunSqtDaXsR$}L7k!o8NtTUF$!`y^idTHhv?a=sCz~2Z#=JBSv&9$D8H^Q zn7Cj3s%`RxV^#m{c~jW$`BPu^rY{Aen5hksJ^wh%^8DPn@0u0VKihg;a@)HjGDjW4 zYjlPAc>a4eptIasVegZotl|G1%6pr>H!sN}Q7Obf?j%Ef@dM0bRrg@ie|A#};sPoE zT|T1x-}cZ!RtYe!o-|0Kw$q0)cqzr@a2MT?j4> zT4KMCwBzP;p5@)aTjYA=_MJPU@?28<0uhS*ESB*6pl_6dJki#65M~QN%Hl+gd|&%- zQZQyDM*;72*G!8=M;D}5JoJtK%L?}sgg{|HMV~$JrOJ`mqd~Qs<(WCtShwnKZ?tY- z@*z2-`Xton*w|QT+PVD9~h6h1`-p%7;!b2=v46}?>YVCi6b-o$)xiVf_OJ4C&$3ha39EJK={Ax39*k+j5qr9 zuBvxe)z;Z-FV^r2u$+_*qqmTkKYj7k+g}Kc(@a|~#XX53Lg+%is>L@9g|BjsMKh`R z<{WRDzeaWWOFjQPXsezJN-!rPkW*I|FUtfW!x`pPA2nYWGa100-(J^)d7#$xw5r2c z%<*5&{X2(H4@ym9T3&QGtMd{k2gLi1g@vDD=14mzDZqx6Hk~f%{aIrodQFZl|6zT) zfJ?*inXbNU;@1iB_L@ztwBqBFTvx9<=p{?UABd(k9tvwcAbv@jYtP6dg8Am!$S^kh8w21$z6r`~nUU8*p zuxw&MJB-`Re&v#L5uRfDX${-Zk9xd$k)Q86Gf!M;ae6*|XhHft{q(a_-wQe^o52^! zQ{nVGs}_L-pNPj{mR9ElB9A4fnK^xereo`F(mnNC1-E9XHEHUi~L1V{fZl6SR1#p$SJ=7dt?xDMLRwLWvS$G z$h6T=VfUOV&H+6|@p}?Q@u~ZcAUaSE9BQ{mO=Bsa+X#Kvx6tONCnLk&5}Kbp_i-3+82B4? zMU9d1HvdPRs(*v`bXnN0NF>Bd^F9)wY$doE>ld?FCf7P@j@s>8F*7w2BO;Kc-8-?K z-8wJxibdZ3AQnBkERQ_b5?OD_kQ=o@>A6CmM4x3B+zgLtK9c+grJqb%@rym$Wjdbh zG-bee8$FGnSVbeYzS5kye8uSr3|C%Sjwcqbc{Y*C+}^y=Y<#qDUlOY-?H$Pb;m?m$`~Jy+$TkMZs_* zeIHBfLQiPbrd50V$}=1Eqve|~DAQ}ZvIx$x@<&(rNgh@0=)h9N!BrREXO6uuhHab@ zc2euEeYQbQ2aH&`ocoH{8QNd_UY)1-+B*pj)$v`gHio#YTPOG;EX#Ck+O6hm^`pJc^ z(=l@n?X3dUoaFUO7fnnjxEtQ$V7~`93>>BTZ^{>2jLsy;phD&f?n)HAiMAzezF~TwH!6>QS&($99!OzxNn_?ThI1*-H2q{{Mn93!X7+`#Q;X z=%;qcuDF8Bj+?w}tWBnDaSDa{E^43E)v}_qOcpyEBUw^iqg6pnlTXHtWcZ&6A`QE| z(>SZT(lNxQuUE&+;!W4J;q$1VeMi!W^qBkpT6^ndmP5sYiKJzOk%iQw6%Dh_F)xL$ zmF1n3?KHL%sZ#O|A}zx)nqdY21Z z^SXFt)%I0$I@wN>l}ww zaK}3+Pm_eJM*YwFOT#(saay)oXid32SjqYCHOU(R_x z)Xlt5@0c17_s{^Vt#SEOzq;09%?G1dk#TOz1>6N1Tta=oj%9G`ffHo%(Wh3(CMmld zd;D(KF>RhGVMOxbhoAcXEH}TMN_+bF`Ep7Te*WZLZHqW_u1Gxh_*GY@{8si)EJtpU zr?5_SRVo4nc+#DBEw9S1Up{g3IkCLGUd*v>vqvDiVQ2F0#?M2_F-1GonF)wVQeL!h zRdkMkRpx2O!R(<%f_ImzMdhO@{^N06Niw$^r%Hc#_}J;c3s|r@*U<1|`u5P|eU$dX zzr=bk&z?#1=GqQh={6+ZL3(Qi>3P1hxhtWj{HJxXeTC%XQkgU7IfrV^D)_4%nC%iH zN>hApR!)^(VxKV&C{ELO)ls#+wcPWWsDd^8_{$al@yrZl}!=v+0h8~@<-IwDW$f`D3A>*r~7>*Ae#CbC@0 zyVwmUE@N^dyG9)?V?;z|y2I*~pNmaRrV!CD_b*1@!u+lqd-UtK#Pu$oPgtx=jt_}J zZ6d)-<&^4N08TN=JJ*=7-Y~f4I9{WPYoDOoS^dFmox4K0QO+s6Wv#CNE_v~Rp!XQv zv&?510xcw^v^k&Q=*W(q2=UPmO_McTN#}EDoj5IoTxn&ki|#@aO+roWjzq{PpZ~;sjfL%uL}hP}Ib-DA zsM6wM?Hb72~MbsXMb4<1Rb9Y_cW)}!8^D)cJS6GKt6!g zhv7wBW=5<7lPe4%z(l>4E~_cJ+SGtkb?%kbEt6scl0#F4HA+s7UGd`gH_vyliwd%V zb(t&JrhZgHYS+q``*ku=66fn**VA#jV$KJOd=zpk>PDbnR%`PX$tiFx@#ocBv6egc zLd0(m9%k25V+(9D+TGH8r@?UB2d9`)U3`7S;qNfzX^CAO32`Y&@cK#8@8=fVQ<7Lx zekK26RZEkDlmWwqR4z$emUBs;Bo9}JXQUzN`@?0dB>moON8n~f8c5gh>Jhw`_uqS@ z9}q~G2;CaR$*aH|M^&}{nKz|5EBG=FY~znV&O*P4DUaVWd3?zKC(f=XtW{ZHP}Pey ziNb&FKN09?j%7%S>ZJ%ky4U zuRfwVjPmbL!pW{>*Gk#2sX7K;dQM@kY{dEH9j~~EyZ|@-SJVQMz$O!5BirF){t_$q zb~2@t4=bxbHAO-A6V6(r;<&xY#uL*YWN@#X(oY--IymT}r1taP=JzUIlqqcynkz=% z>?}s6{H>$mud=I8u8x>>%2$0h>-l~mGHYO=|5opDUY_H;H-lym*FAUgU@Y0$h}>QE z*R4c8EI24~jOP4QVDH?m{j-`S^SVRJtpE@H99F9Se`$&7wn+nIq5s zcNU=Gth~&^^poWo;%2wd1LMkMf%xQ-1Rv`;-6r|9ore0SsSb}4{2o|eIb)HxQ6awN zeiNM{<1qa18Gv&HRjPkR_aU zAMy0?_&s(l+Ec!lDP~thqY4o!7_Kw5+u<0yHTp6JD<3yA&rTm;6BDD}9EA&g8bBO8 zZ5Bo1(im-z5J`|#8PH{ieZ!A1i|O& zoNl~#toX4gMvZqGOk5Wq?wlX8L7YG@j;URxBP1u&vsfGE4A?@0+C@6$&RZ&lX=gWY zn{c5{OAB^E*9A-!uC!lQce(zitN6?xm5!&R(fh`vjx%;-BD?X*=$F%3_bNKLO}3?* zx3-0^HG6Vd9b%E0y{_p=b|JD9IbR~~XpojYe2tgCUO6Ejo~RQ=aS`Z=WRKjE74VNy znT?b_QqRIkuak5b)6RF)F3!p>A}x?;UZF>n(0OuBh9+gB=YGR=%Hd1D)baPzww2|F zJUNvQMiN->z8%Ic{Uy30nhENu6d!@Egw*ICGY^P!xmnyhl}Q7CE2BzcB?3b>{u%!2 z5_nke*E7%lzNfjxSuHo*H!$M)L&BJ^!dFvQFaIQSpQ!{N*X_b|yL9O=dq1|8k@3738c3CKvvJ-2z872>T~rvLp^E7EJ7cH`+< zeOi5cV7>MTqU7p3qVwZ&&gHe0tk```SexkwXC4!)ACs@HJ;Ak19d17~n_jrCw4Fb+ z8sNE2cv*9jv~Uv1q{}uRzoeh5_dQ@b`EIY-W&H571PamMMefe1(kOQWuX;(zntMrL zN`erDCy#zOSfBPtk7$Mut$bKm?N7nxfPdx#+_O1|VRwT0>y@$(1#KE!N5wp|+nk%@ ztjjU&>?-mBBjNk<-UeCBny8xpP20tnh*tWsIWU&)+;o2SH+={jtrkStX)O6MwK%hU zb{8YXQr0B$rruxxxMF0f{(3~tL|$;Sr)&f& zcU6pnWh*he9Jqix!x7*gKIvP6wHmy`BNgy7vdZ1Aw7|&O?jq?6mb7&$EpYeQB#d_bx zyD$y%s2W3kApqLV3=9kgo+o9brQwZ>X?P(83TC$ zqxSZmLlcd#(<}YHV8s&NhxjNmi1+r`2C*6`< zD!J^v@7JnY;6xnDgH8d;3hg8*Wm!$3fP0NMam>(?r}5?!tJlJEWb0^xY)D`1pJgth zF{$SOGQ_CjyIWx5m|yBz{?Wfr>b>!-M-lZV)Sh(zsakjANS93WM+Bbtj`?BT{>F0njUXqW(Tx%a++kHCES~EfUs`AA1 zO|5HbM1thl*FFZak+Cs!jzGmS5n>0W&_jA|d0FKxFAQ-E*p5~|KW}oift2OH`?v5k zVl9dnIsfDgsX~}{Yc!8?Ag%C}r+C(Wwb^5vs}EF~+t|b8BTdW1*iKC(U`e`xYm3*@X#PICvmU`K{Gv_0qI?3h@|u7efhEyb#kjotqJ^y1J{h-|AF3YgDB1by=@dYLfC* zR}#(_LZTl@*_?nSa85BXh8w!PSE`N^g|kkXVeClFqPrUxbjX?WtIiYkwAR5Be{3kv2@EMxY>vI zRUi41f>YaER{O~Vr_`?ohBVlF}>89yV){Y7K(iFoAbAV%P*%FTnytADi=5_mb6OO? zBU=8cf5x%J(S2+J0{t4ca3THFX~uT-+!9vZc&SR4AW3QNDQ8vk#ea3Z2;`dis<8Sl zeWEtK$V;gMTMN~C_V;VtO$ypbx8u?%zu2^z{VHR>tH>uYSan9{U~050wa{{(*w~02 z3uq!Dnj(%6T~#(SA_*aO{`I-oY>0n5JnQuRdf(9UWhcVdTmRzsE7#PS!Q1Bhjz^h| z-7qK|${VuRW5Wmb@|ktz-y!`iD}3IH*jc_DxD@lY+j(f~s7foRt+%$_*J|O;h6<_u zM(-1&E(gw3BEQ_FzWhvx#cxg%81xH%^h*Iq<+Qft6 zm4^fU-{bt#CJG;zPpxht6KI}`T6*$Dmw^=SJ;a0+A>XRlM zyUdtav@iK`OLyLzGC)di%HPMXf34y12& z_$T?^rg34B?aVKwy=~u*jeVUbV#$@zUroLzD z+{T~JV_Q2O8dfixrSQ1-n5Hl4PQet?ObI@XRp!p&JOOd~nzI&x9we0;qkhMgnd`^6 zbzsuQ@ifc)G0uqK$MtD5ArrzYJC&5Ls~v{|199BXG6S7)75gjCr{J{$J^IpY_k}zCVAeEwSMcn+ARByV^UcbLX ztkuj!CAW-wBCR#kQP>F9qtz2O5B;l2$?OF%6f-v z*?VMfNeD?1LMW0l<7Dq7l~si75JL8z{jOJiKR=K6AKv1e*SYWexv%TG-*!zlyx|fm zq|o{(#KBdyYh;dcSK`L(z!zK>#4T6fm$D2cGq32F&b_yuOWH1cHuQxUKS>LJJZP~e z{(4^n%l1AMiCO>UkEcGrxDxX%M%n)SB^8TBI*zreTb?7|BbR!gHv}|_IDM*n>ZTT| zV6bD3U6O8TWO?rEWhtTNPkOg}T@$aI&-Br&KF;-C;^g{lX<2!X+}raa z*<=8a$EXSThD>S^kJvsfXD$_ttaQxppjmjeYArAAl2Bde<&k-&Gj&pb+nw3F zN(QD<66-oYoU5Cjs!GUY7YA$H;%7e8yYqZ}|IHeQYuq z?4f%hGh7X8M|#FxB5p+J7$&|A)^Iqv=TI+sQ+%(&D4X0KHc9(;^{hIgv#qBa3*)7t zSLg+zP778(t7(0g>>4*v5NCWj|LDRp-t1*_aQ?F+yB{B^meOfKhu@o!ID44J+JTU zrJFv?G$UnS_~}s+Z>}Eep3a)FRP@^_b|qwW=}c~PVq=;f<5oD%a;9>gpu6REDl>ZMtkPDn<-Yr)QF6Xaf_(-}vTj z`S&WRR-%a}jD9&DqVWwtenUP&CKL>Rq~8GD58Ee<7JlUZzqfd1#i<}jwJD~~4`6f* z{xH;gmcqH)-v@+4?i%P7pyh#~6CitEErg`sknmXB?@VsUrl>lwYY_hiHa$rAJev7X z>nR_afjj`JB48GB^YVtr#*Q7_4cVkRqnQUK8~#4p=H9TSS0a-ULS%?40?x^jL#xB0w6(_68YlhXe_Wj@);G&mt+6uF$JsOS^u1oTg#^ujr@u(SmD zLXl2-bKu|A+D`pO<1h)LFI)~%U;CB*<)T6CAR z$kiBa(|E1)rp@Bj$fZA5K)~_Sy_wfxJ#5^$6Yz9Eaad^M~+NhIY@bqArZJwHG!tI>Z7{QD>wN zF{3LX=l)>7xi^KNd4g^ORG!9i0d*qY2VxEc zBEHKC=zbiDGpyzKI^op=svi1Np=^ra@A#g3o0FqUZUd|s5KsICunvF6jvr+`yk?3; zW9v0UOL3UM3qsYCH#iZO8Y`uaYAgPNO< zj!DjTd@jzs96Fn|PzvQ5kV=roa_rw%Qs=Aj)Kx`!Ut~=c9z`yBFOEfydewj}w8Xx5 zb>(E=FU;r(=r1+QEL#@^ZiW{ObwD?!F#@0Y877Yj=p(iOC{SgLk^-@_Ds3$J%Qmnk z|4Q9p=FvIP%;IUvj*bp=0tz$-K~ybo?rFvw5xNloqyRPdrnFQJL;~c9Fu=sGZ|(?J z^5GN`F-{GP5)G!0TsJbnwygr^0$hNWiQF~|^|QVmW2IJtCd?shGWnW35s{GueHmQX z=P(&O%}Z1K)Icql!b>KU;90?9fo;MFH-}uJ%B@FkvnlEV$p|LaX3=L`FuwA;YJ8l> zYxa`YdqO6HAaxcN7JhMvwJm^_lnSdRXE=b|ku}o5fkHpVM&wP$m`OA!11cXn`KU&p zTanuy8b;mFcG(i&K!E09+M_dd$Br1$r)y^>ri`4}#zLKdBPd+9 zBwMV_3moG2F-N$W-Tsw@abu1}4$PT#R98YT{3TD>YvpAKD=UL80(i$^8Cnnmy1TVO z*b<5f#t{Iim|(KT)E$wb?X~&7UnFJ%AP4URQfmoI?Lza?%urizNXb)MltZz>>o2d=VUbuq$xf32gGdAl__1sv^r)4PD*bzzJ(9?<`TgJufaL#Wwt|_5qXo%=P`1$qqrMMgj*wia z1ot(lY53<tyU^u}G!@m_3)qupjV>87O1-jcYRCIMQQ7I{)ci0ZrGG%BM z+^I7no3Ve+u7&zwY;0_KGk5(Ol<|P?YqN*|KM>gFP_{i(TfqS- z4!$&GV$Nx397vXn#i{z*(qh!bSofN&m-P{g1iah3{;A3D`XP!ukuC$_Hzr+6;Gw4Q zfc*`$1mgoLb@ zmlV8JT4p9tsWPCzsHbORM}SGd=Y&%P(}_?Z2u%3W(((bo9Qcjm*+v4_2{+du^+$X| zX36~i6DLl9^>=Ijw;Ir%Fac0boXS?T?o_a1CkXSYtCPj)gK$EBUsVtR*bBJuB%VMc z?tuaGFMC?|}Hf@cJx z0RY?p-{V6OqC^N?fTj?1eGtsy(|IC;6iC?FUT9wQ;RV>Du3=}>3_0;cEglnVKDufV zp9X9R9Rb)3&i#OG8|SfzI-{iz!ll3!;gJYMxm8aoLKVPImnQh)X=n-{_<*l8`EDn# zs!tUnoVfykm8x1=RaSZAzg&p{NS^4~*w7Sp$w3Pbi2kZEM-89WOLYhzY3BMsl><2m z=_%}`o|99g&o*j+3Ze92=;3ilE#kD}Z$`KI-&tErv5{cT0WNQ9YMOP&-R@0%%>cm_ z0!)t}B+bt|YJ1EnL-Y#JPHZJWDA;7sKj2J|4FKZUFjP4@2h#_Cx1!gEAaYPu{($xa z9NYXvPeV%!J>l};@WoetlRswH0zK=pHrEQ~5@s3Xl9DQKOaKv`33S8E%!$I=D$dSbCJZGp^$_XuW0S!#Buwb~ zYo!foUjq_INM?RJu6W#_N6UtI5-i42y;JFVappXpXD}^5Oz{vlBG*9nj4*5mSWr!^ zf{zL(*91%PGUAl1zJtTQl+8ZCy9+|_4Uc@Zh99vI;n~&I6+|qMJOQe7Ug&a) z0=gY`3P#07eE3>dV)!6>vp3fduXjY$N;%A@7iv$ACBk?Mf&Uz`5_C^qpK;Be;Hu z4a>`-d-v|ev7doN6o@xqu>+L@gT|7TT5qa?(gQ>ykST#RV+Unb>>&_Sy_REk`c&?@TTC`!AvtUcs3BAFVKjyrK4Zo0@n=~ zMmVJnE$s#~73$pdPyyXcv2j#8v|%W{VhC9QtWbRF{azyJfwl|CsDkU*OTRd-^L>Axw*wy2$^fu zV1*Dn2_J53oV@QXH8r&W7DORAUTaCXP6La7oGl$_kbX4HdleP2u=!t0qGwcArv>DL5e5DIl_)(gZ_K{ z_*70YG8P0>8;96%Fp?b|kgr~ z+iURD``P(<5V(myKuTL*FDE1{3@R-Sg+@|5DjX>P z!5^TG1P>oh&t~$+S!9I3xFg0Pq=S={?^^OtX$-Xp2(3``g&GaYNxTqT9+b_@DGQU5 zh%zus6_hF>fx$z8l!&uK#7~&>qsyurJ43nm{^z&!9>H*6k0O; zQ5X=ufuGo79)6`t{o;l<*k!Dx)a-ewySj|4%b9;fLFOfIRjf0Dq;Mr(c5G}6=MMNu zFld2%$2{mFM&SKZ#6keq4zb>HL?pmSkt1buBOX9j0D#Yy)>fD#@f=tHkl0~iAQ8*I zH61#e3mZmULOPBiB>k1U%X&gO#$J|`#Ky%j=jP^aNXw}+nqT#F_uRSQHysZ2t8uUVe-8(%bIi%z zWiH5`%_V#bGRE4e?M}4#CuP)~`Y*4@qCWWLCqp#|`w~{{<|ZaDF-M0a=)cznTH=Orn$ zu79Vx|2e!71RVJo(X{x|(-YD({6c{QCH6GMUZjK&Q9$K^&xphcZ6$C|(iD@J6k0|d z3X6(%Z1q7d3Q3mlZEXZsMK8;wiw+NSzq%jZ7`Ym369EIM8Q}~0nUKMw{IL)UN=bQ@ zVisJQmz#@LJ4_5DN945#b~qSBMNA*m)iSfZ*7?h&3@SpXP8hVEy|IQkDpq+N(Fp=n zoANrKoM~id*QB1RM4|)XWeXwLwz%erT%rI;6S$-(x=C~i_;|1y5HfPq19)$I`5zV_ z7?Kn{6DW2NVW30wH0SNJ%*+sQy<10fD83=RK|n&J!uF%wAR>x`gW9Pp3u7IZumvzN z)Xb_;-pJSB;9)){f`J`lMxf_HpIn?dIVq_sdcM7@t7_PupP%2BL%!zFg5pBt0+_L2 zKM`3b{5U|t2%Z)~2k@-p<5mz0iIu}->$LqZ8Z9j?#P-8A{0-tWRNxEi!omL@AI}EA z6ja`WyPMkE13{4aY696fq(~J;WJMAkXzz${uoWqXM`4oaPdR;hK*fB_W^x81WHknvkdzrkX zwf@;TT3C;^1xl~q9eE*8fQJ_cqZ(B_dzh}3Rehmf)36`{9=rn13iPze{CRB_E$TyV zi1Em%2nr0W3f&lF0_NuCSPk?89GKPB)lq_}_$jtJfD0{$WW3b@B&alp_b8swcI6Wg zfNEj_ObLGA(xq+4m=uS=XhuRPg zO1jK7U6#2i#c_vc+kZF~p>Jr2ED8*d1X4?-E+Jf*R#I^8G z*aQ?2qqy9f>uLa(a3?3yI}ca@Q{xVQY7S z2TepDC2Q-|I17E+CbTY+RS)*`gY z8x~<6YYAZ!m^JbqbOCX0kjpf-wD|Q*EK@K(QiH7NY>{(}eE=z}0bYOw2mdwV;MWMXuk9oOI66k?M;H=S2FU+#^Z^%$ z*TlBBI84|UWb9n6U6BK^2mOn`Vu`vCqJs~FLwI!g=cD$;c~U{!8Ab5z{nYl>b~Y!Q z?uW4;z@`hYzA*h|ZqB=v!h6*5LHF(uJ>3aHgcJg`kitPC!YIt)C`>jguQSxnsIq-kG#jo_57}JHxJUC$;&e< zYvOCOO)71q{6eA3)YPk;m$vjCy?176*ha>-BLxqOVu+2y+ulR#ooy)-tn zbm65AjpT=~h zp}dY9C@wB;TWM8ytRUKosA-Ax1i3CEBlZs|E|P+9-aDydO|?B_wWscAfWU(b#U!bx zC#0n0oCRM6dJr(TmIqhtD(@8RsdZO4eQ-DN=K7sRWRG7fkS8PO=bMC|IXN0$sL5k~ zJ3A)_4W#!I3sN-Zr&#C^MSc}pHUGCtLIr>;0$>5?jOs}=d%WkPqGw>h0}f_YGyfBG z0H^p~vm-93P)+(!yHZ%$`=(GX%7@SHOawxO@1Mc4sMxD;SA`j{yEHcssEnv`AF0Vc zwE~%E%r8{@kC9_vEJ>gEK{8OcK{=1#X*p;;TYS^=t2WvUkA=>p zs`4CkU(!Vb(LGQ(zJsigT|hn=b&cW%*%?t9+kXrzH>x@v6V5Gul ztU~+fi(p;5Rsp(*$e-ae;RaBOKQwG>56DG>6+d(=ibVl}Pnk|DX4HGLsB7JW#q3@4 z*G1&e=%YdP2|Y;fm!`xZ>M|Q4a4~ETQaSW;L8M0thdf)Q^)8yFNUcy9gEoi!Nliy5 zZ{#tK09*%_5~;I>ju%*Tqi#g<{8|Yzm~TJtG~{PWC6NnKUChmEQicjJKtLluJ$;v2 zM0!0fPvq$HGApSaWDYwprj$6HjHU^O&B9=t<-`<{(ld}(19np7ymMe#6ABTc+ zvzc;xPmeqbT1Q8Ew9_!GK-o?hEg}F~Bxq1#_JR=;d?32LL~{qOq~fN+Y(q&o<6_Nv@BMKTfLXIl8(UxbZa}bE(a6qvl5@xiAuo0Lfyv@r)cL&xT9K0**zI6Ur zY0rn}mpBull$x&B2s>5LNQYQvQ**Q7zW;Xnp2N>kE#l*6^UR|`g325I1aXT*mp$_K zRE#WAWRxywI;kGgMu~_*PUYE?D@n+|j4}5@PZh;-xQw8{6Qdel*`_q+1f-__M8?w2 zrDIi8#7HOC7N<~cV@iW|5{PrCw(%)bTfVoqM=NKOV&xzzpC03Ycf7(p_WQT0VIVqr z=?ixnhV;$MKBv5f(@LKvmYP`2l78rNe>5UPOZwdNhsw2`+)6r`#1%s*(UFbbY`&>P zM@&levYs?&$Uj{OiL5g^eX9>T>KhS9=cMD~ix-%8~6ri~OsJ zs_$amgG+cPB~HUS3cLk0>6)6F;9Lj|4kji-y{K`fBS(bRlzL_P_v8)y%sETCj_(8}9?5b7SpB1rj%W zK9nOs-$vH>a@VLFNVXBNXqJWC4PrUOe$xF5Qc`fb3Gq8VMnFz58p8Qg={hH%dNKsA z8Z|~JWv^{U9hTz)&$Z`d6{S>(v( zhae~OVRTMCXQXx^V5$3La+DSi1C9yoJ253i*k~sy9T=g3k)sTGN~fO>OOqtqy1l zHas6KZ0?&1;D~$EuGelML?_(~t0u-RNIs{~S0|*9i1ru~1$YSP&)T8?0yn-`Yb;rb z284Cl8gZWwAtj4FgbF~_DOZLkyAIcm>mvIgj_KCtE}24+Oknn7_Uj-k^LOBv;bM2C zjgQJe4P65yq>6M^Df(i_1NRLIncp18a0JQQ$Xwy6ux}k5L9L@8Ny8bNT3cU=FhnY# z9F~Qtq+?OKdXdqZZb4PN21o*2E73N_ae)9AzHxG5kXA&RPXrG0{ZLSc`v!I$EiTla|HOY$ z-%|cW4=MWPp6#2F-Vk&4!`8V!1VTI0Bh*ECfMIG}T^&Cpgm@cDQyFz$qltKtZEz8Hq5`CED;_cB0LO%Xn;bXhV zx27hao(aOwz<28C#5-j4j#v%du5)d^*sl{%v$fwG?~UxHg2x#)v{-{`jyK?~kp5>sQKVbSrD z<_td)enrjlMBO#Z*Gk#0aZXN7cIY6X9!dJ|(?|hkozSa6zz9bVEAi_YMLMwQks@Q~ z&36ssb70j`l|Y2ty@&eMgt4&g_^wJ!h}As4oRY1y%0t_dXp-95g`rGB&`amxz;VJ1 z05W4}kQ(rt?)nf^bp)#cr7Kh%_(iM$ssXfcV(N^V6N-d-Q6#3_Zn8McgzoR~a8_KH z(c#}{Vj?8`n}~Fbw1amG*)P=XYCdvWtpG*&S595-n(*!D$5Dx4VbQQzX%7kE%(r~- zicKa#fut&NxXzT1JmX#2n{U;<;z`Q4+*%%(z$$~@XC`XUij*Ob(_j=jJ z^R?EQ(QoR@ww-zEHXW;7F+-ngDOyJzQa6R1p2T6o0G&++VF_BVDyg^%&atTLGe4|! z)O+)dhA5X4PpVDg7-X9=#3lw;YC36}fd}d5qpBP^Wv=~x&b2FAP9UUuReh$=?TJr_ z#)-nG*VvcZTT3q@sT{T^8tkfSQE2iZw_KXfD?`tQXou-nKOklf$QB8$Yb-Y;UtoKL zoD(5rAn6f}wh=oAhf9C3FlH)vIxf3eC`SW)_iJp7C|e-`CNCe7qdg80c&}Ft&0~(K zL*2DhoPl~;Gx!9B*4l1$!ZEV&_u1S!PIVm?xuZr~YmNO~Jfa&Yv|7{k`5V$thuM#< zm0zQOvcNp!LUCgo*-uxsfpsQYSom91Yq3kMk?v3ba8ka;j-Zdp6Pe!Ki6e~R143OW+oPHR+$;o*yQKdPhhOQn7e%vD zr3WG^>GyA8K-MIPcgf*ttmTU;QuRH+Q8+Cgec_q&kh|tH6G!8v3$bdy9mR@@iqI$k z#0WF4N}!R_Rgl_43Eu_-TjUk#w-vZc_igUgCTdV9x1;BSf^u%bNM-9{IgdePje}Oh zbVLOG=$|etVWbr;@jX4F*CPzkT9BGtyJj?hnPzkE*;`HC38%HxUn>!@8txs2X?`Ug zI+$ow!j6SD1BlhR6SyGsi5|JoZ$6tZEqtg-t7!Mhn7Zuz{Cf>UgfQgHQrdo7=8$Uj zpkvz!j?d`Bjpj~^{+3^g6!9rq>RZLCG*c}yv^=HAzls>|?Yv`?+%>BOUOk<3#h4?Z z0@T!o%+DwJRc z4je$r=zeoV11sT3ut+-7^fFF!LxUo?DvBss&5Y<>l-)Es+Wkq%`K zgn>S06W8v!yLVE4#tjYr=tIIF;eX+-(J_TC9a`!r^N@ESQzxchD046jK${TlEqFfo zapcc{L%?qnS$shOA#x7`KvQOp6751Ln50@<0Sd{?Jp+rmYh&%%LbbxHSZKMTq}Rqk zC;_UJlHz%Dtu|*%QC$NAP8LJ$v6Glqq3?(fns%oRVGa{+G*(U}SE2T3>98(=^7u)}|Ei9`*6elKu>`OZ^EP~xJm!Y0!PMRa@; zbnGyBy&U=;*~&&hJpkZ9g^bz|)}<=(2^nCzYaGCSPK_rlw>)MWKJRm3rl(d^{5Inp z)?GfzqZKMwUmXr%LIhDoQ`1i)Uvx9bJoG_$e-tcO94L==c0O%>UH!YF8_h2Cl_AE6 z9;~S;)TC*swxU_rQg{igz)Hi)NJYDSGchFpJcW#$Uqs|ymlY;BrFMz4d4WjrNgm79U{#oe3oYXl}0u}Pfxj)z?S0N zr)5%&Gt>-nOG>&pOS{ne5@$x=T-`wz9W5YjFcnLcMr!#|m0R6>i%-R~If1%54xyMj zvl>$?1Dr@C_85ntp^SbfDoQlVRGvY@5YmnCh1WA%G3-KGjhqLb0&$m>1~sZ)UWfEB z3m%U2T0MQg5pTP>7#Zd~y;R)%U?R-w@}5|=yB%lkja&pFE_OPjtBqT8LRV_xo&Vlg zwehDhW3@-(vatyZPqw?`aCAso3C!eNc=it&%IZ!cY=A(oZfCjjKV;@Re_HQ^zdyS( z`8@5+SIuIQE@-?rlahpQ65s;ErBI{+9#4h$d~ zGR4160A3R9WtYAH4&-$h>}3u9L)`Xmw7=@D2ebe*hB1hNKFCK@DVP->6nCaUZGFJH zxPrKZAWU8o+kk#~XMld$gY6etWc!Mx3f~ua33gr{+Kxqj3c_IB+&vU+(u%~*S(x%w zB6|BsE&3q#qCh5W#nUqmu+g50vg_5Jhi>&d3kJ-ro6rueeLYrR!rH0bs#3DVhtRm+ z&-*XI5PwDBgaAsy^cVRWd^ze-KqnxLR@C(%V>EtM`7clxrqU(5uT#jJ8&{?x>jy>? z1vtP3NChC$2k!>gfK>gd9LJoimW2`A5@5H^8@guq14aQz2vIgs`r^+R{k+i!#ZZLO zmq2YZr=EM-ch2#%aE?$D}-yh!-SqRyBYn(+^FQ8(rKVpPLf#VL%En>n& zRzsqKCN#upQuKVF7?4|g}qKdz0+ z*)e1_UmF_{ZVsNdy^D~C#5_lR%#kJa->I^RDUl+T<;Ko%nDw^)716@%+!mz|h8LPV zK}S0N?`U}w2;tN=iz7As$Yhqu|92*TtXyD{zK$pQYH}~<=>PrhBl)L_f&m-;?>O|@ zc2G$FAB4HrR_hrlH(}?$Uu1uzNcVTyXe7T`w$&aX7M_~Fa>JM#*({swaFF4`oelTS z5HI6=VR$Ru=zjA8cJn1s-$HNQ+dVvA_q}b}^R_pu=7`8u$r95znVvOQ3;e)KPSX4+G+2vbdGr+ z)kl@+G{cx{$!4n`Momkntl}Evw=P}{@g1ga8=t#MbGK+DVv{uaz||6MOfqoCj>^iP zHn$m@)AdE&GuM?%Cfwr3$rJ6zc(b|HA_kVq6rav)@AWIU zk;&H`FBjm`JjWyKd@oES$nrN^u7!El{J_EC-z%rPJY0JsQ=+AQW~k;Gp2$tJd$BAo zFO@52t-PjEGBL4sqDM!$>H0T^eGV#|m*_cHdw7qzEL+3{QhNH|WxIDUnro)(x|*lR z&mUn$6rJ6=TYiKO(|WDFOX(8@G^Hf1&*E2eWQI-dz7a)%}nCgNgY1tcR~>#1^(Z^5*^H z_VoJ9zWFq}Y~wF7{?+%=UOkol=4?f(7T*2xNlo*T{6q*Jjo@f&1?NkJ>&}DM;;fnL zZA6t5pWp7`o-SACD05GZl4+Bg_Q1T}h(=D933i@A5w z=9CVs+)p_3&5(7()7lTz^kYwf*{~d4Q)wfo}6g znNYOG2wiT3rgVoM+~;-;b&rXl*@vH3*wxG?-(3j!r0SbM5m;_`Vmg7+D(vF}X0ezA zquQ+!tNEb;`wZ6y!|9|Tm=dWlGKw`P*1?oZ8aGA-@9I$gD`axuM8!=t30GMPQqebhNZ z%1ub_`4MtKt9LUSU!g+p)rJpI4MK~RE9c)9%w^o- zR5P!;JS`$m>R1P=E=oz!Ja01od9_EUPd@I!)DX)(o2D&PvWH?v1Gu86HlM{6%(%0o ztqG8XIwtG5wm@+mYYxOPA&5C9y=}aUwOaaO~IY7BA=KYzo&5g zGu>y(co>Iv?+<=}4&v^2*b>^eH{)I?%aVT~sej8zWM8q^zJRq>^)*L7qo%@0Rt+ z=k%USMhzOCMjx$yggI@CI`K)|#Jn=aGF@Jx^VSpQa$ z4NpFQTdHJvzxbh7Fx_fXe2MVAv%Ef9Q`vup&@$ilC*WZ*^g?1#)4o>A(8XMnD^;bjMoah$U#RzYD8kv{h_)19WO7^>({^311fyoUQl00u+ zRir5=1s;5QeCkredy-(i4Ck*j%@oRmu_q2U8%nwc#k}cXy{e=5m5q;WqvsSmwVX`3 zRYd-uQ$D@tW|w5$oyjo_)q%z0T74}-Ts-7)Ep1D8Ymo*enZYnIck%2NnI@HAGf|5^ zD?azRm7RMnymj)c&Sy5*TT-hGh1#gHT{Px;Md3c{$WrFw&$4Huw1jYo@Qs((qz75F z>n0nO9!a^q@;z0N$E=gcHmOlWaWI-^X6(6m(ek0y#w|jRL`72{<)z#ywK)IvCLiwW zbOt~f*XOCGs}L|=CZ-A#!M=qR%s0@!$DDerk8YL9h18Tl(vG(xRKI^`?RC)ZZqR+a z`M1h&w!i_0Za4mYQN#9!k`)c~zq@zaU1H#*s^aQwu}bXmvhwDWpi`>DKECvMRPWzRpA5$(C0 zCa9DWoX2c^c7rm_!)Ci~nb>CkF7D7wPHu+%)~-A^u78X)JQ#ZWx-g~6E~}usVkRGk z1#N6HY8m3?C&L*cT&&V2*?kn~&OYWzCrx>8+@>LBaZv4*jX|lq!*1lZ6}4kWra>gj0Vq1iNG3-;d0{lVMsywMAO-r*-jjx8d)L zk9tbD&eR+zZm^5mUv(~4GILLec5OCiL1sgR0EeCXjDlaRgyXW#%>I^r;c#?)AKjy< zEp5LJG?xUV`s#G{8EF)4k@mJdpQIXol4A5o#7yyRilN6`pqac_)k~K7`EoZGZ(aCz z;p=*N+8fjD4%xN&>47ygu|S3tKjDLbp(AcEL+2H^K0Q9h@7absG4XkFjh!?6bIM7^ zOscNb{QZ1aDPj`o{q&UML}L>vS8JXN^6na1N;>2@-t()k=Yi3pzsGR{>46z)zv0=Z z0`wf$PnE7FZvHdTZO9k!qK3ai)bh!$p+XV5RLUO7s7liI&Njo!=Rww)CQ3I++5@wC zzW>P{{w-)@7ZXlxX=CfyT`e^xKaH^SJ*VEcij|K(bGok5)N1_gRI1qO@?ypjEAu>C zjgh~fG^YJ$SZ^ngkRhYWM%|5J zfK|Z&nkx;vTJqJF|ELv*Q{a88g5+@o~Z5U3o z+1ujzgU;I!11Fz0YtFp8?^?#oNuQ?E>%+~0=Retr2JB8OFIn5|IUvNlW=X%kTr9)b9M?X@4L&53KP8&i5}5dOAJ?h| z7e?wP?ae*#y~}(kAkp;V#h}hIu5ym?*`|4Q#?vGG(@B>!Xrvb>E@dl?a)$f86F9oX zvzMJ($J1+Pj^F1p=9(-e^f#}PIDgjgAC7r{bX3dP()GJbQlo-WoJhn#O~ZRQ@$v2- zY(MyHT%Ug~J6LaH@e)P2QNSg~Wk#x~lQISe%9mXkqJ1Ch!mFkF*&*k%{Bl}A4M2a4Yb$Y*#>(42T`KUUhT#L4ZwUVzUY2P`A zg!Mw}9aLlnM-N8vHjN43x+T)2&GgT!SwB8+~)p2LNf1c(I<7Q8f8@C^>B_G&u z_BMz7z+wzTL|da-FE#V_{w9e4uKj9?@TeazysqG|T9}%QjvrxD-$ff=Tv;7b|MRj6 zot0%yUv6>t2D<#5y3dD796jCH8(P;T>Sy$&$H(lZ0}g4oce-knH9x2$O_DV_YhR?U zE<|2`RzAc`*)&u%`MrMVfB`4}*_c=Uu?`vL-H)Ds=l%~J;h{ClQsYB zm~=?eBEs(Q-JOTGQ_!l!#k=|K4f5LM*MIYI1zWbNlFRh_)Pu3#Ylb`iFnF4ea!jgq zPIP_xrAeQ#VPURqsc9i+vZF`+2f0V<0?m)ey!CIY_eFNCuCEucwJY zJ}Hx4;*IAfwxo1&gere_2+uiOqb%xrC^p>txmxkGTuSJTpj+R6a_p6soGCfRzE@dt z<>pS7_Mh)`X%)LKZjh(hEXUz5qP5KORMnHImYpW{8ReIc{n^`8Q<9c4Fa3#ocJw`m z_41;d^F`6fpbg@M9|9&TNW=l~n(UJP;jTXwOe+#diHm8fSR`^Tzc>9E!V)|=={htJ z@MuJH?}f9hH-!~Axwv19TDz8ZDg-2tFluwzx=PHnZS`_v4X)&#=Aia#Ycw+C(dv(< zHePC9XLEAwSWJqMc(N+Da8vTQIyVeJN4PW*tug`v^ zU(XYBe=E8xzwU^3s(poj^$}ar)Wks@*Bx}vtZv&f2bvaoY;x}{<((8Ok~&`++OHGx zhuUanXX~<(1CRHm7Llc(>ICOB+OmaM>Gdgv~z!xq2M>iT>0u3x)*$>Hd& zX4Zf=$vtxK*{7_l1&Rfg8{=w}4A<9h2KLV!b9~$Joo4;D;^=~m-_#HpFFRTGXY}AiSyfO6`^iGp!I(?gR2R72Es8?Q4;0IVl30&C zOn(|56Z-n&$5*OU6omq}4EwU~x!V_oL=Jvl9Sf2fA9naMR^S|cCb_13Lh7IqNkzZh z%k!5D|Mj5>?JIhxuCD%0XXal1F{(M#Y2&B&?f9+M{T%Y~^)n1oYA+qXdYT`(V|I~V z&p>VK*};tYj-`;iRZ)5Q)$OTY-&IO1Oj#S3*6B?Ap=@)fh_5_f72K%5O`rwCr=5*k#-E%*S5FFR114_Ir%4k6&ExXrsxLEBAgK$u!bg_osM? z0n@L{_~jexeMwUKM~eppxoH&&E2%P)QGi4fm=r$ zkLoNd+;y`*dP_MWW%BpsINsGCno<*gY@BXubfkZ;J#ziEDDQ)P&eIp@eKwbsaa;%) zO4feyrn1~C|5KfDY03LciIWW;qp`I~BL|;wPmzTS3KE+fcQsra(qoifoK)c@yxW@D z{vx%Xd5+tLr}y)^_^EhDU5ov*+P}HS^Hg1f#jTm3j$%gpOSkKHmG3epQBqJX%G$dH zTXXr&TvW1PdmO{0?dq2pwrw$CcIZW_%jXGak1zsUYk{;W{^nZc7rU+DVK47Kl4L7i3F z#XWmo9p@~|Zmx-6cYA7G99>~byEMI$Ab5;6@+!Z7a?RrrN)_^Z+p{lKZ)7oUfqO-p z<-$|pPNl+>Uvo@LvvD+YexIev9vg_N^-FahGBA!DOIS`mr8Y3|npS6Nil2A)fU`|l zP(vq6i>vqOFU^U|#Lcmi)KbkCEL6@26E`q%(g&gWKbfoiRrXNT)ry;ZH?vfEmgXWq z52$Egy>t6)aq*=ug9AUO!D#YVOXIe+>E)A(^7M{+cjWTLS9B(G_LEaFUf~j2PDdzR zUspB{c4g!hGjP9To|)A^_|5COE1MR_ZQ_jO2Sgsd zN}#+c5THtx(DFRBU4dvlO*ua*b3Ob?M~cOmO}U>TcWJR?iid|VMKTcur>4$uXiOMN9O=BNIls@Ej}c%~uqjx#g98b2 z5we>nbw=p!gNiJk*)ubT2DJEh4{FKONZi`c|E=*>N{VY3sH;I^w<(*eX`|+x=!@(7nntInP5$Lit`_Dl)sq#TqVK z*y@z|$XhH3#HBqVeV$#(Y?S#`Y<_oatLKsmuUOGov7p+|$!k$r7s9JFeTJ_cQrr+m zqRGC}*=aQ}xch*Zn?>4=U)mR95A1!e$&;Fra-?S3B?M^SzYtk{p%@5uK>A$dAo_iA zt|Q06PyjpuW1agKkK%GNW#zWFrhCm>Gnxx?1;z3=;1dHWAIes8^wEUyw3UB0@5S@s zr^5~!7Ce1_BzkztaZmP^?k4^GJuZnNt8NnGqOE?y4^{^5ve+s6Hf2$s*nRX6^U=l* zO@7~$cdFTbpIE>23!Ho;n*6+V?37-~Z4TSRJvR^E;2064ExBu^9$V8Ndw(s7KQ==k zK0Pe;`1adP+_Vl%v-Wq)KZ;pyPO#Ixpvd<3(%4%f2k~fBTQ`NW#WMJn_IwjOGLXmwrC29Gwq(Fe7@SH$8S2Mfazr^D4 z7_chvPH;02rlEjWfEEm?h>B+uZ=u5Z_e45gf@M%Wq!TtM~ExmD?s5s;XmuKvc2a~SLT?K*(A3$9;G zb@&Zi`1f_=Q4K%cmb1Vs=?d;|%fEFL143wufX4%D(q9y}MNergz!(N<7ZvFwR@1MD2Q8Saab`{{)ae&AVY*<*X3`xJdOBLOVZ4J{#|et!?;j3 z&?BpHqtoQ|quHw5Bfi}Kdz#dzPA{}TtZp`&6Zd(eHuk@FOC%S%R3GuT7Nm0EO#s=B z_^O|)C`#~4Kj8nrKW=3a*6etUTX%p!xS03|lsw4Ebd;8UH6b7&&lR2l9-P;)7I!c? zB?S#*@aPF*QA6p1YZ6c+Vq#Z;c!7vdd%Nq`1#mV2YsOq1lTEE~{phGD>=|&hzHBlR z%TAiRL3syD>w@Bo#Kit+=9(fvDdB3s=-Uib?Sk}#%WX_qx#^F_)b&j{gF>O2-r^*F z5ySk~uaDOn2>?;a80_lRn<@>wC}05pXhm|#Gg^NhV0H(*0xno7Gw_!=@(92mG%ukK z1E32tGjZ?WZvUP+{cm4gxRjJVIs_{Q?SS!6_0xN;)CblDu90IZ>Z%97ysgwj475Q8 z_mGO4#QnCfm1wH$f-QJ*6u=N1lZd=}J@A!!Ix&#{WN?ILJ1~lwzh#pr3;V zpf9)|iX%YRX->@*{f9ZS`;b`ASvqOZta#df2=5QZTp1V+3yb^U;|N)GI#>Di;S!oQ z3wjt*(ti*Xt1+`)mKzK`fP(zA^CTL;E9K`#8R+D}shZG3REG&tjBVRcN8v~vOOl$z9;3Ucc z@RN`TX59_|1hyJ+2WT=vZm2*L_yT~PaeF2!&Gs+t?N>O%_1xWol<}@JI(l$7m|p08 zDk}rd0jgV?3Kt-SmHyPYZvGk=W_g{qJK@Sf=};iiVK0W5_(iQRDk}pijD~jSt?EM{ zyiVc@9a^fbz>5HFwecpo4ec?EssWP(ycfbt&1OKdN8mi+0O7>_<1yi50SIHc3VsA; z&Wu!B@sV*ri93q9>A`1f60ZV0k)S+YW3SvMIk^$@wNn#)uvYvSS6X9+4v^U2OHKb` zL0cZ(YTdjJXd_U3$xu5>LnHkN zV0;31i(w7c0D^95Dx)dd_V7I5F%3Kr8-JFZyiHjdA^{wcHL%J+0DIisHH&%xt1}`; zf%Dij45k&97<|Bc2_Nx%n>h<)4B_HK~FhDK8p?4`3l8AIwTSF1>nT~lAHRo@7ElN!W~8+(c=Em*auIpp*9?%OZF{-2)c#cIwprU_cPCvA`O{{7G%*MC%x?{>PjvZaoM28~#xx zH5}u6eo4vtOOn%jaCmT_A#`3|e%nzF7!U|Kwda^a#Q^CaaPLOsC3R}=dWZMBPC=pR zoXA0=nZY`Xj@)2?#rMjKS3s@4oo1y zY4Sty0HcV7@h;G!B+vyVnEtp^5UNhwa6X6weDdU3d^k}0qaQJB-;B#FjX|OWdaUjV zE@6FVmebhX{Q%t8@GGW=C(UvKaY%8gv?5(wu4RlBN&D_g?`BZr9~=_PABfOcoRRut zM|9M2Pvny)PrejxcM)gq{eUSMfYXJ?9zw}qomsFu{U|?_;xRqEC&k(Bs zWrOu^J_{QLcM_y7SUz4v4VPmZH^dRQr^4dEF^2V`*MCGN)X0We%#jLFG2(k`$Ud3IBp8gpDE1(COb(Y#V*z(w4JlLfIfrG67s4 zh%z{yklKMavFOZy1hNgx50nLumHDqGg1EsHHUyC>d=shd8UQs0+zC$~1iBib_Y3+6 zNcwQJpzg!*;TuHgzlbbW+=&}fjr;=c5`@K%D?D>OAr~8SEqYEC?;Uef)SZ2a$&bbfYr2F3_?EZaAeIC>=05nN?R zzSKquK)DRxRBU5mgD4d|#Z6?0Ipz#`-L71Oi~dnT@JrzDA6x6K*{##HEvXb{vYM zA>wyhM-443uDKEUJw)KZH?6^EMDb^U3S$*l&=IozSj8$mz|y{$2+ltJPy;%hY%(}2=kEl`C(h|MwOc&0|D-~iCX-b z^Z}eggl!38B&bUJoey5kZ1v0jM0^S|4CDtmtr1X-xi0gGKgqp|uwEPxUx zarK_#m^#em140cD@<>2+bJXGaF+H>@9A*cGk3B2^oGQG~d0a<_SA~B8E_CUOzvO#Z zL<4xx5F3HN*pu4qn(pNqJ9_^B=WtSi`P1m=zVI8`y~MT8b{tRKO#-n!sOlUWZ7(!2 ze?k}sw=vsd4dD(^B_R(Y!aICz0tuNBl9+o5mm$Gszz@v^D7yT=%Dx1g%Kd9w=adv_ zI5?WRv|_~!%|4uP#B!+dg9HE`6J!RkIqS`viZ4J@ zHlG%VI-(FBLc1s54z<3RfvTy)j+Th+F|W?y2A~5|h4YJoV`jKoTx46WRYZ7Cj7Ab3 z*fXOdjP0G0Dtu(Q~E3%RYPf5=0qrF`#L# zxA^85XY_t?9sH@Ogre;{+s+iXeY;h50#k{J-R2`|fU(CQ3LM#xG<2%5fzSq$2aH8uvkF+UZk^>aIfHq@OQu=2E+16roIF=6@ zVJL$%AGb3;iAlf;8*)Bf@4sF9@yae^6io^cOKXaWwadXD19g75CY1D zI9cEbI&AZu@1Y$79lx1gOAA)ts_D;kNv#70>@R+jecc|DGr@_KX_B!e20PmsZ>$I? zpG@CtX5#L^~s4%V8_awF3R4On8)*AD^-xx=>E^765mm zp$E1WNCBlH2RT^=bWT@XIEc~Cca-A^`+~YtY!4VHtP&o6&Z9_JC^X?>oNqju)1jaP z`-KWm25f(n(YI_uPw$oK!Bb*3?Qel+?Y=%rP!oMX_N)r6Li_(Mz<^*>apQTQ$Q954 zP!+%rdvv=?N35F_G^#*~piSVsaAaGtTQ-NXHE{S^9#rh3QT>S~FJxB>mS$TFC@&x)Xkw-yXM*WPSMsRK^h! z1e}~7)<$Eu!TXTyN+W-2sS%xqNa`cthfPdMI;LiT?k})|z_gkAX_%`PiBK)Be$c~h<-jz&4Xmb(WhFY zO?F4MFm^D2B*Irn|NXXCgV2MlN7((wjjj7kgLiUoSIvxtyC3PcD+m;*zinXkLz6iG zB4yCdHXO(|d>8xy1}Gp#!m)uY)pZD*c}?8leh%A&Qhz88f*pX@z&3(tQN8(5HYISH zz;4wsH3L)dL+FU)V9aQxx4%Yc24C2&-tlew{xJW%$D$c!W~R2NzCj%RqwyyWEKhv> zJ6L~)SLY^V-o!^*%`7}JEb2^mYfIm4w{1>Ml!L^tMBeuYqD3@vq4fp@|2X4|Xsv&B+WTc>%lzu0(uch!Pnuwhjj2wnCaqT7E{pIM98oJR!|6F@HF zhI2y4ON{s4KaTK|A*UEsYyN!IaAqI~F!CF4x4;m{+k9&PPAbMu=T%wh9tns8w0vco zzso;P_aoRqEXlxj2dOA!HYMz6O!rhx0Hy}+#g6!sMAue?3coM>^q zDWkzYsn%9KAWCx`M#%GI83$AX0M>X=Q9 z?+~W7Ep6IuJZhrC;WV34==DPFUyp`E%(bFfqS)nDzvA}=x8bNP{g$Iqb3s!q<>Fhk zTFIi_4~_wGy_8%r2A9pR^3@(Np#AOC0(p4mw+7mFwb1;9sP3=%j#3neTJ_n_+jP%W z)Oq#NyM|@OU*Cj^AO%=YaDIlezY-x7P!NbKurI)@z)5;vjyrX!!`L9k*T0XVD@gP~ zjB9=Iyq9aywZ02nL6?N9IyySY_i_U|O(NX6O$JNQuIWx1a$JaWI17Ri00Gyv>F!&l zvR*qMl{>nSy&7eXWC&jcz}|+{%~4p5hQj6BD$wZ zY8H_#HNj;ctVjc=`8Yrm=zH-MFLiW(n=@Ea4<{5Hz#OADyi@RZ_oc1D#|9R96k7+@ z=?JH$><51bzXW^&3k<7{Qv>S6S}c`)gGeZa-0q5#p31tPZ7m`kbrpF|mIib`#MggV z%T35nqCXj0m-)0belA3m)qUWwfo+gYAX5-pfV#pqhj9lZ3olo14tHtJ?jjJOrsjMy zsgX3GsG|cb2pm*g{LIM{*NvupY*4Vzp&)+i6{0n`ZIgdA3;Fx64YNn!rWLd zcZaW9X0F2lxCYIViD;?P2h|2L(NG{FQ5&%mdZ?IuUrtVDwZ#8k%f5`0$sa~Y@rsHn zp+z+}SLcA%d$VjrF1XMvzFjIIx<1VEVRoC8;3AGfmYhuqmIFu&?965{`~s72V(OrM zL5`aZEc9`nIMG$e5x`*(2?kZm#BU-2Bs5rtvo`USnsb2!(`PwuR-N0%okdz zJ8k!J1s{@+%DE!gi{x0iTRc?aTKK1v>RMUz}!f@FceOKs)reFm!_qjC|`{2R> z4n5@RAeV(0fuMP_C>T!$>I&vPi?6Z1-Upc)4C@B%3?2z_0%`Umx|_22tU^^BF1K0V z4X?U{vx(>dknf55B)CtoNa#U~)jUprLa>#HbhY;%l$VD)YqIV6InVm2TudcW)7jLV zS$jwy0H(&(KTWJ_ZD>$LPa)Llz+<2j8DJ1D1s4fY!Cd4$z8B8|z!l6;Azj%E;lvea zRhNDVv;#17>+x9)Nfe?B3v3R&>3!2kIBC2BMr|v$IW$WM@&%FnSkbr{0$=X$6MhJ( z#$NQYf&z6(JE=ZkBeW$DKLQ<-dn<=Z5(-l#$O7OvU_!)k2m=ww>d#CIs*Set1GU9^xY5= zpBw=eaY=}RfQKpBngS8IcY*qUJsXa=2B|8`_A>~1ph6(T3H54AW@T(wMC(i|LB0{( zFU%8SLvs;?RG_2*%Luh-u$d5jNY+MsbMxD9XnOqUN<_2|13|ec2~755paQs(93`+V zkPO5V$9c9nZ+^Q6c^BpQQ;oev58f_WRVCd16Z;7fBN1=lD8Q-S_zaN$e#q}&>*H2(1AFM@^}SzSm|Y@rc>wO^7tVtxX*bK5kD{#8 zN0Ty^4swRD8b73DGysW_;!rvz;WqiCe+7t)hI_t8pXsChpfY^O>z4oMrTw)0Kca4M6ZRK&@=7w zCJcbH%*~I}^E<4m;!;we%+c+HJhiA>4oo0JnwqM^jrGrqi)(-`U|D}8Yg^Kj%~mE2 ztxNyW>JN?>1S0l596g~n2+JfVm#)H9-g^}`3$_rSgNPYV6$X!BguBNPm89J|2O*9< zfgt2h%5Ysq3I!Q&0|WA&5nGWhgilF!f)Z$TN@o}>7T*1nNf5axWIF)U-SPO6g zvIssKq=7}(2j~jy4{MO2se884%agC{nsAo#&uBf}v{t_-&EYpat|uWFlwdwvWHhAwsSivcnw`%hd4dfC`xA+*Fw|xjNAuz72qj#! zq0|kCj)x+_$H`*(QN{1gtBSy_qMkKs`?x+7I3uJ&DmEkIBs~ruLKULAKxTlP76$Gz zT$ILWiWz(|&N(<|#O$gGaW;E!S@4PgHnh=}(v0NnA&3M^MZs|Z*o&;N0~`ROhIut9 z`>{|~)fjUF0!=^ZDU3E^O4u#LskM(JkMME8djpL0e*uU{YIHNsd2+VEJfBua-bLEt z1GRl~5gb|lm`O7|P6otEYu45uzPARWH{0ia%VtEV&@Trj}%*xrl5a;9H2$dlu zg%gelWdQ2ODk58;WW(Q_IOMr9N5tonaI%Hff`^<3a%awZ4+&5B1_;Y)W;5`j1!4=Vy`2urH{A)Ixu*wV18> z?Wm82u7z$MVq|rLLumI4FKiOw0=jCs)@7Fc@rx^51g;M;B&**M`blreTfS0g6Qf>B zN$ENhds*VL%6e8-n6@NonneQCaPRWK7*Lh{8eN8bbLb>CjI4K)x2(4L z2t1=@wqU=(5U-f5g}8svh3vjo+GZ7s(Ny`K^28?;dhQG<>{7&`*!}+YX9rx8GoS?l zcZJ#$jCKK2tV zql|cjA?;~gRf46XaZvc>Tzw*ac_H&@?(d$db(XjD$&3n(yQm|^jSnmewiu>mmNmH* zSKUevGkdS=Fy?V_*G;om@8J93aofL^-e(TP-e^?3LCGzg-=5)J7iQ^FdR2X4nO2k? zE!Mag*c&mrdaK~b-Lv<8dna`1lyq9djl7g5@s`kK@{rY2?c~+6oXM7~W>SL z#70@L$Ua)`u@rZUTj8oinCkA)@o`%AX9XsiCF3hwORmzCA}Fl-jj4-L^WXhiY(|}F zwq7sxnMuiV1W-%6m-_R#7wPBPS7RRwCm0sT6K}b(sC`b}sZkE2xvo>* zxv{g%+xw}>a=$}t#NPM7`g)cHmW<|wvX?1)63=^m`*7`u=r-uO=0Z7rXlHh=zIx;d zi+4jq)vQ-p)(bCC04_3x!@^Kdug|?n{r*$!HxNoqzPf_k6X<_md0V%sm1Tl@_`B z?(>rgP$(Gn?Nf|>jL*iQg*(L@f@7&zpmJE ziE4*=Hl31-X+><93IQxg*QnXRtoPYVMm>7;Zc3)a^@}0|UP7QVX~ulA)lw8-*}$=- zY4f3?gK7yOqid*w0*im>@v>RF?Q|$3{V|)`Mx&iBFw_;P zO|#`%q;Y*IwTM_J(f@hEWO)JOcfwg&SszsQu?3Wmq&Gnzsi*)to{$6?o|w>tXql}g zWQ?2Vy1g@SIx%jHy8T(2ZuQtBIa%4}FJCe@-MuMO*H}?;8>@`)8zpPd3b+1a91Es4 z*)wH0n`xJ;k2v2ssgSxsn~y_OOw3G;RN^tO1!XJS9;8v<4@_b1`~HaPJRgPB<_7Ep zd=$hEXJ=<0R9zamc41FwW}nT8-ON+ViQ5{!e=qG6GVKZlf+cvuygY5#ZooVM35@!I zB&b^EnG?9ca5wj<{y^hm*YhryVNs~Ru{lu9dc)>jptl#R`8;NT(>7**a3d9|`NU{S z6oBT;Sf{k~@a%B&f$iJ2@p7`Xi_Zd{v#(tRz*sfs32~KVs&#w$d$Y7ETq6QLAPuY@ zQs&x-F*N%_kTYn zgB@k=?%wWYPVT&GHgFBsWF&RMd`_m0qewI%2%e&SG>>25lIqjr%c%pGTL$xJHmHX) z2!V_`deF@(zu`Gs=90#`%j~MHAFdC?Ey5aEA>~#(s#&H{I!>F^f-`m&5$-d|qCPXa zX0F-}7v4;FT0+(v%hZ4m0AFJhW1-(2X}KD|+Y){tOcmS_coSsHP-?m`loT^^r}^{e zC!LQ#8hVmlC{eAp`A)8`Pw{mIRj-RC#P|zwrV{s=_boOu5)#kLFL`$BAv%W^Q5U?$=XO< zB`z&_if&n#_Usw3m`a$cQie%c9{&g6bK*sp@veRMkGJXCmtUw4Ka6x%)~ZM9!R@ua z^!}s7pn+KV7$!pmm*89^cx}ydO?%~_U%}twi8*tguTOAps z*PkgVBa^fH213l7($e(M(BGEui_KUU4Gj$*Pfi~>Ny++8pWM0>u{d9>!25!*0jCFzO<0*X@c5~-0`j8LsUV4K>c@bqMx5% z-eT=@%Hf`Bmgc7HHO51Z`Uvn~EKy~e*E)_Pz$NSc#8oCeJNrQ(Wz%qf(yt}3%Q3T1|L#%6TZ#(x=GwtrvRO_=CoZ!!&hvnz0?C404n|Mrz46~1 zD}@F4`t=3D1QZwZ)lI>C+IXfT154~-OOY)o#PKqfZ^DVdWWEvBBAAt1ihqobjqTsY zii56&s;TT(&G)WDfg9T#298$kbm`JjtON-dC&y5>Z+3!f17=>K8mBp z{LxvjbIK1O z$VdKZ=l*PLWQ6eD#u*356y$iQEyjttkA~PFYHf2}eCES#o1&=6WoRfF z$@OMyG1woFVvkXyP{e{gPo4Gex3aWU1vTQ_c>40P`RNG{N5`hwH5quc>|Ni!74uk_ znkqH;4Md*Zbg3&JE)VE|DD4v!HI1M=q?v_lJgjSl#X@`tFF~oPX$vw+l-|7e;hWK{ z({)D*=+r40EWg3X0!CgrKez(1IF5FB8(mZiT)vn%2w|hVTUUR(dlOz6o8S5%9gDJi z(;8Xt?}p>uWqKG4#@%Da1GV&aUBeLTlS8nsMH-3CmQ?YLzu6Lr-iQdB%c~ousvMR7 zyj0zRY=I@7Kh;|IAwyO8?Vz8Zluc6IlUg=r2Z4zP@kX{E@)gI`X$Jnlw0s1y)aZ7t!Z;j#dJ5E(x> zv1gR;3<$PBLP-2U-N4LX{jO_@mhIJ~&=`b7@Fs;SAG23sd)eK7@0S_$Nl8gnUWe4< zVUrOcF!!x4df98h$#dA9vU3EU5@BRIT|+A4jgw6OGNrqylQDuuaxS%m@X)9Yq_bgu zO1zfzj~zSa{&gZYD#UxD$7eLHC@;_K%>}8byrmZqVkf}Z+<13tr!5>i0V6w$T;Ks! zlNwW6>4o0QrO1_&D2d2N;aLDhfvf{!WMg4;0*Jww1KI%+MG59)f0$}}Tic)Gi+KaH z06E*)0Tof%p@n^`w&R3dd(p6()sW|~)A!_R>19&!3F@=j?yDsn((4+8gUGYHgO`&0 zHBI_uOQ){NEkE>98OjL=8ui$hZyU2WYI)3=@5X{he9(n)kCdQKg326zvb?OQ;k%Ud z%5NyoM3k45d)}dakZ>?f3w(mXxroBJ(iEebU7E*L1$nW( zq|8LNMo6v^@+PrL^h*E~Zm&vdwwzpAzf?xyO)t=JkO7buU_K}~Rx~WYW>nEU(YAiC zFTUMYa~qhUqPNd3zwL9>sCJLOd?fa)?T6&4#SrU8Nht1QU>Fqj#or8%nEdhg6?;Y{j{CnbFkIiLg#Sux zWLv?&&~sFCC4Tao!bS#$b9an#1aCcN!i#%-cQP_ce_6rs;;c*JE$%-)jXB6x$c(-5 zsq}J<@_yvj;X_u^e0#X}Dz^rH8d%BwLh^*{uM7+??-Fkp`dsMLw~H5F_4EJ4$Nl$Z z?ELY5omjh?N=i{XaL2|NLvQeqQCz+qqd&+aIvM zXTx8w@2_9+VDOJf?78gAX73CgIRxlu7=7y39uk z_oM2FtDu>tbPC1&YcJvlfAd&A7us0<@y~mrAol<6=fC}o|F}B74SwPL>3RHkH>dG` zcyfQUtUn(Xu`^Hq^UnOA+vZH^I1FX=oac{I)A950{@Y{!>v8(G@3zK%TaFjRHFwy= zy#Kl3SYoSLST_A{J9rgEvEuNKE7g94d7wGU{Vx2EOaC92?f?Ip|K~ffUbulh!7wNc zp11$Hss6QC3PW!y*jxMA#d7d_EP{VyKK^n%p&*!MedK@J&p&J-=gv;CtQX&7{@ElP z#Q{z54*$nrVn|9?IJkky&|MFu-I_wj`(bH0S4L1=yPOQ+{ukvYB?@&pAA5a5XRR3~2O_F1&YxF6y81LIrflj+ zb0*&R*iY`-Fvh>6BDh5dNHYi`976S$Jk`+kXwnw=n?`#Ks2AA7Hn+P0VYs8 z05UlQa=Jj;qQb%r0lkb242Od~XYa&~FM>VV0<=jMw|j7$CnqZ_4uKd*G8=1aWLXh$ z3xyDl>ZRNPUdCTmAdb5A=KRvoN$&<=DNGmv$AlONp9^qjV&U$tzn)v}!T6%H>@Hjv zV|7>yFRD-hd?x^3l#~YAb=HQ3(;!WG&XW_&tI47H@d$?cuB`(pVL! zd<1+bK+mMiNw5G|F+4YfSNL=DC=T8V=ROWEj0D1K@J#^5_#jXP1PgY6`43_zTrra5 zRb6KGh1&7#vU%rfcy)0{b*B+s+&QN$%QDvbUoJPPN9lCU33)u*4q0ruS5wlV6hRa~ z8VE^mV0wN7R{PxbNIvMHHreL)xpmHoES3s(&vh0>1Axoag$}skTXC87=F@e%D6BzFMn@N-ZtDK97Euou3W(s^TeY&G2D$_K`;KZmYa3uF9a&& z*+gt3uv;Z@se_LiL zw3_RSs@}l}nn&a98Ry=Ju}MEq@g+y{xGHA>g+5$9Gjm$Ac=)R0_vpxdK}UCT^RM{U z^z_rQUH*xw{%2nzp^oDL&Mzux?Aw(BO9pzxMmY!RjHyZ62BWf4+l4*}0b!;}*ZT_c zUf;CjSH+Ws2Nn8K#wM?JI9{PgJa%pFrhhXQ;(RcG?6Kln#vAxk``GpSWO1$Ci&80r z$;jC1YL7dPK{8&ofeQ`EqvVAWW0UZ!^`1`ko*m3fo4C>!CEUL#e-PYzZf;zEcnWH1p}M)5ca)V@DQ9 z+C|KF?O0h}BqJ;LEY=*Kx8nspwyG~h!BkWE^+MmllJ|^FUWF9#%{#Acbj;{29eK1* zj(dY(iE_P1 Date: Tue, 7 Sep 2021 17:16:07 -0700 Subject: [PATCH 077/458] Update windows-security-app.md --- .../os-security/windows-security-app.md | 25 ++++++------------- 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/windows/security/os-security/windows-security-app.md b/windows/security/os-security/windows-security-app.md index 4a2e241a83..ed9e40c74b 100644 --- a/windows/security/os-security/windows-security-app.md +++ b/windows/security/os-security/windows-security-app.md @@ -1,6 +1,6 @@ --- -title: Trusted Boot -description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 +title: The Windows Security app in Windows 11 +description: Get an overview of the Windows Security app in Windows 11 search.appverid: MET150 author: denisebmsft ms.author: deniseb @@ -12,26 +12,15 @@ ms.prod: w11 ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: jsuther +ms.reviewer: kaeladawson, bmcneil f1.keywords: NOCSH --- -# Secure Boot and Trusted Boot +# The Windows Security app -This article describes Secure Boot and Trusted Boot, security measures built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up where Secure Boot leaves off. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. +This article provides an overview of the Windows Security app in Windows 11. -## Secure Boot +:::image type="content" source="../images/windows-security-app-w11.png" alt-text="Windows Security app in Windows 11"::: -The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. +Visibility and awareness of device security and health is key to any action taken. The Windows built-in security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. -As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. - -## Trusted Boot - -Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. - -Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. - -## See also - -[Secure the Windows boot process](../information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file From d3f655731dc0b0efd4330198ff02b50f43d18e8f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:18:25 -0700 Subject: [PATCH 078/458] Update TOC.yml --- windows/security/TOC.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index eb58b0f6cd..b6657d8439 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -39,8 +39,10 @@ items: - name: Trusted Boot href: os-security/trusted-boot.md - - name: Secure the Windows 10 boot process - href: information-protection/secure-the-windows-10-boot-process.md + - name: Cryptography and certificate management + href: os-security/cryptography-certificate-mgmt.md + - name: Windows Security app + href: os-security/windows-security-app.md - name: Encryption and data protection items: - name: Encrypted Hard Drive From eb5a94b43c84b24af498681d00247a197da48df9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:19:28 -0700 Subject: [PATCH 079/458] Update TOC.yml --- windows/security/TOC.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index b6657d8439..777720a45b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -45,6 +45,7 @@ href: os-security/windows-security-app.md - name: Encryption and data protection items: + - name: Overview - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - name: Bitlocker From 400771de27f8bb1e85e70dfcdb6b5fe16971ef4b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:21:02 -0700 Subject: [PATCH 080/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 777720a45b..337dc58743 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -41,7 +41,7 @@ href: os-security/trusted-boot.md - name: Cryptography and certificate management href: os-security/cryptography-certificate-mgmt.md - - name: Windows Security app + - name: Windows Security app in Windows 11 href: os-security/windows-security-app.md - name: Encryption and data protection items: From c4af22af36fe1d7fee6386989430caddc2667a13 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:31:02 -0700 Subject: [PATCH 081/458] operating system articles --- windows/security/operating-system.md | 4 +-- .../os-security/encryption-data-protection.md | 29 +++++++++++++++++++ windows/security/os-security/trusted-boot.md | 4 ++- .../os-security/windows-security-app.md | 2 +- 4 files changed, 34 insertions(+), 5 deletions(-) create mode 100644 windows/security/os-security/encryption-data-protection.md diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 584a85b7bd..e16ff2bd56 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -13,9 +13,7 @@ author: denisebmsft # Windows operating system security -This article provides an overview of security measures built into Windows 11. - -## Operating system security +This article provides an overview of operating system security in Windows 11. Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. diff --git a/windows/security/os-security/encryption-data-protection.md b/windows/security/os-security/encryption-data-protection.md new file mode 100644 index 0000000000..ea4eab560f --- /dev/null +++ b/windows/security/os-security/encryption-data-protection.md @@ -0,0 +1,29 @@ +--- +title: Encryption and data protection in Windows 11 +description: Get an overview encryption and data protection in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: w11 +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: deepakm, rafals +f1.keywords: NOCSH +--- + +# Encryption and data protection in Windows 11 + +This article provides a brief overview of encryption and data protection built into Windows 11. + +When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, starting with the Encrypting File System (EFS) in the Windows 2000 operating system. + +In Windows 11, encryption and data protection features include: + +- [Encrypted Hard Drive](../information-protection/encrypted-hard-drive.md) +- [BitLocker](../information-protection/bitlocker/bitlocker-overview.md) + diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/os-security/trusted-boot.md index 4a2e241a83..7728813615 100644 --- a/windows/security/os-security/trusted-boot.md +++ b/windows/security/os-security/trusted-boot.md @@ -18,7 +18,9 @@ f1.keywords: NOCSH # Secure Boot and Trusted Boot -This article describes Secure Boot and Trusted Boot, security measures built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up where Secure Boot leaves off. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. +*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* + +Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up where Secure Boot leaves off. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. ## Secure Boot diff --git a/windows/security/os-security/windows-security-app.md b/windows/security/os-security/windows-security-app.md index ed9e40c74b..b02306f0dc 100644 --- a/windows/security/os-security/windows-security-app.md +++ b/windows/security/os-security/windows-security-app.md @@ -18,7 +18,7 @@ f1.keywords: NOCSH # The Windows Security app -This article provides an overview of the Windows Security app in Windows 11. +*This article provides an overview of the Windows Security app in Windows 11.* :::image type="content" source="../images/windows-security-app-w11.png" alt-text="Windows Security app in Windows 11"::: From 7652f00c5d8b8d162f7d392c112b98042cce3da6 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:35:08 -0700 Subject: [PATCH 082/458] Update encryption-data-protection.md --- .../os-security/encryption-data-protection.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/windows/security/os-security/encryption-data-protection.md b/windows/security/os-security/encryption-data-protection.md index ea4eab560f..e0af5c0142 100644 --- a/windows/security/os-security/encryption-data-protection.md +++ b/windows/security/os-security/encryption-data-protection.md @@ -18,12 +18,40 @@ f1.keywords: NOCSH # Encryption and data protection in Windows 11 -This article provides a brief overview of encryption and data protection built into Windows 11. +*This article provides a brief overview of encryption and data protection built into Windows 11.* When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, starting with the Encrypting File System (EFS) in the Windows 2000 operating system. In Windows 11, encryption and data protection features include: +- Encrypted Hard Drive +- BitLocker + +## Encrypted Hard Drive + +Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management. +By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + +Encrypted hard drives provide: + +- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system. +- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. +- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + +Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. + +## BitLocker + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. + +Windows consistently improves data protection by improving existing options and providing new strategies. + + +## See also + - [Encrypted Hard Drive](../information-protection/encrypted-hard-drive.md) - [BitLocker](../information-protection/bitlocker/bitlocker-overview.md) From 8e2bd89a94fdae5ee9a8593bcc969c7b4d46487c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:35:54 -0700 Subject: [PATCH 083/458] Update cryptography-certificate-mgmt.md --- windows/security/os-security/cryptography-certificate-mgmt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/os-security/cryptography-certificate-mgmt.md b/windows/security/os-security/cryptography-certificate-mgmt.md index 282fac4632..f5d63c9686 100644 --- a/windows/security/os-security/cryptography-certificate-mgmt.md +++ b/windows/security/os-security/cryptography-certificate-mgmt.md @@ -18,7 +18,7 @@ f1.keywords: NOCSH # Cryptography and Certificate Management -This article describes cryptography and certificate management in Windows 11. +*This article describes cryptography and certificate management in Windows 11.* ## Cryptography From 1a79447f23963a9932132ddc7a1e028d8eb68b37 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 17:36:29 -0700 Subject: [PATCH 084/458] Update TOC.yml --- windows/security/TOC.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 337dc58743..98852424f3 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -46,6 +46,7 @@ - name: Encryption and data protection items: - name: Overview + href: encryption-data-protection.md - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - name: Bitlocker From e8c5a8a2212ca57da171d49a516812f17c36853f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:10:41 -0700 Subject: [PATCH 085/458] Update windows-security-app.md --- .../security/os-security/windows-security-app.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/os-security/windows-security-app.md b/windows/security/os-security/windows-security-app.md index b02306f0dc..c9d1cbea97 100644 --- a/windows/security/os-security/windows-security-app.md +++ b/windows/security/os-security/windows-security-app.md @@ -24,3 +24,17 @@ f1.keywords: NOCSH Visibility and awareness of device security and health is key to any action taken. The Windows built-in security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. +The Windows Security app in Windows 11 looks a lot like what you see in Windows 10, with the addition of the new **Protection history** button and increased security features and capabilities. + +The following table describes the various sections of the Windows Security app.

+ +| Section | Description | +|:---|:---| +| Virus & threat protection | Description goes here | +| Account protection | Description goes here | +| Firewall & network protection | Description goes here | +| App & browser control | Description goes here | +| Device security | Description goes here | +| Device performance & health | Description goes here | +| Family options | Description goes here | +| Protection history | Description goes here | \ No newline at end of file From 214b98612bcbc32918cbb526307a8d7adbb78936 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:12:18 -0700 Subject: [PATCH 086/458] Update TOC.yml --- windows/security/TOC.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 98852424f3..9165264ba7 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -43,10 +43,10 @@ href: os-security/cryptography-certificate-mgmt.md - name: Windows Security app in Windows 11 href: os-security/windows-security-app.md - - name: Encryption and data protection + - name: Encryption and data protection + href: os-security/encryption-data-protection.md items: - - name: Overview - href: encryption-data-protection.md + - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - name: Bitlocker From f352c6ab3e43cb11e1b190a50e880abc99473bb5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:15:07 -0700 Subject: [PATCH 087/458] Update TOC.yml --- windows/security/TOC.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 9165264ba7..bb79e0aa9b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -210,7 +210,11 @@ - name: Controlled folder access - name: Exploit protection - name: Microsoft Defender for Endpoint -- name: Application protection +- name: Application security + items: +- name: Secured identity + items: +- name: Cloud services items: - name: User protection items: From 98ee58a1db3e93067737b8caa451109cd8b86e9f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:19:13 -0700 Subject: [PATCH 088/458] Update index.yml --- windows/security/index.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index e59fa8c210..873666b38f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/01/2021 + ms.date: 09/07/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -38,13 +38,13 @@ landingContent: - linkListType: overview links: - text: Overview of operating system security - url: /windows/security/information-protection/index.md + url: operating-system.md - linkListType: concept links: - text: System security - url: /windows/security/information-protection/secure-the-windows-10-boot-process.md + url: os-security/trusted-boot.md - text: Encryption and data protection - url: /windows/security/information-protection/encrypted-hard-drive.md + url: os-security/encryption-data-protection.md - text: Network security url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md # Cards and links should be based on top customer tasks or top subjects From 7ad9e9098631945d052681a1e91902c1ce873123 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:22:17 -0700 Subject: [PATCH 089/458] Update index.yml --- windows/security/index.yml | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 873666b38f..320651ac37 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -47,25 +47,37 @@ landingContent: url: os-security/encryption-data-protection.md - text: Network security url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - text: Network security + - text: Virus & threat protection # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Threat protection - linkLists: - - linkListType: overview - links: - - text: Security baselines (more to follow) - url: /windows/security/threat-protection/windows-security-baselines.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Application protection + - title: Application security linkLists: - linkListType: overview links: - text: article (change link later, add more) url: /windows/security/threat-protection/windows-security-baselines.md # Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Secured identity + linkLists: + - linkListType: overview + links: + - text: article (change link later, add more) + url: /windows/security/threat-protection/windows-security-baselines.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: article (change link later, add more) + url: /windows/security/threat-protection/windows-security-baselines.md + +# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: User protection From 856adceb6508bef347176b6849d79dc2c4fcc27f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 7 Sep 2021 18:43:57 -0700 Subject: [PATCH 090/458] cards --- windows/security/index.yml | 2 ++ windows/security/operating-system.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 320651ac37..6e0ba8210f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -48,7 +48,9 @@ landingContent: - text: Network security url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - text: Network security + url: operating-system.md - text: Virus & threat protection + url: operating-system.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index e16ff2bd56..e3bb60f6e1 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -21,7 +21,7 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| -| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)
[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)
Windows Security app | +| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)
[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)
[Windows Security app](os-security/windows-security-app.md) | | Encryption and data protection | BitLocker
Encryption | | Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | | Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | From e60dc2dbb8f47576c316021e4bf071a7a499e655 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 08:29:57 -0700 Subject: [PATCH 091/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index e3bb60f6e1..484406779a 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -13,7 +13,7 @@ author: denisebmsft # Windows operating system security -This article provides an overview of operating system security in Windows 11. +*This article provides an overview of operating system security in Windows 11.* Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. From 37e9d38bf4d64d855e6f664804939fb402bbd24d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 09:38:52 -0700 Subject: [PATCH 092/458] Update cloud.md --- windows/security/cloud.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index cbce8d9341..b3ad85903d 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -13,5 +13,17 @@ author: dansimp # Windows and cloud security -Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased 3rd party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services to help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads and safeguard sensitive information while controlling access and mitigating threats. +*This article provides an overview of cloud services built into Windows 11.* + +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services to help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. + +Windows 11 includes the cloud services that are listed in the following table: + +| Service type | Description | +|:---|:---| +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.
Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere. | +| Modern device management (MDM) and Microsoft Endpoint Manager | Remote wipe
Work or school account
Config Lock
Remote device attestation
(other stuff coming soon):Device Installation
DMA Guard
Endpoint Detection and Response
Microsoft Defender Security Center
Smartscreen
System Guard
Windows Hello for Business | +| Microsoft account | | +| OneDrive | | +| Family safety | | From be096b1448be32c391c57c9027868278505f4401 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:20:21 -0700 Subject: [PATCH 093/458] Update operating-system.md --- windows/security/operating-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 484406779a..d70e3a6e9f 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -21,8 +21,8 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| -| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)
[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)
[Windows Security app](os-security/windows-security-app.md) | -| Encryption and data protection | BitLocker
Encryption | +| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | +| Encryption and data protection | [Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | | Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | From 3c93913c6cf390e1b769061fdaa3c72711d3dfb1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:34:56 -0700 Subject: [PATCH 094/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index d70e3a6e9f..4508d05be3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -23,7 +23,7 @@ Use the links in the following table to learn more about the operating system se |:---|:---| | System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | | Encryption and data protection | [Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | -| Network security | Virtual Private Networks (VPNs)
Windows Defender Firewall
Bluetooth
DSN security
Windows Wi-Fi
Transport Layer Security (TLS) | +| Network security | Virtual Private Networks (VPNs)

Windows Defender Firewall

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | | Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | From 8c007085172d52a1ba8a9e066768a6d7023a4ba6 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:40:36 -0700 Subject: [PATCH 095/458] Update operating-system.md --- windows/security/operating-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 4508d05be3..8e129805a2 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -22,8 +22,8 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| | System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | -| Encryption and data protection | [Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | +| Encryption and data protection | [Encryption and data protection in Windows 11](os-security/encryption-data-protection.md)

[Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | Virtual Private Networks (VPNs)

Windows Defender Firewall

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | -| Protection from viruses and threats | Microsoft Defender Antivirus
Attack surface reduction
Tamper protection
Network protection
Controlled folder access
Exploit protection
Additional protection with Microsoft Defender for Endpoint | +| Protection from viruses and threats | Microsoft Defender Antivirus

Attack surface reduction

Tamper protection

Network protection

Controlled folder access

Exploit protection

Additional protection with Microsoft Defender for Endpoint | From ea1c1c8a622485f1d266fa843ebf1da7ad25178d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:48:25 -0700 Subject: [PATCH 096/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 8e129805a2..28b535a905 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -24,6 +24,6 @@ Use the links in the following table to learn more about the operating system se | System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](os-security/encryption-data-protection.md)

[Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | Virtual Private Networks (VPNs)

Windows Defender Firewall

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | -| Protection from viruses and threats | Microsoft Defender Antivirus

Attack surface reduction

Tamper protection

Network protection

Controlled folder access

Exploit protection

Additional protection with Microsoft Defender for Endpoint | +| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide) for additional threat protection | From 0c26c82991db73d4f55b56ca783c9702867f53de Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:48:58 -0700 Subject: [PATCH 097/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 28b535a905..c6f0d3d41b 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -24,6 +24,6 @@ Use the links in the following table to learn more about the operating system se | System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](os-security/encryption-data-protection.md)

[Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | Virtual Private Networks (VPNs)

Windows Defender Firewall

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | -| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide) for additional threat protection | +| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From d6d5837699b6fcbeacda7f7378c568060a7d0293 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:52:32 -0700 Subject: [PATCH 098/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c6f0d3d41b..7db88749a3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -23,7 +23,7 @@ Use the links in the following table to learn more about the operating system se |:---|:---| | System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](os-security/encryption-data-protection.md)

[Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | -| Network security | Virtual Private Networks (VPNs)

Windows Defender Firewall

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | +| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | | Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From b03e7ddaddd87b9a2a2e190baace89ab3988fddf Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 10:58:37 -0700 Subject: [PATCH 099/458] moved a few articles --- .../security/{os-security => }/cryptography-certificate-mgmt.md | 0 windows/security/{os-security => }/encryption-data-protection.md | 0 windows/security/{os-security => }/trusted-boot.md | 0 windows/security/{os-security => }/windows-security-app.md | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename windows/security/{os-security => }/cryptography-certificate-mgmt.md (100%) rename windows/security/{os-security => }/encryption-data-protection.md (100%) rename windows/security/{os-security => }/trusted-boot.md (100%) rename windows/security/{os-security => }/windows-security-app.md (100%) diff --git a/windows/security/os-security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md similarity index 100% rename from windows/security/os-security/cryptography-certificate-mgmt.md rename to windows/security/cryptography-certificate-mgmt.md diff --git a/windows/security/os-security/encryption-data-protection.md b/windows/security/encryption-data-protection.md similarity index 100% rename from windows/security/os-security/encryption-data-protection.md rename to windows/security/encryption-data-protection.md diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/trusted-boot.md similarity index 100% rename from windows/security/os-security/trusted-boot.md rename to windows/security/trusted-boot.md diff --git a/windows/security/os-security/windows-security-app.md b/windows/security/windows-security-app.md similarity index 100% rename from windows/security/os-security/windows-security-app.md rename to windows/security/windows-security-app.md From e74a3a6714c853db6539c9b62e13efe43a69646f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:00:36 -0700 Subject: [PATCH 100/458] fixed links --- windows/security/TOC.yml | 8 ++++---- windows/security/index.yml | 4 ++-- windows/security/operating-system.md | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index bb79e0aa9b..4d66d47a1e 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -38,13 +38,13 @@ - name: System security items: - name: Trusted Boot - href: os-security/trusted-boot.md + href: trusted-boot.md - name: Cryptography and certificate management - href: os-security/cryptography-certificate-mgmt.md + href: cryptography-certificate-mgmt.md - name: Windows Security app in Windows 11 - href: os-security/windows-security-app.md + href: windows-security-app.md - name: Encryption and data protection - href: os-security/encryption-data-protection.md + href: encryption-data-protection.md items: - name: Encrypted Hard Drive diff --git a/windows/security/index.yml b/windows/security/index.yml index 6e0ba8210f..6f614b438e 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -42,9 +42,9 @@ landingContent: - linkListType: concept links: - text: System security - url: os-security/trusted-boot.md + url: trusted-boot.md - text: Encryption and data protection - url: os-security/encryption-data-protection.md + url: encryption-data-protection.md - text: Network security url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - text: Network security diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 7db88749a3..7b815fda53 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -21,9 +21,9 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| -| System security | [Trusted Boot](os-security/trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](os-security/cryptography-certificate-mgmt.md)

[Windows Security app](os-security/windows-security-app.md) | -| Encryption and data protection | [Encryption and data protection in Windows 11](os-security/encryption-data-protection.md)

[Encryption](os-security/encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | -| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth

DSN security

Windows Wi-Fi

Transport Layer Security (TLS) | +| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](windows-security-app.md) | +| Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)

[Encryption](encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | +| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth

Domain Name System (DNS) security

Windows Wi-Fi

Transport Layer Security (TLS) | | Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From 958d49a159316362fcd050f164d0bb2ea7cf87e7 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:02:23 -0700 Subject: [PATCH 101/458] Update trusted-boot.md --- windows/security/trusted-boot.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 7728813615..ca4a7577b1 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 09/08/2021 ms.prod: w11 ms.localizationpriority: medium ms.collection: @@ -20,7 +20,7 @@ f1.keywords: NOCSH *This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* -Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up where Secure Boot leaves off. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. +Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. ## Secure Boot @@ -30,7 +30,7 @@ As the PC begins the boot process, it will first verify that the firmware is dig ## Trusted Boot -Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. +Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. From f4867fcc93433ade866641696b1225959fc87da0 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:04:40 -0700 Subject: [PATCH 102/458] Update encryption-data-protection.md --- windows/security/encryption-data-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index e0af5c0142..1841a48867 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 09/08/2021 ms.prod: w11 ms.localizationpriority: medium ms.collection: @@ -52,6 +52,6 @@ Windows consistently improves data protection by improving existing options and ## See also -- [Encrypted Hard Drive](../information-protection/encrypted-hard-drive.md) -- [BitLocker](../information-protection/bitlocker/bitlocker-overview.md) +- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) +- [BitLocker](information-protection/bitlocker/bitlocker-overview.md) From 758dee50b9bfb9ea794bc1e0d67dc80ac8bef76a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:04:59 -0700 Subject: [PATCH 103/458] Update trusted-boot.md --- windows/security/trusted-boot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index ca4a7577b1..35a581f3af 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -36,4 +36,4 @@ Often, Windows can automatically repair the corrupted component, restoring the i ## See also -[Secure the Windows boot process](../information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file +[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file From 4ea8e32cae85514e11a1bd5385c569d6eec8fca7 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:05:37 -0700 Subject: [PATCH 104/458] Update windows-security-app.md --- windows/security/windows-security-app.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/windows-security-app.md b/windows/security/windows-security-app.md index c9d1cbea97..83aff40683 100644 --- a/windows/security/windows-security-app.md +++ b/windows/security/windows-security-app.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 09/08/2021 ms.prod: w11 ms.localizationpriority: medium ms.collection: @@ -16,11 +16,11 @@ ms.reviewer: kaeladawson, bmcneil f1.keywords: NOCSH --- -# The Windows Security app +# The Windows Security app in Windows 11 *This article provides an overview of the Windows Security app in Windows 11.* -:::image type="content" source="../images/windows-security-app-w11.png" alt-text="Windows Security app in Windows 11"::: +:::image type="content" source="images/windows-security-app-w11.png" alt-text="Windows Security app in Windows 11"::: Visibility and awareness of device security and health is key to any action taken. The Windows built-in security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. From 0b52366967172cd91f198299250382c99e2f26c2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:06:00 -0700 Subject: [PATCH 105/458] Update hardware.md --- windows/security/hardware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 34c5329f7f..cd1daa5805 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -1,6 +1,6 @@ --- title: Windows hardware security -description: +description: Get an overview of hardware security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp From 40e02ed7bcdf46463747e10b4e04da844e5f409c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:06:22 -0700 Subject: [PATCH 106/458] Update identity.md --- windows/security/identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index 61afd163d1..f943325f1d 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -1,6 +1,6 @@ --- title: Windows identity security -description: +description: Get an overview of identity security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp From 0c236a233e37c46b142c3ba8e6ceb4272249eeb9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:08:48 -0700 Subject: [PATCH 107/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 7b815fda53..09c512c94c 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -24,6 +24,6 @@ Use the links in the following table to learn more about the operating system se | System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](windows-security-app.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)

[Encryption](encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth

Domain Name System (DNS) security

Windows Wi-Fi

Transport Layer Security (TLS) | -| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

Controlled folder access

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | +| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From fd6ed9b974c276dc0a12acf2ba51f23e23cc536f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:13:17 -0700 Subject: [PATCH 108/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 09c512c94c..5aa13cb32d 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -23,7 +23,7 @@ Use the links in the following table to learn more about the operating system se |:---|:---| | System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](windows-security-app.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)

[Encryption](encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | -| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth

Domain Name System (DNS) security

Windows Wi-Fi

Transport Layer Security (TLS) | +| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | | Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From 8eb0bac74a41652574a39041ed5866cd1ac1f191 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:13:55 -0700 Subject: [PATCH 109/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index b3ad85903d..3fb7c8e46f 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -1,6 +1,6 @@ --- title: Windows and cloud security -description: +description: Get an overview of cloud services supported in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp From 7c204a4116ef72cb02ea33dc4a59d431980ae7c2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:14:28 -0700 Subject: [PATCH 110/458] Update apps.md --- windows/security/apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/apps.md b/windows/security/apps.md index 4b15230a76..098f9524ea 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -1,6 +1,6 @@ --- title: Windows application security -description: +description: Get an overview of application security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp From eeb6d8acea2795196c16b40fa5822a554ee4af94 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:26:27 -0700 Subject: [PATCH 111/458] Update TOC.yml --- windows/security/TOC.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 4d66d47a1e..b67c377e07 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -204,12 +204,19 @@ - name: Threat protection items: - name: Microsoft Defender Antivirus - - name: Attack surface reduction + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint - name: Application security items: - name: Secured identity From a3ac9aebf1fdba2601525390ace41dcb80ac27e9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:27:04 -0700 Subject: [PATCH 112/458] Update TOC.yml --- windows/security/TOC.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index b67c377e07..34265c2950 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -222,6 +222,7 @@ - name: Secured identity items: - name: Cloud services + href: cloud.md items: - name: User protection items: From 9826ff95917bbda169367be141d560814c832079 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:27:35 -0700 Subject: [PATCH 113/458] Update TOC.yml --- windows/security/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 34265c2950..fde9174fb8 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -218,8 +218,10 @@ - name: Microsoft Defender for Endpoint href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint - name: Application security + href: apps.md items: - name: Secured identity + href: identity.md items: - name: Cloud services href: cloud.md From 28dea0ab7000b00cd5b615d0899faa149ed330bb Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:32:01 -0700 Subject: [PATCH 114/458] nixed an article --- windows/security/operating-system.md | 2 +- windows/security/windows-security-app.md | 40 ------------------------ 2 files changed, 1 insertion(+), 41 deletions(-) delete mode 100644 windows/security/windows-security-app.md diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 5aa13cb32d..c78b9821e0 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -21,7 +21,7 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| -| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](windows-security-app.md) | +| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)

[Encryption](encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | | Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | diff --git a/windows/security/windows-security-app.md b/windows/security/windows-security-app.md deleted file mode 100644 index 83aff40683..0000000000 --- a/windows/security/windows-security-app.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: The Windows Security app in Windows 11 -description: Get an overview of the Windows Security app in Windows 11 -search.appverid: MET150 -author: denisebmsft -ms.author: deniseb -manager: dansimp -audience: ITPro -ms.topic: conceptual -ms.date: 09/08/2021 -ms.prod: w11 -ms.localizationpriority: medium -ms.collection: -ms.custom: -ms.reviewer: kaeladawson, bmcneil -f1.keywords: NOCSH ---- - -# The Windows Security app in Windows 11 - -*This article provides an overview of the Windows Security app in Windows 11.* - -:::image type="content" source="images/windows-security-app-w11.png" alt-text="Windows Security app in Windows 11"::: - -Visibility and awareness of device security and health is key to any action taken. The Windows built-in security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. - -The Windows Security app in Windows 11 looks a lot like what you see in Windows 10, with the addition of the new **Protection history** button and increased security features and capabilities. - -The following table describes the various sections of the Windows Security app.

- -| Section | Description | -|:---|:---| -| Virus & threat protection | Description goes here | -| Account protection | Description goes here | -| Firewall & network protection | Description goes here | -| App & browser control | Description goes here | -| Device security | Description goes here | -| Device performance & health | Description goes here | -| Family options | Description goes here | -| Protection history | Description goes here | \ No newline at end of file From ec7fa14aa1c5e5f73171846dd387a7b66e4f233c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:33:16 -0700 Subject: [PATCH 115/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index fde9174fb8..ecd6997651 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -42,7 +42,7 @@ - name: Cryptography and certificate management href: cryptography-certificate-mgmt.md - name: Windows Security app in Windows 11 - href: windows-security-app.md + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md - name: Encryption and data protection href: encryption-data-protection.md items: From b16515b38100d8beb75e3c9eb2d0a133985498b6 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:33:39 -0700 Subject: [PATCH 116/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index ecd6997651..d3d682fb40 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -41,7 +41,7 @@ href: trusted-boot.md - name: Cryptography and certificate management href: cryptography-certificate-mgmt.md - - name: Windows Security app in Windows 11 + - name: The Windows Security app href: threat-protection/windows-defender-security-center/windows-defender-security-center.md - name: Encryption and data protection href: encryption-data-protection.md From 211c955061b510daa07e5a5d0fdec6e3ee84ac3e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:38:04 -0700 Subject: [PATCH 117/458] Update cloud.md --- windows/security/cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 3fb7c8e46f..efd9e32f1d 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -21,8 +21,8 @@ Windows 11 includes the cloud services that are listed in the following table: | Service type | Description | |:---|:---| -| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.
Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere. | -| Modern device management (MDM) and Microsoft Endpoint Manager | Remote wipe
Work or school account
Config Lock
Remote device attestation
(other stuff coming soon):Device Installation
DMA Guard
Endpoint Detection and Response
Microsoft Defender Security Center
Smartscreen
System Guard
Windows Hello for Business | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | +| Modern device management (MDM) and Microsoft Endpoint Manager | Remote wipe

Work or school account

Config Lock

Remote device attestation

(other stuff coming soon):Device Installation

DMA Guard

Endpoint Detection and Response

Microsoft Defender Security Center

Smartscreen

System Guard

Windows Hello for Business | | Microsoft account | | | OneDrive | | | Family safety | | From af13a6cdbf90491a21cead19c3604d52532cdf57 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:47:17 -0700 Subject: [PATCH 118/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index efd9e32f1d..0fbd68985f 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -22,7 +22,7 @@ Windows 11 includes the cloud services that are listed in the following table: | Service type | Description | |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | -| Modern device management (MDM) and Microsoft Endpoint Manager | Remote wipe

Work or school account

Config Lock

Remote device attestation

(other stuff coming soon):Device Installation

DMA Guard

Endpoint Detection and Response

Microsoft Defender Security Center

Smartscreen

System Guard

Windows Hello for Business | +| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Windows 11 includes a management component that includes:
- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and
- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies.

MDM includes several security features & capabilites. These include:
- Remote wipe
- Support for your work or school account
- Config Lock
- Remote device attestation
- (other stuff coming soon): Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | | Microsoft account | | | OneDrive | | | Family safety | | From 39b49673a5d565cc24f799367d3214ff982530a3 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:52:05 -0700 Subject: [PATCH 119/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 0fbd68985f..ba9d3e8118 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -22,7 +22,7 @@ Windows 11 includes the cloud services that are listed in the following table: | Service type | Description | |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | -| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Windows 11 includes a management component that includes:
- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and
- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies.

MDM includes several security features & capabilites. These include:
- Remote wipe
- Support for your work or school account
- Config Lock
- Remote device attestation
- (other stuff coming soon): Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | +| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Windows 11 includes a management component that includes:
- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and
- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | | Microsoft account | | | OneDrive | | | Family safety | | From 1c273319af990ac6be11227c9d7c50572e5f2800 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:57:17 -0700 Subject: [PATCH 120/458] Create mdm-windows.md --- windows/security/mdm-windows.md | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 windows/security/mdm-windows.md diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md new file mode 100644 index 0000000000..6b5de3479e --- /dev/null +++ b/windows/security/mdm-windows.md @@ -0,0 +1,34 @@ +--- +title: Modern device management and Windows 11 +description: Get an overview of modern device management with Microsoft Endpoint Manager and Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2021 +ms.prod: w11 +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: +f1.keywords: NOCSH +--- + +# Modern device management and Windows 11 + +Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. + +Windows 11 includes a management component that includes: +- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and +- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies. + +MDM includes several security features & capabilities. These include: +- Remote wipe +- Support for your work or school account +- Config Lock +- Remote device attestation +- (other stuff coming soon): Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business + +Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols. \ No newline at end of file From 88f6194aa4c98271565d671ce388cf33d8c1ddc8 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:58:12 -0700 Subject: [PATCH 121/458] Update TOC.yml --- windows/security/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d3d682fb40..5e5d767e80 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -226,6 +226,8 @@ - name: Cloud services href: cloud.md items: + - name: MDM and Windows 11 + href: mdm-windows.md - name: User protection items: - name: Technical support policy for lost or forgotten passwords From 29b5c1f904cdae60dd14f0febfa764765039a223 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 11:58:50 -0700 Subject: [PATCH 122/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index ba9d3e8118..a52fd1128b 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -22,7 +22,7 @@ Windows 11 includes the cloud services that are listed in the following table: | Service type | Description | |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | -| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Windows 11 includes a management component that includes:
- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and
- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | +| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | | Microsoft account | | | OneDrive | | | Family safety | | From 12aad635d46094612054cce4afe32498a958277d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:03:19 -0700 Subject: [PATCH 123/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index a52fd1128b..51c4a4e806 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -22,7 +22,7 @@ Windows 11 includes the cloud services that are listed in the following table: | Service type | Description | |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | -| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

Learn more about MDM and Windows 11 | +| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | | | OneDrive | | | Family safety | | From a44f2fa06e52571abaa6d80709778aeece845c8b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:06:40 -0700 Subject: [PATCH 124/458] Update cloud.md --- windows/security/cloud.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 51c4a4e806..0dd25f1585 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table: |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | -| Microsoft account | | -| OneDrive | | -| Family safety | | +| Microsoft account | When you add your Microsoft Account to Windows 11, you can bring your Windows, Microsoft Edge, and Xbox settings, web page favorites, files, photos, and more across your different devices. Your Microsoft account lets you manage everything all in one place. Keep tabs on your subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud and across devices, including iOS and Android. | +| OneDrive | OneDrive provides additional security, backup, and restore options for your important files and photos. With options for both personal and business, OneDrive stores and protects your files in the cloud, allowing you to access them from your laptop, desktop, and mobile devices. Plus, OneDrive provides an excellent backup and restore solution. If your device is lost or stolen, you can quickly recover all your important files, photos, and data.

OneDrive also provides protection for your most sensitive files without losing the convenience of anywhere access. Protect digital copies of your passport, driver’s license, and other important documents in OneDrive Personal Vault. Your files will be secured by identity verification, yet easily accessible to you across your devices.

Learn how to set up your Personal Vault with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have additional options to mitigate and recover from a ransomware attack. Learn more about how to recover from a ransomware attack using Office 365 | +| Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

Learn more about Microsoft Family Safety. | From 60dd25515980b4a4f18f7cd1c8f82f4fef2221d6 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:08:43 -0700 Subject: [PATCH 125/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 0dd25f1585..dcaa0a7cb0 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -24,6 +24,6 @@ Windows 11 includes the cloud services that are listed in the following table: | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When you add your Microsoft Account to Windows 11, you can bring your Windows, Microsoft Edge, and Xbox settings, web page favorites, files, photos, and more across your different devices. Your Microsoft account lets you manage everything all in one place. Keep tabs on your subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud and across devices, including iOS and Android. | -| OneDrive | OneDrive provides additional security, backup, and restore options for your important files and photos. With options for both personal and business, OneDrive stores and protects your files in the cloud, allowing you to access them from your laptop, desktop, and mobile devices. Plus, OneDrive provides an excellent backup and restore solution. If your device is lost or stolen, you can quickly recover all your important files, photos, and data.

OneDrive also provides protection for your most sensitive files without losing the convenience of anywhere access. Protect digital copies of your passport, driver’s license, and other important documents in OneDrive Personal Vault. Your files will be secured by identity verification, yet easily accessible to you across your devices.

Learn how to set up your Personal Vault with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have additional options to mitigate and recover from a ransomware attack. Learn more about how to recover from a ransomware attack using Office 365 | +| OneDrive | OneDrive provides extra security, backup, and restore options for your important files and photos. With options for both personal and business, OneDrive stores and protects your files in the cloud, allowing you to access them from your laptop, desktop, and mobile devices. Plus, OneDrive provides an excellent backup and restore solution. If your device is lost or stolen, you can quickly recover all your important files, photos, and data.

OneDrive also provides protection for your most sensitive files without losing the convenience of anywhere access. Protect digital copies of your passport, driver’s license, and other important documents in OneDrive Personal Vault. Your files will be secured by identity verification, yet easily accessible to you across your devices.

Learn how to set up your Personal Vault with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. Learn more about how to recover from a ransomware attack using Office 365 | | Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

Learn more about Microsoft Family Safety. | From 71bb8c02d02813d43ae0a7095dc93632e4da762a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:18:27 -0700 Subject: [PATCH 126/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index dcaa0a7cb0..4e2e6d3131 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -24,6 +24,6 @@ Windows 11 includes the cloud services that are listed in the following table: | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When you add your Microsoft Account to Windows 11, you can bring your Windows, Microsoft Edge, and Xbox settings, web page favorites, files, photos, and more across your different devices. Your Microsoft account lets you manage everything all in one place. Keep tabs on your subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud and across devices, including iOS and Android. | -| OneDrive | OneDrive provides extra security, backup, and restore options for your important files and photos. With options for both personal and business, OneDrive stores and protects your files in the cloud, allowing you to access them from your laptop, desktop, and mobile devices. Plus, OneDrive provides an excellent backup and restore solution. If your device is lost or stolen, you can quickly recover all your important files, photos, and data.

OneDrive also provides protection for your most sensitive files without losing the convenience of anywhere access. Protect digital copies of your passport, driver’s license, and other important documents in OneDrive Personal Vault. Your files will be secured by identity verification, yet easily accessible to you across your devices.

Learn how to set up your Personal Vault with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. Learn more about how to recover from a ransomware attack using Office 365 | +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | | Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

Learn more about Microsoft Family Safety. | From ce5eba5952585143d2100dea98b5fa903f1386bd Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:19:17 -0700 Subject: [PATCH 127/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 4e2e6d3131..51ac9dadd3 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -25,5 +25,5 @@ Windows 11 includes the cloud services that are listed in the following table: | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When you add your Microsoft Account to Windows 11, you can bring your Windows, Microsoft Edge, and Xbox settings, web page favorites, files, photos, and more across your different devices. Your Microsoft account lets you manage everything all in one place. Keep tabs on your subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud and across devices, including iOS and Android. | | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | -| Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

Learn more about Microsoft Family Safety. | +| Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From a19534b1b5ac35d33bbb9054176eab6727d6217c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:21:50 -0700 Subject: [PATCH 128/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 51ac9dadd3..773394f619 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table: |:---|:---| | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | -| Microsoft account | When you add your Microsoft Account to Windows 11, you can bring your Windows, Microsoft Edge, and Xbox settings, web page favorites, files, photos, and more across your different devices. Your Microsoft account lets you manage everything all in one place. Keep tabs on your subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud and across devices, including iOS and Android. | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of their devices, and even get rewards. | | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | | Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From 489a499500abf23e82cb54644eb5c3df700ab865 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:27:52 -0700 Subject: [PATCH 129/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 773394f619..a8ccd0ff3c 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -25,5 +25,5 @@ Windows 11 includes the cloud services that are listed in the following table: | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of their devices, and even get rewards. | | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | -| Family safety | Microsoft Family Safety empowers you and your family to create healthy habits and protect your loved ones, both online and offline. Get peace of mind that your family is safer while giving your kids independence.

Use your Microsoft account to create a family group on Windows, Xbox, or your mobile devices. Then customize your family settings as your needs change, from the family.microsoft.com website or the Microsoft Family Safety app on Android and iOS.

Develop healthy digital habits with transparency into your family's activities. View your kids’ weekly activity, including web, search, apps and games, and screen time. Balance their time online by setting screen time limits across Windows and Xbox, or set time limits on specific apps or games on Windows, Xbox, or Android to enable kids to be connected for online learning but stay focused.

Create a safe space for your kids to explore online. Use the content filtering settings to block inappropriate apps and games, and limit browsing to kid-friendly websites using Microsoft Edge on Windows, Xbox, and Android. To avoid surprises, get notified when your kids want to download a more mature app or game from the Microsoft Store on Windows and Xbox with age limits.

Stay connected even when you’re apart with family location sharing and tracking. Share your location with loved ones, spot them on a map, and save places they visit the most.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | +| Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their your family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From ea8ddca8fa3ec811b1f7e5eeb6f8585cbbc420c1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:31:03 -0700 Subject: [PATCH 130/458] Update cloud.md --- windows/security/cloud.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index a8ccd0ff3c..8f692a5af0 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -15,9 +15,9 @@ author: dansimp *This article provides an overview of cloud services built into Windows 11.* -Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services to help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. -Windows 11 includes the cloud services that are listed in the following table: +Windows 11 includes the cloud services that are listed in the following table:

| Service type | Description | |:---|:---| @@ -25,5 +25,5 @@ Windows 11 includes the cloud services that are listed in the following table: | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of their devices, and even get rewards. | | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | -| Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their your family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | +| Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From 0023bfa72ec58e4223624377419efd9003efa46d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:32:47 -0700 Subject: [PATCH 131/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 8f692a5af0..879368adf1 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | -| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize your family's digital life, update your privacy and security settings, track the health and safety of their devices, and even get rewards. | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | | Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From 06c3a2d37d7e6709f75f62b4d2985cebdd7e52f3 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:33:33 -0700 Subject: [PATCH 132/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 879368adf1..c48b1c6ba0 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -24,6 +24,6 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| -| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide) | +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware) | | Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From f54e646cfb25353a509615b8c32a8949935ab372 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:33:54 -0700 Subject: [PATCH 133/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index c48b1c6ba0..0b40946517 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -24,6 +24,6 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| -| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware) | +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware) | | Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From 69635a233af330c1ec58cbfd84e088841b72474d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:34:36 -0700 Subject: [PATCH 134/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 0b40946517..389cae3460 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -24,6 +24,6 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| -| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware) | +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | From e9f4f576784d0b9eb2285aa9edb0b907266b0f84 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:36:56 -0700 Subject: [PATCH 135/458] Update cloud.md --- windows/security/cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 389cae3460..f167df48d7 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -21,7 +21,7 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need.

Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | From 9dd3cadae71f5a6f6a5c6aeee936d1d3e8367499 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 12:47:28 -0700 Subject: [PATCH 136/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 6b5de3479e..6668d62e59 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -21,9 +21,12 @@ f1.keywords: NOCSH Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. Windows 11 includes a management component that includes: + - The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and - The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies. +## MDM features and capabilities + MDM includes several security features & capabilities. These include: - Remote wipe - Support for your work or school account @@ -31,4 +34,23 @@ MDM includes several security features & capabilities. These include: - Remote device attestation - (other stuff coming soon): Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business -Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols. \ No newline at end of file +## Support for non-Microsoft MDM servers + +Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. + +For details about the MDM protocols, the following resources: + +- [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) +- [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) + +## Security baselines + +Windows 11 can be configured with the Microsoft MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. Security baseline enables IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices. + +The MDM security baseline includes policies that cover the following areas: + +- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Virtual-based security, Exploit Guard, Defender, and Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting use of legacy technology +- Legacy technology policies that offer alternative solutions with modern technology From 806a912dea4d76b854392b1baedd81af33a33191 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Wed, 8 Sep 2021 12:57:15 -0700 Subject: [PATCH 137/458] Update virus-initiative-criteria.md Update to membership requirements, follow-up link for application, and high-level program summary. --- .../intelligence/virus-initiative-criteria.md | 29 +++++++------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 83ca25908d..360a4bde38 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,34 +18,27 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. - -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology & strategy. ## Become a member -You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -1. Offer an antimalware or antivirus product that meets one of the following criteria: +To qualify for the MVI program, your organization must meet all the following requirements. - * Your organization's own creation. - * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. +1) Your security solution either replaces or compliments Microsoft Defender Antivirus. -2. Have your own malware research team unless you build a product based on an SDK. +2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3. Be active and have a positive reputation in the antimalware industry. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. +5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -5. Be willing to sign a program license agreement. +6) You must submit your app to Microsoft for periodic performance testing and feature review. -6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. - -7. Submit your app to Microsoft for periodic performance testing. - -8. Certified through independent testing by at least one industry standard organization. +7) Your solution must be certified through independent testing by at least one industry standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- @@ -60,4 +53,4 @@ West Coast Labs | Checkmark Certified
http://www.checkmarkcertified.com/sm ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). From 9d97e27242884a64c7a1e4d250c417f6eb4d36f4 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 13:03:26 -0700 Subject: [PATCH 138/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 6668d62e59..c19ab3a22a 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -27,12 +27,15 @@ Windows 11 includes a management component that includes: ## MDM features and capabilities -MDM includes several security features & capabilities. These include: -- Remote wipe -- Support for your work or school account -- Config Lock -- Remote device attestation -- (other stuff coming soon): Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business +MDM includes several security features & capabilities, as described in the following table: + +| Feature/capability | Description | +|:---|:---| +| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. A help desk agent might also want to reset devices to fix issues encountered by remote workers. Windows 10 and Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | +| Support for your work or school account | Adding a work or school account enables devices to connect to your work environment. You can join the device to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate owned devices so they meet the policy and security guidelines for the company. Easily configure the devices with the apps and settings the person needs to do their work through management solutions such as Microsoft Endpoint Manager (MEM).

When a device is joined to Azure AD and managed with MDM, it will bring the following security values:
- Default fully managed user and device settings and policies
- Single Sign On to all Microsoft Online Services
- Full suite of password management capabilities, using Windows Hello For Business
- Authentication uses Tokens
- No use of consumer Microsoft Account identity | +| Config Lock | | +| Remote device attestation | | +| (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | ## Support for non-Microsoft MDM servers @@ -45,12 +48,12 @@ For details about the MDM protocols, the following resources: ## Security baselines -Windows 11 can be configured with the Microsoft MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. Security baseline enables IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices. +Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices. The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Virtual-based security, Exploit Guard, Defender, and Firewall +- Microsoft inbox security technology (such as BitLocker and Windows Defender SmartScreen), and Virtual-based security ( exploit protection, Microsoft Defender Antivirus, and Windows Defender Firewall) - Restricting remote access to devices - Setting credential requirements for passwords and PINs -- Restricting use of legacy technology +- Restricting the use of legacy technology - Legacy technology policies that offer alternative solutions with modern technology From 95cdc814fd5685b3b6ab5d1930b43d74aa590c4a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 13:05:05 -0700 Subject: [PATCH 139/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index c19ab3a22a..546c0c4aeb 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -18,7 +18,7 @@ f1.keywords: NOCSH # Modern device management and Windows 11 -Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. +Windows 11 supports modern device management (MDM), an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. Windows 11 includes a management component that includes: From 2d859018a2c817774e710ae88ac9b821753710ed Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 13:07:40 -0700 Subject: [PATCH 140/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 546c0c4aeb..da333c0c9c 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -27,11 +27,11 @@ Windows 11 includes a management component that includes: ## MDM features and capabilities -MDM includes several security features & capabilities, as described in the following table: +MDM includes several security features & capabilities, as described in the following table:

| Feature/capability | Description | |:---|:---| -| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. A help desk agent might also want to reset devices to fix issues encountered by remote workers. Windows 10 and Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | +| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | | Support for your work or school account | Adding a work or school account enables devices to connect to your work environment. You can join the device to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate owned devices so they meet the policy and security guidelines for the company. Easily configure the devices with the apps and settings the person needs to do their work through management solutions such as Microsoft Endpoint Manager (MEM).

When a device is joined to Azure AD and managed with MDM, it will bring the following security values:
- Default fully managed user and device settings and policies
- Single Sign On to all Microsoft Online Services
- Full suite of password management capabilities, using Windows Hello For Business
- Authentication uses Tokens
- No use of consumer Microsoft Account identity | | Config Lock | | | Remote device attestation | | From 2a36d93435fe4029f01203358e541c695f3fab1f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 13:40:57 -0700 Subject: [PATCH 141/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index da333c0c9c..1ba8b1ff88 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -32,7 +32,7 @@ MDM includes several security features & capabilities, as described in the follo | Feature/capability | Description | |:---|:---| | Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | -| Support for your work or school account | Adding a work or school account enables devices to connect to your work environment. You can join the device to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate owned devices so they meet the policy and security guidelines for the company. Easily configure the devices with the apps and settings the person needs to do their work through management solutions such as Microsoft Endpoint Manager (MEM).

When a device is joined to Azure AD and managed with MDM, it will bring the following security values:
- Default fully managed user and device settings and policies
- Single Sign On to all Microsoft Online Services
- Full suite of password management capabilities, using Windows Hello For Business
- Authentication uses Tokens
- No use of consumer Microsoft Account identity | +| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get teh following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | | Config Lock | | | Remote device attestation | | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | From ef784279f138ee03a4121ad42707d7d566e4a633 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 13:53:04 -0700 Subject: [PATCH 142/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 1ba8b1ff88..e938581f41 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -33,8 +33,8 @@ MDM includes several security features & capabilities, as described in the follo |:---|:---| | Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | | Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get teh following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | -| Config Lock | | -| Remote device attestation | | +| Config Lock | In enterprise organizations, security teams and IT admins typically enforce policies on corporate devices to keep the devices in a compliant state and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state. We call this *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to the IT desired state on the following feature sets. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | +| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT Administrators of the attestation service can leverage the information available in the boot to protect themselves from boot level attacks and misconfigurations. An enterprise’s device management operators can rely on Microsoft Azure Attestation service to securely report on the device boot health, firmware security and other low level security features usually used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprises device health to the administrator, allowing them to deal with low level threats with confidence. One of the fundamental device management verticals of any enterprise is the security stature of its devices. Windows 11 comes with MDM integration with Microsoft Azure Attestation allowing MDM providers to also leverage the attestation capabilities to trust and enhance the security of a device. | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | ## Support for non-Microsoft MDM servers From 4923e4027c6858b3b08cf3a3dea3c650ecc2523a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 14:00:52 -0700 Subject: [PATCH 143/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index e938581f41..3d2d701333 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -33,8 +33,8 @@ MDM includes several security features & capabilities, as described in the follo |:---|:---| | Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | | Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get teh following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | -| Config Lock | In enterprise organizations, security teams and IT admins typically enforce policies on corporate devices to keep the devices in a compliant state and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state. We call this *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to the IT desired state on the following feature sets. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | -| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT Administrators of the attestation service can leverage the information available in the boot to protect themselves from boot level attacks and misconfigurations. An enterprise’s device management operators can rely on Microsoft Azure Attestation service to securely report on the device boot health, firmware security and other low level security features usually used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprises device health to the administrator, allowing them to deal with low level threats with confidence. One of the fundamental device management verticals of any enterprise is the security stature of its devices. Windows 11 comes with MDM integration with Microsoft Azure Attestation allowing MDM providers to also leverage the attestation capabilities to trust and enhance the security of a device. | +| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | +| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features usually used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | ## Support for non-Microsoft MDM servers From c71125c86601deb5278bbdc2172e0c6e97cb165d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 14:05:36 -0700 Subject: [PATCH 144/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 3d2d701333..356249fc2e 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -32,9 +32,9 @@ MDM includes several security features & capabilities, as described in the follo | Feature/capability | Description | |:---|:---| | Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | -| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get teh following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | +| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get the following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | | Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | -| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features usually used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | +| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | ## Support for non-Microsoft MDM servers @@ -52,7 +52,7 @@ Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/int The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (such as BitLocker and Windows Defender SmartScreen), and Virtual-based security ( exploit protection, Microsoft Defender Antivirus, and Windows Defender Firewall) +- Microsoft inbox security technology (such as BitLocker and Windows Defender SmartScreen), and Virtual-based security (exploit protection, Microsoft Defender Antivirus, and Windows Defender Firewall) - Restricting remote access to devices - Setting credential requirements for passwords and PINs - Restricting the use of legacy technology From bb962e51002acb34a1c996a78fca520a1c2729c9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 14:06:19 -0700 Subject: [PATCH 145/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 356249fc2e..2456527534 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -37,15 +37,6 @@ MDM includes several security features & capabilities, as described in the follo | Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | -## Support for non-Microsoft MDM servers - -Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. - -For details about the MDM protocols, the following resources: - -- [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) -- [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) - ## Security baselines Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices. @@ -57,3 +48,14 @@ The MDM security baseline includes policies that cover the following areas: - Setting credential requirements for passwords and PINs - Restricting the use of legacy technology - Legacy technology policies that offer alternative solutions with modern technology + + +## Support for non-Microsoft MDM servers + +Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. + +For details about the MDM protocols, the following resources: + +- [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) +- [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) + From 333565c8e8d8968889dabc4d37ccddd5ca4912fa Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 15:45:05 -0700 Subject: [PATCH 146/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 2456527534..f86e30a938 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -18,6 +18,8 @@ f1.keywords: NOCSH # Modern device management and Windows 11 +*This article provides an overview of modern device management and Windows 11.* + Windows 11 supports modern device management (MDM), an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. Windows 11 includes a management component that includes: @@ -25,6 +27,8 @@ Windows 11 includes a management component that includes: - The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and - The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies. +Read this article to learn more about how Windows 11 works with MDM. + ## MDM features and capabilities MDM includes several security features & capabilities, as described in the following table:

@@ -33,7 +37,7 @@ MDM includes several security features & capabilities, as described in the follo |:---|:---| | Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | | Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get the following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | -| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | +| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors registry keys, and when a drift is detected, the operating system reverts back to the IT-configured state within seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | | Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | @@ -49,7 +53,6 @@ The MDM security baseline includes policies that cover the following areas: - Restricting the use of legacy technology - Legacy technology policies that offer alternative solutions with modern technology - ## Support for non-Microsoft MDM servers Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. From 32c9b1cf0952b95d266dae9457357517ab6ab1d7 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 15:46:27 -0700 Subject: [PATCH 147/458] Update mdm-windows.md --- windows/security/mdm-windows.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index f86e30a938..93de42d94e 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -47,7 +47,13 @@ Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/int The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (such as BitLocker and Windows Defender SmartScreen), and Virtual-based security (exploit protection, Microsoft Defender Antivirus, and Windows Defender Firewall) +- Microsoft inbox security technology + - BitLocker + - Windows Defender SmartScreen +- Virtual-based security + - Exploit protection + - Microsoft Defender Antivirus + - Windows Defender Firewall - Restricting remote access to devices - Setting credential requirements for passwords and PINs - Restricting the use of legacy technology From 4e9176935966009f25f40131f31e535bc469913c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 15:51:30 -0700 Subject: [PATCH 148/458] Update index.yml --- windows/security/index.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 6f614b438e..0fcb21c951 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -45,8 +45,6 @@ landingContent: url: trusted-boot.md - text: Encryption and data protection url: encryption-data-protection.md - - text: Network security - url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - text: Network security url: operating-system.md - text: Virus & threat protection From a076ee6a6fa411bdab66426befbace6796b882d5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 15:57:48 -0700 Subject: [PATCH 149/458] Update index.yml --- windows/security/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0fcb21c951..3b306dfcc8 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -37,7 +37,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Overview of operating system security + - text: Operating system security url: operating-system.md - linkListType: concept links: @@ -46,9 +46,9 @@ landingContent: - text: Encryption and data protection url: encryption-data-protection.md - text: Network security - url: operating-system.md + url: identity-protection/vpn/vpn-guide.md - text: Virus & threat protection - url: operating-system.md + url: https://docs.microsoft.com/microsoft-365/security/defender-endpoint # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 07360076eea9869d8df4e31fd0a92b195e0d0b9f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:00:47 -0700 Subject: [PATCH 150/458] Update index.yml --- windows/security/index.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 3b306dfcc8..71c6da2416 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -74,8 +74,13 @@ landingContent: linkLists: - linkListType: overview links: - - text: article (change link later, add more) - url: /windows/security/threat-protection/windows-security-baselines.md + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: MDM and Windows 11 + url: mdm-windows.md + - text: Your Microsoft Account + - text: OneDrive + - text: Family safety # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 5209b0a013b7814956338394874cabeaf97b93a0 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:04:50 -0700 Subject: [PATCH 151/458] cards --- windows/security/cloud.md | 18 ++++++++++++++---- windows/security/index.yml | 10 +++++++--- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index f167df48d7..c7194406ef 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -2,13 +2,23 @@ title: Windows and cloud security description: Get an overview of cloud services supported in Windows 11 ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.prod: w10 +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.prod: w11 +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2021 +ms.prod: w11 +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: +f1.keywords: NOCSH ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dansimp +search.appverid: MET150 --- # Windows and cloud security diff --git a/windows/security/index.yml b/windows/security/index.yml index 71c6da2416..e121d5124b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -85,12 +85,16 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: User protection + - title: Secured-core and cloud devices linkLists: - linkListType: overview links: - - text: article (change link later) - url: /windows/security/threat-protection/windows-security-baselines.md + - text: Windows 11 secured-core devices + - text: Windows 365 Cloud PCs + - text: Windows 365 for Business + - text: Windows 365 for Enterprise + - text: Azure Virtual Desktop + # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From d6617cb1d320cf60c787500d355b7b0bfd311163 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:08:42 -0700 Subject: [PATCH 152/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 5e5d767e80..c3103245fe 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -201,7 +201,7 @@ href: identity-protection/vpn/vpn-office-365-optimization.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - - name: Threat protection + - name: Virus & threat protection items: - name: Microsoft Defender Antivirus href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows From 8cd576544c44d60bba7c7f37a5357ffa7b6c93ac Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:11:43 -0700 Subject: [PATCH 153/458] more fixes --- windows/security/cloud.md | 1 - windows/security/index.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index c7194406ef..45b41e1e1f 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -9,7 +9,6 @@ ms.prod: w11 audience: ITPro ms.topic: conceptual ms.date: 09/08/2021 -ms.prod: w11 ms.localizationpriority: medium ms.collection: ms.custom: diff --git a/windows/security/index.yml b/windows/security/index.yml index e121d5124b..3f5829169f 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -79,8 +79,11 @@ landingContent: - text: MDM and Windows 11 url: mdm-windows.md - text: Your Microsoft Account + url: - text: OneDrive + url: - text: Family safety + url: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 2ad69061f52fa21ec75cb49b46ac65d9d578863c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:12:14 -0700 Subject: [PATCH 154/458] Update cloud.md --- windows/security/cloud.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 45b41e1e1f..c8ff9dc957 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -12,7 +12,6 @@ ms.date: 09/08/2021 ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: f1.keywords: NOCSH ms.mktglfcycl: deploy ms.sitesec: library From 546f8850d8cd87e3949b0f801e2e004ae085818f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:16:10 -0700 Subject: [PATCH 155/458] Update index.yml --- windows/security/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 3f5829169f..182f6bf688 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -79,11 +79,11 @@ landingContent: - text: MDM and Windows 11 url: mdm-windows.md - text: Your Microsoft Account - url: + url: identity-protection/access-control/microsoft-accounts.md - text: OneDrive - url: + url: https://docs.microsoft.com/onedrive/onedrive - text: Family safety - url: + url: threat-protection/windows-defender-security-center/wdsc-family-options.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 90dd8080b6c32dc8531e3df3779171a68bdc772d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 8 Sep 2021 16:18:24 -0700 Subject: [PATCH 156/458] Update index.yml --- windows/security/index.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 182f6bf688..a2b6354f5b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -92,11 +92,17 @@ landingContent: linkLists: - linkListType: overview links: - - text: Windows 11 secured-core devices - - text: Windows 365 Cloud PCs - - text: Windows 365 for Business - - text: Windows 365 for Enterprise - - text: Azure Virtual Desktop + - text: Windows 11 secured-core devices (change link later) + url: https://docs.microsoft.com/windows/whats-new/windows-11 + - text: Windows 365 Cloud PCs (change link later) + url: https://docs.microsoft.com/windows/whats-new/windows-11 + - text: Windows 365 for Business (change link later) + url: https://docs.microsoft.com/windows/whats-new/windows-11 + - text: Windows 365 for Enterprise (change link later) + url: https://docs.microsoft.com/windows/whats-new/windows-11 + - text: Azure Virtual Desktop (change link later) + url: https://docs.microsoft.com/windows/whats-new/windows-11 + # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From b9c4cd036cc0009537576dfd86d60f83f7ba42bd Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Thu, 9 Sep 2021 17:09:15 +0530 Subject: [PATCH 157/458] Updated as per 5358858 --- .../configure-md-app-guard.md | 3 ++- .../install-md-app-guard.md | 6 ++++-- .../md-app-guard-browser-extension.md | 3 ++- .../md-app-guard-overview.md | 4 +++- .../reqs-md-app-guard.md | 6 ++++-- .../test-scenarios-md-app-guard.md | 3 ++- 6 files changed, 17 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index d2ee8b1f7a..1c874086ab 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/24/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..6c2db12e7d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/21/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Prepare to install Microsoft Defender Application Guard **Applies to:** -- - Windows 10 + +- Windows 10 +- Windows 11 ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d507e47abf..a3a578cd53 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: martyav ms.author: v-maave -ms.date: 06/12/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..010f230e70 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/27/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Microsoft Defender Application Guard overview **Applies to** + - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index fb162b5632..b429e0e44f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # System requirements for Microsoft Defender Application Guard **Applies to** + - Windows 10 +- Windows 11 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
Windows 11 | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..3e07e70fdc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -10,7 +10,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/14/2020 +ms.date: 09/09/2021 ms.custom: asr ms.technology: mde --- @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. From 5c9fc1c94735a72644fd102d1987f05ca65cd365 Mon Sep 17 00:00:00 2001 From: Fojonx <90415493+Fojonx@users.noreply.github.com> Date: Thu, 9 Sep 2021 14:21:38 -0400 Subject: [PATCH 158/458] Update security-compliance-toolkit-10.md Adding Windows Server 2022 entry --- .../security/threat-protection/security-compliance-toolkit-10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 2ec5067168..3fe631aa97 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -37,6 +37,7 @@ The Security Compliance Toolkit consists of: - Windows 10, Version 1507 - Windows Server security baselines + - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 From 23bf32ee87fa34a401b839092887a746b17839db Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 10 Sep 2021 09:54:54 -0700 Subject: [PATCH 159/458] Update TOC.yml --- windows/security/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index c3103245fe..d6aa4bd0b5 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -4,6 +4,8 @@ expanded: true - name: Hardware security items: + - name: Overview + href: hardware.md - name: Trusted Platform Module href: information-protection/tpm/trusted-platform-module-top-node.md items: From 70e73dbe10b174b5c07e72e4d8997494f874268e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 10 Sep 2021 10:03:14 -0700 Subject: [PATCH 160/458] Update cloud.md --- windows/security/cloud.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index c8ff9dc957..807a9bdc7e 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -8,7 +8,7 @@ manager: dansimp ms.prod: w11 audience: ITPro ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 09/10/2021 ms.localizationpriority: medium ms.collection: ms.custom: @@ -35,3 +35,7 @@ Windows 11 includes the cloud services that are listed in the following table:
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | +## Next steps + +- [Learn more about MDM and Windows 11](mdm-windows.md) +- [Learn more about Windows security](index.yml) \ No newline at end of file From 61008f0d0e2111c3f606626cff1a935c03071920 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 10 Sep 2021 10:07:21 -0700 Subject: [PATCH 161/458] Update apps.md --- windows/security/apps.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/apps.md b/windows/security/apps.md index 098f9524ea..033e42b863 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -13,7 +13,7 @@ author: dansimp # Windows application security -Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enables developers to build-in security from the ground up to protect against breaches and malware. +Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enable developers to build in security from the ground up to protect against breaches and malware. The following table summarizes the Windows security features and capabilities for apps:

@@ -29,7 +29,7 @@ The following table summarizes the Windows security features and capabilities fo | Security Measures | Features & Capabilities | |:---|:---| | Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | -| Microsoft Defender Application Guard | Application Guard leverages chip based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running these in an isolated Hyper-V based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | | Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](/identity-protection/configure-s-mime.md) | | Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | | Isolating UWP apps | TBD | From de068b493555aaaaf80a7f38e153cdf408839a24 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 10 Sep 2021 16:09:36 -0700 Subject: [PATCH 162/458] tweaks --- windows/security/TOC.yml | 6 ++---- windows/security/index.yml | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d6aa4bd0b5..2ef62a440f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -344,7 +344,5 @@ href: threat-protection/msft-security-dev-lifecycle.md - name: Microsoft Bug Bounty Program href: threat-protection/microsoft-bug-bounty-program.md -- name: Privacy controls - items: - - name: Windows Privacy controls - href: https://docs.microsoft.com/windows/privacy/windows-10-and-privacy-compliance \ No newline at end of file +- name: Windows Privacy + href: /windows/privacy/windows-10-and-privacy-compliance.md diff --git a/windows/security/index.yml b/windows/security/index.yml index a2b6354f5b..09d23443f6 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Windows security # < 60 chars -summary: Learn about Windows security from chip to cloud. # < 160 chars +summary: Windows is a Zero Trust-ready operating system that provides security from chip to cloud. # < 160 chars metadata: title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. From 929d168ce509613966e31bf727b2b9abbae593f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Sep 2021 07:35:04 -0700 Subject: [PATCH 163/458] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 360a4bde38..844c34033a 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,7 +18,7 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology & strategy. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy. ## Become a member From 5a4970ecca38d013c176fd6d135cbef365ae91ad Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 13 Sep 2021 13:56:38 -0700 Subject: [PATCH 164/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2ef62a440f..a3470a1c0f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -228,7 +228,7 @@ - name: Cloud services href: cloud.md items: - - name: MDM and Windows 11 + - name: Modern device management with Windows 11 href: mdm-windows.md - name: User protection items: From 0724a68bec65409a5d2a1653a16ef5abe5e68789 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 13 Sep 2021 13:57:31 -0700 Subject: [PATCH 165/458] Update TOC.yml --- windows/security/TOC.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index a3470a1c0f..5bfdf80bd2 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -204,6 +204,7 @@ - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - name: Virus & threat protection + href: threat-protection/index.md items: - name: Microsoft Defender Antivirus href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows From 35db7b8a2b27e85d113321379171537609f2544c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 13 Sep 2021 14:12:29 -0700 Subject: [PATCH 166/458] Update TOC.yml --- windows/security/TOC.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 5bfdf80bd2..05b9de9c14 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -231,6 +231,16 @@ items: - name: Modern device management with Windows 11 href: mdm-windows.md + - name: Windows 11 secured-core devices (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 Cloud PCs (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Enterprise (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Business (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Azure Virtual Desktop (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 - name: User protection items: - name: Technical support policy for lost or forgotten passwords From 103916b96d52904c6cb6781098470008890c1ba0 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 13 Sep 2021 14:12:53 -0700 Subject: [PATCH 167/458] Update index.yml --- windows/security/index.yml | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 09d23443f6..5b1feb7f15 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/07/2021 + ms.date: 09/13/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -85,25 +85,6 @@ landingContent: - text: Family safety url: threat-protection/windows-defender-security-center/wdsc-family-options.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Secured-core and cloud devices - linkLists: - - linkListType: overview - links: - - text: Windows 11 secured-core devices (change link later) - url: https://docs.microsoft.com/windows/whats-new/windows-11 - - text: Windows 365 Cloud PCs (change link later) - url: https://docs.microsoft.com/windows/whats-new/windows-11 - - text: Windows 365 for Business (change link later) - url: https://docs.microsoft.com/windows/whats-new/windows-11 - - text: Windows 365 for Enterprise (change link later) - url: https://docs.microsoft.com/windows/whats-new/windows-11 - - text: Azure Virtual Desktop (change link later) - url: https://docs.microsoft.com/windows/whats-new/windows-11 - - # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 726b5b8b5f6b276f6debedd923b186976a39b9ee Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Tue, 14 Sep 2021 08:50:53 -0700 Subject: [PATCH 168/458] removed Device Guard references replaced references to Device Guard with references to HVCI and/or WDAC where appropriate. --- ...tualization-based-protection-of-code-integrity.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 4065b2122a..59657cc8ed 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -21,14 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor Protected Code Integrity (HVCI,) a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. @@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features. | -> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. ## Additional qualifications for improved security @@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | \ No newline at end of file +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | From 07c9915cdd722664bdf93a01a3fe1a45b100147d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 11:18:31 -0700 Subject: [PATCH 169/458] updating metadata --- windows/security/apps.md | 3 +++ windows/security/cloud.md | 5 ++++- windows/security/hardware.md | 3 +++ windows/security/identity.md | 3 +++ windows/security/operating-system.md | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/security/apps.md b/windows/security/apps.md index 033e42b863..dfbf8d5711 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -9,6 +9,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec --- # Windows application security diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 807a9bdc7e..04dc44e601 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -5,7 +5,7 @@ ms.reviewer: author: denisebmsft ms.author: deniseb manager: dansimp -ms.prod: w11 +ms.prod: w10 audience: ITPro ms.topic: conceptual ms.date: 09/10/2021 @@ -17,6 +17,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security search.appverid: MET150 +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec --- # Windows and cloud security diff --git a/windows/security/hardware.md b/windows/security/hardware.md index cd1daa5805..3d619b9226 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -9,6 +9,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec --- # Windows hardware security diff --git a/windows/security/identity.md b/windows/security/identity.md index f943325f1d..e7927861b9 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -9,6 +9,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec --- # Windows identity security diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index ee5fa0eda4..892b507022 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -10,6 +10,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec --- # Windows operating system security From 1c2500bd8480998fada680b5257f6f873efdc457 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 12:21:39 -0700 Subject: [PATCH 170/458] spelling out modern device management --- windows/security/TOC.yml | 28 +++++++++++++++------------- windows/security/mdm-windows.md | 28 ++++++++++++++-------------- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 05b9de9c14..d58e115f79 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -227,20 +227,22 @@ href: identity.md items: - name: Cloud services - href: cloud.md items: - - name: Modern device management with Windows 11 - href: mdm-windows.md - - name: Windows 11 secured-core devices (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 Cloud PCs (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Enterprise (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Business (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Azure Virtual Desktop (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Overview + href: cloud.md + items: + - name: Modern device management with Windows 11 + href: mdm-windows.md + - name: Windows 11 secured-core devices (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 Cloud PCs (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Enterprise (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Business (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Azure Virtual Desktop (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 - name: User protection items: - name: Technical support policy for lost or forgotten passwords diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md index 93de42d94e..db735842c5 100644 --- a/windows/security/mdm-windows.md +++ b/windows/security/mdm-windows.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 09/14/2021 ms.prod: w11 ms.localizationpriority: medium ms.collection: @@ -20,32 +20,32 @@ f1.keywords: NOCSH *This article provides an overview of modern device management and Windows 11.* -Windows 11 supports modern device management (MDM), an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices. +Windows 11 supports modern device management, an enterprise management solution to help you manage your organization's security policies and business applications. Modern device management enables your security team to manage devices without compromising people's privacy on their personal devices. Windows 11 includes a management component that includes: - The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and - The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies. -Read this article to learn more about how Windows 11 works with MDM. +Read this article to learn more about how Windows 11 works with modern device management. -## MDM features and capabilities +## Modern device management features and capabilities -MDM includes several security features & capabilities, as described in the following table:

+Modern device management includes several security features & capabilities, as described in the following table:

| Feature/capability | Description | |:---|:---| -| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | -| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with MDM, you get the following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | -| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors registry keys, and when a drift is detected, the operating system reverts back to the IT-configured state within seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | -| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | +| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that modern device management solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | +| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with modern device management, you get the following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | +| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with modern device management and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors registry keys, and when a drift is detected, the operating system reverts back to the IT-configured state within seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | +| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with modern device management integration with Microsoft Azure Attestation, allowing modern device management providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | | (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | ## Security baselines -Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices. +Windows 11 can be configured with the [Microsoft modern device management security baseline](/mem/intune/protect/security-baseline-settings-modern device management-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any modern device management, addressing security concerns and compliance needs for modern cloud-managed devices. -The MDM security baseline includes policies that cover the following areas: +The modern device management security baseline includes policies that cover the following areas: - Microsoft inbox security technology - BitLocker @@ -59,11 +59,11 @@ The MDM security baseline includes policies that cover the following areas: - Restricting the use of legacy technology - Legacy technology policies that offer alternative solutions with modern technology -## Support for non-Microsoft MDM servers +## Support for non-Microsoft modern device management servers -Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. +Non-Microsoft modern device management servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the modern device management protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. Modern device management servers do not need to create or download a client to manage Windows 11. -For details about the MDM protocols, the following resources: +For details about the modern device management protocols, the following resources: - [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) - [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) From 79043da03237363a7378fdb886519f44c0fef574 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 12:23:30 -0700 Subject: [PATCH 171/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 5b1feb7f15..0dc418be7d 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/13/2021 + ms.date: 09/14/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -76,7 +76,7 @@ landingContent: links: - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - - text: MDM and Windows 11 + - text: Modern device management with Windows 11 url: mdm-windows.md - text: Your Microsoft Account url: identity-protection/access-control/microsoft-accounts.md From 10569c19b0a066af09c0fa9b96f944fc7de3a4ab Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 13:44:00 -0700 Subject: [PATCH 172/458] finalizing apps page --- windows/security/apps.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/windows/security/apps.md b/windows/security/apps.md index dfbf8d5711..a76c2d05d5 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -16,24 +16,13 @@ ms.technology: windows-sec # Windows application security -Cybercriminals regularly gain access to valuable data by hacking poorly secured applications. Common security failures include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows 11 protects your valuable data with layers of application security. A rich application platform, isolation, and code integrity enable developers to build in security from the ground up to protect against breaches and malware. +Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. The following table summarizes the Windows security features and capabilities for apps:

-| Security Measures | Features & Capabilities | -|:---|:---| -| Application Security |[Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md)
[Microsoft Defender Application Guard](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md)
[Email security for Windows](/identity-protection/configure-s-mime.md)
[Microsoft Defender SmartScreen ](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | -| Privacy Controls |[Windows privacy and compliance](/windows/privacy/windows-10-and-privacy-compliance)
[Windows privacy controls and transparency](/privacy/changes-to-windows-diagnostic-data-collection.md)
| - - - -## TEST - | Security Measures | Features & Capabilities | |:---|:---| | Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | | Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | | Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](/identity-protection/configure-s-mime.md) | | Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | -| Isolating UWP apps | TBD | -| Developer security | TBD | \ No newline at end of file From 59cc0285743adb0db84c370bd3d0e55d68cd2c84 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 14:01:32 -0700 Subject: [PATCH 173/458] identity --- windows/security/identity.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/identity.md b/windows/security/identity.md index e7927861b9..e7f014671d 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -20,3 +20,11 @@ Malicious actors launch an average of 50 million password attacks every day—57 New Windows 11 devices protect users by removing vulnerable passwords by default, from day one. Weak passwords, password spraying, and phishing are the entry point for many attacks. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations by more than 99.9 percent. As remote and hybrid work becomes the new normal, Windows 11 gives IT teams a variety of MFA options to meet business and consumer needs while complying with ever-evolving regulations. +| Security capabilities | Description | +|:---|:---| +| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | +| Credential Guard | Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Learn more: [Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md)| +| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file From 9ef28a8dafb78f6a221d22816d8ad4b41a56ea77 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 14:58:53 -0700 Subject: [PATCH 174/458] Update TOC.yml --- windows/security/TOC.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d58e115f79..6d271597fd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -230,19 +230,18 @@ items: - name: Overview href: cloud.md - items: - - name: Modern device management with Windows 11 - href: mdm-windows.md - - name: Windows 11 secured-core devices (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 Cloud PCs (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Enterprise (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Business (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Azure Virtual Desktop (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Modern device management with Windows 11 + href: mdm-windows.md + - name: Windows 11 secured-core devices (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 Cloud PCs (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Enterprise (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Windows 365 for Business (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 + - name: Azure Virtual Desktop (need link) + href: https://docs.microsoft.com/windows/whats-new/windows-11 - name: User protection items: - name: Technical support policy for lost or forgotten passwords From 1e404ac27d46dc6927777c25e11060793854c0a9 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:03:38 -0700 Subject: [PATCH 175/458] Update index.md --- windows/security/threat-protection/index.md | 140 +++----------------- 1 file changed, 21 insertions(+), 119 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f299d99657..7baa36b1a0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,149 +1,51 @@ --- -title: Threat Protection (Windows 10) -description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +title: Windows threat protection +description: Describes the security capabilities in Windows client focused on threat protection +keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: dansimp +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- -# Threat Protection +# Windows threat protection **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) +- Windows 10 +- Windows 11 -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. -**Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +## Windows threat protection -> [!TIP] -> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/). +See the following articles to learn more about the different areas of Windows threat protection: -

Microsoft Defender for Endpoint

- - - - - - - - - - - - - - - -
threat and vulnerability icon
Threat & vulnerability management
attack surface reduction icon
Attack surface reduction
next generation protection icon
Next-generation protection
endpoint detection and response icon
Endpoint detection and response
automated investigation and remediation icon
Automated investigation and remediation
microsoft threat experts icon
Microsoft Threat Experts
-
Centralized configuration and administration, APIs
Microsoft 365 Defender
-
- - - - ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] - -**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) -- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites) -- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights) -- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) -- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory) - - - -**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. - -- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation) -- [Application control](windows-defender-application-control/windows-defender-application-control.md) -- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md) +- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md) +- [Application control](/windows-defender-application-control/windows-defender-application-control.md) +- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview) +- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md) - [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) +- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md) - - -**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +### Next-generation protection +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) - [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) - [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) -- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - - - -**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - -- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue) -- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline) -- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts) -- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts) -- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis) -- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) - - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections) - - - -**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels) -- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) -- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) -- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation) - - - -**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
-Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - -- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts) - - - -**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
-Integrate Microsoft Defender for Endpoint into your existing workflows. -- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure) -- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem) -- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro) -- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac) -- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports) - - -**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
- Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: -- Intune -- Microsoft Defender for Office 365 -- Microsoft Defender for Identity -- Azure Defender -- Skype for Business -- Microsoft Cloud App Security - - -**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. \ No newline at end of file +- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) \ No newline at end of file From f8663351ba22d54de97664cfda1c037530a9a6fa Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:05:51 -0700 Subject: [PATCH 176/458] Update TOC.yml --- windows/security/TOC.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 6d271597fd..a50131a114 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -48,7 +48,6 @@ - name: Encryption and data protection href: encryption-data-protection.md items: - - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - name: Bitlocker From 93f6b8cfbf06297ad14e0162241c017eba5a7890 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:08:29 -0700 Subject: [PATCH 177/458] Update TOC.yml --- windows/security/TOC.yml | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index a50131a114..812098c2f6 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -203,22 +203,23 @@ - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - name: Virus & threat protection - href: threat-protection/index.md items: - - name: Microsoft Defender Antivirus - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - - name: Attack surface reduction rules - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction - - name: Tamper protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Network protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection - - name: Controlled folder access - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders - - name: Exploit protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - - name: Microsoft Defender for Endpoint - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint - name: Application security href: apps.md items: From 43e344af4ca08da6f79c66851d560fd128ba4807 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:18:32 -0700 Subject: [PATCH 178/458] Update TOC.yml --- windows/security/threat-protection/TOC.yml | 1423 +------------------- 1 file changed, 17 insertions(+), 1406 deletions(-) diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index ae12fde723..dcf41c2615 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -1,1410 +1,21 @@ - name: Threat protection href: index.md items: - - name: Next-generation protection with Microsoft Defender Antivirus + - name: Windows threat protection items: - - name: Microsoft Defender Antivirus overview - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10 - - name: Evaluate Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus - - name: Configure Microsoft Defender Antivirus - items: - - name: Configure Microsoft Defender Antivirus features - href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features - - name: Use Microsoft cloud-delivered protection - href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus - items: - - name: Prevent security settings changes with tamper protection - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Enable Block at first sight - href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus - - name: Configure the cloud block timeout period - href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus - - name: Configure behavioral, heuristic, and real-time protection - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus - - name: Detect and block Potentially Unwanted Applications - href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - - name: Enable and configure always-on protection and monitoring - href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus - - name: Antivirus on Windows Server - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server - - name: Antivirus compatibility - items: - - name: Compatibility charts - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility - - name: Use limited periodic antivirus scanning - href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus - - name: Manage Microsoft Defender Antivirus in your business - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus - - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus - - name: Use Group Policy settings to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus - - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus - - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus - - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus - - name: Deploy, manage updates, and report on Microsoft Defender Antivirus - items: - - name: Preparing to deploy - href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus - - name: Deploy and enable Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus - - name: Deployment guide for VDI environments - href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus - - name: Report on antivirus protection - - name: Review protection status and alerts - href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus - - name: Troubleshoot antivirus reporting in Update Compliance - href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting - - name: Learn about the recent updates - href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus - - name: Manage protection and security intelligence updates - href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus - - name: Manage when protection updates should be downloaded and applied - href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus - - name: Manage updates for endpoints that are out of date - href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus - - name: Manage event-based forced updates - href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus - - name: Manage updates for mobile devices and VMs - href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus - - name: Customize, initiate, and review the results of scans and remediation - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Common mistakes when defining exclusions - href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus - - name: Configure scanning antivirus options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Manage scans and remediation - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - - name: Exclusions overview - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions on Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Configure scanning options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - items: - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus - items: - - name: Troubleshoot Microsoft Defender Antivirus issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus migration issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating - - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint" - href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus - - name: "Better together: Microsoft Defender Antivirus and Office 365" - href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus - - name: Hardware-based isolation - items: - - name: Hardware-based isolation evaluation - href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md - - name: Application isolation - items: - - name: Application guard overview - href: microsoft-defender-application-guard/md-app-guard-overview.md - - name: System requirements - href: microsoft-defender-application-guard/reqs-md-app-guard.md - - name: Install Microsoft Defender Application Guard - href: microsoft-defender-application-guard/install-md-app-guard.md - - name: Install Microsoft Defender Application Guard Extension - href: microsoft-defender-application-guard/md-app-guard-browser-extension.md - - name: Application control - href: windows-defender-application-control/windows-defender-application-control.md - items: - - name: Audit Application control policies - href: windows-defender-application-control/audit-windows-defender-application-control-policies.md - - name: System isolation - href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: System integrity - href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md - - name: Code integrity - href: device-guard/enable-virtualization-based-protection-of-code-integrity.md - - name: Network firewall - items: - - name: Network firewall overview - href: windows-firewall/windows-firewall-with-advanced-security.md - - name: Network firewall evaluation - href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md - - name: Security intelligence - href: intelligence/index.md - items: - - name: Understand malware & other threats - href: intelligence/understanding-malware.md - items: - - name: Prevent malware infection - href: intelligence/prevent-malware-infection.md - - name: Malware names - href: intelligence/malware-naming.md - - name: Coin miners - href: intelligence/coinminer-malware.md - - name: Exploits and exploit kits - href: intelligence/exploits-malware.md - - name: Fileless threats - href: intelligence/fileless-threats.md - - name: Macro malware - href: intelligence/macro-malware.md - - name: Phishing - href: intelligence/phishing.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: intelligence/rootkits-malware.md - - name: Supply chain attacks - href: intelligence/supply-chain-malware.md - - name: Tech support scams - href: intelligence/support-scams.md - - name: Trojans - href: intelligence/trojans-malware.md - - name: Unwanted software - href: intelligence/unwanted-software.md - - name: Worms - href: intelligence/worms-malware.md - - name: How Microsoft identifies malware and PUA - href: intelligence/criteria.md - - name: Submit files for analysis - href: intelligence/submission-guide.md - - name: Safety Scanner download - href: intelligence/safety-scanner-download.md - - name: Industry collaboration programs - href: intelligence/cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: intelligence/virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: intelligence/virus-initiative-criteria.md - - name: Coordinated malware eradication - href: intelligence/coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: intelligence/developer-faq.yml - - name: Software developer resources - href: intelligence/developer-resources.md - - name: The Windows Security app - href: windows-defender-security-center/windows-defender-security-center.md - items: - - name: Customize the Windows Security app for your organization - href: windows-defender-security-center/wdsc-customize-contact-information.md - - name: Hide Windows Security app notifications - href: windows-defender-security-center/wdsc-hide-notifications.md - - name: Manage Windows Security app in Windows 10 in S mode - href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md - - name: Virus and threat protection - href: windows-defender-security-center/wdsc-virus-threat-protection.md - - name: Account protection - href: windows-defender-security-center/wdsc-account-protection.md - - name: Firewall and network protection - href: windows-defender-security-center/wdsc-firewall-network-protection.md - - name: App and browser control - href: windows-defender-security-center/wdsc-app-browser-control.md - - name: Device security - href: windows-defender-security-center/wdsc-device-security.md - - name: Device performance and health - href: windows-defender-security-center/wdsc-device-performance-health.md - items: - - name: Family options - href: windows-defender-security-center/wdsc-family-options.md - - name: Microsoft Defender SmartScreen - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: - - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md - - name: Set up and use Microsoft Defender SmartScreen on individual devices - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md - - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: "Windows Defender Application Control and virtualization-based protection of code integrity" - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Certifications - items: - - name: FIPS 140 Validations - href: fips-140-validation.md - - name: Common Criteria Certifications - href: windows-platform-common-criteria.md - - name: More Windows 10 security - items: - - name: Control the health of Windows 10-based devices - href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - - name: Mitigate threats by using Windows 10 security features - href: overview-of-threat-mitigations-in-windows-10.md - - name: Override Process Mitigation Options to help enforce app-related security policies - href: override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: block-untrusted-fonts-in-enterprise.md - - name: Security auditing - href: auditing/security-auditing-overview.md - items: - - name: Basic security audit policies - href: auditing/basic-security-audit-policies.md - items: - - name: Create a basic audit policy for an event category - href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md - - name: Apply a basic audit policy on a file or folder - href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md - - name: View the security event log - href: auditing/view-the-security-event-log.md - - name: Basic security audit policy settings - href: auditing/basic-security-audit-policy-settings.md - items: - - name: Audit account logon events - href: auditing/basic-audit-account-logon-events.md - - name: Audit account management - href: auditing/basic-audit-account-management.md - - name: Audit directory service access - href: auditing/basic-audit-directory-service-access.md - - name: Audit logon events - href: auditing/basic-audit-logon-events.md - - name: Audit object access - href: auditing/basic-audit-object-access.md - - name: Audit policy change - href: auditing/basic-audit-policy-change.md - - name: Audit privilege use - href: auditing/basic-audit-privilege-use.md - - name: Audit process tracking - href: auditing/basic-audit-process-tracking.md - - name: Audit system events - href: auditing/basic-audit-system-events.md - - name: Advanced security audit policies - href: auditing/advanced-security-auditing.md - items: - - name: Planning and deploying advanced security audit policies - href: auditing/planning-and-deploying-advanced-security-audit-policies.md - - name: Advanced security auditing FAQ - href: auditing/advanced-security-auditing-faq.yml - items: - - name: Which editions of Windows support advanced audit policy configuration - href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md - - name: How to list XML elements in \ - href: auditing/how-to-list-xml-elements-in-eventdata.md - - name: Using advanced security auditing options to monitor dynamic access control objects - href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md - items: - - name: Monitor the central access policies that apply on a file server - href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md - - name: Monitor the use of removable storage devices - href: auditing/monitor-the-use-of-removable-storage-devices.md - - name: Monitor resource attribute definitions - href: auditing/monitor-resource-attribute-definitions.md - - name: Monitor central access policy and rule definitions - href: auditing/monitor-central-access-policy-and-rule-definitions.md - - name: Monitor user and device claims during sign-in - href: auditing/monitor-user-and-device-claims-during-sign-in.md - - name: Monitor the resource attributes on files and folders - href: auditing/monitor-the-resource-attributes-on-files-and-folders.md - - name: Monitor the central access policies associated with files and folders - href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md - - name: Monitor claim types - href: auditing/monitor-claim-types.md - - name: Advanced security audit policy settings - href: auditing/advanced-security-audit-policy-settings.md - items: - - name: Audit Credential Validation - href: auditing/audit-credential-validation.md - - name: "Event 4774 S, F: An account was mapped for logon." - href: auditing/event-4774.md - - name: "Event 4775 F: An account could not be mapped for logon." - href: auditing/event-4775.md - - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." - href: auditing/event-4776.md - - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." - href: auditing/event-4777.md - - name: Audit Kerberos Authentication Service - href: auditing/audit-kerberos-authentication-service.md - items: - - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." - href: auditing/event-4768.md - - name: "Event 4771 F: Kerberos pre-authentication failed." - href: auditing/event-4771.md - - name: "Event 4772 F: A Kerberos authentication ticket request failed." - href: auditing/event-4772.md - - name: Audit Kerberos Service Ticket Operations - href: auditing/audit-kerberos-service-ticket-operations.md - items: - - name: "Event 4769 S, F: A Kerberos service ticket was requested." - href: auditing/event-4769.md - - name: "Event 4770 S: A Kerberos service ticket was renewed." - href: auditing/event-4770.md - - name: "Event 4773 F: A Kerberos service ticket request failed." - href: auditing/event-4773.md - - name: Audit Other Account Logon Events - href: auditing/audit-other-account-logon-events.md - - name: Audit Application Group Management - href: auditing/audit-application-group-management.md - - name: Audit Computer Account Management - href: auditing/audit-computer-account-management.md - items: - - name: "Event 4741 S: A computer account was created." - href: auditing/event-4741.md - - name: "Event 4742 S: A computer account was changed." - href: auditing/event-4742.md - - name: "Event 4743 S: A computer account was deleted." - href: auditing/event-4743.md - - name: Audit Distribution Group Management - href: auditing/audit-distribution-group-management.md - items: - - name: "Event 4749 S: A security-disabled global group was created." - href: auditing/event-4749.md - - name: "Event 4750 S: A security-disabled global group was changed." - href: auditing/event-4750.md - - name: "Event 4751 S: A member was added to a security-disabled global group." - href: auditing/event-4751.md - - name: "Event 4752 S: A member was removed from a security-disabled global group." - href: auditing/event-4752.md - - name: "Event 4753 S: A security-disabled global group was deleted." - href: auditing/event-4753.md - - name: Audit Other Account Management Events - href: auditing/audit-other-account-management-events.md - items: - - name: "Event 4782 S: The password hash of an account was accessed." - href: auditing/event-4782.md - - name: "Event 4793 S: The Password Policy Checking API was called." - href: auditing/event-4793.md - - name: Audit Security Group Management - href: auditing/audit-security-group-management.md - items: - - name: "Event 4731 S: A security-enabled local group was created." - href: auditing/event-4731.md - - name: "Event 4732 S: A member was added to a security-enabled local group." - href: auditing/event-4732.md - - name: "Event 4733 S: A member was removed from a security-enabled local group." - href: auditing/event-4733.md - - name: "Event 4734 S: A security-enabled local group was deleted." - href: auditing/event-4734.md - - name: "Event 4735 S: A security-enabled local group was changed." - href: auditing/event-4735.md - - name: "Event 4764 S: A group�s type was changed." - href: auditing/event-4764.md - - name: "Event 4799 S: A security-enabled local group membership was enumerated." - href: auditing/event-4799.md - - name: Audit User Account Management - href: auditing/audit-user-account-management.md - items: - - name: "Event 4720 S: A user account was created." - href: auditing/event-4720.md - - name: "Event 4722 S: A user account was enabled." - href: auditing/event-4722.md - - name: "Event 4723 S, F: An attempt was made to change an account's password." - href: auditing/event-4723.md - - name: "Event 4724 S, F: An attempt was made to reset an account's password." - href: auditing/event-4724.md - - name: "Event 4725 S: A user account was disabled." - href: auditing/event-4725.md - - name: "Event 4726 S: A user account was deleted." - href: auditing/event-4726.md - - name: "Event 4738 S: A user account was changed." - href: auditing/event-4738.md - - name: "Event 4740 S: A user account was locked out." - href: auditing/event-4740.md - - name: "Event 4765 S: SID History was added to an account." - href: auditing/event-4765.md - - name: "Event 4766 F: An attempt to add SID History to an account failed." - href: auditing/event-4766.md - - name: "Event 4767 S: A user account was unlocked." - href: auditing/event-4767.md - - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." - href: auditing/event-4780.md - - name: "Event 4781 S: The name of an account was changed." - href: auditing/event-4781.md - - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." - href: auditing/event-4794.md - - name: "Event 4798 S: A user's local group membership was enumerated." - href: auditing/event-4798.md - - name: "Event 5376 S: Credential Manager credentials were backed up." - href: auditing/event-5376.md - - name: "Event 5377 S: Credential Manager credentials were restored from a backup." - href: auditing/event-5377.md - - name: Audit DPAPI Activity - href: auditing/audit-dpapi-activity.md - items: - - name: "Event 4692 S, F: Backup of data protection master key was attempted." - href: auditing/event-4692.md - - name: "Event 4693 S, F: Recovery of data protection master key was attempted." - href: auditing/event-4693.md - - name: "Event 4694 S, F: Protection of auditable protected data was attempted." - href: auditing/event-4694.md - - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." - href: auditing/event-4695.md - - name: Audit PNP Activity - href: auditing/audit-pnp-activity.md - items: - - name: "Event 6416 S: A new external device was recognized by the System." - href: auditing/event-6416.md - - name: "Event 6419 S: A request was made to disable a device." - href: auditing/event-6419.md - - name: "Event 6420 S: A device was disabled." - href: auditing/event-6420.md - - name: "Event 6421 S: A request was made to enable a device." - href: auditing/event-6421.md - - name: "Event 6422 S: A device was enabled." - href: auditing/event-6422.md - - name: "Event 6423 S: The installation of this device is forbidden by system policy." - href: auditing/event-6423.md - - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." - href: auditing/event-6424.md - - name: Audit Process Creation - href: auditing/audit-process-creation.md - items: - - name: "Event 4688 S: A new process has been created." - href: auditing/event-4688.md - - name: "Event 4696 S: A primary token was assigned to process." - href: auditing/event-4696.md - - name: Audit Process Termination - href: auditing/audit-process-termination.md - items: - - name: "Event 4689 S: A process has exited." - href: auditing/event-4689.md - - name: Audit RPC Events - href: auditing/audit-rpc-events.md - items: - - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." - href: auditing/event-5712.md - - name: Audit Token Right Adjusted - href: auditing/audit-token-right-adjusted.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: Audit Detailed Directory Service Replication - href: auditing/audit-detailed-directory-service-replication.md - items: - - name: "Event 4928 S, F: An Active Directory replica source naming context was established." - href: auditing/event-4928.md - - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." - href: auditing/event-4929.md - - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." - href: auditing/event-4930.md - - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." - href: auditing/event-4931.md - - name: "Event 4934 S: Attributes of an Active Directory object were replicated." - href: auditing/event-4934.md - - name: "Event 4935 F: Replication failure begins." - href: auditing/event-4935.md - - name: "Event 4936 S: Replication failure ends." - href: auditing/event-4936.md - - name: "Event 4937 S: A lingering object was removed from a replica." - href: auditing/event-4937.md - - name: Audit Directory Service Access - href: auditing/audit-directory-service-access.md - items: - - name: "Event 4662 S, F: An operation was performed on an object." - href: auditing/event-4662.md - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Directory Service Changes - href: auditing/audit-directory-service-changes.md - items: - - name: "Event 5136 S: A directory service object was modified." - href: auditing/event-5136.md - - name: "Event 5137 S: A directory service object was created." - href: auditing/event-5137.md - - name: "Event 5138 S: A directory service object was undeleted." - href: auditing/event-5138.md - - name: "Event 5139 S: A directory service object was moved." - href: auditing/event-5139.md - - name: "Event 5141 S: A directory service object was deleted." - href: auditing/event-5141.md - - name: Audit Directory Service Replication - href: auditing/audit-directory-service-replication.md - items: - - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." - href: auditing/event-4932.md - - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." - href: auditing/event-4933.md - - name: Audit Account Lockout - href: auditing/audit-account-lockout.md - items: - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: Audit User/Device Claims - href: auditing/audit-user-device-claims.md - items: - - name: "Event 4626 S: User/Device claims information." - href: auditing/event-4626.md - - name: Audit Group Membership - href: auditing/audit-group-membership.md - items: - - name: "Event 4627 S: Group membership information." - href: auditing/event-4627.md - - name: Audit IPsec Extended Mode - href: auditing/audit-ipsec-extended-mode.md - - name: Audit IPsec Main Mode - href: auditing/audit-ipsec-main-mode.md - - name: Audit IPsec Quick Mode - href: auditing/audit-ipsec-quick-mode.md - - name: Audit Logoff - href: auditing/audit-logoff.md - items: - - name: "Event 4634 S: An account was logged off." - href: auditing/event-4634.md - - name: "Event 4647 S: User initiated logoff." - href: auditing/event-4647.md - - name: Audit Logon - href: auditing/audit-logon.md - items: - - name: "Event 4624 S: An account was successfully logged on." - href: auditing/event-4624.md - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: "Event 4648 S: A logon was attempted using explicit credentials." - href: auditing/event-4648.md - - name: "Event 4675 S: SIDs were filtered." - href: auditing/event-4675.md - - name: Audit Network Policy Server - href: auditing/audit-network-policy-server.md - - name: Audit Other Logon/Logoff Events - href: auditing/audit-other-logonlogoff-events.md - items: - - name: "Event 4649 S: A replay attack was detected." - href: auditing/event-4649.md - - name: "Event 4778 S: A session was reconnected to a Window Station." - href: auditing/event-4778.md - - name: "Event 4779 S: A session was disconnected from a Window Station." - href: auditing/event-4779.md - - name: "Event 4800 S: The workstation was locked." - href: auditing/event-4800.md - - name: "Event 4801 S: The workstation was unlocked." - href: auditing/event-4801.md - - name: "Event 4802 S: The screen saver was invoked." - href: auditing/event-4802.md - - name: "Event 4803 S: The screen saver was dismissed." - href: auditing/event-4803.md - - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." - href: auditing/event-5378.md - - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." - href: auditing/event-5632.md - - name: "Event 5633 S, F: A request was made to authenticate to a wired network." - href: auditing/event-5633.md - - name: Audit Special Logon - href: auditing/audit-special-logon.md - items: - - name: "Event 4964 S: Special groups have been assigned to a new logon." - href: auditing/event-4964.md - - name: "Event 4672 S: Special privileges assigned to new logon." - href: auditing/event-4672.md - - name: Audit Application Generated - href: auditing/audit-application-generated.md - - name: Audit Certification Services - href: auditing/audit-certification-services.md - - name: Audit Detailed File Share - href: auditing/audit-detailed-file-share.md - items: - - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." - href: auditing/event-5145.md - - name: Audit File Share - href: auditing/audit-file-share.md - items: - - name: "Event 5140 S, F: A network share object was accessed." - href: auditing/event-5140.md - - name: "Event 5142 S: A network share object was added." - href: auditing/event-5142.md - - name: "Event 5143 S: A network share object was modified." - href: auditing/event-5143.md - - name: "Event 5144 S: A network share object was deleted." - href: auditing/event-5144.md - - name: "Event 5168 F: SPN check for SMB/SMB2 failed." - href: auditing/event-5168.md - - name: Audit File System - href: auditing/audit-file-system.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4664 S: An attempt was made to create a hard link." - href: auditing/event-4664.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: "Event 5051: A file was virtualized." - href: auditing/event-5051.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Filtering Platform Connection - href: auditing/audit-filtering-platform-connection.md - items: - - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." - href: auditing/event-5031.md - - name: "Event 5150: The Windows Filtering Platform blocked a packet." - href: auditing/event-5150.md - - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5151.md - - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." - href: auditing/event-5154.md - - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." - href: auditing/event-5155.md - - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." - href: auditing/event-5156.md - - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." - href: auditing/event-5157.md - - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." - href: auditing/event-5158.md - - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." - href: auditing/event-5159.md - - name: Audit Filtering Platform Packet Drop - href: auditing/audit-filtering-platform-packet-drop.md - items: - - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." - href: auditing/event-5152.md - - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5153.md - - name: Audit Handle Manipulation - href: auditing/audit-handle-manipulation.md - items: - - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." - href: auditing/event-4690.md - - name: Audit Kernel Object - href: auditing/audit-kernel-object.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: Audit Other Object Access Events - href: auditing/audit-other-object-access-events.md - items: - - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." - href: auditing/event-4671.md - - name: "Event 4691 S: Indirect access to an object was requested." - href: auditing/event-4691.md - - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." - href: auditing/event-5148.md - - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." - href: auditing/event-5149.md - - name: "Event 4698 S: A scheduled task was created." - href: auditing/event-4698.md - - name: "Event 4699 S: A scheduled task was deleted." - href: auditing/event-4699.md - - name: "Event 4700 S: A scheduled task was enabled." - href: auditing/event-4700.md - - name: "Event 4701 S: A scheduled task was disabled." - href: auditing/event-4701.md - - name: "Event 4702 S: A scheduled task was updated." - href: auditing/event-4702.md - - name: "Event 5888 S: An object in the COM+ Catalog was modified." - href: auditing/event-5888.md - - name: "Event 5889 S: An object was deleted from the COM+ Catalog." - href: auditing/event-5889.md - - name: "Event 5890 S: An object was added to the COM+ Catalog." - href: auditing/event-5890.md - - name: Audit Registry - href: auditing/audit-registry.md - items: - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4657 S: A registry value was modified." - href: auditing/event-4657.md - - name: "Event 5039: A registry key was virtualized." - href: auditing/event-5039.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Removable Storage - href: auditing/audit-removable-storage.md - - name: Audit SAM - href: auditing/audit-sam.md - items: - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Central Access Policy Staging - href: auditing/audit-central-access-policy-staging.md - items: - - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." - href: auditing/event-4818.md - - name: Audit Audit Policy Change - href: auditing/audit-audit-policy-change.md - items: - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4715 S: The audit policy, SACL, on an object was changed." - href: auditing/event-4715.md - - name: "Event 4719 S: System audit policy was changed." - href: auditing/event-4719.md - - name: "Event 4817 S: Auditing settings on object were changed." - href: auditing/event-4817.md - - name: "Event 4902 S: The Per-user audit policy table was created." - href: auditing/event-4902.md - - name: "Event 4906 S: The CrashOnAuditFail value has changed." - href: auditing/event-4906.md - - name: "Event 4907 S: Auditing settings on object were changed." - href: auditing/event-4907.md - - name: "Event 4908 S: Special Groups Logon table modified." - href: auditing/event-4908.md - - name: "Event 4912 S: Per User Audit Policy was changed." - href: auditing/event-4912.md - - name: "Event 4904 S: An attempt was made to register a security event source." - href: auditing/event-4904.md - - name: "Event 4905 S: An attempt was made to unregister a security event source." - href: auditing/event-4905.md - - name: Audit Authentication Policy Change - href: auditing/audit-authentication-policy-change.md - items: - - name: "Event 4706 S: A new trust was created to a domain." - href: auditing/event-4706.md - - name: "Event 4707 S: A trust to a domain was removed." - href: auditing/event-4707.md - - name: "Event 4716 S: Trusted domain information was modified." - href: auditing/event-4716.md - - name: "Event 4713 S: Kerberos policy was changed." - href: auditing/event-4713.md - - name: "Event 4717 S: System security access was granted to an account." - href: auditing/event-4717.md - - name: "Event 4718 S: System security access was removed from an account." - href: auditing/event-4718.md - - name: "Event 4739 S: Domain Policy was changed." - href: auditing/event-4739.md - - name: "Event 4864 S: A namespace collision was detected." - href: auditing/event-4864.md - - name: "Event 4865 S: A trusted forest information entry was added." - href: auditing/event-4865.md - - name: "Event 4866 S: A trusted forest information entry was removed." - href: auditing/event-4866.md - - name: "Event 4867 S: A trusted forest information entry was modified." - href: auditing/event-4867.md - - name: Audit Authorization Policy Change - href: auditing/audit-authorization-policy-change.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: "Event 4704 S: A user right was assigned." - href: auditing/event-4704.md - - name: "Event 4705 S: A user right was removed." - href: auditing/event-4705.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4911 S: Resource attributes of the object were changed." - href: auditing/event-4911.md - - name: "Event 4913 S: Central Access Policy on the object was changed." - href: auditing/event-4913.md - - name: Audit Filtering Platform Policy Change - href: auditing/audit-filtering-platform-policy-change.md - - name: Audit MPSSVC Rule-Level Policy Change - href: auditing/audit-mpssvc-rule-level-policy-change.md - items: - - name: "Event 4944 S: The following policy was active when the Windows Firewall started." - href: auditing/event-4944.md - - name: "Event 4945 S: A rule was listed when the Windows Firewall started." - href: auditing/event-4945.md - - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." - href: auditing/event-4946.md - - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." - href: auditing/event-4947.md - - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." - href: auditing/event-4948.md - - name: "Event 4949 S: Windows Firewall settings were restored to the default values." - href: auditing/event-4949.md - - name: "Event 4950 S: A Windows Firewall setting has changed." - href: auditing/event-4950.md - - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." - href: auditing/event-4951.md - - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." - href: auditing/event-4952.md - - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." - href: auditing/event-4953.md - - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." - href: auditing/event-4954.md - - name: "Event 4956 S: Windows Firewall has changed the active profile." - href: auditing/event-4956.md - - name: "Event 4957 F: Windows Firewall did not apply the following rule." - href: auditing/event-4957.md - - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." - href: auditing/event-4958.md - - name: Audit Other Policy Change Events - href: auditing/audit-other-policy-change-events.md - items: - - name: "Event 4714 S: Encrypted data recovery policy was changed." - href: auditing/event-4714.md - - name: "Event 4819 S: Central Access Policies on the machine have been changed." - href: auditing/event-4819.md - - name: "Event 4826 S: Boot Configuration Data loaded." - href: auditing/event-4826.md - - name: "Event 4909: The local policy settings for the TBS were changed." - href: auditing/event-4909.md - - name: "Event 4910: The group policy settings for the TBS were changed." - href: auditing/event-4910.md - - name: "Event 5063 S, F: A cryptographic provider operation was attempted." - href: auditing/event-5063.md - - name: "Event 5064 S, F: A cryptographic context operation was attempted." - href: auditing/event-5064.md - - name: "Event 5065 S, F: A cryptographic context modification was attempted." - href: auditing/event-5065.md - - name: "Event 5066 S, F: A cryptographic function operation was attempted." - href: auditing/event-5066.md - - name: "Event 5067 S, F: A cryptographic function modification was attempted." - href: auditing/event-5067.md - - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." - href: auditing/event-5068.md - - name: "Event 5069 S, F: A cryptographic function property operation was attempted." - href: auditing/event-5069.md - - name: "Event 5070 S, F: A cryptographic function property modification was attempted." - href: auditing/event-5070.md - - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." - href: auditing/event-5447.md - - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." - href: auditing/event-6144.md - - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." - href: auditing/event-6145.md - - name: Audit Sensitive Privilege Use - href: auditing/audit-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Non Sensitive Privilege Use - href: auditing/audit-non-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Other Privilege Use Events - href: auditing/audit-other-privilege-use-events.md - items: - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit IPsec Driver - href: auditing/audit-ipsec-driver.md - - name: Audit Other System Events - href: auditing/audit-other-system-events.md - items: - - name: "Event 5024 S: The Windows Firewall Service has started successfully." - href: auditing/event-5024.md - - name: "Event 5025 S: The Windows Firewall Service has been stopped." - href: auditing/event-5025.md - - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." - href: auditing/event-5027.md - - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." - href: auditing/event-5028.md - - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." - href: auditing/event-5029.md - - name: "Event 5030 F: The Windows Firewall Service failed to start." - href: auditing/event-5030.md - - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." - href: auditing/event-5032.md - - name: "Event 5033 S: The Windows Firewall Driver has started successfully." - href: auditing/event-5033.md - - name: "Event 5034 S: The Windows Firewall Driver was stopped." - href: auditing/event-5034.md - - name: "Event 5035 F: The Windows Firewall Driver failed to start." - href: auditing/event-5035.md - - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." - href: auditing/event-5037.md - - name: "Event 5058 S, F: Key file operation." - href: auditing/event-5058.md - - name: "Event 5059 S, F: Key migration operation." - href: auditing/event-5059.md - - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." - href: auditing/event-6400.md - - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." - href: auditing/event-6401.md - - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." - href: auditing/event-6402.md - - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." - href: auditing/event-6403.md - - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." - href: auditing/event-6404.md - - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." - href: auditing/event-6405.md - - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." - href: auditing/event-6406.md - - name: "Event 6407: 1%." - href: auditing/event-6407.md - - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." - href: auditing/event-6408.md - - name: "Event 6409: BranchCache: A service connection point object could not be parsed." - href: auditing/event-6409.md - - name: Audit Security State Change - href: auditing/audit-security-state-change.md - items: - - name: "Event 4608 S: Windows is starting up." - href: auditing/event-4608.md - - name: "Event 4616 S: The system time was changed." - href: auditing/event-4616.md - - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." - href: auditing/event-4621.md - - name: Audit Security System Extension - href: auditing/audit-security-system-extension.md - items: - - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." - href: auditing/event-4610.md - - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." - href: auditing/event-4611.md - - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." - href: auditing/event-4614.md - - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." - href: auditing/event-4622.md - - name: "Event 4697 S: A service was installed in the system." - href: auditing/event-4697.md - - name: Audit System Integrity - href: auditing/audit-system-integrity.md - items: - - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." - href: auditing/event-4612.md - - name: "Event 4615 S: Invalid use of LPC port." - href: auditing/event-4615.md - - name: "Event 4618 S: A monitored security event pattern has occurred." - href: auditing/event-4618.md - - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." - href: auditing/event-4816.md - - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." - href: auditing/event-5038.md - - name: "Event 5056 S: A cryptographic self-test was performed." - href: auditing/event-5056.md - - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." - href: auditing/event-5062.md - - name: "Event 5057 F: A cryptographic primitive operation failed." - href: auditing/event-5057.md - - name: "Event 5060 F: Verification operation failed." - href: auditing/event-5060.md - - name: "Event 5061 S, F: Cryptographic operation." - href: auditing/event-5061.md - - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." - href: auditing/event-6281.md - - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." - href: auditing/event-6410.md - - name: Other Events - href: auditing/other-events.md - items: - - name: "Event 1100 S: The event logging service has shut down." - href: auditing/event-1100.md - - name: "Event 1102 S: The audit log was cleared." - href: auditing/event-1102.md - - name: "Event 1104 S: The security log is now full." - href: auditing/event-1104.md - - name: "Event 1105 S: Event log automatic backup." - href: auditing/event-1105.md - - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." - href: auditing/event-1108.md - - name: "Appendix A: Security monitoring recommendations for many audit events" - href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md - - name: Registry (Global Object Access Auditing) - href: auditing/registry-global-object-access-auditing.md - - name: File System (Global Object Access Auditing) - href: auditing/file-system-global-object-access-auditing.md - - name: Security policy settings - href: security-policy-settings/security-policy-settings.md - items: - - name: Administer security policy settings - href: security-policy-settings/administer-security-policy-settings.md - items: - - name: Network List Manager policies - href: security-policy-settings/network-list-manager-policies.md - - name: Configure security policy settings - href: security-policy-settings/how-to-configure-security-policy-settings.md - - name: Security policy settings reference - href: security-policy-settings/security-policy-settings-reference.md - items: - - name: Account Policies - href: security-policy-settings/account-policies.md - items: - - name: Password Policy - href: security-policy-settings/password-policy.md - items: - - name: Enforce password history - href: security-policy-settings/enforce-password-history.md - - name: Maximum password age - href: security-policy-settings/maximum-password-age.md - - name: Minimum password age - href: security-policy-settings/minimum-password-age.md - - name: Minimum password length - href: security-policy-settings/minimum-password-length.md - - name: Password must meet complexity requirements - href: security-policy-settings/password-must-meet-complexity-requirements.md - - name: Store passwords using reversible encryption - href: security-policy-settings/store-passwords-using-reversible-encryption.md - - name: Account Lockout Policy - href: security-policy-settings/account-lockout-policy.md - items: - - name: Account lockout duration - href: security-policy-settings/account-lockout-duration.md - - name: Account lockout threshold - href: security-policy-settings/account-lockout-threshold.md - - name: Reset account lockout counter after - href: security-policy-settings/reset-account-lockout-counter-after.md - - name: Kerberos Policy - href: security-policy-settings/kerberos-policy.md - items: - - name: Enforce user logon restrictions - href: security-policy-settings/enforce-user-logon-restrictions.md - - name: Maximum lifetime for service ticket - href: security-policy-settings/maximum-lifetime-for-service-ticket.md - - name: Maximum lifetime for user ticket - href: security-policy-settings/maximum-lifetime-for-user-ticket.md - - name: Maximum lifetime for user ticket renewal - href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md - - name: Maximum tolerance for computer clock synchronization - href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md - - name: Audit Policy - href: security-policy-settings/audit-policy.md - - name: Security Options - href: security-policy-settings/security-options.md - items: - - name: "Accounts: Administrator account status" - href: security-policy-settings/accounts-administrator-account-status.md - - name: "Accounts: Block Microsoft accounts" - href: security-policy-settings/accounts-block-microsoft-accounts.md - - name: "Accounts: Guest account status" - href: security-policy-settings/accounts-guest-account-status.md - - name: "Accounts: Limit local account use of blank passwords to console logon only" - href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md - - name: "Accounts: Rename administrator account" - href: security-policy-settings/accounts-rename-administrator-account.md - - name: "Accounts: Rename guest account" - href: security-policy-settings/accounts-rename-guest-account.md - - name: "Audit: Audit the access of global system objects" - href: security-policy-settings/audit-audit-the-access-of-global-system-objects.md - - name: "Audit: Audit the use of Backup and Restore privilege" - href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md - - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md - - name: "Audit: Shut down system immediately if unable to log security audits" - href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md - - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "Devices: Allow undock without having to log on" - href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md - - name: "Devices: Allowed to format and eject removable media" - href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md - - name: "Devices: Prevent users from installing printer drivers" - href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md - - name: "Devices: Restrict CD-ROM access to locally logged-on user only" - href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md - - name: "Devices: Restrict floppy access to locally logged-on user only" - href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md - - name: "Domain controller: Allow server operators to schedule tasks" - href: security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md - - name: "Domain controller: LDAP server signing requirements" - href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md - - name: "Domain controller: Refuse machine account password changes" - href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md - - name: "Domain member: Digitally encrypt or sign secure channel data (always)" - href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md - - name: "Domain member: Digitally encrypt secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md - - name: "Domain member: Digitally sign secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md - - name: "Domain member: Disable machine account password changes" - href: security-policy-settings/domain-member-disable-machine-account-password-changes.md - - name: "Domain member: Maximum machine account password age" - href: security-policy-settings/domain-member-maximum-machine-account-password-age.md - - name: "Domain member: Require strong (Windows 2000 or later) session key" - href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md - - name: "Interactive logon: Display user information when the session is locked" - href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md - - name: "Interactive logon: Don't display last signed-in" - href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md - - name: "Interactive logon: Don't display username at sign-in" - href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md - - name: "Interactive logon: Do not require CTRL+ALT+DEL" - href: security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md - - name: "Interactive logon: Machine account lockout threshold" - href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md - - name: "Interactive logon: Machine inactivity limit" - href: security-policy-settings/interactive-logon-machine-inactivity-limit.md - - name: "Interactive logon: Message text for users attempting to log on" - href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md - - name: "Interactive logon: Message title for users attempting to log on" - href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md - - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" - href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md - - name: "Interactive logon: Prompt user to change password before expiration" - href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md - - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" - href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md - - name: "Interactive logon: Require smart card" - href: security-policy-settings/interactive-logon-require-smart-card.md - - name: "Interactive logon: Smart card removal behavior" - href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md - - name: "Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md - - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" - href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md - - name: "Microsoft network server: Amount of idle time required before suspending session" - href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md - - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" - href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md - - name: "Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md - - name: "Microsoft network server: Disconnect clients when logon hours expire" - href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md - - name: "Microsoft network server: Server SPN target name validation level" - href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md - - name: "Network access: Allow anonymous SID/Name translation" - href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md - - name: "Network access: Do not allow storage of passwords and credentials for network authentication" - href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md - - name: "Network access: Let Everyone permissions apply to anonymous users" - href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md - - name: "Network access: Named Pipes that can be accessed anonymously" - href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md - - name: "Network access: Remotely accessible registry paths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths.md - - name: "Network access: Remotely accessible registry paths and subpaths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md - - name: "Network access: Restrict anonymous access to Named Pipes and Shares" - href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md - - name: "Network access: Restrict clients allowed to make remote calls to SAM" - href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md - - name: "Network access: Shares that can be accessed anonymously" - href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md - - name: "Network access: Sharing and security model for local accounts" - href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md - - name: "Network security: Allow Local System to use computer identity for NTLM" - href: security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md - - name: "Network security: Allow LocalSystem NULL session fallback" - href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md - - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" - href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md - - name: "Network security: Configure encryption types allowed for Kerberos" - href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md - - name: "Network security: Do not store LAN Manager hash value on next password change" - href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md - - name: "Network security: Force logoff when logon hours expire" - href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md - - name: "Network security: LAN Manager authentication level" - href: security-policy-settings/network-security-lan-manager-authentication-level.md - - name: "Network security: LDAP client signing requirements" - href: security-policy-settings/network-security-ldap-client-signing-requirements.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md - - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" - href: security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md - - name: "Network security: Restrict NTLM: Add server exceptions in this domain" - href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md - - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" - href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md - - name: "Recovery console: Allow automatic administrative logon" - href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md - - name: "Recovery console: Allow floppy copy and access to all drives and folders" - href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md - - name: "Shutdown: Allow system to be shut down without having to log on" - href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md - - name: "Shutdown: Clear virtual memory pagefile" - href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md - - name: "System cryptography: Force strong key protection for user keys stored on the computer" - href: security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md - - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" - href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md - - name: "System objects: Require case insensitivity for non-Windows subsystems" - href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md - - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" - href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md - - name: "System settings: Optional subsystems" - href: security-policy-settings/system-settings-optional-subsystems.md - - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" - href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md - - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" - href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md - - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" - href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md - - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md - - name: "User Account Control: Behavior of the elevation prompt for standard users" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md - - name: "User Account Control: Detect application installations and prompt for elevation" - href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md - - name: "User Account Control: Only elevate executables that are signed and validated" - href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md - - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md - - name: "User Account Control: Run all administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md - - name: "User Account Control: Switch to the secure desktop when prompting for elevation" - href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md - - name: "User Account Control: Virtualize file and registry write failures to per-user locations" - href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md - - name: Advanced security audit policy settings - href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md - - name: User Rights Assignment - href: security-policy-settings/user-rights-assignment.md - items: - - name: Access Credential Manager as a trusted caller - href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md - - name: Access this computer from the network - href: security-policy-settings/access-this-computer-from-the-network.md - - name: Act as part of the operating system - href: security-policy-settings/act-as-part-of-the-operating-system.md - - name: Add workstations to domain - href: security-policy-settings/add-workstations-to-domain.md - - name: Adjust memory quotas for a process - href: security-policy-settings/adjust-memory-quotas-for-a-process.md - - name: Allow log on locally - href: security-policy-settings/allow-log-on-locally.md - - name: Allow log on through Remote Desktop Services - href: security-policy-settings/allow-log-on-through-remote-desktop-services.md - - name: Back up files and directories - href: security-policy-settings/back-up-files-and-directories.md - - name: Bypass traverse checking - href: security-policy-settings/bypass-traverse-checking.md - - name: Change the system time - href: security-policy-settings/change-the-system-time.md - - name: Change the time zone - href: security-policy-settings/change-the-time-zone.md - - name: Create a pagefile - href: security-policy-settings/create-a-pagefile.md - - name: Create a token object - href: security-policy-settings/create-a-token-object.md - - name: Create global objects - href: security-policy-settings/create-global-objects.md - - name: Create permanent shared objects - href: security-policy-settings/create-permanent-shared-objects.md - - name: Create symbolic links - href: security-policy-settings/create-symbolic-links.md - - name: Debug programs - href: security-policy-settings/debug-programs.md - - name: Deny access to this computer from the network - href: security-policy-settings/deny-access-to-this-computer-from-the-network.md - - name: Deny log on as a batch job - href: security-policy-settings/deny-log-on-as-a-batch-job.md - - name: Deny log on as a service - href: security-policy-settings/deny-log-on-as-a-service.md - - name: Deny log on locally - href: security-policy-settings/deny-log-on-locally.md - - name: Deny log on through Remote Desktop Services - href: security-policy-settings/deny-log-on-through-remote-desktop-services.md - - name: Enable computer and user accounts to be trusted for delegation - href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md - - name: Force shutdown from a remote system - href: security-policy-settings/force-shutdown-from-a-remote-system.md - - name: Generate security audits - href: security-policy-settings/generate-security-audits.md - - name: Impersonate a client after authentication - href: security-policy-settings/impersonate-a-client-after-authentication.md - - name: Increase a process working set - href: security-policy-settings/increase-a-process-working-set.md - - name: Increase scheduling priority - href: security-policy-settings/increase-scheduling-priority.md - - name: Load and unload device drivers - href: security-policy-settings/load-and-unload-device-drivers.md - - name: Lock pages in memory - href: security-policy-settings/lock-pages-in-memory.md - - name: Log on as a batch job - href: security-policy-settings/log-on-as-a-batch-job.md - - name: Log on as a service - href: security-policy-settings/log-on-as-a-service.md - - name: Manage auditing and security log - href: security-policy-settings/manage-auditing-and-security-log.md - - name: Modify an object label - href: security-policy-settings/modify-an-object-label.md - - name: Modify firmware environment values - href: security-policy-settings/modify-firmware-environment-values.md - - name: Perform volume maintenance tasks - href: security-policy-settings/perform-volume-maintenance-tasks.md - - name: Profile single process - href: security-policy-settings/profile-single-process.md - - name: Profile system performance - href: security-policy-settings/profile-system-performance.md - - name: Remove computer from docking station - href: security-policy-settings/remove-computer-from-docking-station.md - - name: Replace a process level token - href: security-policy-settings/replace-a-process-level-token.md - - name: Restore files and directories - href: security-policy-settings/restore-files-and-directories.md - - name: Shut down the system - href: security-policy-settings/shut-down-the-system.md - - name: Synchronize directory service data - href: security-policy-settings/synchronize-directory-service-data.md - - name: Take ownership of files or other objects - href: security-policy-settings/take-ownership-of-files-or-other-objects.md - - name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint From dffdcc71290fdb82401776ef2b8faeaa086e1338 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:21:16 -0700 Subject: [PATCH 179/458] Update TOC.yml --- windows/security/threat-protection/TOC.yml | 37 ++++++++++------------ 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index dcf41c2615..960b757d3d 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -1,21 +1,18 @@ -- name: Threat protection - href: index.md +- name: Windows threat protection items: - - name: Windows threat protection - items: - - name: Overview - href: threat-protection/index.md - - name: Microsoft Defender Antivirus - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - - name: Attack surface reduction rules - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction - - name: Tamper protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Network protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection - - name: Controlled folder access - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders - - name: Exploit protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - - name: Microsoft Defender for Endpoint - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint From 9c3e97b747b67f97f9bf802521de32a169a1c462 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 14 Sep 2021 15:29:33 -0700 Subject: [PATCH 180/458] Update TOC.yml --- windows/security/threat-protection/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 960b757d3d..4a98f2c7e0 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -1,7 +1,7 @@ - name: Windows threat protection items: - name: Overview - href: threat-protection/index.md + href: index.md - name: Microsoft Defender Antivirus href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - name: Attack surface reduction rules From 35c79d481912ea9c45e80f547ee6a18d041f4326 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 16:10:50 -0700 Subject: [PATCH 181/458] edits! --- windows/security/TOC.yml | 27 ++++++++++++++++--- windows/security/apps.md | 9 ++++--- ...dential-theft-mitigation-guide-abstract.md | 8 +++--- 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d58e115f79..5df7b605f9 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -13,7 +13,7 @@ href: information-protection/tpm/trusted-platform-module-overview.md - name: TPM fundamentals href: information-protection/tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM + - name: How Windows uses the TPM href: information-protection/tpm/how-windows-uses-the-tpm.md - name: TPM Group Policy settings href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -54,7 +54,7 @@ - name: Bitlocker href: information-protection/bitlocker/bitlocker-overview.md items: - - name: Overview of BitLocker Device Encryption in Windows 10 + - name: Overview of BitLocker Device Encryption in Windows href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -125,7 +125,7 @@ href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - - name: Configure S/MIME for Windows 10 + - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -199,7 +199,7 @@ href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client + - name: Optimizing Office 365 traffic with the Windows VPN client href: identity-protection/vpn/vpn-office-365-optimization.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -223,6 +223,25 @@ - name: Application security href: apps.md items: + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md - name: Secured identity href: identity.md items: diff --git a/windows/security/apps.md b/windows/security/apps.md index a76c2d05d5..a216c26a2c 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -22,7 +22,8 @@ The following table summarizes the Windows security features and capabilities fo | Security Measures | Features & Capabilities | |:---|:---| -| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | -| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | -| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](/identity-protection/configure-s-mime.md) | -| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..3a8d6e6ed0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10) -description: Provides a summary of the Windows 10 credential theft mitigation guide. +title: Windows Credential Theft Mitigation Guide Abstract +description: Provides a summary of the Windows credential theft mitigation guide. ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a ms.reviewer: ms.prod: w10 @@ -17,12 +17,12 @@ ms.localizationpriority: medium ms.date: 04/19/2017 --- -# Windows 10 Credential Theft Mitigation Guide Abstract +# Windows Credential Theft Mitigation Guide Abstract **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). +This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets From 6d49e0655f0b6c1869f20a7822a439bcca97486c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 16:33:17 -0700 Subject: [PATCH 182/458] fixing TOC, reordering --- windows/security/TOC.yml | 58 ++++++++++++++-------------- windows/security/apps.md | 1 - windows/security/cloud.md | 2 - windows/security/hardware.md | 6 ++- windows/security/identity.md | 3 +- windows/security/operating-system.md | 1 - windows/security/trusted-boot.md | 2 +- 7 files changed, 35 insertions(+), 38 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 5df7b605f9..fc3319a432 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -242,9 +242,6 @@ href: identity-protection\configure-s-mime.md - name: Windows Credential Theft Mitigation Guide Abstract href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md -- name: Secured identity - href: identity.md - items: - name: Cloud services items: - name: Overview @@ -263,7 +260,35 @@ - name: Azure Virtual Desktop (need link) href: https://docs.microsoft.com/windows/whats-new/windows-11 - name: User protection + href: identity.md items: + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md - name: Technical support policy for lost or forgotten passwords href: identity-protection/password-support-policy.md - name: Access Control Overview @@ -296,33 +321,6 @@ href: identity-protection/user-account-control/user-account-control-security-policy-settings.md - name: User Account Control Group Policy and registry key settings href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: identity-protection/hello-for-business/index.yml - - name: Windows credential theft mitigation guide - href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - - name: Enterprise Certificate Pinning - href: identity-protection/enterprise-certificate-pinning.md - - name: Protect derived domain credentials with Credential Guard - href: identity-protection/credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: identity-protection/credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: identity-protection/credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: identity-protection/credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: identity-protection/credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: identity-protection/credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: identity-protection/credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: identity-protection/credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: identity-protection/credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: identity-protection/remote-credential-guard.md - name: Smart Cards href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md items: diff --git a/windows/security/apps.md b/windows/security/apps.md index a216c26a2c..4acb890ee6 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -4,7 +4,6 @@ description: Get an overview of application security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 04dc44e601..f83dc607ac 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -5,12 +5,10 @@ ms.reviewer: author: denisebmsft ms.author: deniseb manager: dansimp -ms.prod: w10 audience: ITPro ms.topic: conceptual ms.date: 09/10/2021 ms.localizationpriority: medium -ms.collection: ms.custom: f1.keywords: NOCSH ms.mktglfcycl: deploy diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 3d619b9226..1a0e0d64e2 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -4,7 +4,6 @@ description: Get an overview of hardware security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -20,3 +19,8 @@ Modern threats require modern security with a strong alignment between hardware These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team. Though a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out-of-the box. + + +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | \ No newline at end of file diff --git a/windows/security/identity.md b/windows/security/identity.md index e7f014671d..3c8edb7851 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -4,7 +4,6 @@ description: Get an overview of identity security in Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -23,7 +22,7 @@ New Windows 11 devices protect users by removing vulnerable passwords by default | Security capabilities | Description | |:---|:---| | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | -| Credential Guard | Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Learn more: [Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md)| +| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | | Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 892b507022..561540525e 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -5,7 +5,6 @@ ms.reviewer: ms.topic: article manager: dansimp ms.author: deniseb -ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 35a581f3af..69631d8340 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -8,7 +8,7 @@ manager: dansimp audience: ITPro ms.topic: conceptual ms.date: 09/08/2021 -ms.prod: w11 +ms.prod: w10 ms.localizationpriority: medium ms.collection: ms.custom: From 6771460c570457edf6a14cd3d06ccdcf4ab09528 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Sep 2021 16:40:42 -0700 Subject: [PATCH 183/458] TOC fixes --- windows/security/TOC.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 8a7d808e9b..3c93924299 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -230,12 +230,12 @@ - name: Microsoft Defender Application Guard href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md + href: threat-protection/windows-sandbox/windows-sandbox-overview.md items: - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md + href: threat-protection/windows-sandbox/windows-sandbox-architecture.md - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md + href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md - name: Microsoft Defender SmartScreen overview href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - name: Configure S/MIME for Windows From cd6397d4af697073515bd02390ec05239846f410 Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Wed, 15 Sep 2021 09:41:25 -0700 Subject: [PATCH 184/458] Update windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nes-for-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 59657cc8ed..f8ce091fab 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy From b8eb11081ba758c0262ee35d1c6f3afcc31aebde Mon Sep 17 00:00:00 2001 From: Rob Truxal <55893679+rotruxal@users.noreply.github.com> Date: Wed, 15 Sep 2021 09:46:20 -0700 Subject: [PATCH 185/458] Update windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nes-for-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index f8ce091fab..3112632b29 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -21,7 +21,7 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor Protected Code Integrity (HVCI,) a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. From 0a36cb78d845a5a3f7d5fd1c159fbcff2ff58f42 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 11:26:21 -0700 Subject: [PATCH 186/458] TOCs --- windows/security/TOC.yml | 2 +- windows/security/threat-protection/TOC.yml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 3c93924299..d3a7f0f24d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -374,4 +374,4 @@ - name: Microsoft Bug Bounty Program href: threat-protection/microsoft-bug-bounty-program.md - name: Windows Privacy - href: /windows/privacy/windows-10-and-privacy-compliance.md + href: windows/privacy/windows-10-and-privacy-compliance.md diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 4a98f2c7e0..5342060e01 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -16,3 +16,23 @@ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + +- name: Hardware security + href: ../hardware.md + +- name: Operating system security + href: ../operating-system.md + +- name: Application security + href: ../apps.md + +- name: Cloud services + href: ../cloud.md + +- name: User protection + href: ../identity.md + +- name: Security foundations + +- name: Windows Privacy + href: windows/privacy/windows-10-and-privacy-compliance.md \ No newline at end of file From 411d1016234f3e029b03a80611da36882674d028 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 12:32:02 -0700 Subject: [PATCH 187/458] hardware --- windows/security/TOC.yml | 4 ++-- windows/security/hardware.md | 10 +++++++--- .../security/identity-protection/configure-s-mime.md | 7 ++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 3c93924299..24c534a52c 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -29,8 +29,8 @@ href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - name: System Guard Secure Launch and SMM protection href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: Protect derived domain credentials with Windows Defender Credential Guard - href: identity-protection/credential-guard/credential-guard.md + - name: Enable virtualization-based protection of code integrity + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md - name: Operating system security diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 1a0e0d64e2..cd3279e414 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -1,6 +1,6 @@ --- title: Windows hardware security -description: Get an overview of hardware security in Windows 11 +description: Get an overview of hardware security in Windows ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,10 +17,14 @@ ms.technology: windows-sec Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. + With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team. -Though a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out-of-the box. + | Security Measures | Features & Capabilities | |:---|:---| -| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | \ No newline at end of file +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.
Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily-accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9423de2923..0d04b78646 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,5 +1,5 @@ --- -title: Configure S/MIME for Windows 10 +title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: @@ -19,10 +19,11 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 +# Configure S/MIME for Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. From 2d10cc83a774c4100071b7790014b200487b4a44 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:02:17 -0700 Subject: [PATCH 188/458] Update operating-system.md --- windows/security/operating-system.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 561540525e..56f2e3ec2e 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -20,13 +20,28 @@ ms.technology: windows-sec Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11: | | -| Security Measures | Features & Capabilities | +| Security Measures | Features & Capabilities | Description | |:---|:---| -| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot)

[Cryptography and certificate management](cryptography-certificate-mgmt.md)

[Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | -| Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)

[Encryption](encryption-data-protection.md)

[BitLocker](information-protection/bitlocker/bitlocker-overview.md) | -| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)

[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)

Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | -| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | +| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot) | | +| | [Cryptography and certificate management](cryptography-certificate-mgmt.md) | | +| | [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | | +| Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md) | | +| | [Encryption](encryption-data-protection.md) | | +| | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | +| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs) | | +| | [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md) | | +| | Bluetooth (NEEDED) | | +| | Domain Name System (DNS) security (NEEDED) | | +| | Windows Wi-Fi (NEEDED) | | +| | Transport Layer Security (TLS) (NEEDED) | | +| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) | | +| | [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | +| | [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) | | +| | [Network protection](/microsoft-365/security/defender-endpoint/network-protection) | | +| | [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) | | +| | [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) | | +| | Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | From a5c83f988ef16c18f1eea3a610d2bad7c21f214c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:05:12 -0700 Subject: [PATCH 189/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 56f2e3ec2e..7fdd6c2b63 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -24,7 +24,7 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | Description | |:---|:---| -| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot) | | +| System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | [Cryptography and certificate management](cryptography-certificate-mgmt.md) | | | | [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md) | | From 04161d9b11718d5b6ffdfeaef4a1fda6508e0d01 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:07:59 -0700 Subject: [PATCH 190/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 7fdd6c2b63..53dda92727 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -25,7 +25,7 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | Description | |:---|:---| | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | -| | [Cryptography and certificate management](cryptography-certificate-mgmt.md) | | +| | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | | | [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md) | | | | [Encryption](encryption-data-protection.md) | | From ec519eb0a2d0d7b069cd8504751ca9070d2803c2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:08:27 -0700 Subject: [PATCH 191/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 53dda92727..9df0d0b533 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -20,7 +20,7 @@ ms.technology: windows-sec Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11: | | +Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

| Security Measures | Features & Capabilities | Description | |:---|:---| From 55f7844dce17e078f556878b01f01f5d2cd4cf36 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:20:48 -0700 Subject: [PATCH 192/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9df0d0b533..28b76003fc 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -26,7 +26,7 @@ Use the links in the following table to learn more about the operating system se |:---|:---| | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | -| | [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) | | +| | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | | Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md) | | | | [Encryption](encryption-data-protection.md) | | | | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | From fde3de7f2788223872335b3756eff0880d268e30 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:25:08 -0700 Subject: [PATCH 193/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 28b76003fc..baf6cd5cac 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -27,7 +27,7 @@ Use the links in the following table to learn more about the operating system se | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | | | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | -| Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md) | | +| Encryption and data protection | | In Windows 11, encryption and data protection features include Encrypted Hard Drive and BitLocker.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | | | [Encryption](encryption-data-protection.md) | | | | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | | Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs) | | From 1cde7c3e2caaf57e4a3d2be45682102e75ba17f7 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:27:05 -0700 Subject: [PATCH 194/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index baf6cd5cac..992c45d18b 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -27,7 +27,7 @@ Use the links in the following table to learn more about the operating system se | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | | | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | -| Encryption and data protection | | In Windows 11, encryption and data protection features include Encrypted Hard Drive and BitLocker.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | +| Encryption and data protection | | In Windows 11, encryption and data protection features include encrypted hard drives and BitLocker. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. BitLocker provides encryption for the operating system, fixed data, and removable data drives.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | | | [Encryption](encryption-data-protection.md) | | | | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | | Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs) | | From 2a6a6d9b1c94d0e659afa6bc1682298f321930f5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:27:37 -0700 Subject: [PATCH 195/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 992c45d18b..c9c4040e93 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -26,7 +26,7 @@ Use the links in the following table to learn more about the operating system se |:---|:---| | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | -| | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | +| | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more on their device.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | | Encryption and data protection | | In Windows 11, encryption and data protection features include encrypted hard drives and BitLocker. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. BitLocker provides encryption for the operating system, fixed data, and removable data drives.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | | | [Encryption](encryption-data-protection.md) | | | | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | From f7721855a9da8b77503c8fc4ecc4804aa7b1be9a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 13:35:17 -0700 Subject: [PATCH 196/458] Update operating-system.md --- windows/security/operating-system.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c9c4040e93..07898bd0fd 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -27,9 +27,7 @@ Use the links in the following table to learn more about the operating system se | System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | | | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | | | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more on their device.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | -| Encryption and data protection | | In Windows 11, encryption and data protection features include encrypted hard drives and BitLocker. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. BitLocker provides encryption for the operating system, fixed data, and removable data drives.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | -| | [Encryption](encryption-data-protection.md) | | -| | [BitLocker](information-protection/bitlocker/bitlocker-overview.md) | | +| Encryption and data protection | In Windows 11, encryption and data protection features include encrypted hard drives and BitLocker. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. BitLocker provides encryption for the operating system, fixed data, and removable data drives.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | | Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs) | | | | [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md) | | | | Bluetooth (NEEDED) | | From 9d3add4009ed5ea41a067e6d1b9db0562dc1b89f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 13:40:59 -0700 Subject: [PATCH 197/458] sync changes --- windows/security/TOC.yml | 4 +-- .../security/cryptography-certificate-mgmt.md | 5 ++- windows/security/hardware.md | 6 +--- windows/security/operating-system.md | 33 ++++++++----------- windows/security/threat-protection/TOC.yml | 2 +- 5 files changed, 20 insertions(+), 30 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2dbd89eb75..91e70fb5b7 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -224,7 +224,7 @@ href: apps.md items: - name: Windows Defender Application Control and virtualization-based protection of code integrity - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - name: Windows Defender Application Control href: threat-protection\windows-defender-application-control\windows-defender-application-control.md - name: Microsoft Defender Application Guard @@ -374,4 +374,4 @@ - name: Microsoft Bug Bounty Program href: threat-protection/microsoft-bug-bounty-program.md - name: Windows Privacy - href: windows/privacy/windows-10-and-privacy-compliance.md + href: /windows/privacy/windows-10-and-privacy-compliance.md diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index f5d63c9686..dbc385fefd 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -1,6 +1,6 @@ --- title: Cryptography and Certificate Management -description: Get an overview of cryptography and certificate management in Windows 11 +description: Get an overview of cryptography and certificate management in Windows search.appverid: MET150 author: denisebmsft ms.author: deniseb @@ -18,13 +18,12 @@ f1.keywords: NOCSH # Cryptography and Certificate Management -*This article describes cryptography and certificate management in Windows 11.* ## Cryptography Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. -All cryptography on Windows 11 is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. +Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. Windows cryptographic modules provide low-level primitives such as: diff --git a/windows/security/hardware.md b/windows/security/hardware.md index cd3279e414..95ff8377ea 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -16,11 +16,7 @@ ms.technology: windows-sec # Windows hardware security Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. -These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. - -With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team. - - +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. | Security Measures | Features & Capabilities | |:---|:---| diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 07898bd0fd..c5141ef796 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -20,26 +20,21 @@ ms.technology: windows-sec Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

-| Security Measures | Features & Capabilities | Description | +| Security Measures | Features & Capabilities | |:---|:---| -| System security | Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.

To learn more, see [Secure Boot and Trusted Boot](trusted-boot.md). | -| | Cryptography and certificate management | Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.

Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Windows offers several APIs to operate and manage certificates.

To learn more, see [Cryptography and Certificate Management](cryptography-certificate-mgmt.md). | -| | The Windows Security app is a client interface that is built into Windows, beginning with Windows 10, version 1703, and continuing through Windows 11. The Windows Security app enables users to view their security settings, including virus & threat protection settings, firewall & network protection, device security, and more on their device.

The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service), which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about the protection status on the endpoint.

To learn more, see [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md). | -| Encryption and data protection | In Windows 11, encryption and data protection features include encrypted hard drives and BitLocker. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. BitLocker provides encryption for the operating system, fixed data, and removable data drives.

To learn more, see [Encryption and data protection in Windows 11](encryption-data-protection.md). | -| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs) | | -| | [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md) | | -| | Bluetooth (NEEDED) | | -| | Domain Name System (DNS) security (NEEDED) | | -| | Windows Wi-Fi (NEEDED) | | -| | Transport Layer Security (TLS) (NEEDED) | | -| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) | | -| | [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | -| | [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) | | -| | [Network protection](/microsoft-365/security/defender-endpoint/network-protection) | | -| | [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) | | -| | [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) | | -| | Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | +| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

Learn more [Secure Boot and Trusted Boot](trusted-boot.md).
|| +Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| +Windows Security app | The Windows built-in security application found in setitngs provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| +| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

+| Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device.

[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | + + +Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 5342060e01..c4a518650a 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -35,4 +35,4 @@ - name: Security foundations - name: Windows Privacy - href: windows/privacy/windows-10-and-privacy-compliance.md \ No newline at end of file + href: /windows/privacy/windows-10-and-privacy-compliance.md \ No newline at end of file From 4ca86379d0f4c23baa03c0e69b9fd34c8a9c9aae Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 14:29:33 -0700 Subject: [PATCH 198/458] Update operating-system.md --- windows/security/operating-system.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c5141ef796..6863bd1951 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -34,7 +34,4 @@ Windows Security app | The Windows built-in security application found in setitn | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device.

[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | - - - -Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | + From 5c451f27247a6f82e5668ac29eb93f772f6acf89 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 14:49:07 -0700 Subject: [PATCH 199/458] TOC palooza --- windows/security/TOC.yml | 76 +- windows/security/operating-system.md | 3 - .../threat-protection/auditing/TOC.yml | 765 ++++++++++++++++++ .../security-policy-settings/TOC.yml | 349 ++++++++ 4 files changed, 1189 insertions(+), 4 deletions(-) create mode 100644 windows/security/threat-protection/auditing/TOC.yml create mode 100644 windows/security/threat-protection/security-policy-settings/TOC.yml diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 91e70fb5b7..3c0315e244 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -125,7 +125,11 @@ - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md + href: identity-protection/configure-s-mime.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: @@ -173,6 +177,21 @@ href: information-protection/windows-information-protection/using-owa-with-wip.md - name: Fine-tune WIP Learning href: information-protection/windows-information-protection/wip-learning.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md - name: Network security items: - name: VPN technical guide @@ -220,6 +239,61 @@ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Security intelligence + href: threat-protection/intelligence/index.md + items: + - name: Understand malware & other threats + href: threat-protection/intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: threat-protection/intelligence/prevent-malware-infection.md + - name: Malware names + href: threat-protection/intelligence/malware-naming.md + - name: Coin miners + href: threat-protection/intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: threat-protection/intelligence/exploits-malware.md + - name: Fileless threats + href: threat-protection/intelligence/fileless-threats.md + - name: Macro malware + href: threat-protection/intelligence/macro-malware.md + - name: Phishing + href: threat-protection/intelligence/phishing.md + - name: Ransomware + href: /security/compass/human-operated-ransomware + - name: Rootkits + href: threat-protection/intelligence/rootkits-malware.md + - name: Supply chain attacks + href: threat-protection/intelligence/supply-chain-malware.md + - name: Tech support scams + href: threat-protection/intelligence/support-scams.md + - name: Trojans + href: threat-protection/intelligence/trojans-malware.md + - name: Unwanted software + href: threat-protection/intelligence/unwanted-software.md + - name: Worms + href: threat-protection/intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: threat-protection/intelligence/criteria.md + - name: Submit files for analysis + href: threat-protection/intelligence/submission-guide.md + - name: Safety Scanner download + href: threat-protection/intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: threat-protection/intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: threat-protection/intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: threat-protection/intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: threat-protection/intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: threat-protection/intelligence/developer-faq.yml + - name: Software developer resources + href: threat-protection/intelligence/developer-resources.md - name: Application security href: apps.md items: diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c5141ef796..859d7ec1d9 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -35,6 +35,3 @@ Windows Security app | The Windows built-in security application found in setitn | Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device.

[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | - - -Bluetooth (NEEDED)

Domain Name System (DNS) security (NEEDED)

Windows Wi-Fi (NEEDED)

Transport Layer Security (TLS) (NEEDED) | diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml new file mode 100644 index 0000000000..88646f01b0 --- /dev/null +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -0,0 +1,765 @@ + - name: Security auditing + href: security-auditing-overview.md + items: + - name: Basic security audit policies + href: basic-security-audit-policies.md + items: + - name: Create a basic audit policy for an event category + href: create-a-basic-audit-policy-settings-for-an-event-category.md + - name: Apply a basic audit policy on a file or folder + href: apply-a-basic-audit-policy-on-a-file-or-folder.md + - name: View the security event log + href: view-the-security-event-log.md + - name: Basic security audit policy settings + href: basic-security-audit-policy-settings.md + items: + - name: Audit account logon events + href: basic-audit-account-logon-events.md + - name: Audit account management + href: basic-audit-account-management.md + - name: Audit directory service access + href: basic-audit-directory-service-access.md + - name: Audit logon events + href: basic-audit-logon-events.md + - name: Audit object access + href: basic-audit-object-access.md + - name: Audit policy change + href: basic-audit-policy-change.md + - name: Audit privilege use + href: basic-audit-privilege-use.md + - name: Audit process tracking + href: basic-audit-process-tracking.md + - name: Audit system events + href: basic-audit-system-events.md + - name: Advanced security audit policies + href: advanced-security-auditing.md + items: + - name: Planning and deploying advanced security audit policies + href: planning-and-deploying-advanced-security-audit-policies.md + - name: Advanced security auditing FAQ + href: advanced-security-auditing-faq.yml + items: + - name: Which editions of Windows support advanced audit policy configuration + href: which-editions-of-windows-support-advanced-audit-policy-configuration.md + - name: How to list XML elements in \ + href: how-to-list-xml-elements-in-eventdata.md + - name: Using advanced security auditing options to monitor dynamic access control objects + href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md + items: + - name: Monitor the central access policies that apply on a file server + href: monitor-the-central-access-policies-that-apply-on-a-file-server.md + - name: Monitor the use of removable storage devices + href: monitor-the-use-of-removable-storage-devices.md + - name: Monitor resource attribute definitions + href: monitor-resource-attribute-definitions.md + - name: Monitor central access policy and rule definitions + href: monitor-central-access-policy-and-rule-definitions.md + - name: Monitor user and device claims during sign-in + href: monitor-user-and-device-claims-during-sign-in.md + - name: Monitor the resource attributes on files and folders + href: monitor-the-resource-attributes-on-files-and-folders.md + - name: Monitor the central access policies associated with files and folders + href: monitor-the-central-access-policies-associated-with-files-and-folders.md + - name: Monitor claim types + href: monitor-claim-types.md + - name: Advanced security audit policy settings + href: advanced-security-audit-policy-settings.md + items: + - name: Audit Credential Validation + href: audit-credential-validation.md + - name: "Event 4774 S, F: An account was mapped for logon." + href: event-4774.md + - name: "Event 4775 F: An account could not be mapped for logon." + href: event-4775.md + - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." + href: event-4776.md + - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." + href: event-4777.md + - name: Audit Kerberos Authentication Service + href: audit-kerberos-authentication-service.md + items: + - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." + href: event-4768.md + - name: "Event 4771 F: Kerberos pre-authentication failed." + href: event-4771.md + - name: "Event 4772 F: A Kerberos authentication ticket request failed." + href: event-4772.md + - name: Audit Kerberos Service Ticket Operations + href: audit-kerberos-service-ticket-operations.md + items: + - name: "Event 4769 S, F: A Kerberos service ticket was requested." + href: event-4769.md + - name: "Event 4770 S: A Kerberos service ticket was renewed." + href: event-4770.md + - name: "Event 4773 F: A Kerberos service ticket request failed." + href: event-4773.md + - name: Audit Other Account Logon Events + href: audit-other-account-logon-events.md + - name: Audit Application Group Management + href: audit-application-group-management.md + - name: Audit Computer Account Management + href: audit-computer-account-management.md + items: + - name: "Event 4741 S: A computer account was created." + href: event-4741.md + - name: "Event 4742 S: A computer account was changed." + href: event-4742.md + - name: "Event 4743 S: A computer account was deleted." + href: event-4743.md + - name: Audit Distribution Group Management + href: audit-distribution-group-management.md + items: + - name: "Event 4749 S: A security-disabled global group was created." + href: event-4749.md + - name: "Event 4750 S: A security-disabled global group was changed." + href: event-4750.md + - name: "Event 4751 S: A member was added to a security-disabled global group." + href: event-4751.md + - name: "Event 4752 S: A member was removed from a security-disabled global group." + href: event-4752.md + - name: "Event 4753 S: A security-disabled global group was deleted." + href: event-4753.md + - name: Audit Other Account Management Events + href: audit-other-account-management-events.md + items: + - name: "Event 4782 S: The password hash of an account was accessed." + href: event-4782.md + - name: "Event 4793 S: The Password Policy Checking API was called." + href: event-4793.md + - name: Audit Security Group Management + href: audit-security-group-management.md + items: + - name: "Event 4731 S: A security-enabled local group was created." + href: event-4731.md + - name: "Event 4732 S: A member was added to a security-enabled local group." + href: event-4732.md + - name: "Event 4733 S: A member was removed from a security-enabled local group." + href: event-4733.md + - name: "Event 4734 S: A security-enabled local group was deleted." + href: event-4734.md + - name: "Event 4735 S: A security-enabled local group was changed." + href: event-4735.md + - name: "Event 4764 S: A group�s type was changed." + href: event-4764.md + - name: "Event 4799 S: A security-enabled local group membership was enumerated." + href: event-4799.md + - name: Audit User Account Management + href: audit-user-account-management.md + items: + - name: "Event 4720 S: A user account was created." + href: event-4720.md + - name: "Event 4722 S: A user account was enabled." + href: event-4722.md + - name: "Event 4723 S, F: An attempt was made to change an account's password." + href: event-4723.md + - name: "Event 4724 S, F: An attempt was made to reset an account's password." + href: event-4724.md + - name: "Event 4725 S: A user account was disabled." + href: event-4725.md + - name: "Event 4726 S: A user account was deleted." + href: event-4726.md + - name: "Event 4738 S: A user account was changed." + href: event-4738.md + - name: "Event 4740 S: A user account was locked out." + href: event-4740.md + - name: "Event 4765 S: SID History was added to an account." + href: event-4765.md + - name: "Event 4766 F: An attempt to add SID History to an account failed." + href: event-4766.md + - name: "Event 4767 S: A user account was unlocked." + href: event-4767.md + - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." + href: event-4780.md + - name: "Event 4781 S: The name of an account was changed." + href: event-4781.md + - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." + href: event-4794.md + - name: "Event 4798 S: A user's local group membership was enumerated." + href: event-4798.md + - name: "Event 5376 S: Credential Manager credentials were backed up." + href: event-5376.md + - name: "Event 5377 S: Credential Manager credentials were restored from a backup." + href: event-5377.md + - name: Audit DPAPI Activity + href: audit-dpapi-activity.md + items: + - name: "Event 4692 S, F: Backup of data protection master key was attempted." + href: event-4692.md + - name: "Event 4693 S, F: Recovery of data protection master key was attempted." + href: event-4693.md + - name: "Event 4694 S, F: Protection of auditable protected data was attempted." + href: event-4694.md + - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." + href: event-4695.md + - name: Audit PNP Activity + href: audit-pnp-activity.md + items: + - name: "Event 6416 S: A new external device was recognized by the System." + href: event-6416.md + - name: "Event 6419 S: A request was made to disable a device." + href: event-6419.md + - name: "Event 6420 S: A device was disabled." + href: event-6420.md + - name: "Event 6421 S: A request was made to enable a device." + href: event-6421.md + - name: "Event 6422 S: A device was enabled." + href: event-6422.md + - name: "Event 6423 S: The installation of this device is forbidden by system policy." + href: event-6423.md + - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." + href: event-6424.md + - name: Audit Process Creation + href: audit-process-creation.md + items: + - name: "Event 4688 S: A new process has been created." + href: event-4688.md + - name: "Event 4696 S: A primary token was assigned to process." + href: event-4696.md + - name: Audit Process Termination + href: audit-process-termination.md + items: + - name: "Event 4689 S: A process has exited." + href: event-4689.md + - name: Audit RPC Events + href: audit-rpc-events.md + items: + - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." + href: event-5712.md + - name: Audit Token Right Adjusted + href: audit-token-right-adjusted.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: Audit Detailed Directory Service Replication + href: audit-detailed-directory-service-replication.md + items: + - name: "Event 4928 S, F: An Active Directory replica source naming context was established." + href: event-4928.md + - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." + href: event-4929.md + - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." + href: event-4930.md + - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." + href: event-4931.md + - name: "Event 4934 S: Attributes of an Active Directory object were replicated." + href: event-4934.md + - name: "Event 4935 F: Replication failure begins." + href: event-4935.md + - name: "Event 4936 S: Replication failure ends." + href: event-4936.md + - name: "Event 4937 S: A lingering object was removed from a replica." + href: event-4937.md + - name: Audit Directory Service Access + href: audit-directory-service-access.md + items: + - name: "Event 4662 S, F: An operation was performed on an object." + href: event-4662.md + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Directory Service Changes + href: audit-directory-service-changes.md + items: + - name: "Event 5136 S: A directory service object was modified." + href: event-5136.md + - name: "Event 5137 S: A directory service object was created." + href: event-5137.md + - name: "Event 5138 S: A directory service object was undeleted." + href: event-5138.md + - name: "Event 5139 S: A directory service object was moved." + href: event-5139.md + - name: "Event 5141 S: A directory service object was deleted." + href: event-5141.md + - name: Audit Directory Service Replication + href: audit-directory-service-replication.md + items: + - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." + href: event-4932.md + - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." + href: event-4933.md + - name: Audit Account Lockout + href: audit-account-lockout.md + items: + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: Audit User/Device Claims + href: audit-user-device-claims.md + items: + - name: "Event 4626 S: User/Device claims information." + href: event-4626.md + - name: Audit Group Membership + href: audit-group-membership.md + items: + - name: "Event 4627 S: Group membership information." + href: event-4627.md + - name: Audit IPsec Extended Mode + href: audit-ipsec-extended-mode.md + - name: Audit IPsec Main Mode + href: audit-ipsec-main-mode.md + - name: Audit IPsec Quick Mode + href: audit-ipsec-quick-mode.md + - name: Audit Logoff + href: audit-logoff.md + items: + - name: "Event 4634 S: An account was logged off." + href: event-4634.md + - name: "Event 4647 S: User initiated logoff." + href: event-4647.md + - name: Audit Logon + href: audit-logon.md + items: + - name: "Event 4624 S: An account was successfully logged on." + href: event-4624.md + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: "Event 4648 S: A logon was attempted using explicit credentials." + href: event-4648.md + - name: "Event 4675 S: SIDs were filtered." + href: event-4675.md + - name: Audit Network Policy Server + href: audit-network-policy-server.md + - name: Audit Other Logon/Logoff Events + href: audit-other-logonlogoff-events.md + items: + - name: "Event 4649 S: A replay attack was detected." + href: event-4649.md + - name: "Event 4778 S: A session was reconnected to a Window Station." + href: event-4778.md + - name: "Event 4779 S: A session was disconnected from a Window Station." + href: event-4779.md + - name: "Event 4800 S: The workstation was locked." + href: event-4800.md + - name: "Event 4801 S: The workstation was unlocked." + href: event-4801.md + - name: "Event 4802 S: The screen saver was invoked." + href: event-4802.md + - name: "Event 4803 S: The screen saver was dismissed." + href: event-4803.md + - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." + href: event-5378.md + - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." + href: event-5632.md + - name: "Event 5633 S, F: A request was made to authenticate to a wired network." + href: event-5633.md + - name: Audit Special Logon + href: audit-special-logon.md + items: + - name: "Event 4964 S: Special groups have been assigned to a new logon." + href: event-4964.md + - name: "Event 4672 S: Special privileges assigned to new logon." + href: event-4672.md + - name: Audit Application Generated + href: audit-application-generated.md + - name: Audit Certification Services + href: audit-certification-services.md + - name: Audit Detailed File Share + href: audit-detailed-file-share.md + items: + - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." + href: event-5145.md + - name: Audit File Share + href: audit-file-share.md + items: + - name: "Event 5140 S, F: A network share object was accessed." + href: event-5140.md + - name: "Event 5142 S: A network share object was added." + href: event-5142.md + - name: "Event 5143 S: A network share object was modified." + href: event-5143.md + - name: "Event 5144 S: A network share object was deleted." + href: event-5144.md + - name: "Event 5168 F: SPN check for SMB/SMB2 failed." + href: event-5168.md + - name: Audit File System + href: audit-file-system.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4664 S: An attempt was made to create a hard link." + href: event-4664.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: "Event 5051: A file was virtualized." + href: event-5051.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Filtering Platform Connection + href: audit-filtering-platform-connection.md + items: + - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." + href: event-5031.md + - name: "Event 5150: The Windows Filtering Platform blocked a packet." + href: event-5150.md + - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5151.md + - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." + href: event-5154.md + - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." + href: event-5155.md + - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." + href: event-5156.md + - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." + href: event-5157.md + - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." + href: event-5158.md + - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." + href: event-5159.md + - name: Audit Filtering Platform Packet Drop + href: audit-filtering-platform-packet-drop.md + items: + - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." + href: event-5152.md + - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5153.md + - name: Audit Handle Manipulation + href: audit-handle-manipulation.md + items: + - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." + href: event-4690.md + - name: Audit Kernel Object + href: audit-kernel-object.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: Audit Other Object Access Events + href: audit-other-object-access-events.md + items: + - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." + href: event-4671.md + - name: "Event 4691 S: Indirect access to an object was requested." + href: event-4691.md + - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." + href: event-5148.md + - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." + href: event-5149.md + - name: "Event 4698 S: A scheduled task was created." + href: event-4698.md + - name: "Event 4699 S: A scheduled task was deleted." + href: event-4699.md + - name: "Event 4700 S: A scheduled task was enabled." + href: event-4700.md + - name: "Event 4701 S: A scheduled task was disabled." + href: event-4701.md + - name: "Event 4702 S: A scheduled task was updated." + href: event-4702.md + - name: "Event 5888 S: An object in the COM+ Catalog was modified." + href: event-5888.md + - name: "Event 5889 S: An object was deleted from the COM+ Catalog." + href: event-5889.md + - name: "Event 5890 S: An object was added to the COM+ Catalog." + href: event-5890.md + - name: Audit Registry + href: audit-registry.md + items: + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4657 S: A registry value was modified." + href: event-4657.md + - name: "Event 5039: A registry key was virtualized." + href: event-5039.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Removable Storage + href: audit-removable-storage.md + - name: Audit SAM + href: audit-sam.md + items: + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Central Access Policy Staging + href: audit-central-access-policy-staging.md + items: + - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." + href: event-4818.md + - name: Audit Audit Policy Change + href: audit-audit-policy-change.md + items: + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4715 S: The audit policy, SACL, on an object was changed." + href: event-4715.md + - name: "Event 4719 S: System audit policy was changed." + href: event-4719.md + - name: "Event 4817 S: Auditing settings on object were changed." + href: event-4817.md + - name: "Event 4902 S: The Per-user audit policy table was created." + href: event-4902.md + - name: "Event 4906 S: The CrashOnAuditFail value has changed." + href: event-4906.md + - name: "Event 4907 S: Auditing settings on object were changed." + href: event-4907.md + - name: "Event 4908 S: Special Groups Logon table modified." + href: event-4908.md + - name: "Event 4912 S: Per User Audit Policy was changed." + href: event-4912.md + - name: "Event 4904 S: An attempt was made to register a security event source." + href: event-4904.md + - name: "Event 4905 S: An attempt was made to unregister a security event source." + href: event-4905.md + - name: Audit Authentication Policy Change + href: audit-authentication-policy-change.md + items: + - name: "Event 4706 S: A new trust was created to a domain." + href: event-4706.md + - name: "Event 4707 S: A trust to a domain was removed." + href: event-4707.md + - name: "Event 4716 S: Trusted domain information was modified." + href: event-4716.md + - name: "Event 4713 S: Kerberos policy was changed." + href: event-4713.md + - name: "Event 4717 S: System security access was granted to an account." + href: event-4717.md + - name: "Event 4718 S: System security access was removed from an account." + href: event-4718.md + - name: "Event 4739 S: Domain Policy was changed." + href: event-4739.md + - name: "Event 4864 S: A namespace collision was detected." + href: event-4864.md + - name: "Event 4865 S: A trusted forest information entry was added." + href: event-4865.md + - name: "Event 4866 S: A trusted forest information entry was removed." + href: event-4866.md + - name: "Event 4867 S: A trusted forest information entry was modified." + href: event-4867.md + - name: Audit Authorization Policy Change + href: audit-authorization-policy-change.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: "Event 4704 S: A user right was assigned." + href: event-4704.md + - name: "Event 4705 S: A user right was removed." + href: event-4705.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4911 S: Resource attributes of the object were changed." + href: event-4911.md + - name: "Event 4913 S: Central Access Policy on the object was changed." + href: event-4913.md + - name: Audit Filtering Platform Policy Change + href: audit-filtering-platform-policy-change.md + - name: Audit MPSSVC Rule-Level Policy Change + href: audit-mpssvc-rule-level-policy-change.md + items: + - name: "Event 4944 S: The following policy was active when the Windows Firewall started." + href: event-4944.md + - name: "Event 4945 S: A rule was listed when the Windows Firewall started." + href: event-4945.md + - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." + href: event-4946.md + - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." + href: event-4947.md + - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." + href: event-4948.md + - name: "Event 4949 S: Windows Firewall settings were restored to the default values." + href: event-4949.md + - name: "Event 4950 S: A Windows Firewall setting has changed." + href: event-4950.md + - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." + href: event-4951.md + - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." + href: event-4952.md + - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." + href: event-4953.md + - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." + href: event-4954.md + - name: "Event 4956 S: Windows Firewall has changed the active profile." + href: event-4956.md + - name: "Event 4957 F: Windows Firewall did not apply the following rule." + href: event-4957.md + - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." + href: event-4958.md + - name: Audit Other Policy Change Events + href: audit-other-policy-change-events.md + items: + - name: "Event 4714 S: Encrypted data recovery policy was changed." + href: event-4714.md + - name: "Event 4819 S: Central Access Policies on the machine have been changed." + href: event-4819.md + - name: "Event 4826 S: Boot Configuration Data loaded." + href: event-4826.md + - name: "Event 4909: The local policy settings for the TBS were changed." + href: event-4909.md + - name: "Event 4910: The group policy settings for the TBS were changed." + href: event-4910.md + - name: "Event 5063 S, F: A cryptographic provider operation was attempted." + href: event-5063.md + - name: "Event 5064 S, F: A cryptographic context operation was attempted." + href: event-5064.md + - name: "Event 5065 S, F: A cryptographic context modification was attempted." + href: event-5065.md + - name: "Event 5066 S, F: A cryptographic function operation was attempted." + href: event-5066.md + - name: "Event 5067 S, F: A cryptographic function modification was attempted." + href: event-5067.md + - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." + href: event-5068.md + - name: "Event 5069 S, F: A cryptographic function property operation was attempted." + href: event-5069.md + - name: "Event 5070 S, F: A cryptographic function property modification was attempted." + href: event-5070.md + - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." + href: event-5447.md + - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." + href: event-6144.md + - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." + href: event-6145.md + - name: Audit Sensitive Privilege Use + href: audit-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Non Sensitive Privilege Use + href: audit-non-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Other Privilege Use Events + href: audit-other-privilege-use-events.md + items: + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit IPsec Driver + href: audit-ipsec-driver.md + - name: Audit Other System Events + href: audit-other-system-events.md + items: + - name: "Event 5024 S: The Windows Firewall Service has started successfully." + href: event-5024.md + - name: "Event 5025 S: The Windows Firewall Service has been stopped." + href: event-5025.md + - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." + href: event-5027.md + - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." + href: event-5028.md + - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." + href: event-5029.md + - name: "Event 5030 F: The Windows Firewall Service failed to start." + href: event-5030.md + - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." + href: event-5032.md + - name: "Event 5033 S: The Windows Firewall Driver has started successfully." + href: event-5033.md + - name: "Event 5034 S: The Windows Firewall Driver was stopped." + href: event-5034.md + - name: "Event 5035 F: The Windows Firewall Driver failed to start." + href: event-5035.md + - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." + href: event-5037.md + - name: "Event 5058 S, F: Key file operation." + href: event-5058.md + - name: "Event 5059 S, F: Key migration operation." + href: event-5059.md + - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." + href: event-6400.md + - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." + href: event-6401.md + - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." + href: event-6402.md + - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." + href: event-6403.md + - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." + href: event-6404.md + - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." + href: event-6405.md + - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." + href: event-6406.md + - name: "Event 6407: 1%." + href: event-6407.md + - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." + href: event-6408.md + - name: "Event 6409: BranchCache: A service connection point object could not be parsed." + href: event-6409.md + - name: Audit Security State Change + href: audit-security-state-change.md + items: + - name: "Event 4608 S: Windows is starting up." + href: event-4608.md + - name: "Event 4616 S: The system time was changed." + href: event-4616.md + - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." + href: event-4621.md + - name: Audit Security System Extension + href: audit-security-system-extension.md + items: + - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." + href: event-4610.md + - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." + href: event-4611.md + - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." + href: event-4614.md + - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." + href: event-4622.md + - name: "Event 4697 S: A service was installed in the system." + href: event-4697.md + - name: Audit System Integrity + href: audit-system-integrity.md + items: + - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." + href: event-4612.md + - name: "Event 4615 S: Invalid use of LPC port." + href: event-4615.md + - name: "Event 4618 S: A monitored security event pattern has occurred." + href: event-4618.md + - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." + href: event-4816.md + - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." + href: event-5038.md + - name: "Event 5056 S: A cryptographic self-test was performed." + href: event-5056.md + - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." + href: event-5062.md + - name: "Event 5057 F: A cryptographic primitive operation failed." + href: event-5057.md + - name: "Event 5060 F: Verification operation failed." + href: event-5060.md + - name: "Event 5061 S, F: Cryptographic operation." + href: event-5061.md + - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." + href: event-6281.md + - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." + href: event-6410.md + - name: Other Events + href: other-events.md + items: + - name: "Event 1100 S: The event logging service has shut down." + href: event-1100.md + - name: "Event 1102 S: The audit log was cleared." + href: event-1102.md + - name: "Event 1104 S: The security log is now full." + href: event-1104.md + - name: "Event 1105 S: Event log automatic backup." + href: event-1105.md + - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." + href: event-1108.md + - name: "Appendix A: Security monitoring recommendations for many audit events" + href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md + - name: Registry (Global Object Access Auditing) + href: registry-global-object-access-auditing.md + - name: File System (Global Object Access Auditing) + href: file-system-global-object-access-auditing.md \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml new file mode 100644 index 0000000000..8e8f9f630c --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -0,0 +1,349 @@ + - name: Security policy settings + href: security-policy-settings.md + items: + - name: Administer security policy settings + href: administer-security-policy-settings.md + items: + - name: Network List Manager policies + href: network-list-manager-policies.md + - name: Configure security policy settings + href: how-to-configure-security-policy-settings.md + - name: Security policy settings reference + href: security-policy-settings-reference.md + items: + - name: Account Policies + href: account-policies.md + items: + - name: Password Policy + href: password-policy.md + items: + - name: Enforce password history + href: enforce-password-history.md + - name: Maximum password age + href: maximum-password-age.md + - name: Minimum password age + href: minimum-password-age.md + - name: Minimum password length + href: minimum-password-length.md + - name: Password must meet complexity requirements + href: password-must-meet-complexity-requirements.md + - name: Store passwords using reversible encryption + href: store-passwords-using-reversible-encryption.md + - name: Account Lockout Policy + href: account-lockout-policy.md + items: + - name: Account lockout duration + href: account-lockout-duration.md + - name: Account lockout threshold + href: account-lockout-threshold.md + - name: Reset account lockout counter after + href: reset-account-lockout-counter-after.md + - name: Kerberos Policy + href: kerberos-policy.md + items: + - name: Enforce user logon restrictions + href: enforce-user-logon-restrictions.md + - name: Maximum lifetime for service ticket + href: maximum-lifetime-for-service-ticket.md + - name: Maximum lifetime for user ticket + href: maximum-lifetime-for-user-ticket.md + - name: Maximum lifetime for user ticket renewal + href: maximum-lifetime-for-user-ticket-renewal.md + - name: Maximum tolerance for computer clock synchronization + href: maximum-tolerance-for-computer-clock-synchronization.md + - name: Audit Policy + href: audit-policy.md + - name: Security Options + href: security-options.md + items: + - name: "Accounts: Administrator account status" + href: accounts-administrator-account-status.md + - name: "Accounts: Block Microsoft accounts" + href: accounts-block-microsoft-accounts.md + - name: "Accounts: Guest account status" + href: accounts-guest-account-status.md + - name: "Accounts: Limit local account use of blank passwords to console logon only" + href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md + - name: "Accounts: Rename administrator account" + href: accounts-rename-administrator-account.md + - name: "Accounts: Rename guest account" + href: accounts-rename-guest-account.md + - name: "Audit: Audit the access of global system objects" + href: audit-audit-the-access-of-global-system-objects.md + - name: "Audit: Audit the use of Backup and Restore privilege" + href: audit-audit-the-use-of-backup-and-restore-privilege.md + - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + href: audit-force-audit-policy-subcategory-settings-to-override.md + - name: "Audit: Shut down system immediately if unable to log security audits" + href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md + - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "Devices: Allow undock without having to log on" + href: devices-allow-undock-without-having-to-log-on.md + - name: "Devices: Allowed to format and eject removable media" + href: devices-allowed-to-format-and-eject-removable-media.md + - name: "Devices: Prevent users from installing printer drivers" + href: devices-prevent-users-from-installing-printer-drivers.md + - name: "Devices: Restrict CD-ROM access to locally logged-on user only" + href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md + - name: "Devices: Restrict floppy access to locally logged-on user only" + href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md + - name: "Domain controller: Allow server operators to schedule tasks" + href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server signing requirements" + href: domain-controller-ldap-server-signing-requirements.md + - name: "Domain controller: Refuse machine account password changes" + href: domain-controller-refuse-machine-account-password-changes.md + - name: "Domain member: Digitally encrypt or sign secure channel data (always)" + href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md + - name: "Domain member: Digitally encrypt secure channel data (when possible)" + href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md + - name: "Domain member: Digitally sign secure channel data (when possible)" + href: domain-member-digitally-sign-secure-channel-data-when-possible.md + - name: "Domain member: Disable machine account password changes" + href: domain-member-disable-machine-account-password-changes.md + - name: "Domain member: Maximum machine account password age" + href: domain-member-maximum-machine-account-password-age.md + - name: "Domain member: Require strong (Windows 2000 or later) session key" + href: domain-member-require-strong-windows-2000-or-later-session-key.md + - name: "Interactive logon: Display user information when the session is locked" + href: interactive-logon-display-user-information-when-the-session-is-locked.md + - name: "Interactive logon: Don't display last signed-in" + href: interactive-logon-do-not-display-last-user-name.md + - name: "Interactive logon: Don't display username at sign-in" + href: interactive-logon-dont-display-username-at-sign-in.md + - name: "Interactive logon: Do not require CTRL+ALT+DEL" + href: interactive-logon-do-not-require-ctrl-alt-del.md + - name: "Interactive logon: Machine account lockout threshold" + href: interactive-logon-machine-account-lockout-threshold.md + - name: "Interactive logon: Machine inactivity limit" + href: interactive-logon-machine-inactivity-limit.md + - name: "Interactive logon: Message text for users attempting to log on" + href: interactive-logon-message-text-for-users-attempting-to-log-on.md + - name: "Interactive logon: Message title for users attempting to log on" + href: interactive-logon-message-title-for-users-attempting-to-log-on.md + - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md + - name: "Interactive logon: Prompt user to change password before expiration" + href: interactive-logon-prompt-user-to-change-password-before-expiration.md + - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" + href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md + - name: "Interactive logon: Require smart card" + href: interactive-logon-require-smart-card.md + - name: "Interactive logon: Smart card removal behavior" + href: interactive-logon-smart-card-removal-behavior.md + - name: "Microsoft network client: Digitally sign communications (always)" + href: microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" + href: smbv1-microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" + href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on next password change" + href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md + - name: "User Account Control: Detect application installations and prompt for elevation" + href: user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: access-this-computer-from-the-network.md + - name: Act as part of the operating system + href: act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: add-workstations-to-domain.md + - name: Adjust memory quotas for a process + href: adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: back-up-files-and-directories.md + - name: Bypass traverse checking + href: bypass-traverse-checking.md + - name: Change the system time + href: change-the-system-time.md + - name: Change the time zone + href: change-the-time-zone.md + - name: Create a pagefile + href: create-a-pagefile.md + - name: Create a token object + href: create-a-token-object.md + - name: Create global objects + href: create-global-objects.md + - name: Create permanent shared objects + href: create-permanent-shared-objects.md + - name: Create symbolic links + href: create-symbolic-links.md + - name: Debug programs + href: debug-programs.md + - name: Deny access to this computer from the network + href: deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: deny-log-on-as-a-service.md + - name: Deny log on locally + href: deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a remote system + href: force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: generate-security-audits.md + - name: Impersonate a client after authentication + href: impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: increase-a-process-working-set.md + - name: Increase scheduling priority + href: increase-scheduling-priority.md + - name: Load and unload device drivers + href: load-and-unload-device-drivers.md + - name: Lock pages in memory + href: lock-pages-in-memory.md + - name: Log on as a batch job + href: log-on-as-a-batch-job.md + - name: Log on as a service + href: log-on-as-a-service.md + - name: Manage auditing and security log + href: manage-auditing-and-security-log.md + - name: Modify an object label + href: modify-an-object-label.md + - name: Modify firmware environment values + href: modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: perform-volume-maintenance-tasks.md + - name: Profile single process + href: profile-single-process.md + - name: Profile system performance + href: profile-system-performance.md + - name: Remove computer from docking station + href: remove-computer-from-docking-station.md + - name: Replace a process level token + href: replace-a-process-level-token.md + - name: Restore files and directories + href: restore-files-and-directories.md + - name: Shut down the system + href: shut-down-the-system.md + - name: Synchronize directory service data + href: synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: take-ownership-of-files-or-other-objects.md \ No newline at end of file From f6dc9933fcdc84c0241de0f65dcb9495e55a195c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 15:14:35 -0700 Subject: [PATCH 200/458] Update operating-system.md --- windows/security/operating-system.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 6863bd1951..8f5ab571d6 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -32,6 +32,13 @@ Windows Security app | The Windows built-in security application found in setitn | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device.

[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)

[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)

[Network protection](/microsoft-365/security/defender-endpoint/network-protection)

[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)

[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)

Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection | +| Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device. | +| Antivirus & antimalware protection | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)| +| Attack surface reduction rules | Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Anti-tampering protection | Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Controlled folder access | Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 2b0e4f98d39b98ad8b64c1183c2a5afebcc45b8d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 15:28:43 -0700 Subject: [PATCH 201/458] so many updates --- windows/security/TOC.yml | 132 +++++++++--------- windows/security/apps.md | 2 +- windows/security/cloud.md | 4 +- windows/security/hardware.md | 2 +- windows/security/identity.md | 2 +- windows/security/operating-system.md | 2 - .../threat-protection/fips-140-validation.md | 2 +- .../wdsc-account-protection.md | 8 +- .../wdsc-app-browser-control.md | 7 +- .../wdsc-customize-contact-information.md | 15 +- .../wdsc-device-performance-health.md | 7 +- .../wdsc-device-security.md | 7 +- .../wdsc-family-options.md | 8 +- .../wdsc-firewall-network-protection.md | 8 +- .../wdsc-hide-notifications.md | 15 +- .../wdsc-virus-threat-protection.md | 7 +- .../windows-defender-security-center.md | 5 +- .../TOC.yml | 9 -- 18 files changed, 109 insertions(+), 133 deletions(-) delete mode 100644 windows/security/threat-protection/windows-security-configuration-framework/TOC.yml diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 3c0315e244..340d3c91b4 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -45,6 +45,10 @@ href: cryptography-certificate-mgmt.md - name: The Windows Security app href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md - name: Encryption and data protection href: encryption-data-protection.md items: @@ -126,72 +130,13 @@ href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - - name: Security policy settings - href: threat-protection/security-policy-settings/security-policy-settings.md - - name: Security auditing - href: threat-protection/auditing/security-auditing-overview.md - - name: Windows Information Protection (WIP) - href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: information-protection/windows-information-protection/overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: information-protection/windows-information-protection/mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: information-protection/windows-information-protection/testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: information-protection/windows-information-protection/limitations-with-wip.md - - name: How to collect WIP audit event logs - href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: information-protection/windows-information-protection/app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: information-protection/windows-information-protection/using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: information-protection/windows-information-protection/wip-learning.md - - name: Windows security baselines - href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - - name: More Windows security - items: - - name: Override Process Mitigation Options to help enforce app-related security policies - href: threat-protection/override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - name: Network security items: - name: VPN technical guide @@ -294,6 +239,61 @@ href: threat-protection/intelligence/developer-faq.yml - name: Software developer resources href: threat-protection/intelligence/developer-resources.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md - name: Application security href: apps.md items: diff --git a/windows/security/apps.md b/windows/security/apps.md index 4acb890ee6..e376d06d98 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -1,6 +1,6 @@ --- title: Windows application security -description: Get an overview of application security in Windows 11 +description: Get an overview of application security in Windows 10 and Windows 11 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/cloud.md b/windows/security/cloud.md index f83dc607ac..f65cdf002c 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -1,6 +1,6 @@ --- title: Windows and cloud security -description: Get an overview of cloud services supported in Windows 11 +description: Get an overview of cloud services supported in Windows 11 and Windows 10 ms.reviewer: author: denisebmsft ms.author: deniseb @@ -22,8 +22,6 @@ ms.technology: windows-sec # Windows and cloud security -*This article provides an overview of cloud services built into Windows 11.* - Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. Windows 11 includes the cloud services that are listed in the following table:

diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 95ff8377ea..3233f71e48 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -1,6 +1,6 @@ --- title: Windows hardware security -description: Get an overview of hardware security in Windows +description: Get an overview of hardware security in Windows 11 and Windows 10 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/identity.md b/windows/security/identity.md index 3c8edb7851..5a1dd59008 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -1,6 +1,6 @@ --- title: Windows identity security -description: Get an overview of identity security in Windows 11 +description: Get an overview of identity security in Windows 11 and Windows 10 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 326b25099b..bd3b4d7082 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -16,8 +16,6 @@ ms.technology: windows-sec # Windows operating system security -*This article provides an overview of operating system security in Windows 11.* - Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index b7e5fddec5..fc40dc48df 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -6780,7 +6780,7 @@ Version 6.3.9600 #### SP 800-132 Password-Based Key Derivation Function (PBKDF) - +
- - + +
Modes / States / Key Sizes diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index ed1a7fe460..7669a41a8b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1803 and later - +- Windows 10 +- Windows 11 The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..acfa2cee01 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -11,17 +11,18 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # App and browser control **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 33a2c7d531..9f9932bc80 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/13/2021 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10, version 1709 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..3672d5c25a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..dfa866ecb4 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -10,17 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Device security **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 The **Device security** section contains information and settings for built-in device security. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..a719854982 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..924bcd1150 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,10 +9,10 @@ ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -20,8 +20,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 0a1389c07b..a58b61c3b1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 07/23/2020 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Hide Windows Security app notifications **Applies to** -- Windows 10, version 1809 and above - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..2d43e965ba 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -12,16 +12,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- - # Virus and threat protection **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index fe03727f33..fa3600fc6a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,14 +11,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # The Windows Security app **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 This library describes the Windows Security app, and provides information on configuring certain features, including: diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml deleted file mode 100644 index f7e0955409..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: security-compliance-toolkit-10.md - - name: Get support - href: get-support-for-security-baselines.md From 5c4cc1cd9bb7aa0dff914829090dd4a9cf3976d6 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 15:36:05 -0700 Subject: [PATCH 202/458] acrolinx --- .../wdsc-account-protection.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 7669a41a8b..203ac733d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -24,33 +24,33 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: - [Microsoft Account](https://account.microsoft.com/account/faq) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +You can only configure these settings by using Group Policy. >[!IMPORTANT] >### Requirements > >You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Account protection**. -6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). From 577051d2605c702e2d6f5e30e44a3097ef72191b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 15:52:47 -0700 Subject: [PATCH 203/458] Update operating-system.md --- windows/security/operating-system.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index e6acec62fc..9b4dea2c7c 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -30,8 +30,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Protection from viruses and threats | The next-generation protection capabilities in Windows helps identify and block new and emerging threats. By reducing your attack surface, you can reduce the risk of malware getting onto a device. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. These capabilities can help security teams prevent malware from infecting a device. | -| Antivirus & antimalware protection | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | From 689307f9830b9db4f8650dab86830eb4e333978d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 15:58:18 -0700 Subject: [PATCH 204/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9b4dea2c7c..c30a88ed3e 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -31,7 +31,7 @@ Windows Security app | The Windows built-in security application found in setitn | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| -| Attack surface reduction rules | Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | From 3b6d0e1a9efa8f6647b0e9f47ec97df1039273bb Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 15:59:09 -0700 Subject: [PATCH 205/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c30a88ed3e..4b1e910a63 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -30,7 +30,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | From f70e467f3e957b8b28079e60388edf9cce336f2b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:01:51 -0700 Subject: [PATCH 206/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 4b1e910a63..15aca579bc 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -32,7 +32,7 @@ Windows Security app | The Windows built-in security application found in setitn | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | -| Anti-tampering protection | Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | From 71126292d1bc6fd9676af65f60bbca548f35a130 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:03:25 -0700 Subject: [PATCH 207/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 15aca579bc..9e7ed088cc 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -33,7 +33,7 @@ Windows Security app | The Windows built-in security application found in setitn | Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | -| Network protection | Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user.

Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 5ba75a719df664b22ca93e7df7007c0254f634bc Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 16:09:44 -0700 Subject: [PATCH 208/458] adding new ZT landing page --- windows/security/TOC.yml | 2 + .../zero-trust-windows-device-health.md | 52 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 windows/security/zero-trust-windows-device-health.md diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 340d3c91b4..4dd99c673d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,6 +1,8 @@ - name: Windows security href: index.yml +- name: Windows and Zero Trust + href: zero-trust-windows-device-health.md expanded: true - name: Hardware security items: diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md new file mode 100644 index 0000000000..c8c7cf6ef5 --- /dev/null +++ b/windows/security/zero-trust-windows-device-health.md @@ -0,0 +1,52 @@ +--- +title: Zero Trust and Windows device health +description: Describes the process of Windows device health attestation +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Zero Trust and Windows device health +Today’s organizations need a new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security addresses today's complex work environments. + +The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-trust) are threefold. + +**Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. + +**Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive polices, and data protection to help secure data and maintain productivity. + +**Assume breach**. Assume breach operates in a manner that minimizes blast radius and segments access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. + +For Windows 11, the Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows 11 provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. And Windows 11 works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT Administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. + +## Device health attestation on Windows +Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + +- If the device can be trusted. This is determined with the help of a secure root of trust (Trusted Platform Module). Devices can attest that the TPM is enabled and in the attestation flow. +- If the OS booted correctly. Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. +- If the OS has the right set of security features enabled. +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot and other low-level hardware and firmware security features to protect your PC from attacks. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations helps keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your systems boot, allowing relying parties to bind trust to the device and its security. + +A summary of the steps involved in attestation and Zero Trust on the device side are as follows: + +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that’s sent to the attestation service (learn more about the attestation service below). +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. +5. The attestation service does the following: + + - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. + - Verify that the security features are in the expected states. + +6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. +7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. +8. Conditional access, along with device-compliance state then decides to grant access to protected resource or not. From 2b6c78b87fadb73235bce209282d6d2ea9e7a82e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:14:07 -0700 Subject: [PATCH 209/458] Update operating-system.md --- windows/security/operating-system.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9e7ed088cc..d072a0acb2 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -34,7 +34,7 @@ Windows Security app | The Windows built-in security application found in setitn | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user.

Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | -| Controlled folder access | Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | -| Exploit protection | Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | -| Microsoft Defender for Endpoint | Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously.When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

In Windows 10, version 1709 and later provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:

- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

- Cloud security analytics: Leveraging big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365, and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

- Threat intelligence: Microsoft’s threat intelligence is informed by trillions of security signals every day. Combined with our global team of security experts, and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. Our threat intelligence helps provide unparalleled protection for our customers.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 22533381f80c153986cc4295b2372c4d147a1751 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:15:20 -0700 Subject: [PATCH 210/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index d072a0acb2..31fcfaae14 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -36,5 +36,5 @@ Windows Security app | The Windows built-in security application found in setitn | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user.

Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously.When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

In Windows 10, version 1709 and later provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | -| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:

- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

- Cloud security analytics: Leveraging big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365, and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

- Threat intelligence: Microsoft’s threat intelligence is informed by trillions of security signals every day. Combined with our global team of security experts, and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. Our threat intelligence helps provide unparalleled protection for our customers.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 11fcd75a488dac5b7abb0821ffc0708261e17c22 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:18:33 -0700 Subject: [PATCH 211/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 31fcfaae14..49c1b14910 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -34,7 +34,7 @@ Windows Security app | The Windows built-in security application found in setitn | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user.

Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | -| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously.When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

In Windows 10, version 1709 and later provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 397251695439ee621e40277c49152c3314c25215 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:19:01 -0700 Subject: [PATCH 212/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 49c1b14910..3889734f8f 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -33,7 +33,7 @@ Windows Security app | The Windows built-in security application found in setitn | Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | -| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user.

Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously.When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

In Windows 10, version 1709 and later provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 5f83cad73f11915d5eeffa17809a51fafc1f1066 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:21:08 -0700 Subject: [PATCH 213/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 3889734f8f..82c9994bc3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -35,6 +35,6 @@ Windows Security app | The Windows built-in security application found in setitn | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | -| Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously.When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.

In Windows 10, version 1709 and later provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Exploit protection is available in Windows 10, version 1709 and later.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 0e58601b434b7b4cc8110dd79eb0a462593b7ed4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 16:24:10 -0700 Subject: [PATCH 214/458] cross linking TOCs --- windows/security/TOC.yml | 2 +- windows/security/threat-protection/auditing/TOC.yml | 4 +++- .../threat-protection/security-policy-settings/TOC.yml | 4 +++- .../security/threat-protection/windows-firewall/TOC.yml | 2 ++ windows/security/zero-trust-windows-device-health.md | 8 ++++++-- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 4dd99c673d..1e359ee788 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,7 +1,7 @@ - name: Windows security href: index.yml -- name: Windows and Zero Trust +- name: Zero Trust and Windows href: zero-trust-windows-device-health.md expanded: true - name: Hardware security diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml index 88646f01b0..00e500f989 100644 --- a/windows/security/threat-protection/auditing/TOC.yml +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -762,4 +762,6 @@ - name: Registry (Global Object Access Auditing) href: registry-global-object-access-auditing.md - name: File System (Global Object Access Auditing) - href: file-system-global-object-access-auditing.md \ No newline at end of file + href: file-system-global-object-access-auditing.md + - name: Windows security + href: /windows/security/index.yml \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 8e8f9f630c..5afa3d271b 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -346,4 +346,6 @@ - name: Synchronize directory service data href: synchronize-directory-service-data.md - name: Take ownership of files or other objects - href: take-ownership-of-files-or-other-objects.md \ No newline at end of file + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/index.yml \ No newline at end of file diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..55e911297b 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/index.yml diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index c8c7cf6ef5..41ad5cd387 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -23,7 +23,7 @@ The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-tru **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive polices, and data protection to help secure data and maintain productivity. -**Assume breach**. Assume breach operates in a manner that minimizes blast radius and segments access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. +**Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. For Windows 11, the Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows 11 provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. And Windows 11 works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT Administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. @@ -39,7 +39,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. 2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that’s sent to the attestation service (learn more about the attestation service below). -3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). 4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. 5. The attestation service does the following: @@ -50,3 +50,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. 7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. 8. Conditional access, along with device-compliance state then decides to grant access to protected resource or not. + +## Additional Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/) From 2cf1f97af68fde3a9b37e04119a0bd1ab949a663 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:30:17 -0700 Subject: [PATCH 215/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 82c9994bc3..c4926b7add 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -35,6 +35,6 @@ Windows Security app | The Windows built-in security application found in setitn | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | -| Exploit protection | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Exploit protection is available in Windows 10, version 1709 and later.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 59f4417c1b72b8dc93083e386d30c02413b85684 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:44:50 -0700 Subject: [PATCH 216/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c4926b7add..9e6018c19d 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -30,7 +30,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | From c6a3ad498cd9d6b15025034d5498a5a4218e5eb8 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:45:55 -0700 Subject: [PATCH 217/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9e6018c19d..a16171bae0 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -34,7 +34,7 @@ Windows Security app | The Windows built-in security application found in setitn | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | -| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware. Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | From 5e418b87cbbed64ea18a99fcefaba8ea2fe489cb Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:46:35 -0700 Subject: [PATCH 218/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index a16171bae0..0541c53a89 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -28,7 +28,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| -| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs).

| +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | From a117b862955c39a4edbcac27139bc978e80618a1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:52:42 -0700 Subject: [PATCH 219/458] Update operating-system.md --- windows/security/operating-system.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 0541c53a89..7b23896865 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -28,6 +28,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

| | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| From f0daf1250b579f998aba11f8696d1b5475df3d6c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:54:00 -0700 Subject: [PATCH 220/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 7b23896865..46f1b7f35e 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -28,7 +28,7 @@ Windows Security app | The Windows built-in security application found in setitn | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| -| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

| +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| From 6078ad66a337f975bd74fb024c203cc7f5d14ead Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:55:25 -0700 Subject: [PATCH 221/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 46f1b7f35e..21eeae82fb 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -31,7 +31,7 @@ Windows Security app | The Windows built-in security application found in setitn | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | From d4286878b4d61dd8e5c2d812b0a15c13f41b853a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 16:59:04 -0700 Subject: [PATCH 222/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 21eeae82fb..97a88f9cc3 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -31,7 +31,7 @@ Windows Security app | The Windows built-in security application found in setitn | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks potentially unwanted applications (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | From 2375afe19d14d1f3991bb56d4a8d2b498072492e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:01:15 -0700 Subject: [PATCH 223/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 97a88f9cc3..fbc384e66c 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -32,7 +32,7 @@ Windows Security app | The Windows built-in security application found in setitn | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| -| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server. These rules block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | From 07060fa8b9396c9048e6b6d34d47e49d3b5ae5d4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 17:01:31 -0700 Subject: [PATCH 224/458] removing TP TOC fixing home link --- windows/security/threat-protection/TOC.yml | 38 ------------------- .../threat-protection/auditing/TOC.yml | 2 +- .../security-policy-settings/TOC.yml | 2 +- .../windows-firewall/TOC.yml | 2 +- 4 files changed, 3 insertions(+), 41 deletions(-) delete mode 100644 windows/security/threat-protection/TOC.yml diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml deleted file mode 100644 index c4a518650a..0000000000 --- a/windows/security/threat-protection/TOC.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: Windows threat protection - items: - - name: Overview - href: index.md - - name: Microsoft Defender Antivirus - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - - name: Attack surface reduction rules - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction - - name: Tamper protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Network protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection - - name: Controlled folder access - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders - - name: Exploit protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection - - name: Microsoft Defender for Endpoint - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint - -- name: Hardware security - href: ../hardware.md - -- name: Operating system security - href: ../operating-system.md - -- name: Application security - href: ../apps.md - -- name: Cloud services - href: ../cloud.md - -- name: User protection - href: ../identity.md - -- name: Security foundations - -- name: Windows Privacy - href: /windows/privacy/windows-10-and-privacy-compliance.md \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml index 00e500f989..4f122c5d8e 100644 --- a/windows/security/threat-protection/auditing/TOC.yml +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -764,4 +764,4 @@ - name: File System (Global Object Access Auditing) href: file-system-global-object-access-auditing.md - name: Windows security - href: /windows/security/index.yml \ No newline at end of file + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 5afa3d271b..1ddc477ef1 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -348,4 +348,4 @@ - name: Take ownership of files or other objects href: take-ownership-of-files-or-other-objects.md - name: Windows security - href: /windows/security/index.yml \ No newline at end of file + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index 55e911297b..ca84e461a5 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -251,4 +251,4 @@ - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md - name: Windows security - href: /windows/security/index.yml + href: /windows/security/ From be4b27ae24edbc97eb2c358bcb050255602c8e5a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:02:07 -0700 Subject: [PATCH 225/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index fbc384e66c..578efaf296 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -37,5 +37,5 @@ Windows Security app | The Windows built-in security application found in setitn | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | -| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide). | From 76cdce8dc15a23416cb2604d44427bbf6bb0d3ea Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:11:11 -0700 Subject: [PATCH 226/458] Create security-foundations.md --- windows/security/security-foundations.md | 27 ++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 windows/security/security-foundations.md diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md new file mode 100644 index 0000000000..1c9ec3e3dc --- /dev/null +++ b/windows/security/security-foundations.md @@ -0,0 +1,27 @@ +--- +title: Windows security foundations +description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows security foundations + +Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. + +Our strong security foundation leverages Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. + +Use the links in the following table to learn more about the security foundations:

+ +| Concept | Description | +|:---|:---| +| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | \ No newline at end of file From 964f5da205df9a897d929b2d4df0aefaaf1bb68b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:12:12 -0700 Subject: [PATCH 227/458] Update TOC.yml --- windows/security/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 1e359ee788..41b9403668 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -441,6 +441,8 @@ href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md - name: Security foundations items: + - name: Overview + href: security-foundations.md - name: FIPS 140-2 Validation href: threat-protection/fips-140-validation.md - name: Common Criteria Certifications From f48a3e4ed72db368c8e787238e9aee9841fb8685 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:17:36 -0700 Subject: [PATCH 228/458] Update security-foundations.md --- windows/security/security-foundations.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md index 1c9ec3e3dc..2e2f94b61b 100644 --- a/windows/security/security-foundations.md +++ b/windows/security/security-foundations.md @@ -24,4 +24,10 @@ Use the links in the following table to learn more about the security foundation | Concept | Description | |:---|:---| -| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | \ No newline at end of file +| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | +| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | +| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| +| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). | + + + From 804a7e8151928b5c2f5a17485bdc729c997f7ecc Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:19:24 -0700 Subject: [PATCH 229/458] Update TOC.yml --- windows/security/TOC.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 41b9403668..bb4ea7332b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -443,13 +443,13 @@ items: - name: Overview href: security-foundations.md - - name: FIPS 140-2 Validation - href: threat-protection/fips-140-validation.md - - name: Common Criteria Certifications - href: threat-protection/windows-platform-common-criteria.md - name: Microsoft Security Development Lifecycle href: threat-protection/msft-security-dev-lifecycle.md - name: Microsoft Bug Bounty Program href: threat-protection/microsoft-bug-bounty-program.md + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md - name: Windows Privacy href: /windows/privacy/windows-10-and-privacy-compliance.md From 997d731f3ee906bdb9592e32e910017d27cd9e94 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:21:38 -0700 Subject: [PATCH 230/458] Update index.yml --- windows/security/index.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0dc418be7d..30b34d27ab 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/14/2021 + ms.date: 09/16/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -90,16 +90,20 @@ landingContent: # Card (optional) - title: Security foundations linkLists: + - linkListType: overview + links: + - text: Security foundations + url: security-foundations.md - linkListType: concept links: - - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation.md - - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria.md - text: Microsoft Security Development Lifecycle url: /windows/security/threat-protection/msft-security-dev-lifecycle.md - text: Microsoft Bug Bounty url: /windows/security/threat-protection/microsoft-bug-bounty-program.md + - text: Common Criteria Certifications + url: /windows/security/threat-protection/windows-platform-common-criteria.md + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: /windows/security/threat-protection/fips-140-validation.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 6d1f805d7698668aa71cb2e38c2105fc4ce1b59b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:26:27 -0700 Subject: [PATCH 231/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 30b34d27ab..fa6bce4547 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -26,6 +26,8 @@ landingContent: links: - text: Trusted Platform Module url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md + - text: Hardware-based root of trust + url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - text: Protect domain credentials url: /windows/security/identity-protection/credential-guard/credential-guard.md - text: Kernel DMA Protection From c46601ff9968cdc9d76e8af24480f514ac81a901 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 17:28:05 -0700 Subject: [PATCH 232/458] adding links back to WinSecurity --- .../microsoft-defender-application-guard/TOC.yml | 9 ++++++--- .../windows-defender-application-control/TOC.yml | 3 +++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index ee887e168a..e235cf65ec 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -3,13 +3,16 @@ items: - name: System requirements href: reqs-md-app-guard.md - - name: Install WDAG + - name: Install Application Guard href: install-md-app-guard.md - - name: Configure WDAG policies + - name: Configure Application Guard policies href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - - name: FAQ + - name: Application Guard FAQ href: faq-md-app-guard.yml +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a9d13497a..c867f6aee4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -292,3 +292,6 @@ href: applocker\using-event-viewer-with-applocker.md - name: AppLocker Settings href: applocker\applocker-settings.md +- name: Windows security + href: /windows/security/ + From 2b7947cef7e377a1cb565ff8dea7da708eb79190 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:28:43 -0700 Subject: [PATCH 233/458] Update index.yml --- windows/security/index.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index fa6bce4547..7736e62226 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -28,6 +28,10 @@ landingContent: url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md - text: Hardware-based root of trust url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - text: System Guard Secure Launch and SMM protection + url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - text: Virtualization-based protection of code integrity + url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - text: Protect domain credentials url: /windows/security/identity-protection/credential-guard/credential-guard.md - text: Kernel DMA Protection From 8a74cbf4e52bf88b65e1f1779b37892d7aea7333 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:30:01 -0700 Subject: [PATCH 234/458] Update index.yml --- windows/security/index.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 7736e62226..ff58a9aa81 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -22,6 +22,10 @@ landingContent: # Card (optional) - title: Hardware security linkLists: + - linkListType: overview + links: + - text: Overview + url: hardware.md - linkListType: concept links: - text: Trusted Platform Module From f3a337b0b0f65f005c8ed26e86b9104a6573314f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:31:51 -0700 Subject: [PATCH 235/458] Update index.yml --- windows/security/index.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index ff58a9aa81..7f20751de7 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -18,6 +18,15 @@ metadata: landingContent: # Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Zero Trust and Windows + linkLists: + - linkListType: overview + links: + - text: Overview + url: zero-trust-windows-device-health.md +# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Hardware security From f9492e2bdd50d6e1ae4258248789b51905f07272 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:33:51 -0700 Subject: [PATCH 236/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 7f20751de7..26d8ea6d19 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -64,6 +64,8 @@ landingContent: url: trusted-boot.md - text: Encryption and data protection url: encryption-data-protection.md + - text: Windows security baselines + url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - text: Network security url: identity-protection/vpn/vpn-guide.md - text: Virus & threat protection From e8feeab903790d9debfbd59a883b260d55054333 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:36:00 -0700 Subject: [PATCH 237/458] Update index.yml --- windows/security/index.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 26d8ea6d19..18071b80dd 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -66,8 +66,10 @@ landingContent: url: encryption-data-protection.md - text: Windows security baselines url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - - text: Network security + - text: Virtual private network guide url: identity-protection/vpn/vpn-guide.md + - text: Windows Defender Firewall + url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - text: Virus & threat protection url: https://docs.microsoft.com/microsoft-365/security/defender-endpoint # Cards and links should be based on top customer tasks or top subjects From 8bc6bf5ae977985c9780a5bf4538fbcd80589f16 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 17:36:10 -0700 Subject: [PATCH 238/458] fixing links --- windows/security/TOC.yml | 2 +- windows/security/identity-protection/configure-s-mime.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index bb4ea7332b..74fe21d3ec 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -452,4 +452,4 @@ - name: Common Criteria Certifications href: threat-protection/windows-platform-common-criteria.md - name: Windows Privacy - href: /windows/privacy/windows-10-and-privacy-compliance.md + href: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 0d04b78646..2f95950f32 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -25,11 +25,11 @@ ms.date: 07/27/2017 - Windows 10 - Windows 11 -S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. ## About message encryption -Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. @@ -49,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been On the device, perform the following steps: (add select certificate) -1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +1. Open the Mail app. 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. From 053ad959407f22f24d23454397b8500cfe341655 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:37:03 -0700 Subject: [PATCH 239/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 18071b80dd..8b49a21d68 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -71,7 +71,7 @@ landingContent: - text: Windows Defender Firewall url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - text: Virus & threat protection - url: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + url: threat-protection/index.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 9e3806b78b98bd4e181b05f99ab4a777d9dba2ad Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:38:12 -0700 Subject: [PATCH 240/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8b49a21d68..d5a96c4a6b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -79,8 +79,8 @@ landingContent: linkLists: - linkListType: overview links: - - text: article (change link later, add more) - url: /windows/security/threat-protection/windows-security-baselines.md + - text: Overview + url: apps.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 067617a1914141f92a601499a99f2d8688d6af56 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:41:21 -0700 Subject: [PATCH 241/458] Update index.yml --- windows/security/index.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index d5a96c4a6b..277579de26 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -81,6 +81,14 @@ landingContent: links: - text: Overview url: apps.md + - linkListType: concept + links: + - text: Application Control and virtualization-based protection + url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - text: Application Control + url: threat-protection/windows-defender-application-control/windows-defender-application-control.md + - text: Application Guard + url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 4ac25a67946185430e01b8d2d17cd1621a93504c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 17:41:31 -0700 Subject: [PATCH 242/458] removing ?view=o365-worldwide --- windows/security/operating-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 578efaf296..bf8710c480 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -31,10 +31,10 @@ Windows Security app | The Windows built-in security application found in setitn | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

-| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | -| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/?view=o365-worldwide), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide). | From 54c28083a0aebcbf62d62e20ac94542bc7e0ddbe Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:42:25 -0700 Subject: [PATCH 243/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 277579de26..438fc44278 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -89,6 +89,8 @@ landingContent: url: threat-protection/windows-defender-application-control/windows-defender-application-control.md - text: Application Guard url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md + - text: Windows Sandbox + url: threat-protection/windows-sandbox/windows-sandbox-overview.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 2df3d9ada5af85fea316f7062979db769c9136e1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:43:31 -0700 Subject: [PATCH 244/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 438fc44278..2c221e552d 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -91,6 +91,8 @@ landingContent: url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md - text: Windows Sandbox url: threat-protection/windows-sandbox/windows-sandbox-overview.md + - text: Microsoft Defender SmartScreen + url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 55ebf6f33c1397d87f211468c2b7c95ac363d5ce Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:44:14 -0700 Subject: [PATCH 245/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 2c221e552d..6f641ae252 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -93,6 +93,8 @@ landingContent: url: threat-protection/windows-sandbox/windows-sandbox-overview.md - text: Microsoft Defender SmartScreen url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - text: S/MIME for Windows + url: identity-protection/configure-s-mime.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From d456a08f2d920b32c64816bdd16d69bf6fb50ac0 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:45:06 -0700 Subject: [PATCH 246/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 6f641ae252..2ac8196845 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -95,6 +95,8 @@ landingContent: url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - text: S/MIME for Windows url: identity-protection/configure-s-mime.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 96ff6aaaa060a4ec9d62158a71dde9ed1cd84342 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:45:43 -0700 Subject: [PATCH 247/458] Update index.yml --- windows/security/index.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 2ac8196845..cce8b931e2 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -98,15 +98,6 @@ landingContent: - text: Windows Credential Theft Mitigation url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md # Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Secured identity - linkLists: - - linkListType: overview - links: - - text: article (change link later, add more) - url: /windows/security/threat-protection/windows-security-baselines.md -# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Cloud services From aab9a577441e50dff0fbd81bb91031dc5080e6e7 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:47:12 -0700 Subject: [PATCH 248/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index cce8b931e2..80627b4e1a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -104,10 +104,10 @@ landingContent: linkLists: - linkListType: overview links: - - text: Azure Active Directory - url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Modern device management with Windows 11 url: mdm-windows.md + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account url: identity-protection/access-control/microsoft-accounts.md - text: OneDrive From 6e0c627228265cd0c264a481add4b6a9d2bf0ced Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:48:55 -0700 Subject: [PATCH 249/458] Update index.yml --- windows/security/index.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 80627b4e1a..74c809b0f3 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -114,7 +114,15 @@ landingContent: url: https://docs.microsoft.com/onedrive/onedrive - text: Family safety url: threat-protection/windows-defender-security-center/wdsc-family-options.md - +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User protection + linkLists: + - linkListType: overview + links: + - text: Windows identity security + url: identity.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 9c41f693705675150ed691228868aa27df4a5540 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:54:04 -0700 Subject: [PATCH 250/458] Update index.yml --- windows/security/index.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 74c809b0f3..244760c0e0 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -95,8 +95,6 @@ landingContent: url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - text: S/MIME for Windows url: identity-protection/configure-s-mime.md - - text: Windows Credential Theft Mitigation - url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) @@ -123,6 +121,14 @@ landingContent: links: - text: Windows identity security url: identity.md + - linkListType: concept + links: + - text: Windows Hello for Business + url: identity-protection/hello-for-business/hello-overview.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Windows Defender Credential Guard + url: identity-protection/credential-guard/credential-guard.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 6c61feef73fb24997484c2a7c443056a46c07679 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:54:43 -0700 Subject: [PATCH 251/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 244760c0e0..201bedcb02 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -102,7 +102,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Modern device management with Windows 11 + - text: Modern device management url: mdm-windows.md - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory From 7c0e6255c33072436feada8aa3d985be39aabe71 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:55:46 -0700 Subject: [PATCH 252/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 201bedcb02..8b31a20285 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -129,6 +129,8 @@ landingContent: url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - text: Windows Defender Credential Guard url: identity-protection/credential-guard/credential-guard.md + - text: Lost or forgotten passwords + url: identity-protection/password-support-policy.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 15065dc15b44f03449a1695425b953905b87c658 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:56:46 -0700 Subject: [PATCH 253/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8b31a20285..e467ac1649 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -131,6 +131,8 @@ landingContent: url: identity-protection/credential-guard/credential-guard.md - text: Lost or forgotten passwords url: identity-protection/password-support-policy.md + - text: Access control + url: identity-protection/access-control/access-control.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 2433569099608808da36ab1e34a7205357aadc84 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 17:57:45 -0700 Subject: [PATCH 254/458] Update index.yml --- windows/security/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index e467ac1649..25c5bee6eb 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -133,6 +133,8 @@ landingContent: url: identity-protection/password-support-policy.md - text: Access control url: identity-protection/access-control/access-control.md + - text: Smart cards + url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) From 302174e41a0e92cdc8e02578ea56491fbbf2259a Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:25:02 -0700 Subject: [PATCH 255/458] Update hardware.md --- windows/security/hardware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 3233f71e48..2201c1ec64 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -16,7 +16,7 @@ ms.technology: windows-sec # Windows hardware security Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. -These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

| Security Measures | Features & Capabilities | |:---|:---| From 038241ba330a2ad6741179ca084b6cc440a55dba Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:26:01 -0700 Subject: [PATCH 256/458] Update operating-system.md --- windows/security/operating-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index bf8710c480..bbd4cc590f 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -22,9 +22,9 @@ Use the links in the following table to learn more about the operating system se | Security Measures | Features & Capabilities | |:---|:---| -| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

Learn more [Secure Boot and Trusted Boot](trusted-boot.md).
|| +| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

Learn more [Secure Boot and Trusted Boot](trusted-boot.md). | Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| -Windows Security app | The Windows built-in security application found in setitngs provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | | Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| From 378ff8ba125715639256ffc03086244fde062d0b Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:26:40 -0700 Subject: [PATCH 257/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index bbd4cc590f..5e6d6d553a 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -18,7 +18,7 @@ ms.technology: windows-sec Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. -Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:

+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

| Security Measures | Features & Capabilities | |:---|:---| From 6732eff1ad97157404c6b8d4c2df83e47288f00e Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:29:01 -0700 Subject: [PATCH 258/458] Update index.yml --- windows/security/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 25c5bee6eb..31bb07f3e7 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -45,8 +45,6 @@ landingContent: url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - text: Virtualization-based protection of code integrity url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - - text: Protect domain credentials - url: /windows/security/identity-protection/credential-guard/credential-guard.md - text: Kernel DMA Protection url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md # Cards and links should be based on top customer tasks or top subjects @@ -127,6 +125,8 @@ landingContent: url: identity-protection/hello-for-business/hello-overview.md - text: Windows Credential Theft Mitigation url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Protect domain credentials + url: /windows/security/identity-protection/credential-guard/credential-guard.md - text: Windows Defender Credential Guard url: identity-protection/credential-guard/credential-guard.md - text: Lost or forgotten passwords From 06e76d7ce41a1d28c9db0e4df265d4671f833d40 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:37:59 -0700 Subject: [PATCH 259/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 5e6d6d553a..6563a1a785 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -27,7 +27,7 @@ Cryptography and certificate management|Cryptography uses code to convert data s Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). | BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | -| Encrypted Hard Drive |

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| +| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

From 8c4bc8e4ead9fb38085ab146b9c563766ba1809c Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:39:14 -0700 Subject: [PATCH 260/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 6563a1a785..17e431c6b0 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -32,7 +32,7 @@ Windows Security app | The Windows built-in security application found in settin | Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| -| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | From 141a815406e9d9567b8808ed49e8f9054bfb66ba Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:39:38 -0700 Subject: [PATCH 261/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 17e431c6b0..cc3ad4f461 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -33,7 +33,7 @@ Windows Security app | The Windows built-in security application found in settin | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | -| Anti-tampering protection | Attacks like ransomware attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Anti-tampering protection | Attacks (like ransomware) attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | From c010502e191ea5e5990c8d29f3bd9bcc2138ce54 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:40:22 -0700 Subject: [PATCH 262/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index cc3ad4f461..75e536d9cf 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -33,7 +33,7 @@ Windows Security app | The Windows built-in security application found in settin | Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | -| Anti-tampering protection | Attacks (like ransomware) attempt to disable security features, such as anti-virus protection, on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | From 231a176b905c17270c20767c6fd0fc96b7b29a44 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:42:44 -0700 Subject: [PATCH 263/458] Update TOC.yml --- windows/security/TOC.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 74fe21d3ec..f9175c9dc3 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -297,8 +297,9 @@ - name: Fine-tune WIP Learning href: information-protection/windows-information-protection/wip-learning.md - name: Application security - href: apps.md items: + - name: Overview + href: apps.md - name: Windows Defender Application Control and virtualization-based protection of code integrity href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - name: Windows Defender Application Control From d22e6cea58842e7417d0eaf1ea3fd1d8a8d527f0 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:43:36 -0700 Subject: [PATCH 264/458] Update TOC.yml --- windows/security/TOC.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index f9175c9dc3..e10a8415d9 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -336,8 +336,9 @@ - name: Azure Virtual Desktop (need link) href: https://docs.microsoft.com/windows/whats-new/windows-11 - name: User protection - href: identity.md items: + - name: Overview + href: identity.md - name: Windows Hello for Business href: identity-protection/hello-for-business/index.yml - name: Windows credential theft mitigation guide From b3d8a1227acd79a5224f6eb0a92c6967bf08b5c1 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:46:53 -0700 Subject: [PATCH 265/458] Update index.yml --- windows/security/index.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 31bb07f3e7..b935d3fc7c 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -99,6 +99,10 @@ landingContent: - title: Cloud services linkLists: - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept links: - text: Modern device management url: mdm-windows.md From 6cac5f5e5ab345507823e912b3166d9f22e20811 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:48:07 -0700 Subject: [PATCH 266/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index b935d3fc7c..a75d4258bd 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -148,7 +148,7 @@ landingContent: links: - text: Security foundations url: security-foundations.md - - linkListType: concept + - linkListType: reference links: - text: Microsoft Security Development Lifecycle url: /windows/security/threat-protection/msft-security-dev-lifecycle.md From 996dfb556af5b1be0baa80a6e12a907f03e65c33 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Thu, 16 Sep 2021 18:53:59 -0700 Subject: [PATCH 267/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index a75d4258bd..5a22246777 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -163,7 +163,7 @@ landingContent: # Card (optional) - title: Privacy controls linkLists: - - linkListType: overview + - linkListType: reference links: - text: Windows and Privacy Compliance url: /windows/privacy/windows-10-and-privacy-compliance.md From d460e188234d33761241b543a9b87e1470aec810 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 19:37:18 -0700 Subject: [PATCH 268/458] adding security app topics to TOC --- windows/security/TOC.yml | 15 +++++++++++++++ .../wdsc-windows-10-in-s-mode.md | 8 -------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 74fe21d3ec..f03d8c0fdf 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -47,6 +47,21 @@ href: cryptography-certificate-mgmt.md - name: The Windows Security app href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md - name: Security policy settings href: threat-protection/security-policy-settings/security-policy-settings.md - name: Security auditing diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..3b0f4cf952 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -22,14 +22,6 @@ ms.technology: mde - Windows 10 in S mode, version 1803 -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Microsoft Intune - Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. From 5f6256d33b33406d7431e76824dcf5a0c1746e27 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 19:41:51 -0700 Subject: [PATCH 269/458] removing ?view=o365-worldwide --- windows/security/operating-system.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 75e536d9cf..9c4e6c86ea 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -12,6 +12,7 @@ author: denisebmsft ms.collection: M365-security-compliance ms.prod: m365-security ms.technology: windows-sec +ms.date: --- # Windows operating system security @@ -37,5 +38,5 @@ Windows Security app | The Windows built-in security application found in settin | Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | -| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/?view=o365-worldwide). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). | From 4991b4a99d6a46d114c300ae6ab903ee72b1643f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 19:53:24 -0700 Subject: [PATCH 270/458] updating cloud toc --- windows/security/TOC.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 05b67211e7..78af7bca44 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -341,15 +341,11 @@ - name: Modern device management with Windows 11 href: mdm-windows.md - name: Windows 11 secured-core devices (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 Cloud PCs (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Enterprise (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 - - name: Windows 365 for Business (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 + href: /windows-hardware/design/device-experiences/oem-highly-secure + - name: Windows 365 Cloud PCs + href: /windows-365/overview - name: Azure Virtual Desktop (need link) - href: https://docs.microsoft.com/windows/whats-new/windows-11 + href: /azure/virtual-desktop/ - name: User protection items: - name: Overview From 8d75b4f1800b988e752dc5aabc4f48d0f32cde9d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 19:57:07 -0700 Subject: [PATCH 271/458] Windows 10 & 11 --- windows/security/encryption-data-protection.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 1841a48867..b9967d05ac 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -1,6 +1,6 @@ --- -title: Encryption and data protection in Windows 11 -description: Get an overview encryption and data protection in Windows 11 +title: Encryption and data protection in Windows +description: Get an overview encryption and data protection in Windows 11 and Windows 10 search.appverid: MET150 author: denisebmsft ms.author: deniseb @@ -16,13 +16,10 @@ ms.reviewer: deepakm, rafals f1.keywords: NOCSH --- -# Encryption and data protection in Windows 11 +# Encryption and data protection in Windows client -*This article provides a brief overview of encryption and data protection built into Windows 11.* - -When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, starting with the Encrypting File System (EFS) in the Windows 2000 operating system. - -In Windows 11, encryption and data protection features include: +When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. +Encryption and data protection features include: - Encrypted Hard Drive - BitLocker @@ -54,4 +51,3 @@ Windows consistently improves data protection by improving existing options and - [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) - [BitLocker](information-protection/bitlocker/bitlocker-overview.md) - From 120fd20bb612f24fa75d200a243b1c863cf9c7eb Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 20:08:22 -0700 Subject: [PATCH 272/458] updating identity --- windows/security/TOC.yml | 6 +++--- windows/security/identity.md | 4 +--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 78af7bca44..22300ecb09 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -340,13 +340,13 @@ href: cloud.md - name: Modern device management with Windows 11 href: mdm-windows.md - - name: Windows 11 secured-core devices (need link) + - name: Windows 11 secured-core devices href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Windows 365 Cloud PCs href: /windows-365/overview - - name: Azure Virtual Desktop (need link) + - name: Azure Virtual Desktop href: /azure/virtual-desktop/ -- name: User protection +- name: identity protection items: - name: Overview href: identity.md diff --git a/windows/security/identity.md b/windows/security/identity.md index 5a1dd59008..259aebe12d 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -15,9 +15,7 @@ ms.technology: windows-sec # Windows identity security -Malicious actors launch an average of 50 million password attacks every day—579 per second. And Identity is the battleground for attacks of the future. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows 11 correctly identifies users while delivering a high-quality user experience, which helps hybrid and remote workers stay productive without sacrificing security. - -New Windows 11 devices protect users by removing vulnerable passwords by default, from day one. Weak passwords, password spraying, and phishing are the entry point for many attacks. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations by more than 99.9 percent. As remote and hybrid work becomes the new normal, Windows 11 gives IT teams a variety of MFA options to meet business and consumer needs while complying with ever-evolving regulations. +Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. | Security capabilities | Description | |:---|:---| From 6becfcb915ca5cec3499a809b03899a1f79093cf Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 20:23:46 -0700 Subject: [PATCH 273/458] ch ch ch changes --- windows/security/TOC.yml | 26 +++++++++++++------------- windows/security/cloud.md | 3 +-- windows/security/identity.md | 4 ++-- 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 22300ecb09..edabc8b73e 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -35,6 +35,8 @@ href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md + - name: Windows 11 secured-core devices + href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Operating system security items: - name: Overview @@ -334,19 +336,7 @@ href: identity-protection\configure-s-mime.md - name: Windows Credential Theft Mitigation Guide Abstract href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md -- name: Cloud services - items: - - name: Overview - href: cloud.md - - name: Modern device management with Windows 11 - href: mdm-windows.md - - name: Windows 11 secured-core devices - href: /windows-hardware/design/device-experiences/oem-highly-secure - - name: Windows 365 Cloud PCs - href: /windows-365/overview - - name: Azure Virtual Desktop - href: /azure/virtual-desktop/ -- name: identity protection +- name: Identity and user security items: - name: Overview href: identity.md @@ -452,6 +442,16 @@ href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - name: Tpmvscmgr href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Cloud services + items: + - name: Overview + href: cloud.md + - name: Modern device management with Windows 11 + href: mdm-windows.md + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ - name: Security foundations items: - name: Overview diff --git a/windows/security/cloud.md b/windows/security/cloud.md index f65cdf002c..78bd1111d0 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -28,11 +28,10 @@ Windows 11 includes the cloud services that are listed in the following table:
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | | Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | -| Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.

[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety). | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | ## Next steps diff --git a/windows/security/identity.md b/windows/security/identity.md index 259aebe12d..b9a43f3ca6 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -1,5 +1,5 @@ --- -title: Windows identity security +title: Windows identity and user security description: Get an overview of identity security in Windows 11 and Windows 10 ms.reviewer: manager: dansimp @@ -13,7 +13,7 @@ ms.prod: m365-security ms.technology: windows-sec --- -# Windows identity security +# Windows identity and user security Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. From 50f98bd356fe7d2dad772b158484b519c57cbf83 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 17 Sep 2021 07:53:56 -0700 Subject: [PATCH 274/458] Delete mdm-windows.md --- windows/security/mdm-windows.md | 70 --------------------------------- 1 file changed, 70 deletions(-) delete mode 100644 windows/security/mdm-windows.md diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md deleted file mode 100644 index db735842c5..0000000000 --- a/windows/security/mdm-windows.md +++ /dev/null @@ -1,70 +0,0 @@ ---- -title: Modern device management and Windows 11 -description: Get an overview of modern device management with Microsoft Endpoint Manager and Windows 11 -search.appverid: MET150 -author: denisebmsft -ms.author: deniseb -manager: dansimp -audience: ITPro -ms.topic: conceptual -ms.date: 09/14/2021 -ms.prod: w11 -ms.localizationpriority: medium -ms.collection: -ms.custom: -ms.reviewer: -f1.keywords: NOCSH ---- - -# Modern device management and Windows 11 - -*This article provides an overview of modern device management and Windows 11.* - -Windows 11 supports modern device management, an enterprise management solution to help you manage your organization's security policies and business applications. Modern device management enables your security team to manage devices without compromising people's privacy on their personal devices. - -Windows 11 includes a management component that includes: - -- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and -- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies. - -Read this article to learn more about how Windows 11 works with modern device management. - -## Modern device management features and capabilities - -Modern device management includes several security features & capabilities, as described in the following table:

- -| Feature/capability | Description | -|:---|:---| -| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.

Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that modern device management solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data | -| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines.

When a device is joined to Azure AD and managed with modern device management, you get the following security benefits:
- Fully managed user/device settings and policies by default
- Single Sign On to all Microsoft online services
- Password management capabilities (Windows Hello for Business)
- Authentication using tokens
- No use of consumer Microsoft Account identities | -| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.

When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with modern device management and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk.

Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors registry keys, and when a drift is detected, the operating system reverts back to the IT-configured state within seconds.

Config Lock works with Application Control, Application Guard, and BitLocker. | -| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with modern device management integration with Microsoft Azure Attestation, allowing modern device management providers to use the attestation capabilities to trust and enhance device security.

Learn more about [Microsoft Azure Attestation](/azure/attestation). | -| (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business | - -## Security baselines - -Windows 11 can be configured with the [Microsoft modern device management security baseline](/mem/intune/protect/security-baseline-settings-modern device management-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any modern device management, addressing security concerns and compliance needs for modern cloud-managed devices. - -The modern device management security baseline includes policies that cover the following areas: - -- Microsoft inbox security technology - - BitLocker - - Windows Defender SmartScreen -- Virtual-based security - - Exploit protection - - Microsoft Defender Antivirus - - Windows Defender Firewall -- Restricting remote access to devices -- Setting credential requirements for passwords and PINs -- Restricting the use of legacy technology -- Legacy technology policies that offer alternative solutions with modern technology - -## Support for non-Microsoft modern device management servers - -Non-Microsoft modern device management servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the modern device management protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. Modern device management servers do not need to create or download a client to manage Windows 11. - -For details about the modern device management protocols, the following resources: - -- [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) -- [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) - From e1652f67eb24ce6dde631cceae1ce51a2bc03e35 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 17 Sep 2021 07:56:39 -0700 Subject: [PATCH 275/458] MDM --- windows/security/TOC.yml | 4 ++-- windows/security/index.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index edabc8b73e..cc5c7302ed 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -446,8 +446,8 @@ items: - name: Overview href: cloud.md - - name: Modern device management with Windows 11 - href: mdm-windows.md + - name: Mobile device management + href: client-management/mdm.md - name: Windows 365 Cloud PCs href: /windows-365/overview - name: Azure Virtual Desktop diff --git a/windows/security/index.yml b/windows/security/index.yml index 5a22246777..0807b2123a 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/16/2021 + ms.date: 09/17/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -104,8 +104,8 @@ landingContent: url: cloud.md - linkListType: concept links: - - text: Modern device management - url: mdm-windows.md + - text: Mobile device management + url: client-management/mdm.md - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account From 65611f9f9c383ba1f1e3a708f9826b82225f4622 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 17 Sep 2021 08:31:32 -0700 Subject: [PATCH 276/458] Update cloud.md --- windows/security/cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 78bd1111d0..81019491b7 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/10/2021 +ms.date: 09/17/2021 ms.localizationpriority: medium ms.custom: f1.keywords: NOCSH @@ -28,7 +28,7 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows 11](mdm-windows.md). | +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows](../client-management/mdm/index.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | From 0c62ac35444a6ad7fe65cc709efe378224469ac6 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:20 -0700 Subject: [PATCH 277/458] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 844c34033a..e4459d2d4f 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -24,7 +24,7 @@ The Microsoft Virus Initiative (MVI) helps organizations develop better-together You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -To qualify for the MVI program, your organization must meet all the following requirements. +To qualify for the MVI program, your organization must meet all the following requirements: 1) Your security solution either replaces or compliments Microsoft Defender Antivirus. From 3337a3c55206b1dc60327e2faf83846de0d833e4 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:27 -0700 Subject: [PATCH 278/458] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index e4459d2d4f..e079bcdc67 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -30,7 +30,7 @@ To qualify for the MVI program, your organization must meet all the following re 2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner. 4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. From 636b5f231abae09a437e40b8caf37b135447d767 Mon Sep 17 00:00:00 2001 From: Nick Bassett Date: Fri, 17 Sep 2021 10:34:34 -0700 Subject: [PATCH 279/458] Update windows/security/threat-protection/intelligence/virus-initiative-criteria.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/intelligence/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index e079bcdc67..ccb2eb6624 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -38,7 +38,7 @@ To qualify for the MVI program, your organization must meet all the following re 6) You must submit your app to Microsoft for periodic performance testing and feature review. -7) Your solution must be certified through independent testing by at least one industry standard organization, and yearly certification must be maintained. +7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- From 9c87cbff083eabe36e387ed91f322b64415112de Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 17 Sep 2021 10:53:17 -0700 Subject: [PATCH 280/458] fix --- windows/security/TOC.yml | 2 +- windows/security/hardware.md | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index cc5c7302ed..46d6c42528 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -35,7 +35,7 @@ href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md - - name: Windows 11 secured-core devices + - name: Windows secured-core devices href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Operating system security items: diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 2201c1ec64..5fbcc6156a 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -16,11 +16,12 @@ ms.technology: windows-sec # Windows hardware security Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. -These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

+These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

| Security Measures | Features & Capabilities | |:---|:---| -| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.
Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | -| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | -| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). -| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily-accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily-accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secure core devices | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that features deeply integrated hardware, firmware and software to ensure enhanced security for devices, identities and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secure core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| From 08000679b99fa39a7a770c977ebbd65801e1a60d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 17 Sep 2021 16:01:56 -0700 Subject: [PATCH 281/458] removing older TOCs --- .../threat-protection/intelligence/TOC.yml | 60 ------ .../applocker/TOC.yml | 186 ------------------ 2 files changed, 246 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/TOC.yml delete mode 100644 windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml deleted file mode 100644 index 78fea4eba3..0000000000 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: Security intelligence - href: index.md - items: - - name: Understand malware & other threats - href: understanding-malware.md - items: - - name: Coin miners - href: coinminer-malware.md - - name: Exploits and exploit kits - href: exploits-malware.md - - name: Fileless threats - href: fileless-threats.md - - name: Macro malware - href: macro-malware.md - - name: Phishing attacks - href: phishing.md - items: - - name: Phishing trends and techniques - href: phishing-trends.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: rootkits-malware.md - - name: Supply chain attacks - href: supply-chain-malware.md - - name: Tech support scams - href: support-scams.md - - name: Trojans - href: trojans-malware.md - - name: Unwanted software - href: unwanted-software.md - - name: Worms - href: worms-malware.md - - name: Prevent malware infection - href: prevent-malware-infection.md - - name: Malware naming convention - href: malware-naming.md - - name: How Microsoft identifies malware and PUA - href: criteria.md - - name: Submit files for analysis - href: submission-guide.md - - name: Troubleshoot malware submission - href: portal-submission-troubleshooting.md - - name: Safety Scanner download - href: safety-scanner-download.md - - name: Industry collaboration programs - href: cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: virus-initiative-criteria.md - - name: Coordinated malware eradication - href: coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: developer-faq.yml - - name: Software developer resources - href: developer-resources.md diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml deleted file mode 100644 index b796c0e95e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml +++ /dev/null @@ -1,186 +0,0 @@ -- name: AppLocker - href: applocker-overview.md - items: - - name: Administer AppLocker - href: administer-applocker.md - items: - - name: Maintain AppLocker policies - href: maintain-applocker-policies.md - - name: Edit an AppLocker policy - href: edit-an-applocker-policy.md - - name: Test and update an AppLocker policy - href: test-and-update-an-applocker-policy.md - - name: Deploy AppLocker policies by using the enforce rules setting - href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md - - name: Use the AppLocker Windows PowerShell cmdlets - href: use-the-applocker-windows-powershell-cmdlets.md - - name: Use AppLocker and Software Restriction Policies in the same domain - href: use-applocker-and-software-restriction-policies-in-the-same-domain.md - - name: Optimize AppLocker performance - href: optimize-applocker-performance.md - - name: Monitor app usage with AppLocker - href: monitor-application-usage-with-applocker.md - - name: Manage packaged apps with AppLocker - href: manage-packaged-apps-with-applocker.md - - name: Working with AppLocker rules - href: working-with-applocker-rules.md - items: - - name: Create a rule that uses a file hash condition - href: create-a-rule-that-uses-a-file-hash-condition.md - - name: Create a rule that uses a path condition - href: create-a-rule-that-uses-a-path-condition.md - - name: Create a rule that uses a publisher condition - href: create-a-rule-that-uses-a-publisher-condition.md - - name: Create AppLocker default rules - href: create-applocker-default-rules.md - - name: Add exceptions for an AppLocker rule - href: configure-exceptions-for-an-applocker-rule.md - - name: Create a rule for packaged apps - href: create-a-rule-for-packaged-apps.md - - name: Delete an AppLocker rule - href: delete-an-applocker-rule.md - - name: Edit AppLocker rules - href: edit-applocker-rules.md - - name: Enable the DLL rule collection - href: enable-the-dll-rule-collection.md - - name: Enforce AppLocker rules - href: enforce-applocker-rules.md - - name: Run the Automatically Generate Rules wizard - href: run-the-automatically-generate-rules-wizard.md - - name: Working with AppLocker policies - href: working-with-applocker-policies.md - items: - - name: Configure the Application Identity service - href: configure-the-application-identity-service.md - - name: Configure an AppLocker policy for audit only - href: configure-an-applocker-policy-for-audit-only.md - - name: Configure an AppLocker policy for enforce rules - href: configure-an-applocker-policy-for-enforce-rules.md - - name: Display a custom URL message when users try to run a blocked app - href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md - - name: Export an AppLocker policy from a GPO - href: export-an-applocker-policy-from-a-gpo.md - - name: Export an AppLocker policy to an XML file - href: export-an-applocker-policy-to-an-xml-file.md - - name: Import an AppLocker policy from another computer - href: import-an-applocker-policy-from-another-computer.md - - name: Import an AppLocker policy into a GPO - href: import-an-applocker-policy-into-a-gpo.md - - name: Add rules for packaged apps to existing AppLocker rule-set - href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md - - name: Merge AppLocker policies by using Set-ApplockerPolicy - href: merge-applocker-policies-by-using-set-applockerpolicy.md - - name: Merge AppLocker policies manually - href: merge-applocker-policies-manually.md - - name: Refresh an AppLocker policy - href: refresh-an-applocker-policy.md - - name: Test an AppLocker policy by using Test-AppLockerPolicy - href: test-an-applocker-policy-by-using-test-applockerpolicy.md - - name: AppLocker design guide - href: applocker-policies-design-guide.md - items: - - name: Understand AppLocker policy design decisions - href: understand-applocker-policy-design-decisions.md - - name: Determine your application control objectives - href: determine-your-application-control-objectives.md - - name: Create a list of apps deployed to each business group - href: create-list-of-applications-deployed-to-each-business-group.md - items: - - name: Document your app list - href: document-your-application-list.md - - name: Select the types of rules to create - href: select-types-of-rules-to-create.md - items: - - name: Document your AppLocker rules - href: document-your-applocker-rules.md - - name: Determine the Group Policy structure and rule enforcement - href: determine-group-policy-structure-and-rule-enforcement.md - items: - - name: Understand AppLocker enforcement settings - href: understand-applocker-enforcement-settings.md - - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy - href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md - - name: Document the Group Policy structure and AppLocker rule enforcement - href: document-group-policy-structure-and-applocker-rule-enforcement.md - - name: Plan for AppLocker policy management - href: plan-for-applocker-policy-management.md - - name: AppLocker deployment guide - href: applocker-policies-deployment-guide.md - items: - - name: Understand the AppLocker policy deployment process - href: understand-the-applocker-policy-deployment-process.md - - name: Requirements for Deploying AppLocker Policies - href: requirements-for-deploying-applocker-policies.md - - name: Use Software Restriction Policies and AppLocker policies - href: using-software-restriction-policies-and-applocker-policies.md - - name: Create Your AppLocker policies - href: create-your-applocker-policies.md - items: - - name: Create Your AppLocker rules - href: create-your-applocker-rules.md - - name: Deploy the AppLocker policy into production - href: deploy-the-applocker-policy-into-production.md - items: - - name: Use a reference device to create and maintain AppLocker policies - href: use-a-reference-computer-to-create-and-maintain-applocker-policies.md - - name: Determine which apps are digitally signed on a reference device - href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md - - name: Configure the AppLocker reference device - href: configure-the-appLocker-reference-device.md - - name: AppLocker technical reference - href: applocker-technical-reference.md - items: - - name: What Is AppLocker? - href: what-is-applocker.md - - name: Requirements to use AppLocker - href: requirements-to-use-applocker.md - - name: AppLocker policy use scenarios - href: applocker-policy-use-scenarios.md - - name: How AppLocker works - href: how-applocker-works-techref.md - items: - - name: Understanding AppLocker rule behavior - href: understanding-applocker-rule-behavior.md - - name: Understanding AppLocker rule exceptions - href: understanding-applocker-rule-exceptions.md - - name: Understanding AppLocker rule collections - href: understanding-applocker-rule-collections.md - - name: Understanding AppLocker allow and deny actions on rules - href: understanding-applocker-allow-and-deny-actions-on-rules.md - - name: Understanding AppLocker rule condition types - href: understanding-applocker-rule-condition-types.md - items: - - name: Understanding the publisher rule condition in AppLocker - href: understanding-the-publisher-rule-condition-in-applocker.md - - name: Understanding the path rule condition in AppLocker - href: understanding-the-path-rule-condition-in-applocker.md - - name: Understanding the file hash rule condition in AppLocker - href: understanding-the-file-hash-rule-condition-in-applocker.md - - name: Understanding AppLocker default rules - href: understanding-applocker-default-rules.md - items: - - name: Executable rules in AppLocker - href: executable-rules-in-applocker.md - - name: Windows Installer rules in AppLocker - href: windows-installer-rules-in-applocker.md - - name: Script rules in AppLocker - href: script-rules-in-applocker.md - - name: DLL rules in AppLocker - href: dll-rules-in-applocker.md - - name: Packaged apps and packaged app installer rules in AppLocker - href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md - - name: AppLocker architecture and components - href: applocker-architecture-and-components.md - - name: AppLocker processes and interactions - href: applocker-processes-and-interactions.md - - name: AppLocker functions - href: applocker-functions.md - - name: Security considerations for AppLocker - href: security-considerations-for-applocker.md - - name: Tools to Use with AppLocker - href: tools-to-use-with-applocker.md - items: - - name: Using Event Viewer with AppLocker - href: using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker-settings.md From 6b0c08eb894bb6adc41e3800dc12a48711d40b8d Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:22:46 +0530 Subject: [PATCH 282/458] Added Windows 11 to the table as per the comment in the description --- .../configure-md-app-guard.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index a8c72499c0..1bfbbc69ae 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -53,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| |Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| From e0fc4abc99e7c8959f8ee3ed6ac4633fc9c01728 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:24:01 +0530 Subject: [PATCH 283/458] updated --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 1bfbbc69ae..593010cfed 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -62,4 +62,4 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| From 030b57d0a4fc7af404973668d0ee84d13280ebd3 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 14:28:59 +0530 Subject: [PATCH 284/458] Added Windows 11 whereever applicable. These were missed out --- .../install-md-app-guard.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 6c2db12e7d..f4f8a176f7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -36,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de Applies to: - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Pro edition, version 1803 +- Windows 11 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario. @@ -43,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher +- Windows 11 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. @@ -68,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. +1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -122,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick 1. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. From 5f9f95715d66acba5f6457d3063d1231e4acbbae Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 20 Sep 2021 15:00:13 +0530 Subject: [PATCH 285/458] Updated --- .../md-app-guard-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 010f230e70..640f7eae00 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Application Guard (Windows 10) +title: Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: m365-security ms.mktglfcycl: manage @@ -56,4 +56,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 54672073b30c07dd4456d012bfb8f9181561bf1e Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 20 Sep 2021 17:55:46 +0530 Subject: [PATCH 286/458] Updated for 5358858 --- .../configure-md-app-guard.md | 4 ++-- .../install-md-app-guard.md | 2 +- .../md-app-guard-browser-extension.md | 3 ++- .../test-scenarios-md-app-guard.md | 11 +++++++---- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 593010cfed..d3480738e7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/16/2021 +ms.date: 09/20/2021 ms.reviewer: manager: dansimp ms.custom: asr diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index f4f8a176f7..c16ce0700e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Enable hardware-based isolation for Microsoft Edge (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.prod: m365-security ms.mktglfcycl: manage diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index a3a578cd53..90f1d07fca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -24,7 +24,7 @@ ms.technology: mde [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. > [!TIP] > Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. @@ -38,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions - Windows 10 Professional - Windows 10 Enterprise - Windows 10 Education +- Windows 11 Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 3e07e70fdc..292813b7c0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: m365-security ms.mktglfcycl: manage @@ -51,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](./install-md-app-guard.md#install-application-guard). @@ -112,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 +- Windows 11 #### Copy and paste options @@ -170,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. > [!NOTE] - > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11. > > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. > @@ -180,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 +- Windows 11 #### Download options @@ -211,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 +- Windows 11 #### File trust options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. -2. Click **Enabled**, set **Options** to 2, and click **OK**. +2. Click **Enabled**, set **Options** to **2**, and click **OK**. ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) From 9684f9de539514cac158435315d1c3e360233e8e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 21 Sep 2021 00:05:11 +0530 Subject: [PATCH 287/458] u --- .../mdm/policy-csp-admx-folderredirection.md | 24 +- .../mdm/policy-csp-admx-globalization.md | 206 ++++++++++-------- 2 files changed, 133 insertions(+), 97 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 9f945c9f33..dd4a6ae95e 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -79,8 +79,8 @@ manager: dansimp

EducationNoNoYesYes
@@ -160,8 +160,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -240,8 +240,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -314,8 +314,8 @@ ADMX Info: Yes Education - No - No + Yes + Yes @@ -392,8 +392,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -469,8 +469,8 @@ ADMX Info: Education - No - No + Yes + Yes diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 69442d3b5d..d558de2248 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -131,8 +131,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -208,8 +208,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -286,13 +286,13 @@ ADMX Info: Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -374,8 +374,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -457,8 +457,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -537,8 +537,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -616,8 +616,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -693,8 +693,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -782,8 +782,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -871,8 +871,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -948,8 +948,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1027,8 +1027,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1107,8 +1107,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1184,8 +1184,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1263,8 +1263,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1342,8 +1342,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1421,8 +1421,8 @@ ADMX Info: Education - No - No> + Yes + Yes> @@ -1522,7 +1522,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1561,28 +1561,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1599,7 +1605,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. @@ -1632,28 +1638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1670,7 +1682,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. @@ -1704,28 +1716,34 @@ ADMX Info: - - + + + - + + - + + /td> - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1742,7 +1760,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. @@ -1777,28 +1795,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1815,7 +1839,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. @@ -1849,28 +1873,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1887,7 +1917,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. @@ -1922,28 +1952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1960,7 +1996,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. +This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. From f595ca95fbca8e50be62f8285f8356353ba3bde2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:07:42 -0700 Subject: [PATCH 288/458] Update index.yml --- windows/security/index.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0807b2123a..287a123350 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,7 +11,7 @@ metadata: ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 09/17/2021 + ms.date: 09/20/2021 localization_priority: Priority # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -54,7 +54,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Operating system security + - text: Overview url: operating-system.md - linkListType: concept links: @@ -117,11 +117,11 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: User protection + - title: User security and secured identity linkLists: - linkListType: overview links: - - text: Windows identity security + - text: Overview url: identity.md - linkListType: concept links: @@ -146,7 +146,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Security foundations + - text: Overview url: security-foundations.md - linkListType: reference links: From dc78c5d5cb557e61a1e60bef8a7c09cc3b905147 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:10:26 -0700 Subject: [PATCH 289/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 46d6c42528..e86b164792 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -447,7 +447,7 @@ - name: Overview href: cloud.md - name: Mobile device management - href: client-management/mdm.md + href: client-management/mdm/index.md - name: Windows 365 Cloud PCs href: /windows-365/overview - name: Azure Virtual Desktop From 34aadbfc6e062f9ecd7b8dc8b460461df3243f23 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:13:28 -0700 Subject: [PATCH 290/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 287a123350..c637b78687 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -105,7 +105,7 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: client-management/mdm.md + url: client-management/mdm/index.md - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account From ff2d12f60bf9273caf78e29c07743bb392c78ac4 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:17:34 -0700 Subject: [PATCH 291/458] Update cloud.md --- windows/security/cloud.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 81019491b7..4e2d1d9f9e 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/17/2021 +ms.date: 09/20/2021 ms.localizationpriority: medium ms.custom: f1.keywords: NOCSH @@ -28,12 +28,12 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [MDM and Windows](../client-management/mdm/index.md). | +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](../client-management/mdm/index.md). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | ## Next steps -- [Learn more about MDM and Windows 11](mdm-windows.md) +- [Learn more about MDM and Windows 11](../client-management/mdm/index.md) - [Learn more about Windows security](index.yml) \ No newline at end of file From 3a6cc4c7d4b8774fe8f079648693f8d04e51a214 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:24:53 -0700 Subject: [PATCH 292/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index c637b78687..0472ae7481 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -105,7 +105,7 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: client-management/mdm/index.md + url: windows/client-management/mdm/index.md - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account From fbf07f5dfd0b72691df874be5713bb8218f0057d Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:28:19 -0700 Subject: [PATCH 293/458] Update index.yml --- windows/security/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 0472ae7481..faaade9a1b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -105,7 +105,7 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: windows/client-management/mdm/index.md + url: https://docs.microsoft.com/windows/client-management/mdm/ - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account From 7b4135e87a0f941598f17e0808fdc0d00683cc26 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:28:47 -0700 Subject: [PATCH 294/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index e86b164792..8eb8e35f21 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -447,7 +447,7 @@ - name: Overview href: cloud.md - name: Mobile device management - href: client-management/mdm/index.md + href: https://docs.microsoft.com/windows/client-management/mdm/ - name: Windows 365 Cloud PCs href: /windows-365/overview - name: Azure Virtual Desktop From dc7e7c88713bcb8d1afd28ae95ae51be1b27abb5 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:31:55 -0700 Subject: [PATCH 295/458] Update cloud.md --- windows/security/cloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 4e2d1d9f9e..7bccc2aa84 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -28,12 +28,12 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](../client-management/mdm/index.md). | +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | ## Next steps -- [Learn more about MDM and Windows 11](../client-management/mdm/index.md) +- [Learn more about MDM and Windows 11](/windows/client-management/mdm/) - [Learn more about Windows security](index.yml) \ No newline at end of file From 18891fb08147e3ab1930cadeb82ddc2df3c03f09 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:35:32 -0700 Subject: [PATCH 296/458] Update index.yml --- windows/security/index.yml | 42 +++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index faaade9a1b..64e0ecd4fb 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -94,27 +94,6 @@ landingContent: - text: S/MIME for Windows url: identity-protection/configure-s-mime.md # Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Cloud services - linkLists: - - linkListType: overview - links: - - text: Overview - url: cloud.md - - linkListType: concept - links: - - text: Mobile device management - url: https://docs.microsoft.com/windows/client-management/mdm/ - - text: Azure Active Directory - url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - - text: Your Microsoft Account - url: identity-protection/access-control/microsoft-accounts.md - - text: OneDrive - url: https://docs.microsoft.com/onedrive/onedrive - - text: Family safety - url: threat-protection/windows-defender-security-center/wdsc-family-options.md -# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: User security and secured identity @@ -140,6 +119,27 @@ landingContent: - text: Smart cards url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md # Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept + links: + - text: Mobile device management + url: https://docs.microsoft.com/windows/client-management/mdm/ + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: Your Microsoft Account + url: identity-protection/access-control/microsoft-accounts.md + - text: OneDrive + url: https://docs.microsoft.com/onedrive/onedrive + - text: Family safety + url: threat-protection/windows-defender-security-center/wdsc-family-options.md +# Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - title: Security foundations From 801a5de6667d3cf4a4f8daa7acbe43f1ee2fb2a4 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 12:38:07 -0700 Subject: [PATCH 297/458] Update TOC.yml --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 8eb8e35f21..b2c47ab56b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -336,7 +336,7 @@ href: identity-protection\configure-s-mime.md - name: Windows Credential Theft Mitigation Guide Abstract href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md -- name: Identity and user security +- name: User security and secured identity items: - name: Overview href: identity.md From 3a7820f2bda13cc304fa5b87112be38219246843 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Mon, 20 Sep 2021 14:29:43 -0700 Subject: [PATCH 298/458] Update hardware.md --- windows/security/hardware.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 5fbcc6156a..ae5f6ae709 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -15,13 +15,13 @@ ms.technology: windows-sec # Windows hardware security -Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. +Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

| Security Measures | Features & Capabilities | |:---|:---| | Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | | Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | -| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). -| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily-accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | -| Secure core devices | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that features deeply integrated hardware, firmware and software to ensure enhanced security for devices, identities and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secure core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secure core devices | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secure core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| From f4b6943770ad34a2fd5ee0325e3e1936ca26890b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 20 Sep 2021 15:04:18 -0700 Subject: [PATCH 299/458] reorg --- windows/security/TOC.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index b2c47ab56b..5d2f4c0bdf 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -149,13 +149,6 @@ href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - - name: Windows security baselines - href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - name: Network security items: - name: VPN technical guide @@ -185,6 +178,13 @@ href: identity-protection/vpn/vpn-office-365-optimization.md - name: Windows Defender Firewall href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - name: Virus & threat protection items: - name: Overview From cc0caf6d2bb98bf270634c341b0ff244063d90f9 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 21 Sep 2021 18:24:19 +0530 Subject: [PATCH 300/458] Updated 16 to 30 --- .../mdm/policy-csp-admx-nca.md | 176 ++- .../mdm/policy-csp-admx-ncsi.md | 154 ++- .../mdm/policy-csp-admx-netlogon.md | 770 +++++++----- .../mdm/policy-csp-admx-networkconnections.md | 594 ++++++---- .../mdm/policy-csp-admx-offlinefiles.md | 1034 +++++++++++------ .../mdm/policy-csp-admx-peertopeercaching.md | 198 ++-- .../policy-csp-admx-performancediagnostics.md | 88 +- .../mdm/policy-csp-admx-power.md | 550 +++++---- ...licy-csp-admx-powershellexecutionpolicy.md | 88 +- .../mdm/policy-csp-admx-printing.md | 572 +++++---- .../mdm/policy-csp-admx-printing2.md | 198 ++-- .../mdm/policy-csp-admx-programs.md | 154 ++- .../mdm/policy-csp-admx-reliability.md | 88 +- .../mdm/policy-csp-admx-remoteassistance.md | 44 +- .../mdm/policy-csp-admx-removablestorage.md | 704 +++++++---- 15 files changed, 3444 insertions(+), 1968 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index f35134f108..1148c8b887 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -57,28 +57,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -95,7 +101,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -136,28 +142,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -174,7 +186,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. > [!TIP] @@ -201,28 +213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -239,7 +257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -272,28 +290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -310,7 +334,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. @@ -339,28 +363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -377,7 +407,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -415,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -453,7 +489,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. +This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. @@ -481,28 +517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -519,7 +561,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. @@ -550,28 +592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -588,7 +636,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 4981561468..a970faaac9 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -54,28 +54,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -92,7 +98,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. > [!TIP] @@ -119,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -157,7 +169,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. > [!TIP] @@ -184,28 +196,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -222,7 +240,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. > [!TIP] @@ -249,28 +267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -287,7 +311,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. > [!TIP] @@ -317,28 +341,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -355,7 +385,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. > [!TIP] @@ -382,28 +412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -420,7 +456,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. > [!TIP] @@ -447,28 +483,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -485,7 +527,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index f8c2d7401e..4b32723dd1 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -138,28 +138,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -176,7 +182,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -215,28 +221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -253,7 +265,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. @@ -290,28 +302,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -328,7 +346,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. @@ -363,28 +381,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -401,7 +425,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -438,28 +462,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -476,7 +506,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -513,28 +543,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -551,7 +587,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -586,28 +622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -624,7 +666,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. @@ -662,28 +704,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -700,7 +748,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -737,28 +785,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -775,7 +829,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -815,28 +869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -853,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -895,28 +955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -933,7 +999,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. @@ -967,28 +1033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1005,7 +1077,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). > [!TIP] @@ -1034,28 +1106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,7 +1150,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. +This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1109,28 +1187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1147,7 +1231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1208,28 +1292,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1246,7 +1336,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. @@ -1284,28 +1374,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1322,7 +1418,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1360,28 +1456,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1398,7 +1500,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). @@ -1430,28 +1532,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1468,7 +1576,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). @@ -1501,28 +1609,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1539,7 +1653,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. @@ -1576,28 +1690,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1614,7 +1734,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. @@ -1649,28 +1769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1687,7 +1813,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1725,28 +1851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1763,7 +1895,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1798,28 +1930,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1836,7 +1974,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1871,28 +2009,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1909,7 +2053,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. @@ -1942,28 +2086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1980,7 +2130,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2015,28 +2165,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2053,7 +2209,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2087,28 +2243,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2125,7 +2287,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2165,28 +2327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2203,7 +2371,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). @@ -2234,28 +2402,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2272,7 +2446,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2312,28 +2486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2350,7 +2530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2389,28 +2569,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2427,7 +2613,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2462,28 +2648,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2500,7 +2692,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. +This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2535,28 +2727,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2573,7 +2771,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2613,28 +2811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2651,7 +2855,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. @@ -2688,28 +2892,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2726,7 +2936,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 42d74dc6ad..22f39d543e 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -115,28 +115,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +159,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. +This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. @@ -195,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -233,7 +245,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. +This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. @@ -271,28 +283,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +327,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. +This policy setting determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. @@ -352,28 +370,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -390,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. +This policy setting Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. @@ -428,28 +452,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -466,7 +496,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. +This policy setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -510,28 +540,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -548,7 +584,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. +This policy setting determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. @@ -590,28 +626,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -628,7 +670,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. +This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. @@ -663,28 +705,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -701,7 +749,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. +This policy setting specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. @@ -732,28 +780,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -770,7 +824,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. +This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. @@ -808,28 +862,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -846,7 +906,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. @@ -881,28 +941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -919,7 +985,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. @@ -950,28 +1016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -988,7 +1060,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. +This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. @@ -1034,28 +1106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,7 +1150,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. +This policy setting determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1110,28 +1188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1148,7 +1232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. +This policy setting determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. @@ -1188,28 +1272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1226,7 +1316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. +This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. @@ -1264,28 +1354,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1302,7 +1398,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. +This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. @@ -1342,28 +1438,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1380,7 +1482,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. +This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1424,28 +1526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1462,7 +1570,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. +This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. @@ -1506,28 +1614,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1544,7 +1658,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. +This policy setting determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). @@ -1577,28 +1691,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1615,7 +1735,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. +This policy setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1657,28 +1777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1695,7 +1821,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. +This policy setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1737,28 +1863,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1775,7 +1907,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. +This policy setting Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. @@ -1815,28 +1947,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1853,7 +1991,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. +This policy setting determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. @@ -1891,28 +2029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1929,7 +2073,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. +This policy setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1967,28 +2111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2005,7 +2155,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. +This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. @@ -2049,28 +2199,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2087,7 +2243,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. +This policy setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. @@ -2122,28 +2278,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2160,7 +2322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. +This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index fa64224da3..51ec6464ca 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -171,28 +171,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -209,7 +215,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -242,28 +248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -280,7 +292,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -316,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -354,7 +372,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -390,28 +408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -428,7 +452,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. @@ -461,28 +485,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -499,7 +529,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -542,28 +572,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -580,7 +616,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -626,28 +662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -664,7 +706,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -710,28 +752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -748,7 +796,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -790,28 +838,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -828,7 +882,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -864,28 +918,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -902,7 +962,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. +This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -941,28 +1001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -979,7 +1045,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1021,28 +1087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1059,7 +1131,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1101,28 +1173,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1139,7 +1217,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. @@ -1170,28 +1248,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1208,7 +1292,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. +Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1244,28 +1328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1282,7 +1372,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1328,28 +1418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1366,7 +1462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1412,28 +1508,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1450,7 +1552,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1486,28 +1588,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1524,7 +1632,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1560,28 +1668,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1598,7 +1712,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1634,28 +1748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1672,7 +1792,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1708,28 +1828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1746,7 +1872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1781,28 +1907,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1819,7 +1951,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1854,28 +1986,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1892,7 +2030,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1931,28 +2069,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1969,7 +2113,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -2008,28 +2152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2046,7 +2196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2088,28 +2238,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2126,7 +2282,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2168,28 +2324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2206,7 +2368,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. @@ -2241,28 +2403,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2279,7 +2447,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2312,28 +2480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2350,7 +2524,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. +This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2384,28 +2558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2422,7 +2602,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. @@ -2453,28 +2633,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2491,7 +2677,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2527,28 +2713,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2565,7 +2757,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2601,28 +2793,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2639,7 +2837,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2670,28 +2868,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2708,7 +2912,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. @@ -2739,28 +2943,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2777,7 +2987,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2808,28 +3018,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2846,7 +3062,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. @@ -2877,28 +3093,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2915,7 +3137,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. @@ -2956,28 +3178,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2994,7 +3222,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3030,28 +3258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3068,7 +3302,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3108,28 +3342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3146,7 +3386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3186,28 +3426,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3224,7 +3470,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3266,28 +3512,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3304,7 +3556,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3344,28 +3596,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3382,7 +3640,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3416,28 +3674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3454,7 +3718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3488,28 +3752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3526,7 +3796,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. @@ -3557,28 +3827,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3595,7 +3871,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. @@ -3626,28 +3902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3664,7 +3946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 790bed78ed..06e6d88a46 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -59,28 +59,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -97,7 +103,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -139,28 +145,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -177,7 +189,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -217,28 +229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -255,7 +273,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -301,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -339,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. @@ -388,28 +412,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -426,7 +456,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. @@ -471,28 +501,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -509,7 +545,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration @@ -548,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -586,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -632,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -670,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -713,28 +761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -751,7 +805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index cd77c701e3..088f65c0dc 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -122,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -160,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -199,28 +211,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -237,7 +255,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -276,28 +294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -314,7 +338,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 17087dd1d9..4b6fc28e8f 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -108,28 +108,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -146,7 +152,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -179,28 +185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -217,7 +229,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). @@ -248,28 +260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -286,7 +304,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -321,28 +339,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -359,7 +383,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. @@ -390,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -428,7 +458,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. @@ -459,28 +489,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -497,7 +533,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. @@ -528,28 +564,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -566,7 +608,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. @@ -597,28 +639,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -635,7 +683,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. +This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. @@ -666,28 +714,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -704,7 +758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. If you enable this policy setting, select one of the following actions: @@ -740,28 +794,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -778,7 +838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If you enable this policy setting, select one of the following actions: @@ -814,28 +874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -852,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. @@ -885,28 +951,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -923,7 +995,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. @@ -958,28 +1030,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -996,7 +1074,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. @@ -1029,28 +1107,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1067,7 +1151,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -1100,28 +1184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1138,7 +1228,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). @@ -1169,28 +1259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1207,7 +1303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -1242,28 +1338,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1280,7 +1382,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. @@ -1311,28 +1413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1349,7 +1457,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. @@ -1380,28 +1488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1418,7 +1532,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. @@ -1455,28 +1569,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1493,7 +1613,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1526,28 +1646,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1564,7 +1690,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1597,28 +1723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1635,7 +1767,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. +This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, specify a power plan from the Active Power Plan list. @@ -1666,28 +1798,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1704,7 +1842,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. @@ -1735,28 +1873,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1773,7 +1917,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. +This policy setting allows you to turn off Power Throttling. If you enable this policy setting, Power Throttling will be turned off. @@ -1804,28 +1948,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1842,7 +1992,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. +This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index dff726a8e8..e53466c621 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -84,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. +This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. @@ -120,28 +126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -159,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. +This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. @@ -195,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +252,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. +This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. @@ -270,28 +288,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. +This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 2376b4480e..e2d5216e21 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -112,28 +112,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -150,7 +156,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. +Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. @@ -188,28 +194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +238,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. +Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. @@ -264,28 +276,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,7 +320,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. +By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. @@ -340,28 +358,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -378,7 +402,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. +This policy setting allows you to manage where client computers search for Point and Printer drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. @@ -413,28 +437,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -451,7 +481,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled, the network scan page will not be displayed. @@ -496,28 +526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -534,7 +570,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. +Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. @@ -568,28 +604,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -606,7 +648,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only effects printing to a Windows print server. @@ -648,28 +690,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -686,7 +734,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. +Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. @@ -715,28 +763,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -753,7 +807,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. +Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. @@ -788,28 +842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -826,7 +886,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. @@ -862,28 +922,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -900,7 +966,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. +This preference allows you to change default printer management. If you enable this setting, Windows will not manage the default printer. @@ -933,28 +999,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -971,7 +1043,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). @@ -1002,28 +1074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1040,7 +1118,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. +If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. @@ -1073,28 +1151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1111,7 +1195,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) If this setting is disabled, the network scan page will not be displayed. @@ -1153,28 +1237,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1191,7 +1281,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. @@ -1222,28 +1312,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1260,7 +1356,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. @@ -1291,28 +1387,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1329,7 +1431,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1364,28 +1466,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1402,7 +1510,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1437,28 +1545,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1475,7 +1589,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. +If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -1510,28 +1624,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1548,7 +1668,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. +Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. @@ -1581,28 +1701,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1619,7 +1745,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. @@ -1655,28 +1781,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1693,7 +1825,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. @@ -1729,28 +1861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1767,7 +1905,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. +Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. @@ -1800,28 +1938,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1838,7 +1982,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. +Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. @@ -1876,28 +2020,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1914,7 +2064,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. +This policy controls whether the print job name will be included in print event logs. If you disable or do not configure this policy setting, the print job name will not be included. @@ -1948,28 +2098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1986,7 +2142,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. +This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 55aeef679a..6dd43fb7c3 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -60,28 +60,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -98,7 +104,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. +Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. @@ -134,28 +140,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -172,7 +184,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. +Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. @@ -208,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -246,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. @@ -289,28 +307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -327,7 +351,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. +Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -365,28 +389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -403,7 +433,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. +Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. @@ -439,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -477,7 +513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. +Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -515,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -553,7 +595,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. +Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. @@ -591,28 +633,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -629,7 +677,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. +This policy controls whether the print spooler will accept client connections. When the policy is not configured or enabled, the spooler will always accept client connections. @@ -662,28 +710,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -700,7 +754,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. +Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 269ccd44c0..666626b0f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -54,28 +54,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -92,7 +98,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. @@ -127,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -165,7 +177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. +Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. @@ -203,28 +215,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -241,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. +This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. @@ -274,28 +292,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -312,7 +336,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. +This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be available to all users. @@ -343,28 +367,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -381,7 +411,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. +This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. @@ -416,28 +446,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -454,7 +490,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. @@ -485,28 +521,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -523,7 +565,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. +This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 917a3bcdc5..c5d4d1c0ef 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -45,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -121,28 +127,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -159,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -196,28 +208,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +252,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -274,28 +292,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -312,7 +336,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 485d680915..f4cf7d10ed 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +83,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. @@ -110,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -148,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. +This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index b839eb3de7..2f66562c7a 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -129,28 +129,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -167,7 +173,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -201,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -239,7 +251,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -273,28 +285,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -311,7 +329,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. +This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. @@ -342,28 +360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -380,7 +404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. @@ -410,28 +434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -448,7 +478,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. @@ -479,28 +509,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -517,7 +553,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. @@ -548,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -586,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. @@ -617,28 +659,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -655,7 +703,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. @@ -686,28 +734,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -724,7 +778,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. @@ -755,28 +809,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -793,7 +853,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. @@ -823,28 +883,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -861,7 +927,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. @@ -891,28 +957,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -929,7 +1001,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access is denied to this removable storage class. @@ -959,28 +1031,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -997,7 +1075,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. @@ -1027,28 +1105,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1065,7 +1149,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. @@ -1095,28 +1179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1133,7 +1223,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. @@ -1162,28 +1252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1200,7 +1296,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. @@ -1230,28 +1326,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1268,7 +1370,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. +This policy setting denies execute access to removable disks. If you enable this policy setting, execute access is denied to this removable storage class. @@ -1297,28 +1399,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1335,7 +1443,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. @@ -1365,28 +1473,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1403,7 +1517,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. @@ -1432,28 +1546,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1470,7 +1590,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. +This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this removable storage class. @@ -1503,28 +1623,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1541,7 +1667,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1573,28 +1699,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1611,7 +1743,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1643,28 +1775,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1681,7 +1819,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. +This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. @@ -1711,28 +1849,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1749,7 +1893,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. +This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. @@ -1779,28 +1923,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1817,7 +1967,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. @@ -1846,28 +1996,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1884,7 +2040,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. @@ -1914,28 +2070,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1952,7 +2114,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. @@ -1981,28 +2143,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2019,7 +2187,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. @@ -2049,28 +2217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2087,7 +2261,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. @@ -2117,28 +2291,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2155,7 +2335,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. @@ -2184,28 +2364,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2222,7 +2408,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. @@ -2252,28 +2438,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2290,7 +2482,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. From 9dd48686ca8452d41d2290d2a7d0199fd9b9bfce Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 10:58:03 -0700 Subject: [PATCH 301/458] Update zero-trust-windows-device-health.md --- windows/security/zero-trust-windows-device-health.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 41ad5cd387..6a133de741 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -19,18 +19,18 @@ Today’s organizations need a new security model that more effectively adapts t The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-trust) are threefold. -**Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. +- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. -**Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive polices, and data protection to help secure data and maintain productivity. +- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity. -**Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. +- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. For Windows 11, the Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows 11 provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. And Windows 11 works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT Administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. ## Device health attestation on Windows Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: -- If the device can be trusted. This is determined with the help of a secure root of trust (Trusted Platform Module). Devices can attest that the TPM is enabled and in the attestation flow. +- If the device can be trusted. The determination is made with the help of a secure root of trust (Trusted Platform Module). Devices can attest that the TPM is enabled and in the attestation flow. - If the OS booted correctly. Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. - If the OS has the right set of security features enabled. Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot and other low-level hardware and firmware security features to protect your PC from attacks. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations helps keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your systems boot, allowing relying parties to bind trust to the device and its security. From 25071781e9f44852b2978f60abbb123e1983270f Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 10:59:30 -0700 Subject: [PATCH 302/458] Update zero-trust-windows-device-health.md --- windows/security/zero-trust-windows-device-health.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 6a133de741..259a09da92 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -31,16 +31,22 @@ For Windows 11, the Zero Trust concept of verify explicitly applies to the risks Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: - If the device can be trusted. The determination is made with the help of a secure root of trust (Trusted Platform Module). Devices can attest that the TPM is enabled and in the attestation flow. + - If the OS booted correctly. Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. + - If the OS has the right set of security features enabled. Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot and other low-level hardware and firmware security features to protect your PC from attacks. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations helps keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your systems boot, allowing relying parties to bind trust to the device and its security. A summary of the steps involved in attestation and Zero Trust on the device side are as follows: 1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. + 2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that’s sent to the attestation service (learn more about the attestation service below). + 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). + 4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. + 5. The attestation service does the following: - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. @@ -48,9 +54,11 @@ A summary of the steps involved in attestation and Zero Trust on the device side - Verify that the security features are in the expected states. 6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. + 7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. + 8. Conditional access, along with device-compliance state then decides to grant access to protected resource or not. ## Additional Resources -Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/) +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/). From 4fabe42624590f685149b2f86f1d13ea48083d34 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 12:50:30 -0700 Subject: [PATCH 303/458] Update trusted-boot.md --- windows/security/trusted-boot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 69631d8340..8f33995589 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -1,5 +1,5 @@ --- -title: Trusted Boot +title: Secure Boot and Trusted Boot description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 search.appverid: MET150 author: denisebmsft @@ -7,7 +7,7 @@ ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 09/21/2021 ms.prod: w10 ms.localizationpriority: medium ms.collection: From 27ca51efc3c1876435d0a4ca0ef84c993ed848a2 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 12:51:55 -0700 Subject: [PATCH 304/458] Update security-foundations.md --- windows/security/security-foundations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md index 2e2f94b61b..7ec5414862 100644 --- a/windows/security/security-foundations.md +++ b/windows/security/security-foundations.md @@ -18,7 +18,7 @@ ms.technology: windows-sec Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. -Our strong security foundation leverages Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. +Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. Use the links in the following table to learn more about the security foundations:

From 41b1eb9c09c2873bce590ef20d041b72500dd382 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 12:52:28 -0700 Subject: [PATCH 305/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 9c4e6c86ea..c231c53e4b 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -12,7 +12,7 @@ author: denisebmsft ms.collection: M365-security-compliance ms.prod: m365-security ms.technology: windows-sec -ms.date: +ms.date: 09/21/2021 --- # Windows operating system security From f28c1928b10c6f0468da649945e64b55c0abb613 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 12:53:08 -0700 Subject: [PATCH 306/458] Update operating-system.md --- windows/security/operating-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index c231c53e4b..66115fef04 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -35,7 +35,7 @@ Windows Security app | The Windows built-in security application found in settin | Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| | Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | | Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | -| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | | Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | | Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | | Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). | From 6f36336636b21df687530f325ab798d13fbdd2ae Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Tue, 21 Sep 2021 12:56:09 -0700 Subject: [PATCH 307/458] little fixes --- windows/security/cryptography-certificate-mgmt.md | 3 ++- windows/security/encryption-data-protection.md | 3 ++- windows/security/trusted-boot.md | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index dbc385fefd..7c781c1bdf 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -8,7 +8,8 @@ manager: dansimp audience: ITPro ms.topic: conceptual ms.date: 09/07/2021 -ms.prod: w11 +ms.prod: m365-security +ms.technology: windows-sec ms.localizationpriority: medium ms.collection: ms.custom: diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index b9967d05ac..359afde71f 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -8,7 +8,8 @@ manager: dansimp audience: ITPro ms.topic: conceptual ms.date: 09/08/2021 -ms.prod: w11 +ms.prod: m365-security +ms.technology: windows-sec ms.localizationpriority: medium ms.collection: ms.custom: diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 8f33995589..6792a8df14 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -8,7 +8,8 @@ manager: dansimp audience: ITPro ms.topic: conceptual ms.date: 09/21/2021 -ms.prod: w10 +ms.prod: m365-security +ms.technology: windows-sec ms.localizationpriority: medium ms.collection: ms.custom: From f5239fafa2bf7dd1dad76e89e71bf407b80dbe8e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 21 Sep 2021 13:45:02 -0700 Subject: [PATCH 308/458] adding MDM baselines --- .../windows-security-baselines.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..ce11769894 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -11,22 +11,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/25/2018 +ms.date: ms.reviewer: ms.technology: mde --- # Windows security baselines -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Office 2016 ## Using security baselines in your organization -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. @@ -56,6 +51,10 @@ You can use security baselines to: ## Where can I get the security baselines? +[Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md) are the settings that Microsoft Intune supports for devices that run Windows 10 and Windows 11. The default values for settings represent the recommended configuration for applicable devices. + +[MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. + You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. From 6a1aca47b7e65e6d9687e4d2f124165ca727892a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 21 Sep 2021 14:53:35 -0700 Subject: [PATCH 309/458] more updates --- windows/security/TOC.yml | 2 ++ .../secure-the-windows-10-boot-process.md | 18 +++++++++--------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 5d2f4c0bdf..5773487419 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -43,6 +43,8 @@ href: operating-system.md - name: System security items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md - name: Trusted Boot href: trusted-boot.md - name: Cryptography and certificate management diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45659d1cac..a13435b388 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- -title: Secure the Windows 10 boot process -description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot process +title: Secure the Windows boot process +description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security @@ -12,12 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/16/2018 +ms.date: ms.reviewer: ms.author: dansimp --- -# Secure the Windows 10 boot process +# Secure the Windows boot process **Applies to:** - Windows 11 @@ -27,11 +27,11 @@ ms.author: dansimp The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. -Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. +Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. -When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. +When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you. @@ -61,7 +61,7 @@ Figure 1 shows the Windows startup process. **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** -Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. +Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot. @@ -131,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) +- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) From 9d66e08783cc32d6ee9da8bd6e97b55039f2034c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 21 Sep 2021 15:02:09 -0700 Subject: [PATCH 310/458] remvoing change list --- .openpublishing.redirection.json | 6 ++-- .../change-history-for-access-protection.md | 36 ------------------- 2 files changed, 3 insertions(+), 39 deletions(-) delete mode 100644 windows/security/identity-protection/change-history-for-access-protection.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1fc2ec8e56..00a95b4582 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18956,10 +18956,10 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", + "redirect_url": "/windows/security/", "redirect_document_id": false - }, + } ] diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md deleted file mode 100644 index 9cd9f0847d..0000000000 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Change history for access protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/11/2017 -ms.reviewer: ---- - -# Change history for access protection -This topic lists new and updated topics in the [Access protection](index.md) documentation. - -## August 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.| - -## June 2017 -|New or changed topic |Description | -|---------------------|------------| -|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New | - - -## March 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| \ No newline at end of file From 48ee84838917af9a3f73b9af3ca036115adaa112 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 23 Sep 2021 12:36:56 +0530 Subject: [PATCH 311/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 8 + .../policy-configuration-service-provider.md | 39 ++ .../mdm/policy-csp-admx-globalization.md | 2 - .../mdm/policy-csp-admx-touchinput.md | 333 ++++++++++++++++++ .../mdm/policy-csp-admx-wdi.md | 185 ++++++++++ .../mdm/policy-csp-admx-windowscolorsystem.md | 182 ++++++++++ windows/client-management/mdm/toc.yml | 6 + 7 files changed, 753 insertions(+), 2 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-touchinput.md create mode 100644 windows/client-management/mdm/policy-csp-admx-wdi.md create mode 100644 windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 6c81fd4df2..914708f36d 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1070,6 +1070,10 @@ ms.date: 10/08/2020 - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) +- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1) +- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2) +- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1) +- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2) - [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name) - [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name) - [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name) @@ -1221,9 +1225,13 @@ ms.date: 10/08/2020 - [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) - [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) - [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) +- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy) +- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy) - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) - [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled) +- [ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1](./policy-csp-admx-windowscolorsystem.md#admx-windowscolorsystem-prohibitchanginginstalledprofilelist_1] +- [ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2](./policy-csp-admx-windowscolorsystem.md#admx-windowscolorsystem-prohibitchanginginstalledprofilelist_2] - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a03f3f09f7..392a113392 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3727,6 +3727,23 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_TouchInput policies + +
+
+ ADMX_TouchInput/TouchInputOff_1 +
+
+ ADMX_TouchInput/TouchInputOff_2 +
+
+ ADMX_TouchInput/PanningEverywhereOff_1 +
+
+ ADMX_TouchInput/PanningEverywhereOff_2 +
+
+ ### ADMX_TPM policies
@@ -4205,6 +4222,17 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WDI Policies + +
+
+ ADMX_WDI/WdiDpsScenarioExecutionPolicy +
+
+ ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
+
+ ### ADMX_WinCal policies
@@ -4224,6 +4252,17 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WindowsColorSystem policies + +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
+
+ ### ADMX_WindowsConnectNow policies
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index d558de2248..6c360c3c98 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -13,8 +13,6 @@ manager: dansimp --- # Policy CSP - ADMX_Globalization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md new file mode 100644 index 0000000000..a5a34ab417 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -0,0 +1,333 @@ +--- +title: Policy CSP - ADMX_TouchInput +description: Policy CSP - ADMX_TouchInput +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TouchInput +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_TouchInput policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_TouchInput/TouchInputOff_1 +
+
+ ADMX_TouchInput/TouchInputOff_2 +
+
+ ADMX_TouchInput/PanningEverywhereOff_1 +
+
+ ADMX_TouchInput/PanningEverywhereOff_2 +
+
+ + +
+ + +**ADMX_TouchInput/TouchInputOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +**ADMX_TouchInput/TouchInputOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +
+ + +**ADMX_TouchInput/PanningEverywhereOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
+ +**ADMX_TouchInput/PanningEverywhereOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md new file mode 100644 index 0000000000..900905feee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WDI +description: Policy CSP - ADMX_WDI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WDI + +
+ + +## ADMX_WDI policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_WDI/WdiDpsScenarioExecutionPolicy +
+
+ ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
+
+ + +
+ + +**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. +When the service is stopped or disabled, diagnostic scenario data will not be deleted. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario retention* +- GP name: *WdiDpsScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
+ + +**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. + +- If you enable this policy setting, you must select an execution level from the drop-down menu. + +If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario execution level* +- GP name: *WdiDpsScenarioDataSizeLimitPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
+ + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md new file mode 100644 index 0000000000..fe79bb59e1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -0,0 +1,182 @@ +--- +title: Policy CSP - ADMX_WindowsColorSystem +description: Policy CSP - ADMX_WindowsColorSystem +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsColorSystem + +
+ + +## ADMX_WindowsColorSystem policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
+
+ + +
+ + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_1* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + +
+ + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_2* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + + +
+ + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1d385366fb..d04dd64448 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -577,6 +577,8 @@ items: href: policy-csp-admx-tcpip.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md - name: ADMX_TPM href: policy-csp-admx-tpm.md - name: ADMX_UserExperienceVirtualization @@ -587,10 +589,14 @@ items: href: policy-csp-admx-w32time.md - name: ADMX_WCM href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md - name: ADMX_WindowsAnytimeUpgrade href: policy-csp-admx-windowsanytimeupgrade.md + - name: ADMX_WindowsColorSystem + href: policy-csp-admx-windowscolorsystem.md - name: ADMX_WindowsConnectNow href: policy-csp-admx-windowsconnectnow.md - name: ADMX_WindowsExplorer From 72328e9427e400cf593faee1aaee0802c973c716 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 23 Sep 2021 16:32:10 +0530 Subject: [PATCH 312/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 8 + .../policy-configuration-service-provider.md | 29 + .../mdm/policy-csp-admx-errorreporting.md | 295 ++------ .../mdm/policy-csp-admx-eventforwarding.md | 32 +- .../mdm/policy-csp-admx-eventlog.md | 226 ++---- .../mdm/policy-csp-admx-explorer.md | 63 +- .../mdm/policy-csp-admx-filerecovery.md | 21 +- .../policy-csp-admx-fileservervssprovider.md | 21 +- .../mdm/policy-csp-admx-filesys.md | 100 +-- .../mdm/policy-csp-admx-folderredirection.md | 59 +- .../mdm/policy-csp-admx-globalization.md | 155 +---- .../mdm/policy-csp-admx-previousversions.md | 646 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 13 files changed, 892 insertions(+), 765 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-previousversions.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 914708f36d..bedfa39992 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -821,6 +821,14 @@ ms.date: 10/08/2020 - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) +- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1) +- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2) +- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1) +- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2) +- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1) +- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2) +- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1) +- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2) - [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) - [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) - [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 392a113392..9218729fca 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2862,6 +2862,35 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_PreviousVersions policies + +
+
+ ADMX_PreviousVersions/DisableLocalPage_1 +
+
+ ADMX_PreviousVersions/DisableLocalPage_2 +
+
+ ADMX_PreviousVersions/DisableRemotePage_1 +
+
+ ADMX_PreviousVersions/DisableRemotePage_2 +
+
+ ADMX_PreviousVersions/HideBackupEntries_1 +
+
+ ADMX_PreviousVersions/HideBackupEntries_2 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_1 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_2 +
+
+ ### ADMX_Printing policies
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 5db935cf84..05786ce5b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_ErrorReporting -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_ErrorReporting policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_ErrorReporting/PCH_AllOrNoneDef @@ -146,8 +151,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -177,12 +182,6 @@ This policy setting is ignored if the Configure Error Reporting policy setting i For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -227,8 +226,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -254,12 +253,6 @@ If this policy setting is enabled, the Exclude errors for applications on this l If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -304,8 +297,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -337,12 +330,7 @@ Also see the "Default Application Reporting" and "Application Exclusion List" po This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -387,8 +375,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -433,12 +421,6 @@ If you disable this policy setting, configuration settings in the policy setting See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -483,8 +465,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -512,12 +494,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -562,8 +538,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -587,12 +563,6 @@ If you enable this policy setting, you can configure Windows Error Reporting arc If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -662,12 +632,6 @@ If you enable this policy setting, you can configure Windows Error Reporting arc If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -712,8 +676,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -737,12 +701,6 @@ If you enable or do not configure this policy setting, any memory dumps generate If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -811,14 +769,6 @@ If you enable or do not configure this policy setting, any memory dumps generate If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Automatically send memory dumps for OS-generated error reports* @@ -862,8 +812,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -887,12 +837,6 @@ If you enable this policy setting, WER does not throttle data; that is, WER uplo If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -937,8 +881,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -963,11 +907,6 @@ If you disable or do not configure this policy setting, WER throttles data by de > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1012,8 +951,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1037,12 +976,6 @@ If you enable this policy setting, WER does not check for network cost policy re If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1087,8 +1020,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1112,12 +1045,6 @@ If you enable this policy setting, WER does not check for network cost policy re If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1162,8 +1089,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1187,12 +1114,6 @@ If you enable this policy setting, WER does not determine whether the computer i If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1237,8 +1158,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1262,12 +1183,6 @@ If you enable this policy setting, WER does not determine whether the computer i If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1312,8 +1227,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1337,12 +1252,6 @@ If you enable this policy setting, you can specify the name or IP address of an If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1386,8 +1295,8 @@ ADMX Info: Yes Education - No - No + Yes + Yes @@ -1421,12 +1330,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1471,8 +1374,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1496,12 +1399,6 @@ If you enable this policy setting, the default consent levels of Windows Error R If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1546,8 +1443,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1571,12 +1468,6 @@ If you enable this policy setting, the default consent levels of Windows Error R If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1621,8 +1512,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1654,12 +1545,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1704,8 +1589,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1737,12 +1622,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1787,8 +1666,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1812,12 +1691,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1862,8 +1735,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1888,12 +1761,6 @@ If you disable or do not configure this policy setting, errors are reported on a -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1938,8 +1805,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1963,12 +1830,6 @@ If you enable this policy setting, you can create a list of applications that ar If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2013,8 +1874,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2038,12 +1899,6 @@ If you enable this policy setting, Windows Error Reporting events are not record If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2088,8 +1943,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2113,12 +1968,6 @@ If you enable this policy setting, Windows Error Reporting events are not record If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2163,8 +2012,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2188,12 +2037,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2238,8 +2081,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2265,12 +2108,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2315,8 +2152,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2342,12 +2179,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2360,7 +2191,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index dc00ad7337..6c88919cf8 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -14,14 +14,19 @@ manager: dansimp # Policy CSP - ADMX_EventForwarding -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_EventForwarding policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_EventForwarding/ForwarderResourceUsage @@ -66,8 +71,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -93,12 +98,7 @@ If you disable or do not configure this policy setting, forwarder resource usage This setting applies across all subscriptions for the forwarder (source computer). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -145,8 +145,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -178,12 +178,6 @@ When using the HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector computer will not be specified. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -196,8 +190,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 1dda6c7ce0..e5bb236763 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_EventLog -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_EventLog policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_EventLog/Channel_LogEnabled @@ -121,8 +126,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -146,12 +151,6 @@ If you enable or do not configure this policy setting, then events can be writte If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -196,8 +195,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -221,12 +220,6 @@ If you enable this policy setting, the Event Log uses the path specified in this If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -270,8 +263,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -295,12 +288,6 @@ If you enable this policy setting, the Event Log uses the path specified in this If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -345,8 +332,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -370,12 +357,6 @@ If you enable this policy setting, the Event Log uses the path specified in this If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -420,8 +401,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -445,12 +426,6 @@ If you enable this policy setting, the Event Log uses the path specified in this If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -495,8 +470,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -520,12 +495,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -570,8 +539,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -597,12 +566,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -647,8 +610,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -674,12 +637,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -724,8 +681,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -751,12 +708,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -801,8 +752,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -828,12 +779,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -852,8 +797,9 @@ ADMX Info: - - + + + @@ -877,8 +823,8 @@ ADMX Info: - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
EducationNoNoYesYes
@@ -905,12 +851,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -955,8 +895,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -983,12 +923,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1033,8 +967,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1061,12 +995,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1111,8 +1039,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1139,12 +1067,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1188,8 +1110,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1215,12 +1137,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1265,8 +1181,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1292,12 +1208,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1342,8 +1252,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1369,12 +1279,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1419,8 +1323,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1446,12 +1350,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1496,8 +1394,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1523,12 +1421,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,8 +1465,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1600,12 +1492,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1650,8 +1536,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1677,12 +1563,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1695,7 +1575,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index a74f3183f5..c7514101dd 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Explorer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_Explorer policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_Explorer/AdminInfoUrl @@ -74,8 +79,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -95,12 +100,6 @@ manager: dansimp Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -145,8 +144,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -175,14 +174,6 @@ If you disable or do not configure this policy setting, the menu bar will not be > [!NOTE] > When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Display the menu bar in File Explorer* @@ -226,8 +217,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -249,12 +240,6 @@ This policy setting allows administrators who have configured roaming profile in If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -299,8 +284,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -327,12 +312,6 @@ If you disable or do not configure this policy setting, users will be able to ad > Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -376,8 +355,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -397,12 +376,6 @@ ADMX Info: This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -415,6 +388,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 5b451adc45..aeb520d2ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileRecovery -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -60,8 +64,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -81,12 +85,7 @@ manager: dansimp > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -96,8 +95,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 2d631edea5..416b833dea 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileServerVSSProvider -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -90,12 +95,6 @@ By default, the RPC protocol message between File Server VSS provider and File S > To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -108,8 +107,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 010a794280..54c474440a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -13,13 +13,18 @@ manager: dansimp --- # Policy CSP - ADMX_FileSys -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-## ADMX_FileSys policies +## ADMX_FileSys policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -80,8 +85,8 @@ manager: dansimp Yes Education - No - No + Yes + Yes @@ -101,12 +106,7 @@ manager: dansimp Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -150,8 +150,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -175,12 +175,6 @@ A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -223,8 +217,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -243,13 +237,6 @@ ADMX Info: Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -292,8 +279,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -313,12 +300,6 @@ ADMX Info: Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -361,8 +342,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -382,12 +363,6 @@ ADMX Info: Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -430,8 +405,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -453,12 +428,6 @@ This policy setting provides control over whether or not short names are generat If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -497,13 +466,13 @@ ADMX Info: Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -533,12 +502,6 @@ For more information, refer to the Windows Help section. > If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -581,8 +544,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -602,12 +565,7 @@ ADMX Info: TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -620,8 +578,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index dd4a6ae95e..9bdab22253 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_FolderRedirection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_FolderRedirection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_FolderRedirection/DisableFRAdminPin @@ -111,12 +116,6 @@ If you disable or do not configure this policy setting, redirected shell folders > If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -190,12 +189,6 @@ If you disable or do not configure this policy setting, all redirected shell fol > The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -265,12 +258,6 @@ If you enable this policy setting, when the path to a redirected folder is chang If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,12 +329,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -420,12 +401,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -499,12 +474,6 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -548,8 +517,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -578,12 +547,7 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -596,8 +560,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 6c360c3c98..812087e3a5 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -19,6 +19,13 @@ manager: dansimp ## ADMX_Globalization policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_Globalization/BlockUserInputMethodsForSignIn @@ -156,12 +163,7 @@ If the policy is Enabled, then the user will get input methods enabled for the s If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -239,12 +241,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -322,12 +318,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -405,12 +395,6 @@ If you disable or do not configure this policy setting, the user can see the Adm -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -485,12 +469,6 @@ If you disable or do not configure this policy setting, the user sees the option > Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -564,12 +542,6 @@ If you enable this policy setting, the user does not see the option for changing -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -641,12 +613,6 @@ If you enable this policy setting, the user does not see the regional formats op If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -730,12 +696,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -819,12 +779,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -896,12 +850,6 @@ If you enable this policy setting, administrators can select a system locale onl If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -975,12 +923,6 @@ If you enable this policy setting, only locales in the specified locale list can If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1056,12 +998,6 @@ If you disable or do not configure this policy setting, users can select any loc If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1132,12 +1068,6 @@ If you enable this policy setting, the UI language of Windows menus and dialogs If you disable or do not configure this policy setting, the user can specify which UI language is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1211,12 +1141,6 @@ If you disable or do not configure this policy setting, there is no restriction To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1290,12 +1214,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1369,12 +1287,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1452,12 +1364,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1535,12 +1441,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1612,12 +1512,6 @@ To enable this policy setting in Windows Vista, use the "Restricts the UI langua If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1690,12 +1584,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1769,12 +1657,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1847,12 +1729,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1926,12 +1802,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2005,12 +1875,6 @@ For example, the default value, 2029, specifies that all two-digit years less th If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2023,7 +1887,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md new file mode 100644 index 0000000000..b129567b19 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -0,0 +1,646 @@ +--- +title: Policy CSP - ADMX_PreviousVersions +description: Policy CSP - ADMX_PreviousVersions +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PreviousVersions + +
+ + +## ADMX_PreviousVersions policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_PreviousVersions/DisableLocalPage_1 +
+
+ ADMX_PreviousVersions/DisableLocalPage_2 +
+
+ ADMX_PreviousVersions/DisableRemotePage_1 +
+
+ ADMX_PreviousVersions/DisableRemotePage_2 +
+
+ ADMX_PreviousVersions/HideBackupEntries_1/a> +
+
+ ADMX_PreviousVersions/HideBackupEntries_2 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_1 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_2 +
+
+ + +
+ + +**ADMX_PreviousVersions/DisableLocalPage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableLocalPage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableRemotePage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableRemotePage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
+ + +**ADMX_PreviousVersions/HideBackupEntries_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/HideBackupEntries_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableLocalRestore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
+ +**ADMX_PreviousVersions/DisableLocalRestore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index d04dd64448..91a4c42484 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -529,6 +529,8 @@ items: href: policy-csp-admx-power.md - name: ADMX_PowerShellExecutionPolicy href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md - name: ADMX_Printing href: policy-csp-admx-printing.md - name: ADMX_Printing2 From 4c41d91252348e32bb716e269736984524614ac4 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 23 Sep 2021 16:35:18 +0530 Subject: [PATCH 313/458] Update policy-csp-admx-touchinput.md --- windows/client-management/mdm/policy-csp-admx-touchinput.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index a5a34ab417..61f1751ef3 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -36,7 +36,7 @@ manager: dansimp ADMX_TouchInput/TouchInputOff_2
- ADMX_TouchInput/PanningEverywhereOff_1 + ADMX_TouchInput/PanningEverywhereOff_1
ADMX_TouchInput/PanningEverywhereOff_2 From e1847122f0694ca23d8fd1f6b157334dda2141b8 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 23 Sep 2021 16:53:48 +0530 Subject: [PATCH 314/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 7 ++ .../mdm/policy-csp-admx-pushtoinstall.md | 103 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 4 files changed, 113 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-pushtoinstall.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index bedfa39992..cc3b267bd9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -872,6 +872,7 @@ ms.date: 10/08/2020 - [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) - [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) - [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) +- [ADMX_PushToInstall/DisablePushToInstall](./policy-csp-admx-pushtoinstall.md#admx-pushtoinstall-disablepushtoinstall) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 9218729fca..a5a16c472b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3033,6 +3033,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_PushToInstall policies + +
+
+ ADMX_PushToInstall/DisablePushToInstall +
+ ### ADMX_Reliability policies
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md new file mode 100644 index 0000000000..2dd314e5ca --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -0,0 +1,103 @@ +--- +title: Policy CSP - ADMX_PushToInstall +description: Policy CSP - ADMX_PushToInstall +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PushToInstall + +
+ + +## ADMX_PushToInstall policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_PushToInstall/DisablePushToInstall +
+
+ + +
+ + +**ADMX_PushToInstall/DisablePushToInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + + + + +ADMX Info: +- GP Friendly name: *Turn off Push To Install service* +- GP name: *DisablePushToInstall* +- GP path: *Windows Components\Push To Install* +- GP ADMX file name: *PushToInstall.admx* + + + + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 91a4c42484..719aa56b63 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -537,6 +537,8 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md + - name: ADMX_PushToInstall + href: policy-csp-admx-pushtoinstall.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance From 318286a8d2b6f8f6ceee2c96abc0b424b59f7fbe Mon Sep 17 00:00:00 2001 From: Alice-at-Microsoft <79878795+Alice-at-Microsoft@users.noreply.github.com> Date: Tue, 21 Sep 2021 11:27:30 -0700 Subject: [PATCH 315/458] Update deployment-service-overview.md Group Policy info, links to Intune --- .../update/deployment-service-overview.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 63c9c6aa24..546749d1dd 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -81,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell @@ -115,7 +115,7 @@ You should continue to use deployment rings as part of the servicing strategy fo ### Monitoring deployments to detect rollback issues -During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. +During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. ### How to enable deployment protections @@ -124,21 +124,16 @@ Deployment scheduling controls are always available, but to take advantage of th #### Device prerequisites -> [!NOTE] -> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - - Diagnostic data is set to *Required* or *Optional*. - The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy. - -> [!NOTE] -> Setting this policy by using Group Policy isn't currently supported. +To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. | Policy | Sets registry key under **HKLM\\Software** | |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: @@ -184,5 +179,5 @@ Avoid using different channels to manage the same resources. If you use Microsof To learn more about the deployment service, try the following: -- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates) +- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) From 0efafa2077b9009fef00c7e5e5811b8320c950b8 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 24 Sep 2021 13:54:53 +0530 Subject: [PATCH 316/458] Updated --- .../mdm/policy-csp-admx-nca.md | 67 +--- .../mdm/policy-csp-admx-ncsi.md | 60 +--- .../mdm/policy-csp-admx-netlogon.md | 256 +++---------- .../mdm/policy-csp-admx-networkconnections.md | 200 ++--------- .../mdm/policy-csp-admx-offlinefiles.md | 339 +++--------------- .../mdm/policy-csp-admx-peertopeercaching.md | 74 +--- .../policy-csp-admx-performancediagnostics.md | 39 +- .../mdm/policy-csp-admx-power.md | 186 ++-------- ...licy-csp-admx-powershellexecutionpolicy.md | 39 +- .../mdm/policy-csp-admx-printing.md | 193 ++-------- .../mdm/policy-csp-admx-printing2.md | 74 +--- .../mdm/policy-csp-admx-programs.md | 60 +--- .../mdm/policy-csp-admx-reliability.md | 39 +- .../mdm/policy-csp-admx-remoteassistance.md | 25 +- .../mdm/policy-csp-admx-removablestorage.md | 235 ++---------- 15 files changed, 350 insertions(+), 1536 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 1148c8b887..1ed67abd42 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_nca -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -118,12 +122,7 @@ Each string can be one of the following types: You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -189,12 +188,7 @@ ADMX Info: This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -266,12 +260,7 @@ Each entry consists of the text PING: followed by the IPv6 address of an IPsec t You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,12 +328,7 @@ This policy setting specifies the string that appears for DirectAccess connectiv If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -421,12 +405,7 @@ To restore the DirectAccess rules to the NRPT and resume normal DirectAccess fun If this setting is not configured, users do not have Connect or Disconnect options. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -493,12 +472,7 @@ This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -568,12 +542,7 @@ Set this to Disabled to prevent user confusion when you are just using DirectAcc If this setting is not configured, the entry for DirectAccess connectivity appears. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -641,12 +610,7 @@ This policy setting specifies the e-mail address to be used when sending the log When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -659,8 +623,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index a970faaac9..9aff94fad5 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_NCSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -101,12 +105,7 @@ manager: dansimp This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -172,12 +171,7 @@ ADMX Info: This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -243,12 +237,7 @@ ADMX Info: This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -314,12 +303,7 @@ ADMX Info: This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -388,12 +372,7 @@ ADMX Info: This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -459,12 +438,7 @@ ADMX Info: This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -530,12 +504,7 @@ ADMX Info: This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,7 +517,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 4b32723dd1..60cfff66e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Netlogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -197,12 +201,7 @@ To specify this behavior in the DC Locator DNS SRV records, click Enabled, and t If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -276,12 +275,7 @@ If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC add If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -355,12 +349,7 @@ If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -436,12 +425,7 @@ If you disable this policy setting, Net Logon will not allow the negotiation and If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -517,12 +501,7 @@ If you disable this policy setting, computers to which this setting is applied w If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -596,12 +575,7 @@ If you disable this policy setting, the DCs will not register site-specific DC L If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -678,12 +652,7 @@ If you enable or do not configure this policy setting, the DC location algorithm If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -759,12 +728,7 @@ If you disable this policy setting, the DCs will not attempt to verify any passw If you do not configure this policy setting, it is not applied to any DCs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -843,12 +807,7 @@ If the value of this setting is less than the value specified in the NegativeCac > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -929,12 +888,7 @@ If the value for this setting is smaller than the value specified for the Initia If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1007,12 +961,7 @@ The default value for this setting is to not quit retrying (0). The maximum valu > If the value for this setting is too small, a client will stop trying to find a DC too soon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1080,12 +1029,7 @@ ADMX Info: This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1161,12 +1105,7 @@ If you specify zero for this policy setting, the default behavior occurs as desc If you disable this policy setting or do not configure it, the default behavior occurs as described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1266,12 +1205,7 @@ If you disable this policy setting, DCs configured to perform dynamic registrati If you do not configure this policy setting, DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1348,12 +1282,7 @@ To specify the Refresh Interval of the DC records, click Enabled, and then enter If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1430,12 +1359,7 @@ The default local configuration is enabled. A reboot is not required for changes to this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,12 +1430,7 @@ To specify the TTL for DC Locator DNS records, click Enabled, and then enter a v If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1583,12 +1502,7 @@ To specify the expected dial-up delay at logon, click Enabled, and then enter th If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1664,12 +1578,7 @@ If you disable this policy setting, Force Rediscovery will be used by default fo If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1743,12 +1652,7 @@ To specify the sites covered by the GC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1825,12 +1729,7 @@ If you enable this policy setting, this DC does not process incoming mailslot me If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1904,12 +1803,7 @@ To specify the Priority in the DC Locator DNS SRV resource records, click Enable If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1983,12 +1877,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2060,12 +1949,7 @@ By default, the maximum size of the log file is 20MB. If you enable this policy If you disable or do not configure this policy setting, the default behavior occurs as indicated above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2139,12 +2023,7 @@ To specify the sites covered by the DC Locator application directory partition-s If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2217,12 +2096,7 @@ The default value for this setting is 45 seconds. The maximum value for this set > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2301,12 +2175,7 @@ By default, the Netlogon share will grant shared read access to files on the sha If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2376,12 +2245,7 @@ This policy setting determines when a successful DC cache entry is refreshed. Th The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2460,12 +2324,7 @@ To specify this behavior, click Enabled and then enter a value. The range of val If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2543,12 +2402,7 @@ None of these operations are critical. 15 minutes is optimal in all but extreme To enable the setting, click Enabled, and then specify the interval in seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2622,12 +2476,7 @@ To specify the sites covered by the DC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2701,12 +2550,7 @@ To specify the site name for this setting, click Enabled, and then enter the sit If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2785,12 +2629,7 @@ By default, the SYSVOL share will grant shared read access to files on the share If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2866,12 +2705,7 @@ If you disable this policy setting, Try Next Closest Site DC Location will not b If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2945,12 +2779,7 @@ If you disable this policy setting, DCs will not register DC Locator DNS resourc If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2963,7 +2792,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 22f39d543e..93c7d26bdf 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_NetworkConnections -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -177,12 +181,7 @@ The Install and Uninstall buttons appear in the properties dialog box for connec > Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -259,12 +258,7 @@ If you disable this setting or do not configure it, the Advanced Settings item i > Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,12 +340,7 @@ Changing this setting from Enabled to Not Configured does not enable the Advance > To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -428,12 +417,7 @@ If you disable this setting or do not configure it, the Properties dialog box fo > Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -516,12 +500,7 @@ When enabled, the "Prohibit deletion of remote access connections" setting takes > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -602,12 +581,7 @@ When enabled, this setting takes precedence over the "Ability to delete all user > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -681,12 +655,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -756,12 +725,7 @@ When enabled, the icon for Internet access will be shown in the system tray even If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -838,12 +802,7 @@ If you disable this setting or do not configure it, Windows XP settings that exi > This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -917,12 +876,7 @@ If you disable this policy setting, traffic between remote client computers runn If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -992,12 +946,7 @@ If you enable this policy setting, this condition will not be reported as an err If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1082,12 +1031,7 @@ The Local Area Connection Properties dialog box includes a list of the network c > Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1164,12 +1108,7 @@ If you do not configure this setting, only Administrators and Network Configurat > Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1248,12 +1187,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1330,12 +1264,7 @@ If you disable this setting or do not configure it, the Make New Connection icon > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1414,12 +1343,7 @@ If you enable the "Windows Firewall: Protect all network connections" policy set If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1502,12 +1426,7 @@ If you do not configure this setting, only Administrators and Network Configurat > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1590,12 +1509,7 @@ The Networking tab of the Remote Access Connection Properties dialog box include > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1667,12 +1581,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1753,12 +1662,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1839,12 +1743,7 @@ When the "Ability to rename LAN connections or remote access connections availab This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1923,12 +1822,7 @@ If this setting is not configured, only Administrators and Network Configuration > This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2005,12 +1899,7 @@ If you do not configure this setting, only Administrators and Network Configurat When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2087,12 +1976,7 @@ If you disable this setting or do not configure it, the Rename option is enabled > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2175,12 +2059,7 @@ Nonadministrators are already prohibited from configuring Internet Connection Sh Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2254,12 +2133,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2329,12 +2203,7 @@ If you enable this policy setting, domain users must elevate when setting a netw If you disable or do not configure this policy setting, domain users can set a network's location without elevating. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2347,6 +2216,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 51ec6464ca..27a8bd6ae6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_OfflineFiles -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -224,12 +228,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -304,12 +303,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -384,12 +378,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -461,12 +450,7 @@ You can also configure Background Sync for network shares that are in user selec If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,12 +532,7 @@ If you enable this setting and specify an auto-cached space limit greater than t This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -638,12 +617,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -728,12 +702,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -814,12 +783,7 @@ If you do not configure this setting, disk space for automatically cached files > To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -894,12 +858,7 @@ If you do not configure this policy setting, Offline Files is enabled on Windows > Changes to this policy setting do not take effect until the affected computer is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -977,12 +936,7 @@ If you do not configure this policy setting, encryption of the Offline Files cac This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1063,12 +1017,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1149,12 +1098,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1224,12 +1168,7 @@ If you enable this policy setting, a user will be unable to create files with th If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1304,12 +1243,7 @@ To use this setting, type the file name extension in the "Extensions" box. To ty > To make changes to this setting effective, you must log off and log on again. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1394,12 +1328,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1484,12 +1413,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1564,12 +1488,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1644,12 +1563,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1724,12 +1638,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1804,12 +1713,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1883,12 +1787,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1962,12 +1861,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2045,12 +1939,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2128,12 +2017,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2214,12 +2098,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2300,12 +2179,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2379,12 +2253,7 @@ If you enable this policy setting, transparent caching is enabled and configurab If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2456,12 +2325,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2534,12 +2398,7 @@ If you disable this setting or do not configure it, automatically and manually c > Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2609,12 +2468,7 @@ If you enable or do not configure this policy setting, only new files and folder If you disable this policy setting, all administratively assigned folders are synchronized at logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2689,12 +2543,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2769,12 +2618,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2844,12 +2688,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2919,12 +2758,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2994,12 +2828,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3069,12 +2898,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3154,12 +2978,7 @@ In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep us If you disable this policy setting, computers will not use the slow-link mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3234,12 +3053,6 @@ If this setting is disabled or not configured, the default threshold value of 64 > Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3318,12 +3131,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3402,12 +3210,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3486,12 +3289,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3572,12 +3370,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3650,12 +3443,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3728,12 +3516,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3803,12 +3586,7 @@ If you enable this setting, synchronization can occur in the background when the If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3878,12 +3656,7 @@ If you enable this policy setting, the "Work offline" command is not displayed i If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3953,12 +3726,7 @@ If you enable this policy setting, the "Work offline" command is not displayed i If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3971,8 +3739,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 06e6d88a46..e3e5caf8a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PeerToPeerCaching -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -121,12 +125,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -205,12 +204,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -295,12 +289,7 @@ Hosted cache clients must trust the server certificate that is issued to the hos > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -388,12 +377,7 @@ Select one of the following: - Disabled. With this selection, this policy is not applied to client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -477,12 +461,7 @@ In circumstances where this setting is enabled, you can also select and configur - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -560,12 +539,7 @@ In circumstances where this policy setting is enabled, you can also select and c - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -650,12 +624,7 @@ In circumstances where this setting is enabled, you can also select and configur > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -737,12 +706,7 @@ In circumstances where this setting is enabled, you can also select and configur - Specify the age in days for which segments in the data cache are valid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -827,12 +791,7 @@ Select from the following versions - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -845,7 +804,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 088f65c0dc..c0586ccf19 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PerformanceDiagnostics -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -104,12 +108,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -187,12 +186,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,12 +264,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -353,12 +342,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -371,8 +355,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 4b6fc28e8f..46c9adf221 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Power -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -161,12 +165,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -236,12 +235,7 @@ If you enable this policy setting, an application or service may prevent the sys If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -315,12 +309,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,12 +379,7 @@ If you enable this policy setting, any application, service, or device driver pr If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -465,12 +449,7 @@ If you enable this policy setting, any application, service, or device driver pr If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -540,12 +519,7 @@ If you enable this policy setting, the computer automatically sleeps when networ If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -615,12 +589,7 @@ If you enable this policy setting, the computer automatically sleeps when networ If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -690,12 +659,7 @@ If you enable this policy setting, you must specify a power plan, specified as a If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -770,12 +734,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -850,12 +809,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -927,12 +881,7 @@ To set the action that is triggered, see the "Critical Battery Notification Acti If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1006,12 +955,7 @@ The notification will only be shown if the "Low Battery Notification Action" pol If you disable or do not configure this policy setting, users can control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1083,12 +1027,7 @@ To set the action that is triggered, see the "Low Battery Notification Action" p If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1160,12 +1099,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1235,12 +1169,7 @@ If you enable this policy setting, an application or service may prevent the sys If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1314,12 +1243,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1389,12 +1313,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1464,12 +1383,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1545,12 +1459,7 @@ If you enable this policy setting, the computer system safely shuts down and rem If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1622,12 +1531,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1699,12 +1603,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1774,12 +1673,7 @@ If you enable this policy setting, specify a power plan from the Active Power Pl If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1849,12 +1743,7 @@ If you enable this policy setting, the client computer is locked and prompted fo If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1924,12 +1813,7 @@ If you enable this policy setting, Power Throttling will be turned off. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1999,12 +1883,7 @@ If you enable this policy setting, you must enter a numeric value (percentage) t If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2017,7 +1896,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index e53466c621..d2d7e0d5b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PowerShellExecutionPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -102,12 +106,7 @@ To add modules and snap-ins to the policy setting list, click Show, and then typ > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,12 +182,7 @@ If you disable this policy setting, no scripts are allowed to run. > This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,12 +258,7 @@ If you use the OutputDirectory setting to enable transcript logging to a shared > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,12 +332,7 @@ If this policy setting is disabled or not configured, this policy setting does n > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -361,7 +345,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index e2d5216e21..cceb1665c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -170,12 +174,7 @@ Internet printing is an extension of Internet Information Services (IIS). To use Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -252,12 +251,7 @@ If you disable this policy setting, then print drivers will be loaded within all > - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -334,12 +328,7 @@ Also, see the "Activate Internet printing" setting in this setting folder and th Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -413,12 +402,7 @@ This policy setting is not configured by default, and the behavior depends on th By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -502,12 +486,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -580,12 +559,7 @@ If you disable this setting, the network printer browse page is removed from wit > This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -666,12 +640,7 @@ If you do not enable this policy setting, the behavior is the same as disabling > In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -739,12 +708,7 @@ Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (X This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -818,12 +782,7 @@ This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -898,12 +857,7 @@ If you enable this setting, installation of a printer using a kernel-mode driver > By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -975,12 +929,7 @@ If you disable this setting, Windows will manage the default printer. If you do not configure this setting, default printer management will not change. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1050,12 +999,7 @@ If you enable this group policy setting, the default MXDW output format is the l If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1127,12 +1071,7 @@ This setting does not prevent users from running other programs to delete a prin If this policy is disabled, or not configured, users can delete printers using the methods described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1213,12 +1152,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1288,12 +1222,7 @@ If this setting is enabled, users will only be able to point and print to printe If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1363,12 +1292,7 @@ If this setting is enabled, users will only be able to point and print to printe If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1442,12 +1366,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1521,12 +1440,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1600,12 +1514,7 @@ Type the location of the user's computer. When users search for printers, the sy If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1677,12 +1586,7 @@ If you enable this setting, users can browse for printers by location without kn If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1757,12 +1661,7 @@ If you disable this policy setting, the print spooler will execute print drivers > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1837,12 +1736,7 @@ If you disable or do not configure this policy setting, the print spooler uses t > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1914,12 +1808,7 @@ If you enable this policy setting, these searches begin at the location you spec This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1996,12 +1885,7 @@ If you do not configure this setting, shared printers are announced to browse ma > A client license is used each time a client computer announces a printer to a print browse master on the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2074,12 +1958,7 @@ If you enable this policy setting, the print job name will be included in new lo > This setting does not apply to Branch Office Direct Printing jobs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2151,12 +2030,7 @@ If you enable this policy setting, then all printer extensions will not be allow If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2169,7 +2043,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 6dd43fb7c3..be91226a5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing2 -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -116,12 +120,7 @@ The default behavior is to automatically publish shared printers in Active Direc > This setting is ignored if the "Allow printers to be published" setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,12 +195,7 @@ If you disable this setting, the domain controller does not prune this computer' > You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -283,12 +277,7 @@ You can enable this setting to change the default behavior. To use this setting, > If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -365,12 +354,7 @@ If you do not configure or disable this setting the default values will be used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -445,12 +429,7 @@ By default, the pruning thread runs at normal priority. However, you can adjust > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -527,12 +506,7 @@ If you do not configure or disable this setting, the default values are used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -609,12 +583,7 @@ Note: This setting does not affect the logging of pruning events; the actual pru > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -686,12 +655,7 @@ When the policy is disabled, the spooler will not accept client connections nor The spooler must be restarted for changes to this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -763,12 +727,7 @@ To enable this additional verification, enable this setting, and then select a v To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -781,6 +740,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 666626b0f5..d6dcf488e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Programs -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -109,12 +113,7 @@ This setting does not prevent users from using other tools and methods to change This setting does not prevent the Default Programs icon from appearing on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -191,12 +190,7 @@ If this setting is disabled or is not configured, the "Install a program from th > If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -268,12 +262,7 @@ If this setting is disabled or not configured, the "View installed updates" task This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,12 +332,7 @@ If this setting is disabled or not configured, "Programs and Features" will be a This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -422,12 +406,7 @@ When enabled, this setting takes precedence over the other settings in this fold This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -497,12 +476,7 @@ If this setting is disabled or is not configured, the "Turn Windows features on This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -577,12 +551,7 @@ If this feature is disabled or is not configured, the "Get new programs from Win > If the "Hide Programs control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -595,8 +564,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index c5d4d1c0ef..90b7ddfb6a 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Reliability -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -101,12 +105,7 @@ If you do not configure this policy setting, the Persistent System Timestamp is > This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -182,12 +181,7 @@ If you do not configure this policy setting, users can adjust this setting using Also see the "Configure Error Reporting" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -266,12 +260,7 @@ If you do not configure this policy setting, the default behavior for the System > By default, the System State Data feature is always enabled on Windows Server 2003. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -352,12 +341,7 @@ If you do not configure this policy setting, the default behavior for the Shutdo > By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -370,8 +354,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index f4cf7d10ed..a6af07f6c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemoteAssistance -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -92,12 +96,7 @@ If you disable this policy setting, computers running this version and a previou If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -185,12 +184,7 @@ If you disable this policy setting, application-based settings are used. If you do not configure this policy setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -202,7 +196,6 @@ ADMX Info:
-> [!NOTE] -> These policies are for upcoming release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 2f66562c7a..da757e7ffe 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemovableStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -183,12 +187,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -261,12 +260,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -336,12 +330,7 @@ If you enable this policy setting, execute access is denied to this removable st If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,12 +399,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -485,12 +469,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -560,12 +539,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -635,12 +609,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -710,12 +679,7 @@ If you enable this policy setting, read access is denied to these removable stor If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -785,12 +749,7 @@ If you enable this policy setting, read access is denied to these removable stor If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -860,12 +819,7 @@ If you enable this policy setting, write access is denied to these removable sto If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -934,12 +888,7 @@ If you enable this policy setting, write access is denied to these removable sto If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1008,12 +957,7 @@ If you enable this policy setting, execute access is denied to this removable st If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1082,12 +1026,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1156,12 +1095,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1229,12 +1163,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1303,12 +1232,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1376,12 +1300,7 @@ If you enable this policy setting, execute access is denied to this removable st If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1450,12 +1369,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1523,12 +1437,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1600,12 +1509,7 @@ If you disable or do not configure this policy setting, write access is allowed > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1676,12 +1580,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1752,12 +1651,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1826,12 +1720,7 @@ If you enable this policy setting, remote users can open direct handles to remov If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1900,12 +1789,7 @@ If you enable this policy setting, execute access is denied to this removable st If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1973,12 +1857,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2047,12 +1926,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2120,12 +1994,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2194,12 +2063,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2268,12 +2132,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2341,12 +2200,7 @@ If you enable this policy setting, read access is denied to this removable stora If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2415,12 +2269,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2489,12 +2338,7 @@ If you enable this policy setting, write access is denied to this removable stor If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2506,7 +2350,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file From 699d9dc2ff0597625a5782328c7f6a01c9daaf7d Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 24 Sep 2021 18:50:39 +0530 Subject: [PATCH 317/458] Create policy-csp-admx-qos.md --- .../mdm/policy-csp-admx-qos.md | 399 ++++++++++++++++++ 1 file changed, 399 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-qos.md diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md new file mode 100644 index 0000000000..723c882610 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -0,0 +1,399 @@ +--- +title: Policy CSP - ADMX_QOS +description: Policy CSP - ADMX_QOS +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_QOS + +
+ + +## ADMX_QOS policies + +
+
+ ADMX_QOS/QosServiceTypeBestEffort_C +
+
+ ADMX_QOS/QosServiceTypeBestEffort_PV +
+
+ ADMX_QOS/QosNonBestEffortLimit/a> +
+
+ ADMX_QOS/QosServiceTypeControlledLoad_C +
+
+ ADMX_QOS/QosServiceTypeControlledLoad_NC +
+
+ ADMX_QOS/QosServiceTypeGuaranteed_C +
+
+ ADMX_QOS/QosServiceTypeGuaranteed_NC/a> +
+
+ ADMX_QOS/QosServiceTypeNetworkControl_C +
+
+ ADMX_QOS/QosServiceTypeQualitative_C +
+
+ ADMX_QOS/QosServiceTypeBestEffort_NC +
+
+ ADMX_QOS/QosServiceTypeNetworkControl_NC/a> +
+
+ ADMX_QOS/QosServiceTypeQualitative_NC/a> +
+
+ ADMX_QOS/QosServiceTypeControlledLoad_PV/a> +
+
+ ADMX_QOS/QosServiceTypeGuaranteed_PV/a> +
+
+ ADMX_QOS/QosServiceTypeNetworkControl_PV/a> +
+
+ ADMX_QOS/QosServiceTypeNetworkControl_PV/a> +
+
+ ADMX_QOS/QosServiceTypeNonConforming/a> +
+
+ ADMX_QOS/QosServiceTypeQualitative_PV/a> +
+
+ ADMX_QOS/QosMaxOutstandingSends/a> +
+
+ ADMX_QOS/QosTimerResolution/a> +
+
+ + +
+ + +**ADMX_Reliability/EE_EnablePersistentTimeStamp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. + +If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. + +If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. + +If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. + +> [!NOTE] +> This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Enable Persistent Time Stamp* +- GP name: *EE_EnablePersistentTimeStamp* +- GP path: *System* +- GP ADMX file name: *Reliability.admx* + + + +
+ +
+ + +**ADMX_Reliability/PCH_ReportShutdownEvents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. + +If you enable this policy setting, error reporting includes unplanned shutdown events. + +If you disable this policy setting, unplanned shutdown events are not included in error reporting. + +If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. + +Also see the "Configure Error Reporting" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Report unplanned shutdown events* +- GP name: *PCH_ReportShutdownEvents* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *Reliability.admx* + + + +
+ +
+ + +**ADMX_Reliability/ShutdownEventTrackerStateFile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. + +The system state data file contains information about the basic system state as well as the state of all running processes. + +If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. + +If you disable this policy setting, the System State Data feature is never activated. + +If you do not configure this policy setting, the default behavior for the System State Data feature occurs. + +> [!NOTE] +> By default, the System State Data feature is always enabled on Windows Server 2003. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Activate Shutdown Event Tracker System State Data feature* +- GP name: *ShutdownEventTrackerStateFile* +- GP path: *System* +- GP ADMX file name: *Reliability.admx* + + + +
+ +
+ + +**ADMX_Reliability/ShutdownReason** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. + +If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. + +If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) + +If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) + +If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. + +If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. + +> [!NOTE] +> By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Display Shutdown Event Tracker* +- GP name: *ShutdownReason* +- GP path: *System* +- GP ADMX file name: *Reliability.admx* + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + From bb51aac13cd4e08c040fae8d6ca3226138b21b59 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Fri, 24 Sep 2021 20:11:23 +0530 Subject: [PATCH 318/458] Updated for task 5441097 --- .../smart-card-and-remote-desktop-services.md | 6 ++--- .../smart-cards/smart-card-architecture.md | 6 ++--- ...rt-card-certificate-propagation-service.md | 6 ++--- ...ertificate-requirements-and-enumeration.md | 8 +++---- .../smart-card-debugging-information.md | 6 ++--- .../smart-cards/smart-card-events.md | 6 ++--- ...card-group-policy-and-registry-settings.md | 6 ++--- ...how-smart-card-sign-in-works-in-windows.md | 6 ++--- .../smart-card-removal-policy-service.md | 8 +++---- ...rt-card-smart-cards-for-windows-service.md | 6 ++--- .../smart-card-tools-and-settings.md | 6 ++--- ...-windows-smart-card-technical-reference.md | 6 ++--- .../how-user-account-control-works.md | 24 ++++++++++--------- ...-group-policy-and-registry-key-settings.md | 5 ++-- .../user-account-control-overview.md | 7 +++--- ...ccount-control-security-policy-settings.md | 7 ++++-- 16 files changed, 63 insertions(+), 56 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..70b89b04ee 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Smart Card and Remote Desktop Services (Windows 10) +title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..604f470a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,5 +1,5 @@ --- -title: Smart Card Architecture (Windows 10) +title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Architecture -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..32f79fdf8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,5 +1,5 @@ --- -title: Certificate Propagation Service (Windows 10) +title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/24/2021 ms.reviewer: --- # Certificate Propagation Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..7e32d7679f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,5 +1,5 @@ --- -title: Certificate Requirements and Enumeration (Windows 10) +title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index a084d3c132..b65f0ce66c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,5 +1,5 @@ --- -title: Smart Card Troubleshooting (Windows 10) +title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index bb93b39cce..b8f7de6f81 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -1,5 +1,5 @@ --- -title: Smart Card Events (Windows 10) +title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Events -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 50d2b45bb2..ad5011e9b9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Group Policy and Registry Settings (Windows 10) +title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows 11, Windows Server 2016 and above This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9939c9ec73..8dc9a36c37 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows 10) +title: How Smart Card Sign-in Works in Windows (Windows) description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..c52deb3971 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -1,5 +1,5 @@ --- -title: Smart Card Removal Policy Service (Windows 10) +title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,17 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). **Smart card removal policy service** diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index e4548fc317..b55d171543 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -1,5 +1,5 @@ --- -title: Smart Cards for Windows Service (Windows 10) +title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 74fdcc3e8f..1151e206de 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Tools and Settings (Windows 10) +title: Smart Card Tools and Settings (Windows) description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Tools and Settings -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 99defcec30..dfd605776c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -1,5 +1,5 @@ --- -title: Smart Card Technical Reference (Windows 10) +title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Technical Reference -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise. diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 76159c664d..abdfb49e90 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -1,5 +1,5 @@ --- -title: How User Account Control works (Windows 10) +title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 ms.reviewer: @@ -14,19 +14,21 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 11/16/2018 +ms.date: 09/23/2021 --- # How User Account Control works **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ## UAC process and interactions -Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. +Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 and Windows 11 protect processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. In order to better understand how this process happens, let's look at the Windows logon process. @@ -40,17 +42,17 @@ By default, standard users and administrators access resources and run apps in t When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token. -A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). +A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). ### The UAC User Experience -When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. +When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. **The consent and credential prompts** -With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. +With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. **The consent prompt** @@ -68,12 +70,12 @@ The following is an example of the UAC credential prompt. **UAC elevation prompts** -The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user. +The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user. The elevation prompt color-coding is as follows: - Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. -- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item. +- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item. - Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. - Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. @@ -87,7 +89,7 @@ The shield icon on the **Change date and time** button indicates that the proces **Securing the elevation prompt** -The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. +The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop. @@ -281,7 +283,7 @@ The slider will never turn UAC completely off. If you set it to Never notify< Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. @@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 6f65b3199e..a4ae0b4d3d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control Group Policy and registry key settings (Windows 10) +title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: w10 ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index a95145abaa..263dd2fe27 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,5 +1,5 @@ --- -title: User Account Control (Windows 10) +title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 ms.reviewer: @@ -14,14 +14,15 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 07/27/2017 +ms.date: 09/24/2011 --- # User Account Control **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 793fe303aa..9a6cb42323 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control security policy settings (Windows 10) +title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 ms.reviewer: @@ -14,13 +14,16 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 --- # User Account Control security policy settings **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. From 2742f229b233c9dc3044d3f416f230efe6ae3b11 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 24 Sep 2021 21:09:06 +0530 Subject: [PATCH 319/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 8 + .../policy-configuration-service-provider.md | 43 +++ .../mdm/policy-csp-admx-radar.md | 114 ++++++ .../mdm/policy-csp-admx-sdiagschd.md | 114 ++++++ .../mdm/policy-csp-admx-servermanager.md | 341 ++++++++++++++++++ .../mdm/policy-csp-admx-soundrec.md | 181 ++++++++++ windows/client-management/mdm/toc.yml | 8 + 7 files changed, 809 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-radar.md create mode 100644 windows/client-management/mdm/policy-csp-admx-sdiagschd.md create mode 100644 windows/client-management/mdm/policy-csp-admx-servermanager.md create mode 100644 windows/client-management/mdm/policy-csp-admx-soundrec.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 6c81fd4df2..183dad995e 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -864,6 +864,7 @@ ms.date: 10/08/2020 - [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) - [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) - [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) +- [ADMX_Radar/WdiScenarioExecutionPolicy](./policy-csp-admx-radar.md#admx-radar-wdiscenarioexecutionpolicy) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) @@ -921,12 +922,17 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) +- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) +- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) +- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) +- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) +- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) @@ -964,6 +970,8 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a03f3f09f7..0efd56f9ae 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3004,6 +3004,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_Radar policies +
+
+ ADMX_Radar/WdiScenarioExecutionPolicy +
+
+ ### ADMX_Reliability policies
@@ -3191,6 +3198,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_sdiagschd policies + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ ### ADMX_sdiageng policies
@@ -3233,6 +3248,23 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ServerManager policies + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ ### ADMX_Servicing policies
@@ -3384,6 +3416,17 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_SoundRec policies + +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
+
+ ### ADMX_StartMenu policies
diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md new file mode 100644 index 0000000000..f1161f6d53 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_Radar +description: Policy CSP - ADMX_Radar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Radar + +
+ + +## ADMX_Radar policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_Radar/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_Radar/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. + +These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* +- GP ADMX file name: *Radar.admx* + +
+ + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md new file mode 100644 index 0000000000..f19401826c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_sdiagschd +description: Policy CSP - ADMX_sdiagschd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_sdiagschd + +
+ + +## ADMX_sdiagschd policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ + +
+ + +**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. + +- If you enable this policy setting, you must choose an execution level. + +If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. + +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scheduled Maintenance Behavior* +- GP name: *ScheduledDiagnosticsExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* +- GP ADMX file name: *sdiagschd.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md new file mode 100644 index 0000000000..2bdd21ec6f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -0,0 +1,341 @@ +--- +title: Policy CSP - ADMX_ServerManager +description: Policy CSP - ADMX_ServerManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ServerManager + +
+ + +## ADMX_ServerManager policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ + +
+ + +**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Server Manager automatically at logon* +- GP name: *Do_not_display_Manage_Your_Server_page* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + + +**ADMX_ServerManager/ServerManagerAutoRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + +ADMX Info: +- GP Friendly name: *Configure the refresh interval for Server Manager* +- GP name: *ServerManagerAutoRefreshRate* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* +- GP name: *DoNotLaunchInitialConfigurationTasks* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. + +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. + +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. + +However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Manage Your Server page at logon* +- GP name: *DoNotLaunchServerManager* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md new file mode 100644 index 0000000000..8e63a59f12 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_SoundRec +description: Policy CSP - ADMX_SoundRec +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SoundRec + +
+ + +## ADMX_SoundRec policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
+
+ + +
+ + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_1* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_2* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1d385366fb..933e030d81 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -535,6 +535,8 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md + - name: ADMX_Radar + href: policy-csp-admx-radar.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance @@ -547,10 +549,14 @@ items: href: policy-csp-admx-scripts.md - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -567,6 +573,8 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_SoundRec + href: policy-csp-admx-soundrec.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore From 1a6bee08d91d5c1df134735e0e8dc899b3f75ee3 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 26 Sep 2021 15:04:37 +0530 Subject: [PATCH 320/458] Updated --- .../mdm/policy-csp-admx-datacollection.md | 20 +- .../mdm/policy-csp-admx-qos.md | 399 ------------------ 2 files changed, 10 insertions(+), 409 deletions(-) delete mode 100644 windows/client-management/mdm/policy-csp-admx-qos.md diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index e86a85cc6a..3955a74bc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_DataCollection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_DataCollection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_DataCollection/CommercialIdPolicy @@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -87,12 +92,7 @@ If your organization is participating in a program that requires this device to If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md deleted file mode 100644 index 723c882610..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-qos.md +++ /dev/null @@ -1,399 +0,0 @@ ---- -title: Policy CSP - ADMX_QOS -description: Policy CSP - ADMX_QOS -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 08/13/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_QOS - -
- - -## ADMX_QOS policies - -
-
- ADMX_QOS/QosServiceTypeBestEffort_C -
-
- ADMX_QOS/QosServiceTypeBestEffort_PV -
-
- ADMX_QOS/QosNonBestEffortLimit/a> -
-
- ADMX_QOS/QosServiceTypeControlledLoad_C -
-
- ADMX_QOS/QosServiceTypeControlledLoad_NC -
-
- ADMX_QOS/QosServiceTypeGuaranteed_C -
-
- ADMX_QOS/QosServiceTypeGuaranteed_NC/a> -
-
- ADMX_QOS/QosServiceTypeNetworkControl_C -
-
- ADMX_QOS/QosServiceTypeQualitative_C -
-
- ADMX_QOS/QosServiceTypeBestEffort_NC -
-
- ADMX_QOS/QosServiceTypeNetworkControl_NC/a> -
-
- ADMX_QOS/QosServiceTypeQualitative_NC/a> -
-
- ADMX_QOS/QosServiceTypeControlledLoad_PV/a> -
-
- ADMX_QOS/QosServiceTypeGuaranteed_PV/a> -
-
- ADMX_QOS/QosServiceTypeNetworkControl_PV/a> -
-
- ADMX_QOS/QosServiceTypeNetworkControl_PV/a> -
-
- ADMX_QOS/QosServiceTypeNonConforming/a> -
-
- ADMX_QOS/QosServiceTypeQualitative_PV/a> -
-
- ADMX_QOS/QosMaxOutstandingSends/a> -
-
- ADMX_QOS/QosTimerResolution/a> -
-
- - -
- - -**ADMX_Reliability/EE_EnablePersistentTimeStamp** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. - -If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. - -If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. - -If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. - -> [!NOTE] -> This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Enable Persistent Time Stamp* -- GP name: *EE_EnablePersistentTimeStamp* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* - - - -
- -
- - -**ADMX_Reliability/PCH_ReportShutdownEvents** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. - -If you enable this policy setting, error reporting includes unplanned shutdown events. - -If you disable this policy setting, unplanned shutdown events are not included in error reporting. - -If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. - -Also see the "Configure Error Reporting" policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Report unplanned shutdown events* -- GP name: *PCH_ReportShutdownEvents* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *Reliability.admx* - - - -
- -
- - -**ADMX_Reliability/ShutdownEventTrackerStateFile** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. - -The system state data file contains information about the basic system state as well as the state of all running processes. - -If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. - -If you disable this policy setting, the System State Data feature is never activated. - -If you do not configure this policy setting, the default behavior for the System State Data feature occurs. - -> [!NOTE] -> By default, the System State Data feature is always enabled on Windows Server 2003. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Activate Shutdown Event Tracker System State Data feature* -- GP name: *ShutdownEventTrackerStateFile* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* - - - -
- -
- - -**ADMX_Reliability/ShutdownReason** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. - -If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. - -If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) - -If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) - -If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. - -If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. - -> [!NOTE] -> By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Display Shutdown Event Tracker* -- GP name: *ShutdownReason* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* - - - -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - - - From fe6ef4f3615841747044830c668e20e1a990c404 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 26 Sep 2021 19:57:05 +0530 Subject: [PATCH 321/458] Updated --- .../mdm/policy-csp-admx-disknvcache.md | 1672 +++++++++++++++++ 1 file changed, 1672 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-disknvcache.md diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md new file mode 100644 index 0000000000..21b8d23df4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -0,0 +1,1672 @@ +--- +title: Policy CSP - ADMX_DiskNVCache +description: Policy CSP - ADMX_DiskNVCache +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskNVCache + + +
+ + +## ADMX_DiskNVCache policies + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/CachePowerModePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ + +
+ + +**ADMX_DiskNVCache/BootResumePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. + +If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. + +If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. +The system determines the data that will be stored in the NV cache to optimize boot and resume. + +The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. + +This policy setting is applicable only if the NV cache feature is on. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off boot and resume optimizations* +- GP name: *DNS_AllowFQDNNetBiosQueries* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DnsClient.admx* + + + +
+ + +**ADMX_DnsClient/DNS_AppendToMultiLabelName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. + +A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. + +For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. + +If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. + +If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. + +If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. + +If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries* +- GP name: *DNS_AppendToMultiLabelName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_Domain** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. + +If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Connection-specific DNS suffix* +- GP name: *DNS_Domain* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. +- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. + +If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. + +If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Primary DNS suffix devolution level* +- GP name: *DNS_DomainNameDevolutionLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_IdnEncoding** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. + +If this policy setting is enabled, IDNs are not converted to Punycode. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off IDN encoding* +- GP name: *DNS_IdnEncoding* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_IdnMapping** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. + +If this policy setting is enabled, IDNs are converted to the Nameprep form. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *IDN mapping* +- GP name: *DNS_IdnMapping* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_NameServer** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. + +If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *DNS servers* +- GP name: *DNS_NameServer* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. + +If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence* +- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + + +
+ + +**ADMX_DnsClient/DNS_PrimaryDnsSuffix** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. + +To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. + +> [!IMPORTANT] +> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. + +If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. + +You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. + +If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Primary DNS suffix* +- GP name: *DNS_PrimaryDnsSuffix* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegisterAdapterName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. + +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. + +If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. + +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. + +Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. + +If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Register DNS records with connection-specific DNS suffix* +- GP name: *DNS_RegisterAdapterName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegisterReverseLookup** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. + +By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. + +If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. + +To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: + +- Do not register: Computers will not attempt to register PTR resource records +- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. +- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Register PTR records* +- GP name: *DNS_RegisterReverseLookup* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. + +If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. + +If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Dynamic update* +- GP name: *DNS_RegistrationEnabled* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. + +This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. + +During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. + +If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. + +If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Replace addresses in conflicts* +- GP name: *DNS_RegistrationOverwritesInConflict* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationRefreshInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. + +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. + +> [!WARNING] +> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. + +To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. + +If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Registration refresh interval* +- GP name: *DNS_RegistrationRefreshInterval* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationTtl** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *TTL value for A and PTR records* +- GP name: *DNS_RegistrationTtl* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SearchList** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *DNS suffix search list* +- GP name: *DNS_SearchList* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. + +If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. + +If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off smart multi-homed name resolution* +- GP name: *DNS_SmartMultiHomedNameResolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartProtocolReorder** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. + +If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off smart protocol reordering* +- GP name: *DNS_SmartProtocolReorder* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateSecurityLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. + +To use this policy setting, click Enabled and then select one of the following values: + +- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. +- Only unsecure - computers send only nonsecure dynamic updates. +- Only secure - computers send only secure dynamic updates. + +If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Update security level* +- GP name: *DNS_UpdateSecurityLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." + +By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. + +If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. + +If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Update top level domain zones* +- GP name: *DNS_UpdateTopLevelDomainZones* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UseDomainNameDevolution** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Primary DNS suffix devolution* +- GP name: *DNS_UseDomainNameDevolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/Turn_Off_Multicast** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. + +If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. + +If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off multicast name resolution* +- GP name: *Turn_Off_Multicast* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + From 9102fc263de63400df2fd579f2345f857c2d28e2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 26 Sep 2021 19:58:46 +0530 Subject: [PATCH 322/458] Update policy-csp-admx-disknvcache.md --- windows/client-management/mdm/policy-csp-admx-disknvcache.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 21b8d23df4..fdbd184e60 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -101,8 +101,7 @@ This policy setting is applicable only if the NV cache feature is on. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). From d1ba094dfd847bfcfbd1442e6f5f881cea17754a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 26 Sep 2021 22:17:43 +0530 Subject: [PATCH 323/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 17 + .../mdm/policy-csp-admx-disknvcache.md | 1518 +---------------- windows/client-management/mdm/toc.yml | 2 + 4 files changed, 79 insertions(+), 1462 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0897f1666a..6b60ddd4ba 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -167,6 +167,10 @@ ms.date: 10/08/2020 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) +- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_bootresumepolicy) +- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy) +- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy) +- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy) - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a4847a452f..7bbf5190cd 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -747,6 +747,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_DiskNVCache policies + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/CachePowerModePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ ### ADMX_DistributedLinkTracking policies
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index fdbd184e60..7a22bcb596 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -20,6 +20,13 @@ manager: dansimp ## ADMX_DiskNVCache policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
ADMX_DiskNVCache/BootResumePolicy @@ -98,52 +105,52 @@ The required data is stored in the NV cache during shutdown and hibernate, respe This policy setting is applicable only if the NV cache feature is on. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: - GP Friendly name: *Turn off boot and resume optimizations* -- GP name: *DNS_AllowFQDNNetBiosQueries* +- GP name: *BootResumePolicy* - GP path: *System\Disk NV Cache* -- GP ADMX file name: *DnsClient.admx* +- GP ADMX file name: *DiskNVCache.admx*
-**ADMX_DnsClient/DNS_AppendToMultiLabelName** +**ADMX_DiskNVCache/FeatureOffPolicy** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -160,34 +167,23 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. +To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. -A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. + If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. -For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. +If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. -If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. - -If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. - -If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. - -If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. +This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries* -- GP name: *DNS_AppendToMultiLabelName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +- GP Friendly name: *Turn off non-volatile cache feature* +- GP name: *FeatureOffPolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* @@ -195,32 +191,38 @@ ADMX Info:
-**ADMX_DnsClient/DNS_Domain** +**ADMX_DiskNVCache/SolidStatePolicy** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -237,1435 +239,27 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting turns off the solid state mode for the hybrid hard disks. -If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. +If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. + +If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. + +This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP Friendly name: *Connection-specific DNS suffix* -- GP name: *DNS_Domain* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. - -With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. - -The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. - -Devolution is not enabled if a global suffix search list is configured using Group Policy. - -If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: - -- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. -- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. - -For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. - -If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. - -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. - -If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. - -If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution level* -- GP name: *DNS_DomainNameDevolutionLevel* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_IdnEncoding** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. - -If this policy setting is enabled, IDNs are not converted to Punycode. - -If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Turn off IDN encoding* -- GP name: *DNS_IdnEncoding* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_IdnMapping** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. - -If this policy setting is enabled, IDNs are converted to the Nameprep form. - -If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *IDN mapping* -- GP name: *DNS_IdnMapping* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_NameServer** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. - -To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. - -If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *DNS servers* -- GP name: *DNS_NameServer* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). - -If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. - -If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. - -> [!NOTE] -> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence* -- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +- GP Friendly name: *Turn off solid state mode* +- GP name: *SolidStatePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* -
- - -**ADMX_DnsClient/DNS_PrimaryDnsSuffix** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. - -To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. - -> [!IMPORTANT] -> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. - -If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. - -You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. - -If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix* -- GP name: *DNS_PrimaryDnsSuffix* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegisterAdapterName** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. - -By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. - -If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. - -For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. - -Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. - -If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Register DNS records with connection-specific DNS suffix* -- GP name: *DNS_RegisterAdapterName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegisterReverseLookup** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. - -By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. - -If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. - -To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: - -- Do not register: Computers will not attempt to register PTR resource records -- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. -- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. - -If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Register PTR records* -- GP name: *DNS_RegisterReverseLookup* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegistrationEnabled** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. - -If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. - -If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Dynamic update* -- GP name: *DNS_RegistrationEnabled* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. - -This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. - -During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. - -If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. - -If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Replace addresses in conflicts* -- GP name: *DNS_RegistrationOverwritesInConflict* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegistrationRefreshInterval** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. - -Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. - -> [!WARNING] -> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. - -To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. - -If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Registration refresh interval* -- GP name: *DNS_RegistrationRefreshInterval* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_RegistrationTtl** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. - -To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). - -If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *TTL value for A and PTR records* -- GP name: *DNS_RegistrationTtl* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_SearchList** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. - -An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." - -Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." - -To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. - -If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. - -If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *DNS suffix search list* -- GP name: *DNS_SearchList* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. - -If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. - -If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Turn off smart multi-homed name resolution* -- GP name: *DNS_SmartMultiHomedNameResolution* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_SmartProtocolReorder** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). - -If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. - -If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. - -> [!NOTE] -> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Turn off smart protocol reordering* -- GP name: *DNS_SmartProtocolReorder* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_UpdateSecurityLevel** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. - -To use this policy setting, click Enabled and then select one of the following values: - -- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. -- Only unsecure - computers send only nonsecure dynamic updates. -- Only secure - computers send only secure dynamic updates. - -If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. - -If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Update security level* -- GP name: *DNS_UpdateSecurityLevel* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." - -By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. - -If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. - -If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Update top level domain zones* -- GP name: *DNS_UpdateTopLevelDomainZones* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/DNS_UseDomainNameDevolution** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. - -With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. - -The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. - -Devolution is not enabled if a global suffix search list is configured using Group Policy. - -If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: - -The primary DNS suffix, as specified on the Computer Name tab of the System control panel. - -Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. - -For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. - -If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. - -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. - -If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. - -If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution* -- GP name: *DNS_UseDomainNameDevolution* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
- - -**ADMX_DnsClient/Turn_Off_Multicast** - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. - -LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. - -If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. - -If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Turn off multicast name resolution* -- GP name: *Turn_Off_Multicast* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 22e27a3a21..fc3d64ad92 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -455,6 +455,8 @@ items: href: policy-csp-admx-dfs.md - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskNVCache + href: policy-csp-admx-disknvcache.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient From 2752f0c875e8cc35edbfdf8c56ca742da721737a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 00:38:37 +0530 Subject: [PATCH 324/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 9 + .../policy-configuration-service-provider.md | 43 ++ .../mdm/policy-csp-admx-diskquota.md | 500 ++++++++++++++++++ .../mdm/policy-csp-admx-iscsi.md | 249 +++++++++ windows/client-management/mdm/toc.yml | 8 +- 5 files changed, 807 insertions(+), 2 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-diskquota.md create mode 100644 windows/client-management/mdm/policy-csp-admx-iscsi.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 6b60ddd4ba..c2fd311c26 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -171,6 +171,12 @@ ms.date: 10/08/2020 - [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy) - [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy) - [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy) +- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) +- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) +- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) +- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) +- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) +- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) @@ -408,6 +414,9 @@ ms.date: 10/08/2020 - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) +- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) +- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) +- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7bbf5190cd..a1717215e9 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -764,6 +764,29 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_DiskQuota policies + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ ### ADMX_DistributedLinkTracking policies
@@ -1595,6 +1618,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ ### ADMX_kdc policies
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md new file mode 100644 index 0000000000..928b7fe4ff --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -0,0 +1,500 @@ +--- +title: Policy CSP - ADMX_DiskQuota +description: Policy CSP - ADMX_DiskQuota +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskQuota + + +
+ +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +## ADMX_DiskQuota policies + + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ + +
+ + +**ADMX_DiskQuota/DQ_RemovableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. + +If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. + +When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + +ADMX Info: +- GP Friendly name: *Apply policy to removable media* +- GP name: *DQ_RemovableMedia* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + +**ADMX_DiskQuota/DQ_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. + +If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. + +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. + +This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + +To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + + +ADMX Info: +- GP Friendly name: *Enable disk quotas* +- GP name: *DQ_Enable* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Enforce** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. + +If you enable this policy setting, disk quota limits are enforced. + +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect. + +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. + +This policy setting overrides user settings that enable or disable quota enforcement on their volumes. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + + + + +ADMX Info: +- GP Friendly name: *Enforce disk quota limit* +- GP name: *DQ_Enforce* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +If you enable this policy setting, the system records an event when the user reaches their limit. + +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + +ADMX Info: +- GP Friendly name: *Log event when quota limit is exceeded* +- GP name: *DQ_LogEventOverLimit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverThreshold** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +If you enable this policy setting, the system records an event. + +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + +ADMX Info: +- GP Friendly name: *Log event when quota warning level is exceeded* +- GP name: *DQ_LogEventOverThreshold* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Limit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the default disk quota limit and warning level for new users of the volume. +This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. + +This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). + +If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. + +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + + + + +ADMX Info: +- GP Friendly name: *Specify default quota limit and warning level* +- GP name: *DQ_Limit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md new file mode 100644 index 0000000000..f26e77cac0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -0,0 +1,249 @@ +--- +title: Policy CSP - ADMX_iSCSI +description: Policy CSP - ADMX_iSCSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_iSCSI + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ + +
+ + +**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + +If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of iSNS servers* +- GP name: *iSCSIGeneral_RestrictAdditionalLogins* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of target portals* +- GP name: *iSCSIGeneral_ChangeIQNName* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then do not allow the initiator CHAP secret to be changed. + +If disabled then the initiator CHAP secret may be changed. + + + + + +ADMX Info: +- GP English name: *Do not allow changes to initiator CHAP secret* +- GP name: *iSCSISecurity_ChangeCHAPSecret* +- GP path: *System\iSCSI\iSCSI Security* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index fc3d64ad92..6ea77fa9dc 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -456,7 +456,9 @@ items: - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md - name: ADMX_DiskNVCache - href: policy-csp-admx-disknvcache.md + href: policy-csp-admx-disknvcache.md + - name: ADMX_DiskQuota + href: policy-csp-admx-diskquota.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -508,7 +510,9 @@ items: - name: ADMX_ICM href: policy-csp-admx-icm.md - name: ADMX_IIS - href: policy-csp-admx-iis.md + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos From 3854ea2d0d67b6a26661a90690e0347869bc0211 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 08:52:02 +0530 Subject: [PATCH 325/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 2 + .../policy-configuration-service-provider.md | 11 ++ .../mdm/policy-csp-admx-srmfci.md | 180 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 4 files changed, 195 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-srmfci.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c2fd311c26..940415d69f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -997,6 +997,8 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_srmfci/EnableShellAccessCheck](./policy-csp-admx-srmfci.md#admx-srmfci-enableshellaccesscheck) +- [ADMX_srmfci/AccessDeniedConfiguration](./policy-csp-admx-srmfci.md#admx-srmfci-accessdeniedconfiguration) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a1717215e9..b445646a02 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3582,6 +3582,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_srmfci policies + +
+
+ ADMX_srmfci/EnableShellAccessCheck +
+
+ ADMX_srmfci/AccessDeniedConfiguration +
+
+ ### ADMX_StartMenu policies
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md new file mode 100644 index 0000000000..ade211ea40 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -0,0 +1,180 @@ +--- +title: Policy CSP - ADMX_srmfci +description: Policy CSP - ADMX_srmfci +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_srmfci + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_srmfci policies + +
+
+ ADMX_srmfci/EnableShellAccessCheck +
+
+ ADMX_srmfci/AccessDeniedConfiguration +
+
+ + +
+ + +**ADMX_srmfci/EnableShellAccessCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types. + + + + + +ADMX Info: +- GP Friendly name: *Enable access-denied assistance on client for all file types* +- GP name: *EnableShellAccessCheck* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + +**ADMX_srmfci/AccessDeniedConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. + +If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. + +If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + + + + +ADMX Info: +- GP Friendly name: *Customize message for Access Denied errors* +- GP name: *AccessDeniedConfiguration* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 6ea77fa9dc..1e054a04b7 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -599,6 +599,8 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_srmfci + href: policy-csp-admx-srmfci.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore From 801f87d0c91a0ebce677f1c352e1f84581043600 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 10:27:29 +0530 Subject: [PATCH 326/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 22 ++ .../mdm/policy-csp-admx-tabletshell.md | 186 +++++++++++++++++ .../mdm/policy-csp-admx-terminalserver.md | 192 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 4 + 5 files changed, 408 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-tabletshell.md create mode 100644 windows/client-management/mdm/policy-csp-admx-terminalserver.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 940415d69f..d8399c2efd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1067,6 +1067,8 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) - [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) +- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) +- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -1102,6 +1104,8 @@ ms.date: 10/08/2020 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b445646a02..8ae9173a0f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3807,6 +3807,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ ### ADMX_Taskbar policies
@@ -3922,6 +3933,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD/a> +
+
+ ### ADMX_Thumbnails policies
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md new file mode 100644 index 0000000000..53648b8f57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_TabletShell +description: Policy CSP - ADMX_TabletShell +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TabletShell + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ + +
+ + +**ADMX_TabletShell/DisableInkball_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run. + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Inkball to run* +- GP name: *DisableInkball_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + + +
+ + +**ADMX_TabletShell/DisableNoteWriterPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow printing to Journal Note Writer* +- GP name: *DisableNoteWriterPrinting_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..ed42ebde3f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1e054a04b7..497927b006 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -605,10 +605,14 @@ items: href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md - name: ADMX_Taskbar href: policy-csp-admx-taskbar.md - name: ADMX_tcpip href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md - name: ADMX_TPM From c5d15d05dc96cd7dc3117b4f7dd7545f480796ed Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 10:32:22 +0530 Subject: [PATCH 327/458] Update policy-csp-admx-diskquota.md --- windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 928b7fe4ff..83390e65e6 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -101,7 +101,7 @@ manager: dansimp -This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. @@ -252,7 +252,7 @@ This policy setting determines whether disk quota limits are enforced and preven If you enable this policy setting, disk quota limits are enforced. -If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect. +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. From 107f7928a3f2f2c120997e193dd204354e4a5d50 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 11:00:57 +0530 Subject: [PATCH 328/458] Update policy-csp-admx-diskquota.md --- windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 83390e65e6..7310f62ec1 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -174,7 +174,7 @@ This policy setting turns on and turns off disk quota management on all NTFS vol If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. -If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. This policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. @@ -252,7 +252,7 @@ This policy setting determines whether disk quota limits are enforced and preven If you enable this policy setting, disk quota limits are enforced. -If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. From 3bead0be5f79b8dcae6b987ba70cd426cd5be428 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 11:08:16 +0530 Subject: [PATCH 329/458] Update policy-csp-admx-diskquota.md --- windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 7310f62ec1..16ccbf1dce 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -174,7 +174,7 @@ This policy setting turns on and turns off disk quota management on all NTFS vol If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. -If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. This policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. @@ -254,7 +254,7 @@ If you enable this policy setting, disk quota limits are enforced. If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. -If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. This policy setting overrides user settings that enable or disable quota enforcement on their volumes. From a06af9cf5d81ba43636d7c94fcb2b808f28c99e1 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 14:38:30 +0530 Subject: [PATCH 330/458] Update policies-in-policy-csp-admx-backed.md --- .../mdm/policies-in-policy-csp-admx-backed.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d8399c2efd..d2fdaa80a3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -167,10 +167,10 @@ ms.date: 10/08/2020 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) -- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_bootresumepolicy) -- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy) -- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy) -- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy) +- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) +- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-cachepowermodepolicy) +- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) +- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) - [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) - [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) - [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) From 38c328ae8e9b521604624093467a41c866acfd67 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 15:00:53 +0530 Subject: [PATCH 331/458] Updated --- .../policy-configuration-service-provider.md | 2 +- .../mdm/policy-csp-admx-disknvcache.md | 76 ++++++++++++++++++- 2 files changed, 76 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 8ae9173a0f..2f93d5a6f7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -759,7 +759,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_DiskNVCache/FeatureOffPolicy
-
+
1 ADMX_DiskNVCache/SolidStatePolicy
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 7a22bcb596..faa88f82d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -119,7 +119,7 @@ ADMX Info:
-**ADMX_DiskNVCache/FeatureOffPolicy** +**ADMX_DiskNVCache/CachePowerModePolicy** @@ -176,6 +176,78 @@ If you disable this policy setting, the system will manage the NV cache on the d This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + +ADMX Info: +- GP Friendly name: *Turn off non-volatile cache feature* +- GP name: *FeatureOffPolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + +
+**ADMX_DiskNVCache/FeatureOffPolicy** + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. + +To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + +If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. + +If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. + +This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + @@ -260,6 +332,8 @@ ADMX Info: +
+ From 26c17be5993873ac7ff107b7f7ff9f1e0544acdc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 15:06:10 +0530 Subject: [PATCH 332/458] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 - .../policy-configuration-service-provider.md | 3 - .../mdm/policy-csp-admx-disknvcache.md | 73 ------------------- 3 files changed, 77 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d2fdaa80a3..4817994eaa 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -168,7 +168,6 @@ ms.date: 10/08/2020 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) - [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) -- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-cachepowermodepolicy) - [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) - [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) - [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2f93d5a6f7..37eb3df14f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -753,9 +753,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_DiskNVCache/BootResumePolicy
-
- ADMX_DiskNVCache/CachePowerModePolicy -
ADMX_DiskNVCache/FeatureOffPolicy
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index faa88f82d6..2c19a0ace8 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -31,9 +31,6 @@ manager: dansimp
ADMX_DiskNVCache/BootResumePolicy
-
- ADMX_DiskNVCache/CachePowerModePolicy -
ADMX_DiskNVCache/FeatureOffPolicy
@@ -118,76 +115,6 @@ ADMX Info:
- -**ADMX_DiskNVCache/CachePowerModePolicy** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. -To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. - - If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. - -If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. - -This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. - - - - -ADMX Info: -- GP Friendly name: *Turn off non-volatile cache feature* -- GP name: *FeatureOffPolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* - - - -
**ADMX_DiskNVCache/FeatureOffPolicy** From 0c9ee789d670160e3c019c36816592e1ce6a96c5 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 17:21:55 +0530 Subject: [PATCH 333/458] Updated --- .../mdm/policy-csp-abovelock.md | 12 ++- .../mdm/policy-csp-accounts.md | 54 +++++++---- .../mdm/policy-csp-activexcontrols.md | 21 +++-- .../policy-csp-admx-activexinstallservice.md | 32 +++---- .../mdm/policy-csp-admx-addremoveprograms.md | 89 ++++--------------- .../mdm/policy-csp-admx-appcompat.md | 64 ++----------- 6 files changed, 96 insertions(+), 176 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 36f429b833..b872c74469 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -46,19 +46,23 @@ manager: dansimp - + + - + + - + + - + +
HomeNoNoNoNo
ProYes, starting in Windows 10, version 1607YesYesYes
EnterpriseYes, starting in Windows 10, version 1607YesYesYes
EducationYes, starting in Windows 10, version 1607YesYesYes
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 2416669864..ed466fe64a 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -48,27 +48,33 @@ manager: dansimp Home - NoNo + No + No Pro - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Education - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes @@ -121,27 +127,33 @@ The following list shows the supported values: Pro - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Business - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Education - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes @@ -191,27 +203,33 @@ The following list shows the supported values: Pro - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Business - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Education - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Mobile Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 05a023f63f..95c9e7d80b 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - ActiveXControls +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -46,15 +52,18 @@ manager: dansimp Pro - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Enterprise - Yes, starting in Windows 10, version 1607Yes + Yes + Yes Education - Yes, starting in Windows 10, version 1607Yes + Yes + Yes @@ -79,12 +88,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 6194474bad..c574952e31 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -13,8 +13,14 @@ manager: dansimp --- # Policy CSP - ADMX_ActiveXInstallService -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -36,24 +42,28 @@ manager: dansimp - + - + + - + + - + + - + +
Windows EditionEdition Windows 10 Windows 11
HomeNoNoNoNo
ProYes, starting in Windows 10, version 1903YesYesYes
EnterpriseYes, starting in Windows 10, version 1903YesYesYes
EducationYes, starting in Windows 10, version 1903YesYesYes
@@ -81,12 +91,6 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -99,8 +103,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 6e80fa4b4b..f7b9ef9ea1 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -14,8 +14,13 @@ manager: dansimp # Policy CSP - ADMX_AddRemovePrograms -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -121,12 +126,6 @@ If you disable this setting or do not configure it, all programs (Category: All) > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -176,8 +175,8 @@ ADMX Info: Enterprise - No - No + Yes + Yes Education @@ -208,12 +207,6 @@ If you disable this setting or do not configure it, the "Add a program from CD-R > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -295,12 +288,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -384,12 +372,7 @@ If you disable this setting or do not configure it, "Add programs from your netw > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -467,12 +450,7 @@ This policy setting removes the Add New Programs button from the Add or Remove P If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -551,12 +529,7 @@ This policy setting prevents users from using Add or Remove Programs. This setti If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -636,12 +609,7 @@ If you disable this setting or do not configure it, the Set Program Access and D -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -719,12 +687,7 @@ This policy setting removes the Change or Remove Programs button from the Add or If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -806,12 +769,7 @@ If you disable this setting or do not configure it, "Set up services" appears on > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -893,12 +851,6 @@ If you disable this setting or do not configure it, the Support Info hyperlink a > Not all programs provide a support information hyperlink. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -977,12 +929,7 @@ This policy setting removes the Add/Remove Windows Components button from the Ad If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1003,8 +950,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index d3ca0e63c5..2708da9adc 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_AppCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -128,12 +132,6 @@ If the status is set to Not Configured, the OS falls back on a local policy set > This setting appears only in Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -205,12 +203,6 @@ Enabling this policy setting removes the property page from the context-menus, b -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -286,12 +278,6 @@ Disabling telemetry will take effect on any newly launched applications. To ensu -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -368,12 +354,6 @@ If you disable or do not configure this policy setting, the Switchback will be t Reboot the system after changing the setting to ensure that your system accurately reflects those changes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -451,12 +431,6 @@ This option is useful to server administrators who require faster performance an -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -524,12 +498,6 @@ This policy setting exists only for backward compatibility, and is not valid for -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -604,12 +572,6 @@ If you disable or do not configure this policy setting, the PCA will be turned o -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -683,12 +645,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -765,12 +721,6 @@ If you disable or do not configure this policy setting, the Inventory Collector -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -782,8 +732,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. From 792889b6e7774c3706369317654cf2a8b623d681 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 27 Sep 2021 17:43:50 +0530 Subject: [PATCH 334/458] Update policy-csp-admx-touchinput.md --- windows/client-management/mdm/policy-csp-admx-touchinput.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 61f1751ef3..e5ddae159b 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -13,8 +13,6 @@ manager: dansimp --- # Policy CSP - ADMX_TouchInput -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
From d0551f280a43b95c4568c7e92c5c2e85d55b7081 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:13:01 +0500 Subject: [PATCH 335/458] Update policy-csp-timelanguagesettings.md --- .../client-management/mdm/policy-csp-timelanguagesettings.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 8ef9349148..732cf867cc 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -76,6 +76,9 @@ manager: dansimp Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. +> [!TIP] +> To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + From 2dfc9da62b3fb802653f7c0f951e85ddf3847278 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 10:48:42 -0700 Subject: [PATCH 336/458] fixing broken links --- windows/security/index.yml | 16 ++++++++-------- .../windows-security-baselines.md | 11 ++++------- 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/windows/security/index.yml b/windows/security/index.yml index 64e0ecd4fb..d7f93945a5 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -38,7 +38,7 @@ landingContent: - linkListType: concept links: - text: Trusted Platform Module - url: /windows/security/information-protection/tpm/trusted-platform-module-top-node.md + url: information-protection/tpm/trusted-platform-module-top-node.md - text: Hardware-based root of trust url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - text: System Guard Secure Launch and SMM protection @@ -46,7 +46,7 @@ landingContent: - text: Virtualization-based protection of code integrity url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - text: Kernel DMA Protection - url: /windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md + url: information-protection/kernel-dma-protection-for-thunderbolt.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) @@ -109,7 +109,7 @@ landingContent: - text: Windows Credential Theft Mitigation url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - text: Protect domain credentials - url: /windows/security/identity-protection/credential-guard/credential-guard.md + url: identity-protection/credential-guard/credential-guard.md - text: Windows Defender Credential Guard url: identity-protection/credential-guard/credential-guard.md - text: Lost or forgotten passwords @@ -151,13 +151,13 @@ landingContent: - linkListType: reference links: - text: Microsoft Security Development Lifecycle - url: /windows/security/threat-protection/msft-security-dev-lifecycle.md + url: threat-protection/msft-security-dev-lifecycle.md - text: Microsoft Bug Bounty - url: /windows/security/threat-protection/microsoft-bug-bounty-program.md + url: threat-protection/microsoft-bug-bounty-program.md - text: Common Criteria Certifications - url: /windows/security/threat-protection/windows-platform-common-criteria.md + url: threat-protection/windows-platform-common-criteria.md - text: Federal Information Processing Standard (FIPS) 140 Validation - url: /windows/security/threat-protection/fips-140-validation.md + url: threat-protection/fips-140-validation.md # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) @@ -166,5 +166,5 @@ landingContent: - linkListType: reference links: - text: Windows and Privacy Compliance - url: /windows/privacy/windows-10-and-privacy-compliance.md + url: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index ce11769894..435be7648b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -51,16 +51,13 @@ You can use security baselines to: ## Where can I get the security baselines? -[Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md) are the settings that Microsoft Intune supports for devices that run Windows 10 and Windows 11. The default values for settings represent the recommended configuration for applicable devices. +There are several ways to get and use security baselines: -[MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. +2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. - -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md). ## Community From 28ac62dcb159d8eaba97289699b4b6ec0b146f4a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 11:42:02 -0700 Subject: [PATCH 337/458] WDAC landing page --- .../windows-defender-application-control/index.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/index.yml diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml new file mode 100644 index 0000000000..e69de29bb2 From 838fca04d007ed7517f040c9b2f080ef9ce54876 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 11:42:14 -0700 Subject: [PATCH 338/458] WDAC landing --- .../index.yml | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index e69de29bb2..cc794d927c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -0,0 +1,117 @@ +### YamlMime:Landing + +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is WDAC (WDAC Overview)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about Policy Design + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Recommended blocks + url: microsoft-recommended-block-rules.md + - text: Recommended driver blocks + url: microsoft-recommended-driver-block-rules.md + - text: Example policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - text: Managing multiple policies + url: deploy-multiple-windows-defender-application-control-policies.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: create-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Using catalog files + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: WDAC Wizard tool + url: wdac-wizard.md + #- linkListType: Tutorial (videos) + # links: + # - text: Using the WDAC Wizard + # url: video md + # - text: Specifying custom values + # url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy and file rules + url: select-types-of-rules-to-create.md + - linkListType: how-to-guide + links: + - text: Allow managed installer and configure managed installer rules + url: configure-authorized-apps-deployed-with-a-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + - text: Managed MSIX and Appx Packaged Apps + url: manage-packaged-apps-with-windows-defender-application-control.md + - text: Allow com object registration + url: allow-com-object-registration-in-windows-defender-application-control-policy.md + - text: Manage plug-ins, add-ins and modules + url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Signed policies + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-and-enforce-windows-defender-application-control-policies.md + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + - text: Deployment with Group Policy + url: deploy-windows-defender-application-control-policies-using-group-policy.md + # Card + - title: Learn how to monitor WDAC events + linkLists: + - linkListType: overview + links: + - text: Understanding event IDs + url: event-id-explanations.md + - text: Understanding event Tags + url: event-tag-explanations.md + - linkListType: how-to-guide + links: + - text: Querying using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file From c042afdbed4ae1d4e811f2277a97736f5ba9544e Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:24:08 +0100 Subject: [PATCH 339/458] Link to Feature Updates Deployment On line 53, added a link to the Feature Updates for Windows 10 documentation for added clarity. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index b301ed3de2..d8e46a6497 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. ## Cloud-based management From ee789c0ceb1293a053e3a698d277a628c7d6c7d9 Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:31:39 +0100 Subject: [PATCH 340/458] Extra clarification. Line 53 - Added extra clarification for the Feature Update Deployment to indicate holds. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index d8e46a6497..11ae4f3231 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From 2a261bac7590e6a8a14913c99b3e652de542ed68 Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 21:54:17 +0100 Subject: [PATCH 341/458] Changing upper case in link Line 54 - changing upper case letters in the link as suggested by JaimeO. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 11ae4f3231..ad8033c027 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [Feature Update Deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From 386d9ee05ffd8ebdebd34d6b773e0e5a339179e7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:55:10 -0700 Subject: [PATCH 342/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index cc794d927c..1d905f2f89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -21,7 +21,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: What is WDAC (WDAC Overview)? + - text: What is Windows Defender Application Control (WDAC)? url: wdac-and-applocker-overview.md - text: What is AppLocker? url: applocker\applocker-overview.md From 38ebbb7e4fe790a86d1b167355629d69bd6c79ea Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:55:24 -0700 Subject: [PATCH 343/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 1d905f2f89..9f25459a54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -113,5 +113,5 @@ landingContent: url: event-tag-explanations.md - linkListType: how-to-guide links: - - text: Querying using advanced hunting + - text: Querying events using advanced hunting url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file From d6008c20c83972e42fdbcb7d6114e6f07e860876 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:55:41 -0700 Subject: [PATCH 344/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 9f25459a54..aa94483b51 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -86,7 +86,7 @@ landingContent: linkLists: - linkListType: overview links: - - text: Signed policies + - text: Using signed policies to protect against tampering url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - text: Audit and enforce policies url: audit-and-enforce-windows-defender-application-control-policies.md From a4eeae92e3e73dab56ce82e59916f7464d834839 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:55:50 -0700 Subject: [PATCH 345/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index aa94483b51..1dfb1ad68e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -52,7 +52,7 @@ landingContent: url: create-wdac-policy-for-fully-managed-devices.md - text: Create a WDAC policy for a fixed-workload url: create-initial-default-policy.md - - text: Using catalog files + - text: Deploying catalog files for WDAC management url: deploy-catalog-files-to-support-windows-defender-application-control.md - text: WDAC Wizard tool url: wdac-wizard.md From a8b34e773e5a2f3517b070a4cf723969729711e2 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:55:58 -0700 Subject: [PATCH 346/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 1dfb1ad68e..a7ad5b3447 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -38,7 +38,7 @@ landingContent: url: microsoft-recommended-block-rules.md - text: Recommended driver blocks url: microsoft-recommended-driver-block-rules.md - - text: Example policies + - text: Example WDAC policies url: example-wdac-base-policies.md - text: LOB Win32 apps on S Mode url: LOB-win32-apps-on-s.md From f80a7eab76ad2e0720d26d7c289ea0d8fce51929 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:56:12 -0700 Subject: [PATCH 347/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index a7ad5b3447..ef19a07a45 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -36,7 +36,7 @@ landingContent: url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md - text: Recommended blocks url: microsoft-recommended-block-rules.md - - text: Recommended driver blocks + - text: Microsoft's Recommended Driver Blocklist url: microsoft-recommended-driver-block-rules.md - text: Example WDAC policies url: example-wdac-base-policies.md From bb6509fd97d5ff8645046187ef4cd8a97f4f0081 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:56:23 -0700 Subject: [PATCH 348/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index ef19a07a45..461c852493 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -34,7 +34,7 @@ landingContent: links: - text: Using code signing to simplify application control url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md - - text: Recommended blocks + - text: Microsoft's Recommended Blocklist url: microsoft-recommended-block-rules.md - text: Microsoft's Recommended Driver Blocklist url: microsoft-recommended-driver-block-rules.md From 72a76311c9e3acf95041ab4d6622c700ed979eb6 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 13:56:34 -0700 Subject: [PATCH 349/458] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 461c852493..ef5892459f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -54,7 +54,7 @@ landingContent: url: create-initial-default-policy.md - text: Deploying catalog files for WDAC management url: deploy-catalog-files-to-support-windows-defender-application-control.md - - text: WDAC Wizard tool + - text: Using the WDAC Wizard url: wdac-wizard.md #- linkListType: Tutorial (videos) # links: From 61b73948e29f1d500056eeea83417868d1d995ce Mon Sep 17 00:00:00 2001 From: nandans-msft <91498973+nandans-msft@users.noreply.github.com> Date: Mon, 27 Sep 2021 22:03:05 +0100 Subject: [PATCH 350/458] Minor tweaks Line 53 - changed the second occurrence of feature update deployments to lower case, added "set at the version...". --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index ad8033c027..da063c4529 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the Feature Update Deployment at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From fecb25bdd9a571843207297922dd1ae728721346 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 27 Sep 2021 14:20:39 -0700 Subject: [PATCH 351/458] edits --- .../TOC.yml | 3 +++ .../zero-trust-windows-device-health.md | 19 ++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index c867f6aee4..6e2bbdd64b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -1,5 +1,8 @@ - name: Application Control for Windows + href: index.yml +- name: About application control for Windows href: windows-defender-application-control.md + expanded: true items: - name: WDAC and AppLocker Overview href: wdac-and-applocker-overview.md diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 259a09da92..17f22fad49 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -25,23 +25,24 @@ The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-tru - **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. -For Windows 11, the Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows 11 provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. And Windows 11 works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT Administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. +The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. Microsoft Intune and Azure Active Directory can be used to manage and enforce access. Plus, IT Administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. ## Device health attestation on Windows -Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: - -- If the device can be trusted. The determination is made with the help of a secure root of trust (Trusted Platform Module). Devices can attest that the TPM is enabled and in the attestation flow. - -- If the OS booted correctly. Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: +- If the device can be trusted. +- If the operating system booted correctly. - If the OS has the right set of security features enabled. -Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot and other low-level hardware and firmware security features to protect your PC from attacks. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations helps keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your systems boot, allowing relying parties to bind trust to the device and its security. + +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled in the attestation flow, and that the device has not been tampered with. + +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. A summary of the steps involved in attestation and Zero Trust on the device side are as follows: 1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. -2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that’s sent to the attestation service (learn more about the attestation service below). +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). @@ -57,7 +58,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. -8. Conditional access, along with device-compliance state then decides to grant access to protected resource or not. +8. Conditional access, along with device-compliance state then decides to allow or deny access. ## Additional Resources From 7d0e4c9b3476fcf8777f1afb14c08ffd02c93be4 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 27 Sep 2021 19:01:18 -0700 Subject: [PATCH 352/458] Acrolinx: "Bitlocker" --- windows/security/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 5773487419..d150e02df0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -75,7 +75,7 @@ items: - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - - name: Bitlocker + - name: BitLocker href: information-protection/bitlocker/bitlocker-overview.md items: - name: Overview of BitLocker Device Encryption in Windows From 56482fd86dc864f69a11794597b39ebcabcb8dc0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 27 Sep 2021 19:01:41 -0700 Subject: [PATCH 353/458] Acrolinx: "sessions.Learn" --- windows/security/identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index b9a43f3ca6..0cfa07beba 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -20,7 +20,7 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Security capabilities | Description | |:---|:---| | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | -| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| +| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | | Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| From 8141b262f48821f7a6b0c0d0b234ef0db6f24ef9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 27 Sep 2021 19:08:57 -0700 Subject: [PATCH 354/458] Acrolinx: "navigiation" --- .../windows-defender-security-center/wdsc-device-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index dfa866ecb4..8526440bc9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -29,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. From ccea675fe492f9382d171abe75ba28eb4b7f8e64 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 27 Sep 2021 19:10:04 -0700 Subject: [PATCH 355/458] Acrolinx: "navigiation" --- .../windows-defender-security-center/wdsc-family-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index a719854982..a9e4a148c5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. From bf6c648e6b493a316a279d758785747d0e426a5d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 27 Sep 2021 20:05:35 -0700 Subject: [PATCH 356/458] Added image border via updated image reference --- .../wdsc-windows-10-in-s-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 3b0f4cf952..7f3ef48df0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -26,7 +26,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). From f57e7e1552713385ddff5c0388cea4eb80eba821 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 28 Sep 2021 10:59:22 +0530 Subject: [PATCH 357/458] Updated --- .../mdm/policy-csp-admx-desktop.md | 327 +++++------------- .../mdm/policy-csp-admx-deviceinstallation.md | 103 ++---- .../mdm/policy-csp-admx-devicesetup.md | 32 +- .../mdm/policy-csp-admx-digitallocker.md | 33 +- ...policy-csp-admx-distributedlinktracking.md | 21 +- .../mdm/policy-csp-admx-dnsclient.md | 249 ++++--------- .../mdm/policy-csp-admx-dwm.md | 75 ++-- .../mdm/policy-csp-admx-eaime.md | 149 +++----- .../mdm/policy-csp-admx-encryptfilesonmove.md | 22 +- .../mdm/policy-csp-admx-enhancedstorage.md | 76 ++-- 10 files changed, 325 insertions(+), 762 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4fb236ccc9..575e15bf06 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Desktop -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -146,8 +151,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -173,12 +178,7 @@ If you disable this setting or do not configure it, the filter bar does not appe To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -223,8 +223,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -252,12 +252,7 @@ If you disable this setting or do not configure it, the Active Directory folder This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -302,8 +297,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -329,12 +324,7 @@ If you disable this setting or do not configure it, the system displays up to 10 This setting is designed to protect the network and the domain controller from the effect of expansive searches. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -379,8 +369,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -407,12 +397,6 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -457,8 +441,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -485,12 +469,7 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -534,8 +513,8 @@ ADMX Info: Yes Education - No - No + Yes + Yes @@ -557,12 +536,6 @@ Prevents the user from enabling or disabling Active Desktop or changing the Acti This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -607,8 +580,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -632,12 +605,7 @@ Removing icons and shortcuts does not prevent the user from using another method Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -682,8 +650,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -710,12 +678,7 @@ If you disable this setting or do not configure it, the default behavior of the > When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -760,8 +723,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -783,12 +746,7 @@ Removes the Internet Explorer icon from the desktop and from the Quick Launch ba This setting does not prevent the user from starting Internet Explorer by using other methods. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -833,8 +791,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -863,12 +821,7 @@ If you do not configure this setting, the default is to display Computer as usua > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -913,8 +866,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -942,12 +895,6 @@ This setting does not remove the My Documents icon from the Start menu. To do so > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -992,8 +939,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1018,12 +965,7 @@ This setting only affects the desktop icon. It does not prevent users from conne > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1068,8 +1010,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1093,12 +1035,7 @@ If you enable this setting, the Properties option will not be present when the u If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1143,8 +1080,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1172,12 +1109,7 @@ If you enable this policy setting, the Properties menu command will not be displ If you disable or do not configure this policy setting, the Properties menu command is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1222,8 +1154,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1247,12 +1179,7 @@ If you disable this setting or do not configure it, when you open a document in If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1297,8 +1224,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1325,12 +1252,6 @@ This setting does not prevent the user from using other methods to gain access t > To make changes to this setting effective, you must log off and then log back on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1375,8 +1296,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1400,12 +1321,7 @@ If you enable this setting, the Properties option will not be present when the u If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1445,13 +1361,13 @@ ADMX Info: Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -1473,12 +1389,7 @@ Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1523,8 +1434,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1548,12 +1459,6 @@ If you enable this policy, application windows will not be minimized or restored If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1598,8 +1503,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1630,12 +1535,6 @@ Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Pr > This setting does not apply to remote desktop server sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1680,8 +1579,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1705,12 +1604,6 @@ This setting removes the "New" button from Web tab in Display in Control Panel. Also, see the "Disable all items" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1755,8 +1648,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1783,12 +1676,7 @@ If you enable this setting, items added to the desktop cannot be closed; they al > This setting does not prevent users from deleting items from their Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1833,8 +1721,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1860,12 +1748,7 @@ This setting does not prevent users from adding Web content to their Active Desk Also, see the "Prohibit closing items" and "Disable all items" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1910,8 +1793,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1933,12 +1816,7 @@ Prevents users from changing the properties of Web content items on their Active This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1983,8 +1861,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2009,12 +1887,7 @@ This setting removes all Active Desktop items from the desktop. It also removes > This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2059,8 +1932,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2090,12 +1963,7 @@ You can also use this setting to delete particular Web-based items from users' d > For this setting to take affect, you must log off and log on to the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2140,8 +2008,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2171,12 +2039,7 @@ If you enable this setting, users cannot add or remove toolbars from the desktop Also, see the "Prohibit adjusting desktop toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2221,8 +2084,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2249,12 +2112,7 @@ This setting does not prevent users from adding or removing toolbars on the desk Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2299,8 +2157,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2322,12 +2180,7 @@ Permits only bitmap images for wallpaper. This setting limits the desktop backgr Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2340,7 +2193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 9be53d2bcc..b8b64ce774 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -78,13 +83,13 @@ manager: dansimp Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -108,12 +113,7 @@ If you enable this policy setting, members of the Administrators group can use t If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -158,8 +158,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -183,12 +183,7 @@ If you enable this policy setting, Windows displays the text you type in the Det If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -233,8 +228,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -258,12 +253,7 @@ If you enable this policy setting, Windows displays the text you type in the Mai If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -308,8 +298,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -333,12 +323,7 @@ If you enable this policy setting, Windows waits for the number of seconds you s If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -383,8 +368,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -410,12 +395,7 @@ If you disable or do not configure this policy setting, the system does not forc Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -460,8 +440,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -484,12 +464,7 @@ If you enable this policy setting, Windows is prevented from installing removabl If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -534,8 +509,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -559,12 +534,7 @@ If you enable this policy setting, Windows does not create a system restore poin If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -609,8 +579,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -635,12 +605,7 @@ If you disable or do not configure this policy setting, only members of the Admi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -653,6 +618,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 83ee93d63c..17ee9b18a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceSetup -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -65,8 +70,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -90,12 +95,7 @@ If you enable this policy setting, "Found New Hardware" balloons do not appear w If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -140,8 +140,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -167,12 +167,6 @@ Note that searching always implies that Windows will attempt to search Windows U If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -185,7 +179,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 62334a7178..e9379aa5be 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DigitalLocker -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -65,8 +70,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -92,12 +97,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -142,8 +142,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -169,12 +169,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -187,8 +182,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index a15f2e874e..ed55f58aa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DistributedLinkTracking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -89,12 +94,6 @@ This policy should not be set unless the DLT server is running on all domain con > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -107,8 +106,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 41090af7c8..f1dc91e8d4 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_DnsClient -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -125,8 +129,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -150,12 +154,7 @@ If you enable this policy setting, NetBT queries will be issued for multi-label If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -199,8 +198,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -232,12 +231,6 @@ If you disable this policy setting, no suffixes are appended to unqualified mult If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -282,8 +275,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -307,12 +300,7 @@ If you enable this policy setting, the DNS suffix that you enter will be applied If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -357,8 +345,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -399,12 +387,7 @@ If you enable this policy setting and DNS devolution is also enabled, DNS client If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -450,8 +433,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -475,12 +458,7 @@ If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -525,8 +503,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -550,12 +528,7 @@ If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -600,8 +573,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -627,12 +600,7 @@ If you enable this policy setting, the list of DNS servers is applied to all net If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -677,8 +645,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -705,12 +673,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -756,8 +718,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -787,12 +749,7 @@ You can use this policy setting to prevent users, including local administrators If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -837,8 +794,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -867,12 +824,7 @@ Important: This policy setting is ignored on a DNS client computer if dynamic DN If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -917,8 +869,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -949,12 +901,7 @@ To use this policy setting, click Enabled, and then select one of the following If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -999,8 +946,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1024,12 +971,7 @@ If you enable this policy setting, or you do not configure this policy setting, If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1074,8 +1016,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1103,12 +1045,7 @@ If you enable this policy setting or if you do not configure this policy setting If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1153,8 +1090,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1185,12 +1122,7 @@ If you enable this policy setting, registration refresh interval that you specif If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1235,8 +1167,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1262,12 +1194,7 @@ If you enable this policy setting, the TTL value that you specify will be applie If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1312,8 +1239,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1343,12 +1270,7 @@ If you enable this policy setting, one DNS suffix is attached at a time for each If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1394,8 +1316,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1419,12 +1341,7 @@ If you enable this policy setting, the DNS client will not perform any optimizat If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1469,8 +1386,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1497,12 +1414,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1546,8 +1457,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1577,12 +1488,7 @@ If you enable this policy setting, computers that attempt to send dynamic DNS up If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1627,8 +1533,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1654,12 +1560,7 @@ If you enable this policy setting, computers send dynamic updates to any zone th If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1704,8 +1605,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1747,12 +1648,7 @@ If you enable this policy setting, or if you do not configure this policy settin If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1797,8 +1693,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1824,12 +1720,7 @@ If you enable this policy setting, LLMNR will be disabled on all available netwo If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1841,7 +1732,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 37070921de..b8fc8128ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DWM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -77,8 +82,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -105,12 +110,6 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -156,8 +155,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -184,12 +183,7 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -234,8 +228,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -261,12 +255,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -310,8 +299,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -337,12 +326,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -387,8 +371,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -415,12 +399,7 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -465,8 +444,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -493,12 +472,6 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -511,7 +484,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 36cb590d5c..f339803e93 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EAIME -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -94,8 +99,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -123,12 +128,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -172,8 +172,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -214,12 +214,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,8 +259,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -296,12 +291,7 @@ This policy setting is applied to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,8 +336,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -376,12 +366,6 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -401,7 +385,8 @@ ADMX Info: - + + @@ -425,8 +410,8 @@ ADMX Info: - - + +
EditionSuppWindows 10Windows 11
Home
EducationNoNoYesYes
@@ -457,12 +442,7 @@ This policy setting applies to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -507,8 +487,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -536,12 +516,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary This policy setting is applied to Japanese Microsoft IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -586,8 +561,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -613,12 +588,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save This policy setting applies to Japanese Microsoft IME only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -663,8 +633,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -692,12 +662,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -742,8 +707,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -771,12 +736,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -821,8 +781,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -850,12 +810,7 @@ If you don't configure this policy setting, it will be turned on by default, and This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -895,13 +850,13 @@ ADMX Info: Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -929,12 +884,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -979,8 +929,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1006,12 +956,7 @@ If you disable or do not configure this policy setting, misconversion logging is This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1024,7 +969,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index b063efc3d2..c302a45683 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EncryptFilesonMove -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -89,12 +94,7 @@ If you disable or do not configure this policy setting, File Explorer automatica This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -107,8 +107,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 950fe416fa..2d325be21b 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EnhancedStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -72,13 +77,13 @@ manager: dansimp Enterprise - No - No + Yes + Yes Education - No - No + Yes + Yes @@ -102,12 +107,6 @@ If you enable this policy setting, only Enhanced Storage devices that contain a If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -152,8 +151,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -177,12 +176,6 @@ If you enable this policy setting, only IEEE 1667 silos that match a silo type i If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -227,8 +220,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -252,12 +245,6 @@ If you enable this policy setting, a password cannot be used to unlock an Enhanc If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -302,8 +289,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -327,12 +314,6 @@ If you enable this policy setting, non-Enhanced Storage removable devices are no If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -377,8 +358,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -404,12 +385,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -454,8 +429,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -479,12 +454,6 @@ If you enable this policy setting, only USB root hub connected Enhanced Storage If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -497,8 +466,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - From 4fa1b3ca16538d60ee76e158e716d964fa70f54c Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 28 Sep 2021 11:35:38 +0530 Subject: [PATCH 358/458] Updated --- .../mdm/policy-csp-admx-ciphersuiteorder.md | 31 +- .../mdm/policy-csp-admx-com.md | 31 +- .../mdm/policy-csp-admx-controlpanel.md | 55 ++-- .../policy-csp-admx-controlpaneldisplay.md | 264 +++++------------- .../mdm/policy-csp-admx-cpls.md | 22 +- .../policy-csp-admx-credentialproviders.md | 46 +-- .../mdm/policy-csp-admx-credssp.md | 122 ++------ .../mdm/policy-csp-admx-credui.md | 36 +-- .../mdm/policy-csp-admx-ctrlaltdel.md | 52 ++-- 9 files changed, 188 insertions(+), 471 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index b0f0a3ca01..514efdce81 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_CipherSuiteOrder -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -66,8 +70,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -93,12 +97,7 @@ If you disable or do not configure this policy setting, default cipher suite ord For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -145,8 +144,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -182,12 +181,6 @@ CertUtil.exe -DisplayEccCurve ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -200,7 +193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 515d46c987..abac5580d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_COM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -66,8 +70,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -95,12 +99,7 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -147,8 +146,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -176,12 +175,6 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -194,7 +187,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index bd127d636b..bdd6e7f313 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -71,8 +76,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -104,12 +109,7 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -154,8 +154,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -184,12 +184,7 @@ If this policy setting is not configured, the Control Panel opens to the view us > Icon size is dependent upon what the user has set it to in the previous session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -234,8 +229,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -271,12 +266,7 @@ This setting removes PC settings from: If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -324,8 +314,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -358,12 +348,6 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -376,7 +360,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 828dd52285..d86682733e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanelDisplay -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -131,8 +136,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -156,12 +161,7 @@ If you enable this setting, the Display Control Panel does not run. When users t Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -210,8 +210,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -234,12 +234,7 @@ Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -289,8 +284,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -317,12 +312,6 @@ If you disable or do not configure this setting, a user may change the color sch For Windows 7 and later, use the "Prevent changing color and appearance" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -371,8 +360,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -400,12 +389,6 @@ If you disable or do not configure this setting, there is no effect. > If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -454,8 +437,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -480,12 +463,6 @@ When enabled on Windows XP, this setting disables the "Windows and buttons" drop When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -534,8 +511,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -564,12 +541,6 @@ If you enable it, a screen saver runs, provided the following two conditions hol Also, see the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -618,8 +589,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -648,12 +619,7 @@ This can be used in conjunction with the "Prevent changing lock screen and logon Note: This setting only applies to Enterprise, Education, and Server SKUs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -702,8 +668,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -728,12 +694,6 @@ If this setting is enabled, the "Font size" drop-down list on the Appearance tab If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -782,8 +742,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -808,12 +768,6 @@ By default, users can change the background image shown when the machine is lock If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -862,8 +816,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -892,12 +846,6 @@ If the "Force a specific background and accent color" policy is also set on a su If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -946,8 +894,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -974,12 +922,6 @@ If this setting is disabled or not configured, the Color (or Window Color) page For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1028,8 +970,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1060,12 +1002,6 @@ Note: You must also enable the "Desktop Wallpaper" setting to prevent users from Also, see the "Allow only bitmapped wallpaper" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1114,8 +1050,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1142,12 +1078,6 @@ If you enable this setting, none of the desktop icons can be changed by the user For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1196,8 +1126,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1222,12 +1152,6 @@ If you enable this policy setting, users that are not required to press CTRL + A If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1276,8 +1200,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1302,12 +1226,6 @@ By default, users can use the Pointers tab in the Mouse Control Panel to add, re If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1356,8 +1274,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1380,12 +1298,6 @@ Prevents the Screen Saver dialog from opening in the Personalization or Display This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1434,8 +1346,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1460,12 +1372,6 @@ By default, users can use the Sounds tab in the Sound Control Panel to add, remo If you enable this setting, none of the Sound Scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1514,8 +1420,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1540,12 +1446,6 @@ By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1594,8 +1494,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1627,12 +1527,6 @@ To ensure that a computer will be password protected, enable the "Enable Screen > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1679,8 +1573,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1715,12 +1609,6 @@ This setting has no effect under any of the following circumstances: When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1739,8 +1627,9 @@ ADMX Info: - - + + + @@ -1768,8 +1657,8 @@ ADMX Info: - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
EducationNoNoYesYes
@@ -1801,12 +1690,6 @@ If the specified screen saver is not installed on a computer to which this setti > This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1855,8 +1738,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1881,12 +1764,6 @@ If you enable this setting, the theme that you specify will be applied when a ne If you disable or do not configure this setting, the default theme will be applied at the first logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1905,8 +1782,9 @@ ADMX Info: - - + + + @@ -1934,8 +1812,8 @@ ADMX Info: - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
EducationNoNoYesYes
@@ -1969,12 +1847,6 @@ If you disable or do not configure this setting, the users can select the visual > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2023,8 +1895,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -2049,12 +1921,6 @@ If this setting is set to zero or not configured, then Start uses the default ba If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2067,7 +1933,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index e1ee9b86de..71ba7fb9c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Cpls -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -66,8 +71,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -95,12 +100,7 @@ If you enable this policy setting, the default user account picture will display If you disable or do not configure this policy setting, users will be able to customize their account pictures. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,8 +113,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 0cad585609..92d2b7cfc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredentialProviders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -72,8 +77,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -102,12 +107,7 @@ If you don't configure this policy setting on a domain-joined device, a user can If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -156,8 +156,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -185,12 +185,6 @@ If you disable or do not configure this policy setting, the system picks the def > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -240,8 +234,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -269,12 +263,6 @@ If you enable this policy, an administrator can specify the CLSIDs of the creden If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -287,9 +275,5 @@ ADMX Info:
-> [!NOTE] -> These policies are for upcoming release. - - -These policies are currently only available as part of a Windows Insider release. \ No newline at end of file + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index f55b199a4f..2c66db1203 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredSsp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -96,8 +101,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -132,12 +137,7 @@ If you disable or do not configure (by default) this policy setting, delegation > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -186,8 +186,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -228,12 +228,6 @@ https://go.microsoft.com/fwlink/?LinkId=301508 > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -282,8 +276,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -319,12 +313,6 @@ If you enable this policy setting, CredSSP version support will be selected base For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -373,8 +361,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -412,12 +400,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -466,8 +448,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -505,12 +487,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -559,8 +535,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -598,12 +574,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -652,8 +622,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -691,12 +661,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -745,8 +709,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -782,12 +746,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -836,8 +794,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -873,12 +831,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -927,8 +879,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -964,12 +916,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1018,8 +964,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1056,12 +1002,6 @@ If you disable or do not configure this policy setting, Restricted Admin and Rem > On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1074,8 +1014,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index d1ad1b5737..b6e48f936c 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredUI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -69,8 +74,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -98,12 +103,6 @@ If you enable this policy setting, users will be required to enter Windows crede If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -152,8 +151,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -174,12 +173,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,10 +184,6 @@ ADMX Info: -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +< diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 9836d5e9d0..0098e79df8 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CtrlAltDel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -75,8 +80,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -101,12 +106,7 @@ If you enable this policy setting, the 'Change Password' button on the Windows S However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -156,8 +156,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -187,12 +187,6 @@ If you disable or do not configure this policy setting, users will be able to lo > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -240,8 +234,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -268,12 +262,6 @@ If you enable this policy setting, users will not be able to access Task Manager If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -322,8 +310,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -350,12 +338,6 @@ Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -368,8 +350,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. From 279f4a52425727e8414ed832c163ca36f05d82d6 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 28 Sep 2021 14:12:33 +0530 Subject: [PATCH 359/458] Updated --- .../mdm/policy-csp-admx-appxpackagemanager.md | 22 ++- .../mdm/policy-csp-admx-appxruntime.md | 52 ++---- .../mdm/policy-csp-admx-attachmentmanager.md | 61 ++----- .../mdm/policy-csp-admx-auditsettings.md | 23 ++- .../mdm/policy-csp-admx-bits.md | 163 +++++------------- 5 files changed, 98 insertions(+), 223 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 0b8b0533a4..4e924cb2a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppxPackageManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + > [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -94,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -112,7 +112,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index aaec3dafb9..74860dbb38 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppXRuntime -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -71,8 +76,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -95,12 +100,7 @@ If you enable this policy setting, you can define additional Content URI Rules t If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -145,8 +145,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -171,12 +171,6 @@ If you enable this policy setting, Windows Store apps cannot open files in the d If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -221,8 +215,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -249,12 +243,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -299,8 +287,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -328,12 +316,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -346,8 +328,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index ad8afe2281..9ddc5dc7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AttachmentManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -74,8 +79,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -105,12 +110,6 @@ If you disable this policy setting, Windows uses its default trust logic, which If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -154,8 +153,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -187,12 +186,6 @@ If you disable this policy setting, Windows sets the default risk level to moder If you do not configure this policy setting, Windows sets the default risk level to moderate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -237,8 +230,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -264,12 +257,6 @@ If you disable this policy setting, Windows uses its built-in list of file types If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -314,8 +301,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -341,12 +328,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -391,8 +372,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -418,12 +399,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -436,7 +411,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index e2ccc80ff4..5e4ce66ca3 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -12,9 +12,14 @@ ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_AuditSettings -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - ADMX_AuditSettings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -92,12 +97,6 @@ Default is Not configured. > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -110,8 +109,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 76a477a1a4..db5b7fc71f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Bits -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -101,8 +106,8 @@ manager: dansimp Education - No - No + Yes + Yes @@ -127,14 +132,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -179,8 +178,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -207,12 +206,7 @@ If you disable or do not configure this policy setting, the computer attempts to > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -257,8 +251,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -285,12 +279,7 @@ If you disable or do not configure this policy setting, the computer will offer > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -336,8 +325,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -363,12 +352,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -414,8 +398,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -446,12 +430,6 @@ If you disable this policy setting or do not configure it, the default value of > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -496,8 +474,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -526,12 +504,6 @@ If you disable or do not configure this policy setting, the limits defined for w > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -577,8 +549,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -604,12 +576,6 @@ You can specify a limit to use for background jobs during a work schedule. For e If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -655,8 +621,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -683,12 +649,6 @@ If you disable or do not configure this policy setting, the default size of the > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -733,8 +693,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -761,12 +721,6 @@ If you disable or do not configure this policy setting, files that have not been > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -807,12 +761,12 @@ ADMX Info: Enterprise Yes - Yestd> + Yes Education - No - No + Yes + Yes @@ -840,12 +794,7 @@ If you enable this policy setting, you can set the maximum job download time to If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -890,8 +839,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -918,12 +867,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -968,8 +912,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -996,12 +940,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1046,8 +985,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1074,12 +1013,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1124,8 +1058,8 @@ ADMX Info: Education - No - No + Yes + Yes @@ -1152,12 +1086,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1170,8 +1099,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. From c16ef88881d0a1331e6a08f45c3eaa44c5491929 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 28 Sep 2021 14:18:38 +0530 Subject: [PATCH 360/458] Updated with review comments --- .../mdm/policy-csp-admx-networkconnections.md | 13 ++++++------- .../mdm/policy-csp-admx-printing.md | 4 +--- .../mdm/policy-csp-admx-reliability.md | 2 -- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 93c7d26bdf..e0e2c1610b 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -792,14 +792,13 @@ This policy setting determines whether settings that existed in Windows 2000 Ser The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. -By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. +By default, Network Connections group settings in Windows do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. + +If you disable this setting or do not configure it, Windows settings that existed in Windows 2000 will not apply to administrators. -If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. -> [!NOTE] -> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. @@ -1501,7 +1500,7 @@ If you disable this setting or do not configure it, the Properties button is ena The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [NOTE] +> [!NOTE] > Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. > > When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. @@ -2045,7 +2044,7 @@ ICS lets administrators configure their system as an Internet gateway for a smal If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index cceb1665c6..fe3a0db756 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -399,7 +399,6 @@ If you disable this policy setting, the client computer will only search the loc This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. -By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. @@ -847,14 +846,13 @@ ADMX Info: Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. -If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. > [!NOTE] -> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. +> This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 90b7ddfb6a..d7e4ecc5bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -256,8 +256,6 @@ If you disable this policy setting, the System State Data feature is never activ If you do not configure this policy setting, the default behavior for the System State Data feature occurs. -> [!NOTE] -> By default, the System State Data feature is always enabled on Windows Server 2003. From 4a5580786e1a6ae71e2f8e4f7bf1894b575ffb82 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 28 Sep 2021 07:39:57 -0700 Subject: [PATCH 361/458] Update docfx.json Changing Microsoft 365 security to Windows security --- windows/security/docfx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 3a997cd1e9..d1a625e8bd 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -48,7 +48,7 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security", + "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", From 046287fd565696df7282b2b0fcb2c6053ac1b021 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 28 Sep 2021 10:22:53 -0700 Subject: [PATCH 362/458] Update policy-csp-timelanguagesettings.md --- .../client-management/mdm/policy-csp-timelanguagesettings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 732cf867cc..b6c1c6d85e 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 09/28/2021 ms.reviewer: manager: dansimp --- From 9084ed655b94533391ae4d894b5b58d127c02cfe Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Tue, 28 Sep 2021 23:15:12 +0530 Subject: [PATCH 363/458] Made a change --- .../smart-card-how-smart-card-sign-in-works-in-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 8dc9a36c37..05d1dbf771 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows) +title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy From 5e27c5ce8ac7e2061cc664cac4ed045a62ff28d6 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Tue, 28 Sep 2021 23:20:43 +0530 Subject: [PATCH 364/458] Minor changes --- .../user-account-control/how-user-account-control-works.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index abdfb49e90..a5676db15b 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -28,9 +28,9 @@ User Account Control (UAC) is a fundamental component of Microsoft's overall sec ## UAC process and interactions -Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 and Windows 11 protect processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. +Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. -In order to better understand how this process happens, let's look at the Windows logon process. +To better understand how this process happens, let's look at the Windows logon process. ### Logon process From e5b694fcd418b6abe30251056b4f9307e6d65e5c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 28 Sep 2021 11:05:05 -0700 Subject: [PATCH 365/458] Update delivery-optimization-workflow.md --- windows/deployment/update/delivery-optimization-workflow.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..8a493889bd 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -40,5 +40,5 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identified of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | | dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | From 5d0648b05cdcd08b123f75493d84d164114f68c4 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 11:26:13 -0700 Subject: [PATCH 366/458] update with 11 --- .../windows-10-subscription-activation.md | 60 +++++++++++-------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 16e8c70c2a..b52b567397 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Subscription Activation -description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions. +title: Windows 10/11 Subscription Activation +description: In this article, you will learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. keywords: upgrade, update, task sequence, deploy ms.custom: seo-marvel-apr2020 ms.prod: w10 @@ -17,45 +17,49 @@ search.appverid: ms.topic: article --- -# Windows 10 Subscription Activation +# Windows 10/11 Subscription Activation -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. +Applies to: +- Windows 10 +- Windows 11 -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. +Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. + +With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. -## Subscription Activation for Windows 10 Enterprise +## Subscription Activation for Windows 10 Enterprise and Windows 11 Enterprise -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. +With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise or Windows 11 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: -- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. -- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. +- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. +- Product key-based Windows 10 Enterprise or Windows 11 Enterpise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -## Subscription Activation for Windows 10 Education +## Subscription Activation for Windows 10 Education and Windows 11 Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. ## Summary - [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. - [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. - [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. +- [Benefits](#benefits): Advantages of Windows 10/11 subscription-based licensing. - [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10/11 Subscription Activation for VMs in the cloud. -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). ## Inherited Activation -Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. +Inherited Activation is a new feature available in Windows 10, version 1803 or later that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. -When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. +When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. @@ -83,12 +87,15 @@ The following figure illustrates how deploying Windows 10 has evolved with each - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. +> [!NOTE] +> All the benefits of Windows 10 Subscription Activation are carried forward with Windows 11 and Windows 10/11 Subscription Activation. + ## Requirements -### Windows 10 Enterprise requirements +### Windows 10/11 Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements do not apply to general Windows 10/11 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > [!NOTE] > Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. @@ -99,7 +106,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) @@ -123,7 +130,7 @@ If the device is running Windows 10, version 1809 or later: ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) -### Windows 10 Education requirements +### Windows 10/11 Education requirements - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. @@ -139,7 +146,7 @@ If the device is running Windows 10, version 1809 or later: ## Benefits -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) - [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) @@ -158,6 +165,9 @@ You can benefit by moving to Windows as an online service in the following ways: ## How it works +> [!NOTE] +. The following Windows 10 examples and scenarios also apply to Windows 11. + The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. @@ -214,8 +224,8 @@ If you’re running Windows 7, it can be more work.  A wipe-and-load approach w The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. @@ -224,7 +234,7 @@ When you have the required Azure AD subscription, group-based licensing is the p ### Existing Enterprise deployments -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). @@ -273,7 +283,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). From acc1caa9c0efe9909c332368c165e2daabc5b7d1 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 12:15:45 -0700 Subject: [PATCH 367/458] update with 11 --- windows/deployment/TOC.yml | 6 +- .../windows-10-enterprise-e3-overview.md | 67 +++++++++---------- .../windows-10-subscription-activation.md | 24 ++----- 3 files changed, 40 insertions(+), 57 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 18817d1d38..cdcc9f1abd 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -134,13 +134,13 @@ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Subscription Activation items: - - name: Windows 10 Subscription Activation + - name: Windows 10/11 Subscription Activation href: windows-10-subscription-activation.md - - name: Windows 10 Enterprise E3 in CSP + - name: Windows 10/11 Enterprise E3 in CSP href: windows-10-enterprise-e3-overview.md - name: Configure VDA for Subscription Activation href: vda-subscription-activation.md - - name: Deploy Windows 10 Enterprise licenses + - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - name: Deploy Windows 10 updates items: diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 33fe4e9e80..f9f45982f7 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,5 +1,5 @@ --- -title: Windows 10 Enterprise E3 in CSP +title: Windows 10/11 Enterprise E3 in CSP description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 08/24/2017 +ms.date: 09/28/2021 ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro author: greg-lindsay audience: itpro @@ -17,51 +17,46 @@ ms.collection: M365-modern-desktop ms.topic: article --- -# Windows 10 Enterprise E3 in CSP +# Windows 10/11 Enterprise E3 in CSP -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10/11 Enterprise E3 in CSP is available now for both Windows 10 and Windows 11. It delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded. Windows 11 is considered "later" in this context. - Azure Active Directory (Azure AD) available for identity management -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? +How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. +In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11. ## Compare Windows 10 Pro and Enterprise editions +> [NOTE!] +> The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available. + Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. *Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* @@ -140,19 +135,19 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -## Deployment of Windows 10 Enterprise E3 licenses +## Deployment of Windows 10/11 Enterprise E3 licenses See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). -## Deploy Windows 10 Enterprise features +## Deploy Windows 10/11 Enterprise features -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? +Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features. ### Credential Guard\* -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. @@ -174,7 +169,7 @@ For more information about implementing Credential Guard, see the following reso ### Device Guard -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: +Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. @@ -197,7 +192,7 @@ For more information about implementing Device Guard, see: ### AppLocker management -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). @@ -209,7 +204,7 @@ App-V requires an App-V server infrastructure to support App-V clients. The prim - **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: @@ -253,7 +248,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan) -
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) \ No newline at end of file +[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index b52b567397..3582a6b312 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -27,7 +27,7 @@ Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. +The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. ## Subscription Activation for Windows 10 Enterprise and Windows 11 Enterprise @@ -42,7 +42,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se ## Subscription Activation for Windows 10 Education and Windows 11 Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-10-11-education-requirements) section. ## Summary @@ -59,7 +59,7 @@ For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Win Inherited Activation is a new feature available in Windows 10, version 1803 or later that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. -When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. +When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. @@ -72,37 +72,28 @@ The following figure illustrates how deploying Windows 10 has evolved with each ![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
- - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
- - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
- - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
- - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
- - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
- - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
- - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. - -> [!NOTE] -> All the benefits of Windows 10 Subscription Activation are carried forward with Windows 11 and Windows 10/11 Subscription Activation. +- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation does not update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements ### Windows 10/11 Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows 10/11 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > [!NOTE] > Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. @@ -133,11 +124,8 @@ If the device is running Windows 10, version 1809 or later: ### Windows 10/11 Education requirements - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. - - A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. - - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. - - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. > [!IMPORTANT] From 246e887958b4b73f7fdf44d4d332fed0adbbae1f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 12:26:57 -0700 Subject: [PATCH 368/458] update with 11 --- .../deployment/deploy-enterprise-licenses.md | 80 ++++++++----------- .../deployment/vda-subscription-activation.md | 4 +- 2 files changed, 37 insertions(+), 47 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1101efd400..35d5e7ad7f 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,10 +1,10 @@ --- -title: Deploy Windows 10 Enterprise licenses +title: Deploy Windows 10/11 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro ms.author: greglin -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy @@ -16,18 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Deploy Windows 10 Enterprise licenses +# Deploy Windows 10/11 Enterprise licenses -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. +> [!NOTE] +> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. +> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. ->[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> [!IMPORTANT] +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". @@ -50,24 +50,17 @@ If you are an EA customer with an existing Office 365 tenant, use the following - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. - -1. The admin can now assign subscription licenses to users. +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - 2. Click **Subscriptions**. - 3. Click **Online Services Agreement List**. - 4. Enter your agreement number, and then click **Search**. - 5. Click the **Service Name**. - 6. In the **Subscription Contact** section, click the name listed under **Last Name**. - 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -76,9 +69,9 @@ Also in this article: ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -91,16 +84,16 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> [!NOTE] +> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: > [!div class="mx-imgBorder"] > ![profile.](images/al01.png) @@ -121,11 +114,11 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? ### Step 1: Join Windows 10 Pro devices to Azure AD -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. **To join a device to Azure AD the first time the device is started** @@ -176,16 +169,15 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +> [!IMPORTANT] +> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
Windows 10 Pro activated
Figure 7a - Windows 10 Pro activation in Settings -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - +Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** +If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T +> [!NOTE] +> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 25ae02c985..c7c43f8741 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -20,7 +20,7 @@ ms.collection: M365-modern-desktop # Configure VDA for Windows 10 Subscription Activation -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. Deployment instructions are provided for the following scenarios: 1. [Active Directory-joined VMs](#active-directory-joined-vms) @@ -29,7 +29,7 @@ Deployment instructions are provided for the following scenarios: ## Requirements -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. - VMs must be generation 1. - VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). From 47467de7ff79e6e291e90e74a3783b3c73cb66fd Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 15:31:56 -0400 Subject: [PATCH 369/458] Updating applies to --- .../add-apps-and-features.md | 7 ++--- .../app-v/appv-auto-batch-sequencing.md | 9 ++++--- .../app-v/appv-auto-batch-updating.md | 9 ++++--- .../app-v/appv-auto-provision-a-vm.md | 13 +++++---- .../appv-client-configuration-settings.md | 9 ++++--- .../appv-create-a-package-accelerator.md | 7 +++-- ...application-package-package-accelerator.md | 7 +++-- .../appv-create-and-use-a-project-template.md | 9 ++++--- ...g-and-managing-virtualized-applications.md | 9 ++++--- .../app-v/appv-deploy-the-appv-server.md | 6 ++--- .../app-v/appv-deploying-appv.md | 9 ++++--- ...eploying-microsoft-office-2010-wth-appv.md | 9 ++++--- ...ploying-microsoft-office-2013-with-appv.md | 11 +++++--- ...ploying-microsoft-office-2016-with-appv.md | 15 ++++++----- ...deploying-the-appv-sequencer-and-client.md | 9 ++++--- .../app-v/appv-deploying-the-appv-server.md | 10 +++---- .../app-v/appv-deployment-checklist.md | 7 +++-- .../appv-enable-the-app-v-desktop-client.md | 11 +++++--- .../app-v/appv-evaluating-appv.md | 10 ++++--- .../app-v/appv-for-windows.md | 9 ++++--- .../app-v/appv-getting-started.md | 27 ++++++++++--------- .../app-v/appv-high-level-architecture.md | 7 +++-- .../app-v/appv-install-the-sequencer.md | 9 ++++--- ...an-existing-virtual-application-package.md | 8 +++--- .../app-v/appv-operations.md | 7 +++-- .../app-v/appv-planning-checklist.md | 9 ++++--- ...v-planning-folder-redirection-with-appv.md | 7 +++-- .../app-v/appv-planning-for-appv.md | 7 +++-- ...lanning-for-high-availability-with-appv.md | 5 +++- ...ing-for-sequencer-and-client-deployment.md | 9 ++++--- ...ppv-planning-for-using-appv-with-office.md | 9 ++++--- ...ctronic-software-distribution-solutions.md | 7 +++-- .../app-v/appv-planning-to-deploy-appv.md | 11 +++++--- .../app-v/appv-preparing-your-environment.md | 7 +++-- .../app-v/appv-prerequisites.md | 14 ++++++---- .../app-v/appv-security-considerations.md | 7 +++-- .../app-v/appv-sequence-a-new-application.md | 9 ++++--- .../app-v/appv-supported-configurations.md | 18 +++++++++---- .../apps-in-windows-10.md | 11 ++++---- .../provisioned-apps-windows-client-os.md | 9 ++++--- .../sideload-apps-in-windows-10.md | 16 +++++------ .../system-apps-windows-client-os.md | 9 ++++--- 42 files changed, 260 insertions(+), 147 deletions(-) diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 30c4423927..557504605e 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -16,9 +16,10 @@ ms.topic: article # Add or hide features on the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index fe2fe8690a..bed697e971 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -1,5 +1,5 @@ --- -title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,14 @@ ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +**Applies to**: + +- Windows 10 +- Windows 11 Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. -In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: +Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: - Using the **New-BatchAppVSequencerPackages** cmdlet - Using the App-V Sequencer interface diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 24651988b3..52349a97ee 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -1,5 +1,5 @@ --- -title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,14 @@ ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +**Applies to**: + +- Windows 10 +- Windows 11 Updating multiple apps at the same time follows a similar process to the one used for [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However, when updating, you'll also have to pass your previously created app package files to the App-V Sequencer cmdlet. -Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!NOTE] >If you're trying to sequence multiple apps at the same time, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 1acb2935e3..2cfba09688 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -1,5 +1,5 @@ --- -title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,12 @@ ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +**Applies to**: -Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. +- Windows 10 +- Windows 11 + +Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Starting with Windows 10 version 1703, the `New-AppVSequencerVM` and `Connect-AppvSequencerVM` Windows PowerShell cmdlets are available, which automatically create your sequencing environment for you, including provisioning your virtual machine. ## Automatic VM provisioning of the sequencing environment @@ -54,7 +57,7 @@ For this process to work, you must have a base operating system available as a V After you have a VHD file, you must provision your VM for auto-sequencing. -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server). 3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: @@ -93,7 +96,7 @@ If your apps require custom prerequisites, such as Microsoft SQL Server, we reco #### Provision an existing VM -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters: diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index b0821ae348..c27a0a72b1 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -1,5 +1,5 @@ --- -title: About Client Configuration Settings (Windows 10) +title: About Client Configuration Settings (Windows 10/11) description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # About Client Configuration Settings ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). @@ -29,7 +32,7 @@ The following table provides information about App-V client configuration settin |------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageInstallationRoot**
String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageSourceRoot**
String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected by a metered network connection (for example, 4G). | 0 | +| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows client machines connected by a metered network connection (for example, 4G). | 0 | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentRetries**
Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentInterval**
Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-LocationProvider**
String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 19d0617e41..bc872e32f4 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator (Windows 10) +title: How to create a package accelerator (Windows 10/11) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # How to create a package accelerator ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 App-V Package Accelerators automatically generate new virtual application packages. diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index f091625f1a..0386b3f99e 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) +title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11) description: How to create a virtual application package using an App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the following procedure to create a virtual application package with the App-V Package Accelerator. diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 4927af50b8..29401f6f29 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,5 +1,5 @@ --- -title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,12 +14,15 @@ ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md). >[!IMPORTANT] ->In Windows 10, version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. +>Starting with Windows 10 version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. ## Create a project template diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 0d5400a65a..76e0a87b14 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,5 +1,5 @@ --- -title: Creating and managing App-V virtualized applications (Windows 10) +title: Creating and managing App-V virtualized applications (Windows 10/11) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Creating and managing App-V virtualized applications ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. @@ -119,7 +122,7 @@ A template can specify and store multiple settings as follows: - **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**. - **Exclusion Items.** Contains the Exclusion pattern list. -In Windows 10, version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!IMPORTANT] >If you attempt to load another template through the *_TemplateFilePath_* parameter while already having an auto-saved template, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index e8fa0ac8b9..a29b019396 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: How to Deploy the App-V Server (Windows 10) -description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. +title: How to Deploy the App-V Server (Windows 10/11) +description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -32,7 +32,7 @@ ms.topic: article 1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. - * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). + * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). 2. Copy the App-V server installation files to the computer on which you want to install it. diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 04cd90525d..10fee7b05b 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying App-V (Windows 10) +title: Deploying App-V (Windows 10/11) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,12 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Deploying App-V for Windows 10 +# Deploying App-V for Windows client ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 7a38ac29e7..f4ac45ec12 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods: @@ -37,7 +40,7 @@ Sequencing Office 2010 is one of the main methods for creating an Office 2010 pa ## Creating Office 2010 App-V packages using package accelerators -Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: +Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10/11, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 8](https://gallery.technet.microsoft.com/App-V-50-Package-a29410db) * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 7](https://gallery.technet.microsoft.com/App-V-50-Package-e7ef536b) diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 778f467100..c986e312c3 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. @@ -73,7 +76,7 @@ Before you start, make sure that the computer on which you are installing the Of You create Office 2013 App-V packages with the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing. -Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -148,7 +151,7 @@ After you download the Office 2013 applications through the Office Deployment To #### What you'll need to do -* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10 computers. +* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10/11 computers. * Create an Office App-V package for either the Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 654fa05a45..15a331200f 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2016 by using App-V (Windows 10) +title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). @@ -64,7 +67,7 @@ The computer on which you are installing the Office Deployment Tool must have th | Prerequisite | Description | |----------------------|--------------------| | Prerequisite software | .Net Framework 4 | -| Supported operating systems | 64-bit version of Windows 10
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | +| Supported operating systems | 64-bit version of Windows 10/11
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | >[!NOTE] >In this topic, the term “Office 2016 App-V package” refers to subscription licensing. @@ -73,7 +76,7 @@ The computer on which you are installing the Office Deployment Tool must have th You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with subscription licensing. -Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -146,7 +149,7 @@ After you download the Office 2016 applications through the Office Deployment To #### What you’ll need to do -* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. +* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10/11 computers. * Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make. @@ -377,7 +380,7 @@ The following table describes the requirements and options for deploying Visio 2 ## Related topics -* [Deploying App-V for Windows 10](appv-deploying-appv.md) +* [Deploying App-V for Windows client](appv-deploying-appv.md) * [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) * [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) * [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 9547612b38..484a48bf68 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,5 +1,5 @@ --- -title: Deploying the App-V Sequencer and configuring the client (Windows 10) +title: Deploying the App-V Sequencer and configuring the client (Windows 10/11) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Deploying the App-V Sequencer and configuring the client ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 The App-V Sequencer and client let administrators to virtualize and run virtual applications. @@ -23,7 +26,7 @@ The App-V Sequencer and client let administrators to virtualize and run virtual The App-V client is the component that runs a virtualized application on a target computer. The client lets users interact with icons and file types, starting virtualized applications. The client can also get the virtual application content from the management server. >[!NOTE] ->In Windows 10, version 1607, App-V is included with the operating system. You only need to enable it. +>Starting with Windows 10 version 1607, App-V is included with the operating system. You only need to enable it. [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 71d9510a36..5677a2f846 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: Deploying the App-V Server (Windows 10) -description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. +title: Deploying the App-V Server (Windows 10/11) +description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -19,9 +19,9 @@ ms.topic: article You can install the Application Virtualization (App-V) server components using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V security considerations](appv-security-considerations.md). >[!NOTE] ->If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows 10. +>If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows client. -To learn more about deploying App-V for Windows 10, read [What's new in App-V](appv-about-appv.md). +To learn more about deploying App-V for Windows client, read [What's new in App-V](appv-about-appv.md). >[!IMPORTANT] >Before installing and configuring the App-V servers, you must specify the port or ports where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports, as the installer does not modify firewall settings. @@ -49,7 +49,7 @@ App-V offers the following five server components, each of which serves a specif All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. -* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). +* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). In large organizations, you might want to install more than one instance of the server components to get the following benefits. diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 4183212c31..72d0a6d1d0 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,5 +1,5 @@ --- -title: App-V Deployment Checklist (Windows 10) +title: App-V Deployment Checklist (Windows 10/11) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # App-V Deployment Checklist ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 7aa623a0a3..69000c221c 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,6 +1,6 @@ --- -title: Enable the App-V in-box client (Windows 10) -description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. +title: Enable the App-V in-box client (Windows 10/11) +description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,11 +14,14 @@ ms.topic: article --- # Enable the App-V in-box client ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 The App-V client is the component that runs virtualized applications on user devices. Once you enable the client, users can interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server. -With Windows 10, version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. +Starting with Windows 10 version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. Here's how to enable the App-V client with Group Policy: diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 731ea42546..10d3e83e75 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,6 +1,6 @@ --- -title: Evaluating App-V (Windows 10) -description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. +title: Evaluating App-V (Windows 10/11) +description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,8 +15,10 @@ ms.author: greglin # Evaluating App-V -**Applies to** -- Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 51b2a21a10..0cc3adc116 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,5 +1,5 @@ --- -title: Application Virtualization (App-V) (Windows 10) +title: Application Virtualization (App-V) (Windows 10/11) description: See various topics that can help you administer Application Virtualization (App-V) and its components. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,12 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Application Virtualization (App-V) for Windows 10 overview +# Application Virtualization (App-V) for Windows client overview ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index fd20851076..3f649a92c9 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,6 +1,6 @@ --- -title: Getting Started with App-V (Windows 10) -description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. +title: Getting Started with App-V (Windows 10/11) +description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,35 +12,38 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Getting started with App-V for Windows 10 +# Getting started with App-V for Windows client ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] -Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. +Microsoft Application Virtualization (App-V) for Windows delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. -With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). +Starting with Windows 10 version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows client and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). -If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). +If you’re already using App-V, performing an in-place upgrade to Windows 10/11 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10/11, see [Upgrading to App-V for Windows from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). >[!IMPORTANT] >You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows. To learn more about previous versions of App-V, see [MDOP information experience](/microsoft-desktop-optimization-pack/index). -## Getting started with App-V for Windows 10 (new installations) +## Getting started with App-V for Windows (new installations) -To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows 10 components, what they do, and where to find them. +To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows client components, what they do, and where to find them. | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| -| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | -| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | +| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 7c11b77a24..fef069e911 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,5 +1,5 @@ --- -title: High-level architecture for App-V (Windows 10) +title: High-level architecture for App-V (Windows 10/11) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # High-level architecture for App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 9bde5d0531..633c980c5b 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,5 +1,5 @@ --- -title: Install the App-V Sequencer (Windows 10) +title: Install the App-V Sequencer (Windows 10/11) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,14 @@ ms.topic: article --- # Install the App-V Sequencer ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications. -The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit (Windows ADK). +The App-V Sequencer is included in the Windows client Assessment and Deployment Kit (Windows ADK). >[!NOTE] >The computer that will run the sequencer must not have the App-V client enabled. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource-intensive, so make sure the computer that will run the Sequencer has plenty of memory, a fast processor, and a fast hard drive. diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 0cc6df1e55..6b47cd4840 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,5 +1,5 @@ --- -title: How to Modify an Existing Virtual Application Package (Windows 10) +title: How to Modify an Existing Virtual Application Package (Windows 10/11) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,10 @@ ms.author: greglin # How to Modify an Existing Virtual Application Package -**Applies to** -- Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 This topic explains how to: diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 91ddd5b656..d098e56921 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,5 +1,5 @@ --- -title: Operations for App-V (Windows 10) +title: Operations for App-V (Windows 10/11) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Operations for App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 50887ca724..b85b69132e 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,11 +1,11 @@ --- -title: App-V Planning Checklist (Windows 10) +title: App-V Planning Checklist (Windows 10/11) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w10 +ms.prod: w10/11 ms.date: 04/18/2018 ms.reviewer: manager: dansimp @@ -14,7 +14,10 @@ ms.topic: article --- # App-V Planning Checklist ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10/11 +- Windows 11 This checklist can be used to help you plan for preparing your organization for an App-V deployment. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 18032d260a..5a586baefb 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Use Folder Redirection with App-V (Windows 10) +title: Planning to Use Folder Redirection with App-V (Windows 10/11) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Planning to Use Folder Redirection with App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Microsoft Application Virtualization (App-V) supports the use of folder redirection, a feature that enables users and administrators to redirect the path of a folder to a new location. diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 9f7685040d..6f5c42093c 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,5 +1,5 @@ --- -title: Planning for App-V (Windows 10) +title: Planning for App-V (Windows 10/11) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Planning for App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 4cdce6102f..500b47e979 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -14,7 +14,10 @@ ms.topic: article --- # Planning for high availability with App-V Server ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level. diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index f6e0a38b9e..380ec453b7 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Sequencer and Client Deployment (Windows 10) +title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Before you can use App-V, you must install the App-V Sequencer and enable the App-V client. You can also the App-V shared content store, although it isn't required. The following sections will tell you how to set these up. @@ -38,7 +41,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac ## Planning for App-V client deployment -In Windows 10, version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). ## Planning for the App-V Shared Content Store (SCS) diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 9db1afb81a..a7779a7e96 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,5 +1,5 @@ --- -title: Planning for Deploying App-V with Office (Windows 10) +title: Planning for Deploying App-V with Office (Windows 10/11) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Planning for deploying App-V with Office ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 Use the following information to plan how to deploy Office within Microsoft Application Virtualization (App-V). @@ -92,7 +95,7 @@ To bypass the auto-registration operation for native Word 2010, follow these ste * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. - * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. + * In Windows client, enter **regedit**, select **Enter** on the Start page, then select the Enter key. If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. 3. Locate and then select the following registry subkey: diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index a5ab9870cf..776072fef4 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) +title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11) description: Planning to Deploy App-V with an Electronic Software Distribution System author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 0b26e63e8a..0793ec479e 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V (Windows 10) +title: Planning to Deploy App-V (Windows 10/11) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,14 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Planning to Deploy App-V for Windows 10 +# Planning to Deploy App-V for Windows client ->Applies to: Windows 10, version 1607 +**Applies to**: -There are several different deployment configurations and requirements to consider before you deploy App-V for Windows 10. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. +- Windows 10 +- Windows 11 + +There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. ## App-V supported configurations diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 9753d170ef..7b441ae569 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -1,5 +1,5 @@ --- -title: Preparing Your Environment for App-V (Windows 10) +title: Preparing Your Environment for App-V (Windows 10/11) description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V). ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,10 @@ ms.topic: article --- # Preparing your environment for App-V ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 There are several different deployment configurations and prerequisites that you must consider before creating your deployment plan for Microsoft App-V. The following articles will help you gather the information you need to set up a deployment plan that best suits your business’ needs. diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index 2cdfd2d90c..fabd6776e3 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -1,5 +1,5 @@ --- -title: App-V Prerequisites (Windows 10) +title: App-V Prerequisites (Windows 10/11) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,15 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# App-V for Windows 10 prerequisites ->Applies to: Windows 10, version 1607 +# App-V for Windows client prerequisites -Before installing App-V for Windows 10, ensure that you have installed all of the following required prerequisite software. +**Applies to**: + +- Windows 10 +- Windows 11 + +Before installing App-V for Windows client, ensure that you have installed all of the following required prerequisite software. For a list of supported operating systems and hardware requirements for the App-V server, sequencer, and client, see [App-V Supported Configurations](appv-supported-configurations.md). @@ -26,7 +30,7 @@ The following table indicates the software that is already installed for differe |Operating system|Prerequisite description| |---|---| -|Windows 10|All prerequisite software is already installed.| +|Windows 10/11|All prerequisite software is already installed.| |Windows 8.1|All prerequisite software is already installed.
If you're running Windows 8, upgrade to Windows 8.1 before using App-V.| |Windows Server 2016|The following prerequisite software is already installed:
- Microsoft .NET Framework 4.5
- Windows PowerShell 3.0

Installing Windows PowerShell requires a restart.| |Windows 7|No prerequisite software is installed. You must install the software before you can install App-V.| diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 02603d57b2..6707151ad2 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -1,5 +1,5 @@ --- -title: App-V Security Considerations (Windows 10) +title: App-V Security Considerations (Windows 10/11) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,10 @@ ms.topic: article --- # App-V security considerations ->Applies to: Windows 10, version 1607 +**Applies to**: + +- Windows 10 +- Windows 11 This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 0c47bf69b6..84d323ae88 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,5 +1,5 @@ --- -title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,12 @@ ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1607 and later +**Applies to**: -In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +- Windows 10 +- Windows 11 + +Starting with Windows 10 version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). ## Before you start sequencing diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index f2d40d15b1..4fe89ecc0c 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -1,6 +1,6 @@ --- -title: App-V Supported Configurations (Windows 10) -description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment. +title: App-V Supported Configurations (Windows 10/11) +description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,9 +14,17 @@ ms.topic: article --- # App-V Supported Configurations ->Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update) +**Applies to**: -This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). +- Windows 10 +- Windows 11 +- Window Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 (Extended Security Update) + +This topic specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). ## App-V Server system requirements @@ -98,7 +106,7 @@ The following table lists the SQL Server versions that are supported for the App ## App-V client and Remote Desktop Services client requirements -With Windows 10, version 1607 and later releases, the App-V client is included with Windows 10 Enterprise and Windows 10 Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with Windows Enterprise and Windows Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). Similarly, the App-V Remote Desktop Services (RDS) client is included with Windows Server 2016 Standard and Windows Server 2016 Datacenter. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index f30e8fa94f..43bc4bec68 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Learn about the different app types in Windows 10 | Microsoft Docs +title: Learn about the different app types in Windows 10/11 | Microsoft Docs ms.reviewer: manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. @@ -15,9 +15,10 @@ ms.topic: article # Overview of apps on Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 ## Before you begin @@ -76,7 +77,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. - If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index 48795d6801..04aa767487 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # Provisioned apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 7edd100ef0..645475d40c 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Sideload LOB apps in Windows client OS | Microsoft Docs -description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10. When you sideload an app, you deploy a signed app package to a device. +description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: manager: dougeby @@ -10,15 +10,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 08/31/2021 ms.localizationpriority: medium --- # Sideload line of business (LOB) apps in Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. @@ -56,9 +56,9 @@ Managed devices are typically owned by your organization. They're managed by Gro Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. > [!IMPORTANT] -> To install an app on Windows 10 and later, you can: +> To install an app on Windows client, you can: > -> - [Install Windows 10 apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). +> - [Install Windows apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). > - Users can double-click any `.msix` or `.appx` package. ### User interface @@ -98,7 +98,7 @@ This step installs the app certificate to the local device. Installing the certi -OR- - You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package, see runtime instructions on [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). ## Step 3: Install the app diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 6ebea1ded8..d498c17fb4 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # System apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed. From d1ee55fb2680e4f0b12bc6a121cac491df6bbbe3 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 12:38:39 -0700 Subject: [PATCH 370/458] update with 11 --- windows/deployment/windows-10-enterprise-e3-overview.md | 6 +++++- windows/deployment/windows-10-subscription-activation.md | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f9f45982f7..2eeaf3054d 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,6 +1,6 @@ --- title: Windows 10/11 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy @@ -19,6 +19,10 @@ ms.topic: article # Windows 10/11 Enterprise E3 in CSP +Applies to: +- Windows 10 +- Windows 11 + Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10/11 Enterprise E3 in CSP is available now for both Windows 10 and Windows 11. It delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded. Windows 11 is considered "later" in this context. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 3582a6b312..398d4cb1c4 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -29,7 +29,7 @@ With Windows 10, version 1903 and later, the Subscription Activation feature als The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. -## Subscription Activation for Windows 10 Enterprise and Windows 11 Enterprise +## Subscription Activation for Windows 10/11 Enterprise With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise or Windows 11 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. @@ -40,9 +40,9 @@ With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Win Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -## Subscription Activation for Windows 10 Education and Windows 11 Education +## Subscription Activation for Windows 10/11 Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-10-11-education-requirements) section. +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. ## Summary From 5319d8da7fa75dca539ba5efb0db11ec39419fcb Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 15:41:15 -0400 Subject: [PATCH 371/458] fixed typo --- windows/application-management/app-v/appv-planning-checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index b85b69132e..38dcba49db 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -16,7 +16,7 @@ ms.topic: article **Applies to**: -- Windows 10/11 +- Windows 10 - Windows 11 This checklist can be used to help you plan for preparing your organization for an App-V deployment. From 4f6b56af6e1165cd9603c4fe32b61fb6636fe10c Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 15:42:25 -0400 Subject: [PATCH 372/458] fixed another typo --- windows/application-management/app-v/appv-planning-checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 38dcba49db..ec6b16a771 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -5,7 +5,7 @@ author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w10/11 +ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: manager: dansimp From e48fe882c5e09760efc805e4a44a71e169fada04 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 13:24:08 -0700 Subject: [PATCH 373/458] update with 11 --- .../windows-10-enterprise-e3-overview.md | 6 ++--- .../windows-10-subscription-activation.md | 23 +++++++++++-------- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 2eeaf3054d..e1d673f759 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -23,12 +23,12 @@ Applies to: - Windows 10 - Windows 11 -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10/11 Enterprise E3 in CSP is available now for both Windows 10 and Windows 11. It delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. It delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded. Windows 11 is considered "later" in this context. +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. - Azure Active Directory (Azure AD) available for identity management -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. +You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 398d4cb1c4..b1736d3583 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -31,7 +31,7 @@ The Subscription Activation feature eliminates the need to manually deploy Enter ## Subscription Activation for Windows 10/11 Enterprise -With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise or Windows 11 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. +With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: @@ -40,24 +40,27 @@ With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Win Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -## Subscription Activation for Windows 10/11 Education +> [!NOTE] +> You cannot use Subscripton Activation to upgrade from Windows 10 to Windows 11. The operating system version does not change when you switch to Enterprise edition. -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise or Windows 11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. +## Subscription Activation for Education -## Summary +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. + +## In this article - [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10/11 subscription-based licensing. +- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Benefits](#benefits): Advantages of subscription-based licensing. - [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10/11 Subscription Activation for VMs in the cloud. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). ## Inherited Activation -Inherited Activation is a new feature available in Windows 10, version 1803 or later that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. +Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. @@ -154,7 +157,7 @@ You can benefit by moving to Windows as an online service in the following ways: ## How it works > [!NOTE] -. The following Windows 10 examples and scenarios also apply to Windows 11. +> The following Windows 10 examples and scenarios also apply to Windows 11. The device is AAD joined from **Settings > Accounts > Access work or school**. From 8af70e6c8781e51a0183d9adb26aca64cfd59c68 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 13:31:50 -0700 Subject: [PATCH 374/458] update with 11 --- windows/deployment/windows-10-subscription-activation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index b1736d3583..55559f11aa 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: mdt audience: itpro author: greg-lindsay -manager: laurawi +manager: dougeby ms.collection: M365-modern-desktop search.appverid: - MET150 @@ -47,7 +47,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. -## In this article +## Article summary - [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. - [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. @@ -56,7 +56,7 @@ Subscription Activation for Education works the same as the Enterprise version, - [How it works](#how-it-works): A summary of the subscription-based licensing option. - [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). +For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). ## Inherited Activation From 032397009672607734df52d1941f34fef9609b69 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 16:34:40 -0400 Subject: [PATCH 375/458] app-v round 2 --- ...ministrator-with-the-management-console.md | 4 +-- ...de-packages-with-the-management-console.md | 4 +-- ...appv-administering-appv-with-powershell.md | 4 +-- ...pplications-with-the-management-console.md | 4 +-- ...inistrators-to-enable-connection-groups.md | 4 +-- ...ation-publishing-and-client-interaction.md | 4 +-- ...ment-configuration-file-with-powershell.md | 6 ++-- ...user-configuration-file-with-powershell.md | 6 ++-- .../app-v/appv-auto-batch-sequencing.md | 5 +-- .../app-v/appv-auto-batch-updating.md | 5 +-- .../appv-auto-clean-unpublished-packages.md | 6 ++-- .../app-v/appv-auto-provision-a-vm.md | 5 +-- .../app-v/appv-available-mdm-settings.md | 34 +++++++++---------- .../app-v/appv-capacity-planning.md | 2 +- .../appv-client-configuration-settings.md | 5 +-- ...to-packages-with-the-management-console.md | 4 +-- ...on-groups-to-ignore-the-package-version.md | 4 +-- ...eive-updates-from-the-publishing-server.md | 4 +-- .../appv-connect-to-the-management-console.md | 4 +-- .../app-v/appv-connection-group-file.md | 4 +-- ...pv-connection-group-virtual-environment.md | 4 +-- ...e-created-in-a-previous-version-of-appv.md | 12 +++---- ...blished-and-globally-published-packages.md | 4 +-- .../app-v/appv-create-a-connection-group.md | 4 +-- ...ration-file-with-the-management-console.md | 4 +-- ...e-a-package-accelerator-with-powershell.md | 4 +-- .../appv-create-a-package-accelerator.md | 5 +-- ...application-package-package-accelerator.md | 5 +-- .../appv-create-and-use-a-project-template.md | 5 +-- ...g-and-managing-virtualized-applications.md | 5 +-- ...-extensions-with-the-management-console.md | 4 +-- ...e-a-package-with-the-management-console.md | 4 +-- .../app-v/appv-dynamic-configuration.md | 6 ++-- .../app-v/appv-for-windows.md | 5 +-- ...-a-packages-with-the-management-console.md | 4 +-- ...hing-server-with-the-management-console.md | 5 ++- ...f-a-package-with-the-management-console.md | 5 ++- ...-extensions-with-the-management-console.md | 5 ++- .../applies-to-windows-client-versions.md | 15 ++++++++ 39 files changed, 104 insertions(+), 119 deletions(-) create mode 100644 windows/application-management/includes/applies-to-windows-client-versions.md diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 2b8eb78f4d..ba98c209b2 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) +title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or remove an administrator by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server. diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index d09522b1ba..a91752fa7d 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) +title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or upgrade packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index fd18bc7d76..92659b1ce8 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -1,5 +1,5 @@ --- -title: Administering App-V by using Windows PowerShell (Windows 10) +title: Administering App-V by using Windows PowerShell (Windows 10/11) description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports Windows PowerShell cmdlets that give administrators a quick and easy way to manage App-V. The following sections will tell you more about how to use Windows PowerShell with App-V. diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index 9b26750d0e..32b6f0bef7 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: Administering App-V Virtual Applications by using the Management Console (Windows 10) +title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11) description: Administering App-V Virtual Applications by using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V Virtual Applications by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers running the App-V client. One or more management servers typically share a common data store for configuration and package information. diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index af9ea8e786..728de7998a 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Only Allow Admins to Enable Connection Groups (Windows 10) +title: Only Allow Admins to Enable Connection Groups (Windows 10/11) description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to allow only administrators to enable connection groups ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can configure the App-V client so that only administrators, not users, can enable or disable connection groups. In earlier versions of App-V, there was no way to restrict access to disabling connection groups to users. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 130ad633ee..0c949d9dd5 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,5 +1,5 @@ --- -title: Application Publishing and Client Interaction (Windows 10) +title: Application Publishing and Client Interaction (Windows 10/11) description: Learn technical information about common App-V Client operations and their integration with the local operating system. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Application publishing and client interaction ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This article provides technical information about common App-V Client operations and their integration with the local operating system. diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index bf6f0effd2..a8a744e7e2 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: Apply deployment config file via Windows PowerShell (Windows 10) -description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. +title: Apply deployment config file via Windows PowerShell (Windows 10/11) +description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the deployment configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index 851e74f1e6..1650a46de5 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: How to apply the user configuration file by using Windows PowerShell (Windows 10) -description: How to apply the user configuration file by using Windows PowerShell (Windows 10). +title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11) +description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the user configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index bed697e971..7875e506a1 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -14,10 +14,7 @@ ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 52349a97ee..3ce6b6faac 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -14,10 +14,7 @@ ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Updating multiple apps at the same time follows a similar process to the one used for [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However, when updating, you'll also have to pass your previously created app package files to the App-V Sequencer cmdlet. diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index acf7bb3cdf..38ab629d22 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -1,5 +1,5 @@ --- -title: Auto-remove unpublished packages on App-V client (Windows 10) +title: Auto-remove unpublished packages on App-V client (Windows 10/11) description: How to automatically clean up any unpublished packages on your App-V client devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Automatically clean up unpublished packages on the App-V client ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. +If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Starting with Windows 10 version 1703, use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. ## Clean up with PowerShell cmdlets diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 2cfba09688..f9e98f0849 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -14,10 +14,7 @@ ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Starting with Windows 10 version 1703, the `New-AppVSequencerVM` and `Connect-AppvSequencerVM` Windows PowerShell cmdlets are available, which automatically create your sequencing environment for you, including provisioning your virtual machine. diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 2b73883501..107fab760e 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,5 +1,5 @@ --- -title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) +title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11) description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,22 +14,22 @@ ms.topic: article --- # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. +Starting with Windows 10 version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. |Policy name|Supported versions|URI full path|Data type|Values| |---|---|---|---|---| -|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| -|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| -|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| -|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| -|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| -|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| -|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| -|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| -|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| -|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| -|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| -|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| -|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| -|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| -|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file +|Name|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| +|Version|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| +|Publisher|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| +|InstallLocation|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| +|InstallDate|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| +|Users|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| +|AppVPackageID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| +|AppVVersionID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| +|AppVPackageUri|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| +|LastError|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| +|LastErrorDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| +|SyncStatusDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| +|SyncProgress|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| +|PublishXML|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| +|Policy|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 76f23f4537..75a7a8d6ec 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -1,5 +1,5 @@ --- -title: App-V Capacity Planning (Windows 10) +title: App-V Capacity Planning (Windows 10/11) description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index c27a0a72b1..f66d17b837 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -14,10 +14,7 @@ ms.topic: article --- # About Client Configuration Settings -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 82dca3e617..92657e83fa 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to configure access to packages by using the Management Console (Windows 10) +title: How to configure access to packages by using the Management Console (Windows 10/11) description: How to configure access to packages by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure access to packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 12b44773a7..c2d3446d5e 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -1,5 +1,5 @@ --- -title: How to make a connection group ignore the package version (Windows 10) +title: How to make a connection group ignore the package version (Windows 10/11) description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to make a connection group ignore the package version -> Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create. diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 9dadc20365..b4b2fc014d 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -1,5 +1,5 @@ --- -title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10) +title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11) description: How to configure the client to receive package and connection groups updates from the publishing server. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure the client to receive package and connection groups updates from the publishing server ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date. diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index b2414c2635..48b893e5af 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to connect to the Management Console (Windows 10) +title: How to connect to the Management Console (Windows 10/11) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to connect to the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to connect to the App-V Management Console. diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 70072685d4..b73008a5ac 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -1,5 +1,5 @@ --- -title: About the connection group file (Windows 10) +title: About the connection group file (Windows 10/11) description: A summary of what the connection group file is and how to configure it. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group file ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Connection group file overview diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index a1a9c16649..dcd72b455c 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: About the connection group virtual environment (Windows 10) +title: About the connection group virtual environment (Windows 10/11) description: Learn how the connection group virtual environment works and how package priority is determined. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group virtual environment ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## How package priority is determined diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 44e0487b4e..1088fd28a2 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,5 +1,5 @@ --- -title: How to convert a package created in a previous version of App-V (Windows 10) +title: How to convert a package created in a previous version of App-V (Windows 10/11) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to convert a package created in a previous version of App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. @@ -28,9 +28,9 @@ The package converter can only directly convert packages created by an App-V seq ## App-V 4.6 installation folder is redirected to virtual file system root -When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) +When you convert packages from App-V 4.6 to App-V for Windows 10/11, the App-V for Windows client package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) -The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. +The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. ## Getting started @@ -50,9 +50,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages ``` - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. - Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. > [!NOTE] > Before you specify the output directory, you must create the output directory. diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 1b3212816f..70409e9d70 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,5 +1,5 @@ --- -title: How to create a connection croup with user-published and globally published packages (Windows 10) +title: How to create a connection croup with user-published and globally published packages (Windows 10/11) description: How to create a connection croup with user-published and globally published packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection croup with user-published and globally published packages ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 38fb3646e7..35002a1b2b 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to create a connection group (Windows 10) +title: How to create a connection group (Windows 10/11) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 34f45644e9..877f356159 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to create a custom configuration file by using the App-V Management Console (Windows 10) +title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11) description: How to create a custom configuration file by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a custom configuration file by using the App-V Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see [About App-V dynamic configuration](appv-dynamic-configuration.md). diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 3e6fe295f1..79b713f591 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator by using Windows PowerShell (Windows 10) +title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a package accelerator by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index bc872e32f4..c9eff04f48 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -14,10 +14,7 @@ ms.topic: article --- # How to create a package accelerator -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically generate new virtual application packages. diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index 0386b3f99e..7a9d9a8b7f 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -14,10 +14,7 @@ ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a virtual application package with the App-V Package Accelerator. diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 29401f6f29..908c5fc16f 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -14,10 +14,7 @@ ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md). diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 76e0a87b14..6a372fbbdf 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -14,10 +14,7 @@ ms.topic: article --- # Creating and managing App-V virtualized applications -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index b6ed9b54af..4de66c5d97 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) +title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11) description: How to customize virtual application extensions for a specific AD group by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to customize virtual applications extensions for a specific AD group by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group. diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 989346048b..775893310a 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to delete a package in the Management Console (Windows 10) +title: How to delete a package in the Management Console (Windows 10/11) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a package in the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an App-V package. diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 8d5b3cafad..26a4d6b23c 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,5 +1,5 @@ --- -title: About App-V Dynamic Configuration (Windows 10) +title: About App-V Dynamic Configuration (Windows 10/11) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V dynamic configuration ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. @@ -562,7 +562,7 @@ The following table describes the various script events and the context under wh ### Using multiple scripts on a single event trigger -App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. +App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows client. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. #### How to use multiple scripts on a single event trigger diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 0cc3adc116..32c7f7e7ef 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -14,10 +14,7 @@ ms.topic: article --- # Application Virtualization (App-V) for Windows client overview -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index c438b69062..f50ef817a3 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to publish a package by using the Management console (Windows 10) +title: How to publish a package by using the Management console (Windows 10/11) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to publish a package by using the Management console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 7023d46bce..509d82740c 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10) +title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11) description: How to Register and Unregister a Publishing Server by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Register and Unregister a Publishing Server by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can register and unregister publishing servers that will synchronize with the App-V management server. You can also see the last attempt that the publishing server made to synchronize the information with the management server. diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 28caecc4fa..52fd89cf85 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10) +title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to transfer the access and default package configurations to another version of a package by using the management console. diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 96494e493b..3e7c56d05e 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10) +title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to view and configure default package extensions. diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md new file mode 100644 index 0000000000..33ade955c1 --- /dev/null +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -0,0 +1,15 @@ +--- +author: MandiOhlinger +ms.author: mandia +ms.date: 09/28/2021 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: w10 +ms.topic: include +--- + +**Applies to**: + +- Windows 10 +- Windows 11 From 003394794a309fba980f065a1ff1d096c7e1a7ca Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 28 Sep 2021 13:40:14 -0700 Subject: [PATCH 376/458] update --- .../windows-10-subscription-activation.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 55559f11aa..725f2f12f6 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -29,6 +29,19 @@ With Windows 10, version 1903 and later, the Subscription Activation feature als The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. +See the following topics: + +- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. +- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Benefits](#benefits): Advantages of subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). + ## Subscription Activation for Windows 10/11 Enterprise With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. @@ -47,17 +60,6 @@ Organizations that have an Enterprise agreement can also benefit from the new se Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. -## Article summary - -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. -- [Benefits](#benefits): Advantages of subscription-based licensing. -- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. - -For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). - ## Inherited Activation Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. From 6308ff83d7eedb81621151a6c83fbd8ae2cbfa3d Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 17:15:06 -0400 Subject: [PATCH 377/458] app-v applies to round 3 --- .../app-v/appv-delete-a-connection-group.md | 4 ++-- ...-deploy-appv-databases-with-sql-scripts.md | 2 +- ...ctronic-software-distribution-solutions.md | 4 ++-- ...pv-deploy-the-appv-server-with-a-script.md | 2 +- .../app-v/appv-deploying-appv.md | 5 +---- ...eploying-microsoft-office-2010-wth-appv.md | 5 +---- ...ploying-microsoft-office-2013-with-appv.md | 5 +---- ...ploying-microsoft-office-2016-with-appv.md | 5 +---- ...ctronic-software-distribution-solutions.md | 2 +- ...deploying-the-appv-sequencer-and-client.md | 5 +---- .../app-v/appv-deployment-checklist.md | 5 +---- ...ctronic-software-distribution-solutions.md | 4 ++-- ...ting-on-the-appv-client-with-powershell.md | 5 ++--- .../appv-enable-the-app-v-desktop-client.md | 5 +---- .../app-v/appv-evaluating-appv.md | 5 +---- .../app-v/appv-getting-started.md | 5 +---- .../app-v/appv-high-level-architecture.md | 5 +---- ...ed-security-identifiers-with-powershell.md | 2 +- ...porting-databases-on-separate-computers.md | 2 +- ...agement-server-on-a-standalone-computer.md | 2 +- ...-publishing-server-on-a-remote-computer.md | 2 +- ...porting-server-on-a-standalone-computer.md | 2 +- .../app-v/appv-install-the-sequencer.md | 5 +---- ...-powershell-cmdlets-and-get-cmdlet-help.md | 4 ++-- .../app-v/appv-maintaining-appv.md | 10 ++++----- ...-a-stand-alone-computer-with-powershell.md | 4 ++-- ...-a-stand-alone-computer-with-powershell.md | 5 ++--- .../app-v/appv-managing-connection-groups.md | 5 ++--- ...grating-to-appv-from-a-previous-version.md | 11 +++++----- ...an-existing-virtual-application-package.md | 5 +---- ...fy-client-configuration-with-powershell.md | 5 ++--- ...ove-the-appv-server-to-another-computer.md | 2 +- .../app-v/appv-operations.md | 5 +---- .../app-v/appv-performance-guidance.md | 18 +++++++++------- .../app-v/appv-planning-checklist.md | 5 +---- ...v-planning-folder-redirection-with-appv.md | 5 +---- ...ppv-planning-for-appv-server-deployment.md | 2 +- .../app-v/appv-planning-for-appv.md | 5 +---- ...lanning-for-high-availability-with-appv.md | 5 +---- ...ing-for-sequencer-and-client-deployment.md | 5 +---- ...ppv-planning-for-using-appv-with-office.md | 5 +---- ...ctronic-software-distribution-solutions.md | 5 +---- .../app-v/appv-planning-to-deploy-appv.md | 5 +---- .../app-v/appv-preparing-your-environment.md | 5 +---- .../app-v/appv-prerequisites.md | 5 +---- .../app-v/appv-publish-a-connection-group.md | 4 ++-- ...release-notes-for-appv-for-windows-1703.md | 15 +++++++------ .../app-v/appv-reporting.md | 4 ++-- ...plications-inside-a-virtual-environment.md | 3 ++- .../app-v/appv-security-considerations.md | 5 +---- .../app-v/appv-sequence-a-new-application.md | 5 +---- ...appv-sequence-a-package-with-powershell.md | 7 +++---- .../app-v/appv-technical-reference.md | 5 ++--- .../app-v/appv-troubleshooting.md | 11 +++++----- ...indows-10-from-an-existing-installation.md | 21 +++++++++---------- ...ppv-using-the-client-management-console.md | 5 ++--- ...viewing-appv-server-publishing-metadata.md | 12 +++++------ 57 files changed, 114 insertions(+), 197 deletions(-) diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index a252b5a53d..a1a8185b9a 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to delete a connection group (Windows 10) +title: How to delete a connection group (Windows 10/11) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an existing App-V connection group. diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 8fd2c674f6..5cdd91138e 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) +title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 0d670783b7..a8477d90ae 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to deploy App-V packages using electronic software distribution (Windows 10) +title: How to deploy App-V packages using electronic software distribution (Windows 10/11) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to deploy App-V packages using electronic software distribution ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 467272455a..ead9d82133 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Server Using a Script (Windows 10) +title: How to Deploy the App-V Server Using a Script (Windows 10/11) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 10fee7b05b..148567438b 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Deploying App-V for Windows client -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index f4ac45ec12..5ec4cf5cad 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods: diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index c986e312c3..e895318669 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 15a331200f..cbe270cf7d 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 032233877b..9485202cc5 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying App-V packages by using electronic software distribution (ESD) ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 484a48bf68..bfd34cfcaa 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -14,10 +14,7 @@ ms.topic: article --- # Deploying the App-V Sequencer and configuring the client -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V Sequencer and client let administrators to virtualize and run virtual applications. diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 72d0a6d1d0..aa72671760 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -14,10 +14,7 @@ ms.topic: article --- # App-V Deployment Checklist -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 93ddd8f4d6..bd42de3c84 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) +title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10/11) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to enable only administrators to publish packages by using an ESD ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 8b6dd8e9fc..3983d8787c 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) +title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,8 +14,7 @@ ms.topic: article --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V for reporting. diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 69000c221c..a0fd066d26 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -14,10 +14,7 @@ ms.topic: article --- # Enable the App-V in-box client -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V client is the component that runs virtualized applications on user devices. Once you enable the client, users can interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server. diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 10d3e83e75..e15b0a5209 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -15,10 +15,7 @@ ms.author: greglin # Evaluating App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 3f649a92c9..0e3c91919c 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -14,10 +14,7 @@ ms.topic: article --- # Getting started with App-V for Windows client -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index fef069e911..62ec6658b4 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -14,10 +14,7 @@ ms.topic: article --- # High-level architecture for App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index b0daa8e5c6..446fb2362d 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) +title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index b48c88fe55..2f8a941579 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,5 +1,5 @@ --- -title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) +title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 9a7bb5df47..c7c54d8a32 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) +title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11) description: How to install the Management Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 3ac42e959a..261eb206aa 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,5 +1,5 @@ --- -title: Install the Publishing Server on a Remote Computer (Windows 10) +title: Install the Publishing Server on a Remote Computer (Windows 10/11) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index 41fb1e6ffa..f2848972d7 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) +title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 633c980c5b..410d7b4f25 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -14,10 +14,7 @@ ms.topic: article --- # Install the App-V Sequencer -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications. diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 3f38081e58..c79bfcbc87 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,5 +1,5 @@ --- -title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) +title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Requirements for using Windows PowerShell cmdlets diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 6375ae29ad..543c13a48b 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,11 +1,11 @@ --- -title: Maintaining App-V (Windows 10) -description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +title: Maintaining App-V (Windows 10/11) +description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w10 +ms.prod: w10/11 ms.date: 09/27/2018 ms.reviewer: manager: dansimp @@ -14,9 +14,9 @@ ms.topic: article --- # Maintaining App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +After you have deployed App-V for Windows client, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index 278b757481..102c1d61e6 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10/11) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 5333448a99..88a684ce46 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) +title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 1a1fed1187..bfbd7fe594 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Managing Connection Groups (Windows 10) +title: Managing Connection Groups (Windows 10/11) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Managing Connection Groups -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index da8bf8b6cc..894d080a23 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,6 +1,6 @@ --- -title: Migrating to App-V from a Previous Version (Windows 10) -description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. +title: Migrating to App-V from a Previous Version (Windows 10/11) +description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,10 +15,9 @@ ms.author: greglin # Migrating to App-V from previous versions -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -To migrate from App-V 4.x to App-V for Windows 10, you must upgrade to App-V 5.x first. +To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. ## Improvements to the App-V Package Converter @@ -34,7 +33,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom -New in App-V for Windows 10 +New in App-V for Windows client Prior to App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 6b47cd4840..69acd8e60e 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -15,10 +15,7 @@ ms.author: greglin # How to Modify an Existing Virtual Application Package -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic explains how to: diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index ad99c8c0b2..552c9efd53 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) +title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify Client Configuration by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V client configuration. diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index ea80b1f3c8..e3bd963ee4 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,5 +1,5 @@ --- -title: How to Move the App-V Server to Another Computer (Windows 10) +title: How to Move the App-V Server to Another Computer (Windows 10/11) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index d098e56921..08dba24e7a 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -14,10 +14,7 @@ ms.topic: article --- # Operations for App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks. diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index dba895b3b1..392ba61769 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,5 +1,5 @@ --- -title: Performance Guidance for Application Virtualization (Windows 10) +title: Performance Guidance for Application Virtualization (Windows 10/11) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,11 +15,13 @@ ms.author: greglin # Performance Guidance for Application Virtualization -**Applies to** -- Windows 7 SP1 -- Windows 10 -- Server 2012 R2 -- Server 2016 +**Applies to**: + +- Windows 7 SP1 +- Windows 10 +- Windows 11 +- Server 2012 R2 +- Server 2016 Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. @@ -270,11 +272,11 @@ We recommend using User Experience Virtualization (UE-V) to capture and centrali For more information, see: -- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows) +- [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows) - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) -In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows). +In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). **Note**   Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index ec6b16a771..90f3c89418 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -14,10 +14,7 @@ ms.topic: article --- # App-V Planning Checklist -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist can be used to help you plan for preparing your organization for an App-V deployment. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 5a586baefb..40386c2097 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning to Use Folder Redirection with App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports the use of folder redirection, a feature that enables users and administrators to redirect the path of a folder to a new location. diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index f17f8cf5e9..b5f01d47c7 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Server Deployment (Windows 10) +title: Planning for the App-V Server Deployment (Windows 10/11) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 6f5c42093c..0f7c0bbb39 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning for App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 500b47e979..f3e4e0b58f 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning for high availability with App-V Server -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level. diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 380ec453b7..f1c589ae07 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you can use App-V, you must install the App-V Sequencer and enable the App-V client. You can also the App-V shared content store, although it isn't required. The following sections will tell you how to set these up. diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index a7779a7e96..c5885a941b 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning for deploying App-V with Office -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to plan how to deploy Office within Microsoft Application Virtualization (App-V). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 776072fef4..12d3de4f82 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 0793ec479e..3bb30afe33 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -14,10 +14,7 @@ ms.topic: article --- # Planning to Deploy App-V for Windows client -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 7b441ae569..979f7a1094 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -14,10 +14,7 @@ ms.topic: article --- # Preparing your environment for App-V -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] There are several different deployment configurations and prerequisites that you must consider before creating your deployment plan for Microsoft App-V. The following articles will help you gather the information you need to set up a deployment plan that best suits your business’ needs. diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index fabd6776e3..0e3e61bac8 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -15,10 +15,7 @@ ms.topic: article # App-V for Windows client prerequisites -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before installing App-V for Windows client, ensure that you have installed all of the following required prerequisite software. diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 27eb277fc2..4297883e3a 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to Publish a Connection Group (Windows 10) +title: How to Publish a Connection Group (Windows 10/11) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to Publish a Connection Group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you create a connection group, you must publish it to computers that run the App-V client. diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 993c86f316..8765ba9fa6 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -1,6 +1,6 @@ --- -title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) -description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11) +description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -13,12 +13,11 @@ ms.author: greglin --- -# Release Notes for App-V for Windows 10, version 1703 +# Release Notes for App-V for Windows 10 version 1703 and later -**Applies to** -- Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later @@ -106,7 +105,7 @@ The following are known issues and workarounds for Application Virtualization (A ## Related resources list -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) - [The Official Microsoft App-V Team Blog](/archive/blogs/appv/) @@ -119,6 +118,6 @@ For information that can help with troubleshooting App-V for Windows 10, see:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics -- [What's new in App-V for Windows 10](appv-about-appv.md) +- [What's new in App-V for Windows client](appv-about-appv.md) - [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index a777b5a01e..31fd82260d 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -1,5 +1,5 @@ --- -title: About App-V Reporting (Windows 10) +title: About App-V Reporting (Windows 10/11) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V reporting ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Application Virtualization (App-V) includes a built-in reporting feature that collects information about computers running the App-V client and virtual application package usage. You can generate reports from a centralized database with this information. diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index d552115faf..b22a3ebbce 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10) +title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -18,6 +18,7 @@ ms.author: greglin **Applies to** - Windows 7 SP1 - Windows 10 +- Windows 11 - Windows Server 2012 R2 - Windows Server 2016 diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 6707151ad2..36f3d39141 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -14,10 +14,7 @@ ms.topic: article --- # App-V security considerations -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 84d323ae88..c456583c56 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -14,10 +14,7 @@ ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) -**Applies to**: - -- Windows 10 -- Windows 11 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Starting with Windows 10 version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 6a5a084f6a..60d9e3bf9e 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to sequence a package by using Windows PowerShell (Windows 10) +title: How to sequence a package by using Windows PowerShell (Windows 10/11) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Sequence a Package by using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a new App-V package using Windows PowerShell. @@ -63,7 +62,7 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. > [!IMPORTANT] > If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index ec6e36ed71..378c6cf052 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -1,5 +1,5 @@ --- -title: Technical Reference for App-V (Windows 10) +title: Technical Reference for App-V (Windows 10/11) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Technical Reference for App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section provides reference information related to managing App-V. diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 2ee6c51728..0ca75469ad 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -1,5 +1,5 @@ --- -title: Troubleshooting App-V (Windows 10) +title: Troubleshooting App-V (Windows 10/11) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,10 +15,9 @@ ms.author: greglin # Troubleshooting App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) @@ -33,9 +32,9 @@ For information that can help with troubleshooting App-V for Windows 10, see: ## Other resources -- [Application Virtualization (App-V) for Windows 10 overview](appv-for-windows.md) +- [Application Virtualization (App-V) for Windows client overview](appv-for-windows.md) -- [Getting Started with App-V for Windows 10](appv-getting-started.md) +- [Getting Started with App-V for Windows client](appv-getting-started.md) - [Planning for App-V](appv-planning-for-appv.md) diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index fd2a4d1bf4..f1e570b02a 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -1,6 +1,6 @@ --- -title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10) -description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation. +title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) +description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,14 +12,13 @@ manager: dansimp ms.author: greglin --- -# Upgrading to App-V for Windows 10 from an existing installation +# Upgrading to App-V for Windows client from an existing installation -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you’re already using App-V and you’re planning to upgrade user devices to Windows 10, you need to make only the following few adjustments to your existing environment to start using App-V for Windows 10. +If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. -1. [Upgrade user devices to Windows 10](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. +1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). @@ -31,13 +30,13 @@ If you’re already using App-V and you’re planning to upgrade user devices to These steps are explained in more detail below. -## Upgrade user devices to Windows 10 +## Upgrade user devices to Windows 10/11 -Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](/windows/windows-10/) for information about upgrading user devices to Windows 10. +Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. ## Verify that App-V applications and settings were migrated correctly -After upgrading a user device to Windows 10, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. +After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell. @@ -45,7 +44,7 @@ To verify that the user’s App-V settings were migrated correctly, type `Get-Ap ## Enable the in-box App-V client -With Windows 10, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. +With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. **To enable the App-V client with Group Policy** diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 1f463763a0..4d7ae4ff1a 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -1,5 +1,5 @@ --- -title: Using the App-V Client Management Console (Windows 10) +title: Using the App-V Client Management Console (Windows 10/11) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Using the App-V Client Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 8cb9a3b085..eebe3e0c35 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -1,5 +1,5 @@ --- -title: Viewing App-V Server Publishing Metadata (Windows 10) +title: Viewing App-V Server Publishing Metadata (Windows 10/11) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -42,7 +42,7 @@ You can view the metadata for each request in an Internet browser by using a que ## Query syntax for viewing publishing metadata -This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows 10. +This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows client. **Query syntax** @@ -58,7 +58,7 @@ In this example: - A computer running Windows Server 2016 named “pubsvr01” hosts the Publishing service. -- The Windows client is Windows 10, 64-bit. +- The Windows client is 64-bit. **Query parameter descriptions** @@ -68,7 +68,7 @@ The following table describes the parameters shown in the preceding **Query synt |------------|---------------| | `` | Name of the App-V Publishing server. | | `` | Port to the App-V Publishing server, which you defined when you configured the Publishing server. | -| `ClientVersion=` | Windows 10 build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | +| `ClientVersion=` | Windows client build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | | `ClientOS=` | Operating system of the computer that is running the App-V client. Refer to the table that follows for the correct value.
You can omit this parameter, with the result that only the packages that were sequenced to support all operating systems will appear in the metadata. | To get the name of the Publishing server and the port number (`http://:`) from the App-V client, look at the URL configuration of the Get-AppvPublishingServer Windows PowerShell cmdlet. @@ -92,12 +92,12 @@ In your publishing metadata query, enter the string values that correspond to th - + - + From ef6e223a3334a7691877472377414ea2c6fe36aa Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 17:21:57 -0400 Subject: [PATCH 378/458] fixed validation warnings and suggestions --- .../appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md | 2 +- windows/application-management/app-v/appv-maintaining-appv.md | 2 +- ...ing-to-app-v-for-windows-10-from-an-existing-installation.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index c79bfcbc87..081235fe4b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -82,7 +82,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats: |App-V Sequencer|**Update-Help -Module AppvSequencer**| |App-V Client|**Update-Help -Module AppvClient**| -* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started?view=win-mdop2-ps). +* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started). ## Displaying the help for a Windows PowerShell cmdlet diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 543c13a48b..b67604f857 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -5,7 +5,7 @@ author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: w10/11 +ms.prod: w10 ms.date: 09/27/2018 ms.reviewer: manager: dansimp diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index f1e570b02a..1645168178 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -18,7 +18,7 @@ ms.author: greglin If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. -1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. +1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-10-11). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). From 645b4c380d0f00821393a6fe85f2a5c30aa18606 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 28 Sep 2021 17:28:02 -0400 Subject: [PATCH 379/458] fixed bookmark --- ...ing-to-app-v-for-windows-10-from-an-existing-installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 1645168178..cb48f4c88a 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -18,7 +18,7 @@ ms.author: greglin If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. -1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-10-11). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. +1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). From 7e23517a5ad917e516841d9455ab16427a37bae6 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 28 Sep 2021 17:34:57 -0400 Subject: [PATCH 380/458] 10/11 --- .../enterprise-background-activity-controls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 0a72c19e87..9c4133cd25 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -17,7 +17,7 @@ To provide the best experience for consumers, Windows provides controls that giv By default, resource limits are imposed on applications. Foreground apps are given the most memory and execution time; background apps get less. Users are thus protected from poor foreground app performance and heavy battery drain. -Enterprise users want the same ability to enable or limit background activity. In Windows 10, version 1703 (also known as the Creators Update), enterprises can now configure settings via policy and provisioning that control background activity. +Enterprise users want the same ability to enable or limit background activity. Starting with Windows 10 version 1703, enterprises can now configure settings via policy and provisioning that control background activity. ## Background activity controls @@ -33,7 +33,7 @@ Here is the set of available controls for mobile devices:  ![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) -Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). +Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows clients. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). ## Enterprise background activity controls  @@ -62,4 +62,4 @@ The Universal Windows Platform ensures that consumers will have great battery li - [Run in the background indefinitely](/windows/uwp/launch-resume/run-in-the-background-indefinetly) - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) -[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) \ No newline at end of file +[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) From bf43d60452829c13a1d0c3ff2a2c270dd31d66e7 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 28 Sep 2021 17:38:49 -0400 Subject: [PATCH 381/458] 10/11 --- .../manage-windows-mixed-reality.md | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 2305949341..775ad66f85 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -1,5 +1,5 @@ --- -title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: manager: dansimp @@ -15,37 +15,41 @@ ms.topic: article # Enable or block Windows Mixed Reality apps in enterprises -**Applies to** - -- Windows 10 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. +[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update. Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal). ## Enable Windows Mixed Reality in WSUS -1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) +1. [Check your version of Windows.](https://support.microsoft.com/help/13443/windows-which-operating-system) >[!NOTE] >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + 1. Download the FOD .cab file: - > [!NOTE] - > You must download the FOD .cab file that matches your operating system version. + - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) + - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) + - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab) + + > [!NOTE] + > You must download the FOD .cab file that matches your operating system version. 1. Use `Dism` to add Windows Mixed Reality FOD to the image. - ```powershell - Dism /Online /Add-Package /PackagePath:(path) - ``` + ```powershell + Dism /Online /Add-Package /PackagePath:(path) + ``` - > [!NOTE] - > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab** + > [!NOTE] + > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab** 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. From 667f3fd7d5e6f5f75bbf1f2627848670d11f8fe0 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 28 Sep 2021 17:43:02 -0400 Subject: [PATCH 382/458] Fixed path --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 775ad66f85..8640d74fc3 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -15,7 +15,7 @@ ms.topic: article # Enable or block Windows Mixed Reality apps in enterprises -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] +[!INCLUDE [Applies to Windows client versions](./includes/applies-to-windows-client-versions.md)] [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update. From b6ba405980cb95b018ec5ba354bfdb5272c5d310 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Tue, 28 Sep 2021 19:14:56 -0400 Subject: [PATCH 383/458] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Added a note that all policies must be PKCS 7 signed --- ...t-windows-defender-application-control-against-tampering.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 11d3f0df1e..3ceb3636e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -46,6 +46,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: - An internal CA code signing certificate or a purchased code signing certificate +> [!NOTE] +> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: From c77db21b149a0828f8fcae518d242b08d21e2370 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 28 Sep 2021 17:25:11 -0700 Subject: [PATCH 384/458] feedback --- windows/security/hardware.md | 2 +- windows/security/index.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/hardware.md b/windows/security/hardware.md index ae5f6ae709..435dd886c2 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -24,4 +24,4 @@ These new threats call for computing hardware that is secure down to the very co | Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | | Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). | Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | -| Secure core devices | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secure core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| diff --git a/windows/security/index.yml b/windows/security/index.yml index d7f93945a5..7a5576692b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -39,9 +39,9 @@ landingContent: links: - text: Trusted Platform Module url: information-protection/tpm/trusted-platform-module-top-node.md - - text: Hardware-based root of trust + - text: Windows Defender System Guard firmware protection url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - - text: System Guard Secure Launch and SMM protection + - text: System Guard Secure Launch and SMM protection enablement url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - text: Virtualization-based protection of code integrity url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md From 7e2414ec920033f9af0ff465f4f2c9a8aa217003 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 29 Sep 2021 13:05:23 +0530 Subject: [PATCH 385/458] CSP -03 : Windows 11 matrix update Updated the tables with Windows 11 and converted images into text respectively --- .../mdm/policy-csp-internetexplorer.md | 6716 +++++++++-------- .../mdm/policy-csp-kerberos.md | 54 +- .../mdm/policy-csp-kioskbrowser.md | 163 +- .../mdm/policy-csp-lanmanworkstation.md | 33 +- .../mdm/policy-csp-licensing.md | 54 +- ...policy-csp-localpoliciessecurityoptions.md | 10 - .../mdm/policy-csp-localusersandgroups.md | 25 +- .../mdm/policy-csp-lockdown.md | 34 +- 8 files changed, 3533 insertions(+), 3556 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8222726809..3d06d6810d 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -799,6 +799,12 @@ manager: dansimp +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -808,28 +814,34 @@ manager: dansimp

Windows 10

Windows 10/11

64-bit

WindowsClient_10.0_x64

Windows 10

Windows 10/11

32-bit

WindowsClient_10.0_x86
- - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -854,12 +866,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +885,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -925,12 +937,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -950,28 +956,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1002,12 +1014,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1074,12 +1086,6 @@ If you disable this setting the user cannot change "User name and passwords on f If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1099,28 +1105,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1145,12 +1157,6 @@ If you enable this policy setting, the certificate address mismatch warning alwa If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1170,28 +1176,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1220,12 +1232,6 @@ If you do not configure this policy setting, it can be configured on the General If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1245,28 +1251,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1293,12 +1305,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1318,28 +1324,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -1366,12 +1378,6 @@ If you disable this policy setting, users do not receive enhanced suggestions wh If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1402,28 +1408,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1448,12 +1460,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1473,28 +1479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1519,12 +1531,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1544,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1591,12 +1603,6 @@ This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1616,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1662,12 +1674,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1687,28 +1693,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1735,12 +1747,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1760,28 +1766,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1812,12 +1824,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1837,28 +1843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1889,12 +1901,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1914,28 +1920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1966,12 +1978,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1991,28 +1997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2043,12 +2055,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2068,28 +2074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2120,12 +2132,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2145,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2197,12 +2209,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2222,28 +2228,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2274,12 +2286,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2299,28 +2305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2345,12 +2357,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2370,28 +2376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark7YesYes
Businesscheck mark7YesYes
Enterprisecheck mark7YesYes
Educationcheck mark7YesYes
@@ -2417,12 +2429,6 @@ This policy setting allows the administrator to enable "Save Target As" context For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2452,28 +2458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2509,12 +2521,6 @@ If you disable or do not configure this policy, users may choose their own site- The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2559,28 +2565,34 @@ Value and index pairs in the SyncML example: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2607,12 +2619,6 @@ If you disable this policy setting, users cannot run or install files with an in If you do not configure this policy, users can choose to run or install files with an invalid signature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2632,28 +2638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2680,12 +2692,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2705,28 +2711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2757,12 +2769,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2782,28 +2788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2834,12 +2846,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2859,28 +2865,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2911,12 +2923,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2936,28 +2942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -2984,12 +2996,6 @@ If you disable this policy setting, Internet Explorer will not check server cert If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3009,28 +3015,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3057,12 +3069,6 @@ If you disable this policy setting, Internet Explorer will not check the digital If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3081,28 +3087,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark7YesYes
Businesscheck mark7YesYes
Enterprisecheck mark7YesYes
Educationcheck mark7YesYes
@@ -3147,12 +3159,6 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3374,28 +3380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3424,12 +3436,6 @@ If you disable this policy setting, Internet Explorer will not require consisten If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3449,28 +3455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -3495,12 +3507,6 @@ This setting determines whether IE automatically downloads updated versions of M If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3531,28 +3537,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3579,12 +3591,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3604,28 +3610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3650,12 +3662,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3675,28 +3681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3721,12 +3733,6 @@ If you enable this policy setting, Windows Defender SmartScreen warnings block t If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3746,28 +3752,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -3792,12 +3804,6 @@ If you enable this policy setting, the user cannot use the Compatibility View bu If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3828,28 +3834,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3874,12 +3886,6 @@ If you enable this policy setting, a user cannot set the number of days that Int If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3899,28 +3905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -3945,12 +3957,6 @@ If you enable this policy setting, a crash in Internet Explorer will exhibit beh If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3970,28 +3976,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4018,12 +4030,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4043,28 +4049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4093,12 +4105,6 @@ If you do not configure this policy setting, the user can choose whether to dele If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4118,28 +4124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4164,12 +4176,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4189,28 +4195,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4237,12 +4249,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4262,28 +4268,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -4308,12 +4320,6 @@ If you enable this policy setting, the ability to synchronize feeds and Web Slic If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4344,28 +4350,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4394,12 +4406,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4419,28 +4425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4469,12 +4481,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4494,28 +4500,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -4542,12 +4554,6 @@ If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4578,28 +4584,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4623,12 +4635,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4646,28 +4652,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark7YesYes
Businesscheck mark7YesYes
Enterprisecheck mark7YesYes
Educationcheck mark7YesYes
@@ -4699,12 +4711,6 @@ If you disable, or do not configure this policy, all sites are opened using the > Microsoft Edge Stable Channel must be installed for this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4742,28 +4748,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4788,12 +4800,6 @@ If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4813,28 +4819,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4863,12 +4875,6 @@ If you disable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4888,28 +4894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -4938,12 +4950,6 @@ If you disable this policy setting, Internet Explorer 11 will use 32-bit tab pro If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -4963,28 +4969,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5009,12 +5021,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5034,28 +5040,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5080,12 +5092,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5105,28 +5111,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5153,12 +5165,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5178,28 +5184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5224,12 +5236,6 @@ If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5249,28 +5255,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5296,12 +5308,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5321,28 +5327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -5369,12 +5381,6 @@ If you disable this policy setting, users are suggested matches when entering We If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5405,28 +5411,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5455,12 +5467,6 @@ If you enable this policy setting, Internet Explorer will not give the user the If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5480,28 +5486,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5531,12 +5543,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5556,28 +5562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5607,12 +5619,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5632,28 +5638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5680,12 +5692,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5705,28 +5711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5757,12 +5769,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5782,28 +5788,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5830,12 +5842,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5855,28 +5861,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5903,12 +5915,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -5928,28 +5934,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -5976,12 +5988,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6001,28 +6007,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6049,12 +6061,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6074,28 +6080,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6120,12 +6132,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6145,28 +6151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6195,12 +6207,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script can perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6220,28 +6226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6268,12 +6280,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6293,28 +6299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6341,12 +6353,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6366,28 +6372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6414,12 +6426,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6439,28 +6445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6487,12 +6499,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6512,28 +6518,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6560,12 +6572,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6585,28 +6591,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6631,12 +6643,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6656,28 +6662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6702,12 +6714,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6727,28 +6733,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6775,12 +6787,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6800,28 +6806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6848,12 +6860,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6873,28 +6879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6921,12 +6933,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -6946,28 +6952,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -6996,12 +7008,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7021,28 +7027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7067,12 +7079,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7092,28 +7098,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7140,12 +7152,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7165,28 +7171,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7215,12 +7227,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7240,28 +7246,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7288,12 +7300,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7313,28 +7319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7361,12 +7373,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7386,28 +7392,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7434,12 +7446,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7459,28 +7465,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7505,12 +7517,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7530,28 +7536,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7580,12 +7592,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7605,28 +7611,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7655,12 +7667,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7680,28 +7686,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7728,12 +7740,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7753,28 +7759,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7801,12 +7813,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7826,28 +7832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7874,12 +7886,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7899,28 +7905,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -7949,12 +7961,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -7974,28 +7980,34 @@ ADMX Info: - - + + + - + + - + + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark1YesYes
Procheck mark1YesYes
Business
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -8015,28 +8027,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8069,12 +8087,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8094,28 +8106,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8142,12 +8160,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8167,28 +8179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8223,12 +8241,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8248,28 +8260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8296,12 +8314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8321,28 +8333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8369,12 +8387,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8394,28 +8406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8442,12 +8460,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8467,28 +8479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8515,12 +8533,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8540,28 +8552,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8588,12 +8606,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8613,28 +8625,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8661,12 +8679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8686,28 +8698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8732,12 +8750,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8757,28 +8769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8805,12 +8823,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8830,28 +8842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8878,12 +8896,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8903,28 +8915,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -8951,12 +8969,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -8976,28 +8988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9024,12 +9042,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9049,28 +9061,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9099,12 +9117,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9124,28 +9136,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9172,12 +9190,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9197,28 +9209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9245,12 +9263,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9270,28 +9282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9320,12 +9338,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9345,28 +9357,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9399,12 +9417,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9424,28 +9436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9472,12 +9490,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9497,28 +9509,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark7YesYes
Businesscheck mark7YesYes
Enterprisecheck mark7YesYes
Educationcheck mark7YesYes
@@ -9553,12 +9571,6 @@ Related policies: For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9596,28 +9608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9644,12 +9662,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9669,28 +9681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9717,12 +9735,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9742,28 +9754,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9788,12 +9806,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9813,28 +9825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9861,12 +9879,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9886,28 +9898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -9934,12 +9952,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -9959,28 +9971,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10007,12 +10025,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10032,28 +10044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10080,12 +10098,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10105,28 +10117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10155,12 +10173,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10180,28 +10192,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10228,12 +10246,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10253,28 +10265,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10301,12 +10319,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10326,28 +10338,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10376,12 +10394,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10401,28 +10413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10455,12 +10473,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10480,28 +10492,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10528,12 +10546,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10553,28 +10565,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10601,12 +10619,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10626,28 +10638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10674,12 +10692,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10699,28 +10711,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10745,12 +10763,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10770,28 +10782,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10818,12 +10836,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10843,28 +10855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10891,12 +10909,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10916,28 +10928,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -10964,12 +10982,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -10989,28 +11001,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11037,12 +11055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11062,28 +11074,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11112,12 +11130,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11137,28 +11149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11185,12 +11203,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11210,28 +11222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11260,12 +11278,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11285,28 +11297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11339,12 +11357,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11364,28 +11376,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11412,12 +11430,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11437,28 +11449,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11491,12 +11509,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11516,28 +11528,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11564,12 +11582,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11589,28 +11601,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11637,12 +11655,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11662,28 +11674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11708,12 +11726,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11733,28 +11745,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11781,12 +11799,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11806,28 +11818,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11854,12 +11872,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11879,28 +11891,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -11927,12 +11945,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -11952,28 +11964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12000,12 +12018,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12025,28 +12037,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12075,12 +12093,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12100,28 +12112,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12148,12 +12166,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12173,28 +12185,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12223,12 +12241,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12248,28 +12260,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12296,12 +12314,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12321,28 +12333,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12369,12 +12387,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12394,28 +12406,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12442,12 +12460,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12467,28 +12479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12513,12 +12531,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12538,28 +12550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12586,12 +12604,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12611,28 +12623,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12659,12 +12677,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12684,28 +12696,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12732,12 +12750,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12757,28 +12769,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12805,12 +12823,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12830,28 +12842,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12880,12 +12898,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12905,28 +12917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -12953,12 +12971,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -12978,28 +12990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13028,12 +13046,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13053,28 +13065,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13107,12 +13125,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13132,28 +13144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13180,12 +13198,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13205,28 +13217,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13253,12 +13271,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13278,28 +13290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13326,12 +13344,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13351,28 +13363,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13397,12 +13415,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13422,28 +13434,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13470,12 +13488,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13495,28 +13507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13543,12 +13561,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13568,28 +13580,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13616,12 +13634,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13641,28 +13653,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13689,12 +13707,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13714,28 +13726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13764,12 +13782,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13789,28 +13801,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13837,12 +13855,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13862,28 +13874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13912,12 +13930,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -13937,28 +13949,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -13991,12 +14009,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14016,28 +14028,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14064,12 +14082,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14089,28 +14101,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14137,12 +14155,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14162,28 +14174,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14210,12 +14228,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14235,28 +14247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14281,12 +14299,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14306,28 +14318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14354,12 +14372,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14379,28 +14391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14427,12 +14445,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14452,28 +14464,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14500,12 +14518,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14525,28 +14537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14573,12 +14591,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14598,28 +14610,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14648,12 +14666,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14673,28 +14685,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14721,12 +14739,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14746,28 +14758,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14796,12 +14814,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14821,28 +14833,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14875,12 +14893,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14900,28 +14912,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -14948,12 +14966,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -14973,28 +14985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15021,12 +15039,6 @@ If you disable this policy setting, applications can use the MK protocol API. Re If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15046,28 +15058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15094,12 +15112,6 @@ If you disable this policy setting, Internet Explorer processes will allow a MIM If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15119,28 +15131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
@@ -15165,12 +15183,6 @@ If you enable this policy setting, you can choose which page to display when the If you disable or do not configure this policy setting, users can select their preference for this behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15204,28 +15216,34 @@ Supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15252,12 +15270,6 @@ If you disable this policy setting, the Notification bar will not be displayed f If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15277,28 +15289,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15323,12 +15341,6 @@ If you enable this policy setting, the user is not prompted to turn on Windows D If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15348,28 +15360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15394,12 +15412,6 @@ If you enable this policy setting, ActiveX controls cannot be installed on a per If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15419,28 +15431,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15467,12 +15485,6 @@ If you disable this policy setting, no zone receives such protection for Interne If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15492,28 +15504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15540,12 +15558,6 @@ If you disable or don't configure this policy setting, users will see the "Run t For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15565,28 +15577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15613,12 +15631,6 @@ If you disable this policy setting, prompting for ActiveX control installations If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15638,28 +15650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15686,12 +15704,6 @@ If you disable this policy setting, prompting will occur for file downloads that If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15711,28 +15723,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15759,12 +15777,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15784,28 +15796,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15832,12 +15850,6 @@ If you disable this policy setting, script code on pages in the zone is prevente If you do not configure this policy setting, script code on pages in the zone is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15857,28 +15869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15905,12 +15923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -15930,28 +15942,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -15976,12 +15994,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16001,28 +16013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16049,12 +16067,6 @@ If you disable this policy setting, binary and script behaviors are not availabl If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16074,28 +16086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16124,12 +16142,6 @@ If you disable this policy setting, a script cannot perform a clipboard operatio If you do not configure this policy setting, a script cannot perform a clipboard operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16149,28 +16161,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16197,12 +16215,6 @@ If you disable this policy setting, users are prevented from dragging files or c If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16222,28 +16234,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16270,12 +16288,6 @@ If you disable this policy setting, files are prevented from being downloaded fr If you do not configure this policy setting, files are prevented from being downloaded from the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16295,28 +16307,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16343,12 +16361,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16368,28 +16380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16416,12 +16434,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16441,28 +16453,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16489,12 +16507,6 @@ If you disable this policy setting, XAML files are not loaded inside Internet Ex If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16514,28 +16526,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16562,12 +16580,6 @@ If you disable this policy setting, a user's browser that loads a page containin If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16587,28 +16599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16635,12 +16653,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16660,28 +16672,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16706,12 +16724,6 @@ If you enable this policy setting, the user is prompted before ActiveX controls If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16731,28 +16743,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16777,12 +16795,6 @@ If you enable this policy setting, the TDC ActiveX control will not run from web If you disable this policy setting, the TDC Active X control will run from all sites in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16802,28 +16814,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16850,12 +16868,6 @@ If you disable this policy setting, the possible harmful actions contained in sc If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16875,28 +16887,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16923,12 +16941,6 @@ If you disable this policy setting, script access to the WebBrowser control is n If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -16948,28 +16960,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -16996,12 +17014,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17021,28 +17033,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17071,12 +17089,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17096,28 +17108,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17142,12 +17160,6 @@ If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17167,28 +17179,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17215,12 +17233,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17240,28 +17252,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17290,12 +17308,6 @@ If you selected Disable in the drop-down box, VBScript is prevented from running If you do not configure or disable this policy setting, VBScript is prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17315,28 +17327,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17363,12 +17381,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17388,28 +17400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17436,12 +17454,6 @@ If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17461,28 +17473,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17509,12 +17527,6 @@ If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17534,28 +17546,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17580,12 +17598,6 @@ If you enable this policy setting, the XSS Filter is turned on for sites in this If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17605,28 +17617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17655,12 +17673,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17680,28 +17692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17730,12 +17748,6 @@ In Internet Explorer 10, if you disable this policy setting or do not configure In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17755,28 +17767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17803,12 +17821,6 @@ If you disable this policy setting, the actions that may be harmful cannot run; If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17828,28 +17840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17876,12 +17894,6 @@ If you disable this policy setting, path information is removed when the user is If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17901,28 +17913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -17951,12 +17969,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -17976,28 +17988,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18030,12 +18048,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18055,28 +18067,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18103,12 +18121,6 @@ If you disable this policy setting, users are prevented from running application If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18128,28 +18140,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18184,12 +18202,6 @@ If you disable this policy setting, logon is set to Automatic logon only in Intr If you do not configure this policy setting, logon is set to Prompt for username and password. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18209,28 +18221,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18257,12 +18275,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18282,28 +18294,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18332,12 +18350,6 @@ If you disable this policy setting, controls and plug-ins are prevented from run If you do not configure this policy setting, controls and plug-ins are prevented from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18357,28 +18369,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18405,12 +18423,6 @@ If you disable this policy setting, Internet Explorer will not execute signed ma If you do not configure this policy setting, Internet Explorer will not execute signed managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18430,28 +18442,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18480,12 +18498,6 @@ If you disable this policy setting, script interaction is prevented from occurri If you do not configure this policy setting, script interaction is prevented from occurring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18505,28 +18517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18555,12 +18573,6 @@ If you disable this policy setting, scripts are prevented from accessing applets If you do not configure this policy setting, scripts are prevented from accessing applets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18580,28 +18592,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18628,12 +18646,6 @@ If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18653,28 +18665,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18701,12 +18719,6 @@ If you disable this policy setting, Protected Mode is turned off. The user canno If you do not configure this policy setting, the user can turn on or turn off Protected Mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18726,28 +18738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18774,12 +18792,6 @@ If you disable this policy setting, pop-up windows are not prevented from appear If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18799,28 +18811,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18847,12 +18865,6 @@ If you disable this policy setting, scripts can continue to create popup windows If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18872,28 +18884,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18918,12 +18936,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -18943,28 +18955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -18992,12 +19010,6 @@ This policy is intended to ensure that security zone settings apply uniformly to Also, see the "Security zones: Do not allow users to change policies" policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19017,28 +19029,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark7YesYes
Businesscheck mark7YesYes
Enterprisecheck mark7YesYes
Educationcheck mark7YesYes
@@ -19066,12 +19084,6 @@ If you disable, or not configure this setting, then it opens all sites based on > If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19111,28 +19123,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19157,12 +19175,6 @@ If you enable this policy setting, ActiveX controls are installed only if the Ac If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19182,28 +19194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19230,12 +19248,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19255,28 +19267,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19303,12 +19321,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19328,28 +19340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19374,12 +19392,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19399,28 +19411,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19447,12 +19465,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19472,28 +19484,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19520,12 +19538,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19545,28 +19557,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19593,12 +19611,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19618,28 +19630,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19666,12 +19684,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19691,28 +19703,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19741,12 +19759,6 @@ If you do not configure this policy setting, the user can choose whether Windows Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19766,28 +19778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19814,12 +19832,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19839,28 +19851,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19887,12 +19905,6 @@ If you disable this policy setting, Internet Explorer always checks with your an If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19912,28 +19924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -19962,12 +19980,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -19987,28 +19999,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -20041,12 +20059,6 @@ If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20066,28 +20078,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -20114,12 +20132,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -20132,15 +20144,5 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 863153876a..d51018a42a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -44,6 +44,13 @@ manager: dansimp
+> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -104,12 +111,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -179,12 +180,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -263,12 +258,6 @@ If you disable or do not configure this policy, each algorithm will assume the * More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -344,12 +333,6 @@ If you enable this policy setting, the client computers in the domain enforce th If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -420,12 +403,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -501,12 +478,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,16 +558,5 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index b7c4328ba0..76dcd8f06b 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -57,28 +57,34 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -95,7 +101,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic -Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -111,28 +117,34 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -149,7 +161,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL -Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -165,28 +177,34 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -203,7 +221,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s -Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. +Configures the default URL kiosk browsers to navigate on launch and restart. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -219,28 +237,34 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -270,28 +294,34 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -308,7 +338,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki -Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. +Enable/disable kiosk browser's home button. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -324,28 +354,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -362,7 +398,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. -Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). +Enable/disable kiosk browser's navigation buttons (forward/back). > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -378,28 +414,34 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -416,7 +458,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation but -Added in Windows 10, version 1803. Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. @@ -427,15 +469,4 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index f7c4cf4015..fd3a136e36 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -36,28 +36,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -74,7 +80,7 @@ manager: dansimp -Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. @@ -98,16 +104,5 @@ This setting supports a range of values between 0 and 1.
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 3bc05c7260..518cd8ad84 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -39,28 +39,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -77,7 +83,7 @@ manager: dansimp -Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. +Enables or Disable Windows license reactivation on managed devices. @@ -105,28 +111,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -143,7 +155,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -164,16 +176,6 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..0dac27d890 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3798,15 +3798,5 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 5f21ba8658..523f62fb82 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -34,28 +34,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark9YesYes
Businesscheck mark9YesYes
Enterprisecheck mark9YesYes
Educationcheck mark9YesYes
@@ -72,7 +78,7 @@ manager: dansimp -Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. @@ -313,8 +319,5 @@ To troubleshoot Name/SID lookup APIs: ``` -Footnotes: - -Available in Windows 10, version 20H2 diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 774ac1a21f..3300c86079 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - LockDown -
@@ -36,28 +35,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -74,7 +79,7 @@ manager: dansimp -Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. +Allows the user to invoke any system user interface by swiping in from any screen edge using touch. The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. @@ -97,16 +102,5 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - From 8af95e7302cc43c0fc6734445a80b4973f19fdf3 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 29 Sep 2021 13:31:15 +0530 Subject: [PATCH 386/458] Checking Acrolinx score for this file --- windows/client-management/mdm/policy-csp-internetexplorer.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 3d06d6810d..df389346d7 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -20144,5 +20144,4 @@ ADMX Info:
- \ No newline at end of file From 60fe20fc33a6b8fbce9df899352b79b17abbd700 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 29 Sep 2021 16:44:59 +0530 Subject: [PATCH 387/458] Updated --- .../mdm/policy-csp-credentialsdelegation.md | 43 +- .../mdm/policy-csp-credentialsui.md | 72 +- .../mdm/policy-csp-cryptography.md | 51 +- .../mdm/policy-csp-dataprotection.md | 51 +- .../mdm/policy-csp-datausage.md | 44 +- .../mdm/policy-csp-defender.md | 887 ++++++++++++------ .../mdm/policy-csp-deliveryoptimization.md | 631 ++++++++----- .../mdm/policy-csp-desktop.md | 44 +- .../mdm/policy-csp-deviceguard.md | 98 +- .../mdm/policy-csp-devicehealthmonitoring.md | 72 +- .../mdm/policy-csp-deviceinstallation.md | 272 +++--- .../mdm/policy-csp-devicelock.md | 313 +++--- .../mdm/policy-csp-display.md | 114 ++- .../mdm/policy-csp-dmaguard.md | 30 +- .../mdm/policy-csp-education.md | 101 +- 15 files changed, 1729 insertions(+), 1094 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index d4806508e7..a02c13b489 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - CredentialsDelegation +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -83,12 +96,7 @@ If you enable this policy setting, the host supports Restricted Admin or Remote If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,16 +109,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 5fdff42127..0d294e4618 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - CredentialsUI - +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -89,12 +101,7 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,31 +121,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -159,12 +173,7 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -177,16 +186,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 88e34b4df9..66af935c69 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -108,31 +115,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -164,16 +178,7 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index afbff9a990..ed9a1f87c4 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -39,31 +39,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -99,31 +106,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -150,15 +164,6 @@ Setting used by Windows 8.1 Selective Wipe.
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 652bf56c3c..9fcd657539 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - DataUsage - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -52,31 +57,38 @@ This policy is deprecated in Windows 10, version 1809. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -103,12 +115,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,16 +128,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c7445826de..fddac52c0c 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -156,31 +156,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -226,31 +233,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -296,31 +310,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -367,31 +388,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -437,31 +465,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -507,31 +542,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -577,31 +619,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -647,31 +696,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -709,31 +765,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -779,31 +842,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -849,31 +919,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -919,31 +996,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -981,31 +1065,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1051,31 +1142,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1093,7 +1191,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. +This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. Value type is string. @@ -1117,31 +1215,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1159,7 +1264,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. +This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). @@ -1185,31 +1290,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1256,31 +1368,38 @@ Valid values: 0–100 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1338,31 +1457,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1380,7 +1506,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. +This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. @@ -1418,31 +1544,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1459,7 +1592,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. +This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. @@ -1488,31 +1621,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1551,31 +1691,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1592,7 +1739,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1614,31 +1761,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1685,31 +1839,38 @@ Valid values: 0–90 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1765,31 +1926,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1845,31 +2013,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -1886,7 +2061,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -1916,31 +2091,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -1994,31 +2176,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -2035,7 +2224,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2071,31 +2260,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2135,31 +2331,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2199,31 +2402,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2269,31 +2479,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2311,7 +2528,7 @@ ADMX Info: > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. > [!NOTE] > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). @@ -2344,31 +2561,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2419,31 +2643,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2490,31 +2721,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2567,31 +2805,38 @@ Valid values: 0–1380 - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2648,31 +2893,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2725,31 +2977,38 @@ Valid values: 0–1380. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2809,31 +3068,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark5YesYes
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -2888,31 +3154,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -2963,31 +3236,38 @@ Valid values: 0–24. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3036,31 +3316,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -3111,16 +3398,6 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. -- 9 - Available in Windows 10, version 20H2. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index a1644a0373..b889259061 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -14,6 +14,13 @@ manager: dansimp # Policy CSP - DeliveryOptimization +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -123,31 +130,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -165,7 +179,7 @@ manager: dansimp > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. The default value is 10. @@ -189,31 +203,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -231,7 +252,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -260,31 +281,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -332,31 +360,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark8YesYes
Businesscheck mark8YesYes
Enterprisecheck mark8YesYes
Educationcheck mark8YesYes
+
@@ -412,31 +447,38 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -450,7 +492,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -474,31 +516,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -547,31 +596,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -618,31 +674,38 @@ Supported values: 0 - one month (in seconds) - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -656,7 +719,7 @@ Supported values: 0 - one month (in seconds) -Added in Windows 10, version 1803. This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. @@ -692,31 +755,38 @@ The following list shows the supported values as number of seconds: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -766,31 +836,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -833,31 +910,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -871,7 +955,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. @@ -913,31 +997,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark8YesYes
Businesscheck mark8YesYes
Enterprisecheck mark8YesYes
Educationcheck mark8YesYes
+
@@ -975,28 +1066,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1041,31 +1138,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1130,31 +1234,38 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark8YesYes
Businesscheck mark8YesYes
Enterprisecheck mark8YesYes
Educationcheck mark8YesYes
+
@@ -1211,31 +1322,38 @@ This policy is deprecated because it only applies to uploads to Internet peers ( - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -1253,7 +1371,7 @@ This policy is deprecated because it only applies to uploads to Internet peers ( > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 500. @@ -1277,31 +1395,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1318,7 +1443,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. +Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. @@ -1342,31 +1467,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1384,7 +1516,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. > [!NOTE] > If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. @@ -1411,31 +1543,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1453,7 +1592,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1477,31 +1616,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -1519,7 +1665,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1543,31 +1689,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -1585,7 +1738,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. By default, %SystemDrive% is used to store the cache. @@ -1609,31 +1762,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -1651,7 +1811,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. @@ -1677,31 +1837,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1715,7 +1882,7 @@ ADMX Info: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1752,31 +1919,38 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1790,7 +1964,7 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. Note that downloads from LAN peers will not be throttled even when this policy is set. @@ -1814,31 +1988,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1852,7 +2033,7 @@ ADMX Info: -Added in Windows 10, version 1803. Set this policy to restrict peer selection via selected option. +Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask (more options will be added in a future release). Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). @@ -1883,31 +2064,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1921,15 +2109,10 @@ The following list shows the supported values: -Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1957,31 +2140,38 @@ This policy allows an IT Admin to define the following: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -1995,15 +2185,10 @@ This policy allows an IT Admin to define the following: -Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2024,16 +2209,6 @@ This policy allows an IT Admin to define the following:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 9a3bcc48ee..1c8ca1f094 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -14,7 +14,12 @@ manager: dansimp # Policy CSP - Desktop - +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,31 +41,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscross markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -81,12 +93,7 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -99,16 +106,7 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 157279f8f5..a7b099ab6f 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -121,31 +128,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -159,7 +173,7 @@ ADMX Info: -Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. @@ -187,31 +201,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -225,7 +246,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. @@ -255,28 +276,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -293,7 +320,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. +Specifies the platform security level at the next reboot. Value type is integer. @@ -315,15 +342,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 35190895c9..2d0bfe0011 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -42,31 +42,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -106,31 +113,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -169,31 +183,38 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -225,16 +246,7 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 013edacaec..c14144ccd7 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -14,6 +14,13 @@ ms.localizationpriority: medium # Policy CSP - DeviceInstallation +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -59,31 +66,38 @@ ms.localizationpriority: medium - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -120,12 +134,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -183,31 +192,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -216,7 +232,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and > [!div class = "checklist"] > * Device -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. +
@@ -244,12 +260,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -304,31 +315,38 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -367,12 +385,7 @@ If you disable or do not configure this policy setting, and no other policy sett Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -437,31 +450,38 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -500,12 +520,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -564,31 +579,38 @@ You can also change the evaluation order of device installation policy settings - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -609,12 +631,7 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -643,31 +660,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -691,12 +715,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -758,31 +777,38 @@ You can also block installation by using a custom profile in Intune. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -808,12 +834,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -878,31 +899,38 @@ For example, this custom profile blocks installation and usage of USB devices wi - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark6YesYes
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
+
@@ -916,7 +944,7 @@ For example, this custom profile blocks installation and usage of USB devices wi -Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -925,12 +953,7 @@ If you disable or do not configure this policy setting, devices can be installed Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1005,31 +1028,38 @@ with - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1055,12 +1085,7 @@ If you disable or do not configure this policy setting, Windows can install and Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1117,15 +1142,6 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 3df3e81293..0288d5c9c7 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -75,31 +75,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecross markNoNo
Educationcross markNoNo
+
@@ -139,31 +146,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -204,31 +218,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -247,7 +268,7 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). +> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). @@ -275,31 +296,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -318,7 +346,7 @@ Specifies whether device lock is enabled. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -374,31 +402,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -441,31 +476,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -508,31 +550,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark1YesYes
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
+
@@ -546,7 +595,7 @@ The following list shows the supported values: -Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. > [!NOTE] > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. @@ -565,31 +614,38 @@ Value type is a string, which is the full image filepath and filename. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -639,31 +695,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -707,31 +770,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -750,7 +820,7 @@ The number of complex element types (uppercase and lowercase letters, numbers, a > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. PIN enforces the following behavior for desktop and mobile devices: @@ -829,31 +899,38 @@ For additional information about this policy, see [Exchange ActiveSync Policy En - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -872,7 +949,7 @@ Specifies the minimum number or characters required in the PIN or password. > [!NOTE] > This policy must be wrapped in an Atomic command. > -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -922,31 +999,38 @@ The following example shows how to set the minimum password length to 4 characte - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark3YesYes
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -983,31 +1067,38 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1053,31 +1144,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck markYesYes
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
+
@@ -1117,15 +1215,6 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 12a6952ffa..d24d5b7075 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -48,31 +48,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -108,31 +115,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -188,31 +202,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
+
@@ -248,31 +269,38 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -323,31 +351,38 @@ To validate on Desktop, do the following: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
+
@@ -391,16 +426,7 @@ To validate on Desktop, do the following:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2ca5164a50..e16f8e14e9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -35,31 +35,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
+
@@ -111,15 +118,6 @@ ADMX Info:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 7d2b8ebb1e..42ade7935c 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -44,31 +44,38 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark8YesYes
Procheck mark8YesYes
Businesscheck mark8YesYes
Enterprisecheck mark8YesYes
Educationcheck mark8YesYes
+
@@ -82,7 +89,7 @@ manager: dansimp -Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -107,31 +114,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -145,7 +159,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. +This policy allows IT Admins to set the user's default printer. The policy value is expected to be the name (network host name) of an installed printer. @@ -160,31 +174,38 @@ The policy value is expected to be the name (network host name) of an installed - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -198,7 +219,7 @@ The policy value is expected to be the name (network host name) of an installed -Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. +Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -226,31 +247,38 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
+
@@ -264,7 +292,7 @@ The following list shows the supported values: -Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). +Allows IT Admins to automatically provision printers based on their names (network host names). The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. @@ -272,16 +300,7 @@ The policy value is expected to be a `````` separated list of printer na
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. From 54df60f9ee4747a95558f69f4fbc88cac833f120 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 29 Sep 2021 20:46:59 +0530 Subject: [PATCH 388/458] Updated --- images/no.png | Bin 874 -> 0 bytes images/yes.png | Bin 614 -> 0 bytes includes/appliesto-2013-2016-2019-xxx-md.md | 1 - includes/appliesto-xxx-2016-2019-SUB-xxx-md.md | 1 - 4 files changed, 2 deletions(-) delete mode 100644 images/no.png delete mode 100644 images/yes.png delete mode 100644 includes/appliesto-2013-2016-2019-xxx-md.md delete mode 100644 includes/appliesto-xxx-2016-2019-SUB-xxx-md.md diff --git a/images/no.png b/images/no.png deleted file mode 100644 index 1aa084e6a3326f74e77306adc0bab27e6225b291..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmV-w1C{)VP)1D+=^TCDiFvbv#PS{_?BS{~Hb)mp=v5JDn;p0srp zDBgaW-85T$xMZegr&Ez=(t>Ey}+rZ+~|$YN#|mt~xI#DM*RC1^}GS&Ol&CvNL58mSw8<`_Yj=Sus;0jgQ;anX**WR8^qo z!zlEI6Xk~wOloK@0FDs|c7az*3xk0BemZ5p zjtJ`U`t0HIYnvwcd45-~uA9K~|2CI5q&^}j=W^>fmpdpo@%1}K$7cZm1$j9T(lqo- zD;NlAE&y;ixwWXF)~)TqKWm$=fS#PwK{Yl50H`P_L}f)WYN{%Bn#-^p1h&}h;M|_6 zsG(k;PdPsOP3!af0RW6h2#TU`t+WW2&z}LXcg8}R1|t%IqISA>L^Hi$wr({A8Advh znp(TgD!)wp4on-P*&22V8O^rc_nG+x>kCEi-6M}dLI~Pk4?I*)YBzZP|D#Z=GuU2s z54MK$i3&;x!LwIAWgWdrt;u5Zhl6c9IP&J>=weG}-~EF;qQ2Sypi!<6CnX$zBw@ux zu@W{-!ZJym%VTqLt~Ce8Ef~$V$Mto!=7Z}00)LUfCpD&o@&Et;07*qoM6N<$f~ppT Awg3PC diff --git a/images/yes.png b/images/yes.png deleted file mode 100644 index d2285c5c46cfb8c983a2a725f4ff13e241a5f319..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 614 zcmV-s0-61ZP)Mxgdo$d#k7bF$_Of$yBR1%&{?RX(S-St3z34+VrXLUxEO`o(2VC^ z&+dKC``+ikIsC3rO5tTmTbu{3118W0ECLx|N?K~XR#&)%N?U}1$3VPBECs}*rB?S1 zmA1GByabvx;(1^|T58NQRNA5u$N~}VQ$hi_EG_lbY5H7zU_=M#69$IQzbk`4QrhBx zYpAqE6u6_4?QTsFyE=~F2=7`QK(A})PI1q5ZRg z^H1P-gUOB71V0No-put^_M={)ZBB8!{R91Gn!^WM00`C{)YRo0a`@ zUZ9IkkzRO6sJ@B5s7*s4!p)1LGzL!cc0SJf@3}quy3mYMgz(MDvjB-=e++ih~EgalK(_1H>BM+G@)tWBhcwIC%->I;N$c9E4Ear zT6YO}<}}<)q!wTX2x%S^KmlFSQfa5DJ&~lPz5(}vzb=4}DuLkbFLMD%0_`e6c&_{XFn7~=ecbB33Xr4+-ZB*-T1Bh3d_?=3=T>t<807*qoM6N<$f|?{1 AbN~PV diff --git a/includes/appliesto-2013-2016-2019-xxx-md.md b/includes/appliesto-2013-2016-2019-xxx-md.md deleted file mode 100644 index 9a496e3070..0000000000 --- a/includes/appliesto-2013-2016-2019-xxx-md.md +++ /dev/null @@ -1 +0,0 @@ -**APPLIES TO:** ![yes](../media/yes.png)2013 ![yes](../media/yes.png)2016 ![yes](../media/yes.png)2019 ![no](../media/no.png)SharePoint in Microsoft 365 diff --git a/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md b/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md deleted file mode 100644 index a97c23d538..0000000000 --- a/includes/appliesto-xxx-2016-2019-SUB-xxx-md.md +++ /dev/null @@ -1 +0,0 @@ -**APPLIES TO:** ![no-img-13](../media/no.png)2013 ![yes-img-16](../media/yes.png)2016 ![yes-img-19](../media/yes.png)2019 ![yes-img-se](../media/yes.png)Subscription Edition ![no-img-sop](../media/no.png)SharePoint in Microsoft 365 From 9512fa141ad4475b23bfdb5cb2729ca5a31d551d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 29 Sep 2021 08:21:53 -0700 Subject: [PATCH 389/458] update --- windows/deployment/windows-10-enterprise-e3-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index e1d673f759..f68b6a5e42 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -37,7 +37,7 @@ When you purchase Windows 10/11 Enterprise E3 via a partner, you get the follo - **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Roll back to Windows 10/11 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). - **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. From eb7a3e90be308b89390132003127536f69e9303e Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 08:38:18 -0700 Subject: [PATCH 390/458] updating one file as a test --- windows/deployment/update/waas-delivery-optimization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index ab8834382a..423c1dc58e 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -21,7 +21,8 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). From 55cd2d95d797a9c18affdcbca11eea94e654cdc6 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 08:58:58 -0700 Subject: [PATCH 391/458] remainder of Delivery Optimization updates --- .../update/delivery-optimization-proxy.md | 5 +- .../update/delivery-optimization-workflow.md | 4 +- .../waas-delivery-optimization-reference.md | 11 ++- .../waas-delivery-optimization-setup.md | 5 +- .../update/waas-delivery-optimization.md | 77 +++---------------- 5 files changed, 29 insertions(+), 73 deletions(-) diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md index 5e3fa30528..a03d3f5fb1 100644 --- a/windows/deployment/update/delivery-optimization-proxy.md +++ b/windows/deployment/update/delivery-optimization-proxy.md @@ -15,7 +15,10 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to**: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..4b2a35812c 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -17,8 +17,8 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 ## Download request workflow diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index df12b64c2c..47e7f5cd13 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -20,6 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -116,6 +117,9 @@ Download mode dictates which download sources clients are allowed to use when do | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +> [!NOTE] +> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. + >[!NOTE] >Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. @@ -160,7 +164,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. ### Absolute Max Cache Size @@ -197,8 +201,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. -Currently the only available option is **1 = Subnet mask**. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). + +When you set option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ef3f3040cc..b15133d690 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. +description: In this article, learn how to set up Delivery Optimization. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -15,11 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Set up Delivery Optimization for Windows 10 updates +# Set up Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 423c1dc58e..c6738e732c 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates +title: Delivery Optimization for Windows client updates manager: laurawi description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics @@ -16,13 +16,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Delivery Optimization for Windows 10 updates - +# Delivery Optimization for Windows client updates **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -30,44 +29,17 @@ Windows updates, upgrades, and applications can contain packages with very large Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). +For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -## New in Windows 10, version 2004 +## New in Windows 10, version 20H2 and Windows 11 -- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: - - ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png) - -- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). - -- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage). - -- New cmdlets: - - `Enable-DeliveryOptimizationVerboseLogs` - - `Disable-DeliveryOptimizationVerboseLogs` - - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -- New policy settings: - - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - -- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOMaxUploadBandwidth - -- Support for new types of downloads: - - Office installs and updates - - Xbox game pass games - - MSIX apps (HTTP downloads only) - - Microsoft Edge browser installations and updates - - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). When you set Option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. +- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). +- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements @@ -83,8 +55,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Download package | Minimum Windows version | |------------------|---------------| -| Windows 10 updates (feature updates and quality updates) | 1511 | -| Windows 10 drivers | 1511 | +| Windows client updates (feature updates and quality updates) | 1511 | +| Windows client drivers | 1511 | | Windows Store files | 1511 | | Windows Store for Business files | 1511 | | Windows Defender definition updates | 1511 | @@ -101,7 +73,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). @@ -255,28 +227,3 @@ Check Delivery Optimization settings that could limit participation in peer cach - Enable peer caching while the device connects using VPN. - Allow uploads when the device is on battery while under the set battery level - - - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](/archive/blogs/mniehaus/windows-10-delivery-optimization-and-wsus-take-2) - - -## Related articles - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) From b66eef7c0a7dff33412897185c7f9d095dca80f7 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 09:10:48 -0700 Subject: [PATCH 392/458] removing view parameter per suggestion --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index c6738e732c..4909cdd452 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -215,7 +215,7 @@ Try a Telnet test between two devices on the network to ensure they can connect 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] -> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers From 6e7795c0f93dac82b9089389e03d3a144fe2a86f Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 29 Sep 2021 19:01:29 +0200 Subject: [PATCH 393/458] Update policy-csp-localpoliciessecurityoptions.md Corrected two Notes sections that did not display correctly. --- .../policy-csp-localpoliciessecurityoptions.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..1b78a514c8 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - LocalPoliciesSecurityOptions -
@@ -164,11 +163,10 @@ manager: dansimp
-
> [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -3189,8 +3187,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - > [!NOTE] - > Use this option only in the most constrained environments. + + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3565,8 +3564,10 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: - 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - > [!NOTE] - > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. From 9a4b2257b4501cf808d7e2e3a739f486a9de5033 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Wed, 29 Sep 2021 10:39:17 -0700 Subject: [PATCH 394/458] Update faq-md-app-guard.yml --- .../faq-md-app-guard.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9ad53a26f5..c0d45b5bad 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 07/23/2021 + ms.date: 09/29/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -217,6 +217,16 @@ sections: Policy: Allow installation of devices using drivers that match these device setup classes - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + - question: | + I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + answer: | + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + + 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. + + 2. Reboot the device. + + additionalContent: | ## See also From 159c1c40cc824fa70767c910b870b54572c88802 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 29 Sep 2021 10:58:33 -0700 Subject: [PATCH 395/458] ZT updates --- windows/security/zero-trust-windows-device-health.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 17f22fad49..324d3a7083 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -27,6 +27,12 @@ The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-tru The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. Microsoft Intune and Azure Active Directory can be used to manage and enforce access. Plus, IT Administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. +Zero Trust moves enterprise defenses from static, network-based perimeters to focus on users, assets, and resources. Both [Conditional access](/azure/active-directory/conditional-access/overview) and Device health attestation are used to help grant access to corporate resources. + +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are. Access can then be allowed or blocked based on this information. + +For devices, each device needs to prove that it hasn't been tampered with and is in a good state. Windows 11 supports remote attestation to help confirm device compliance. This helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. This capability is critical part of enabling hybrid, modern work environment. + ## Device health attestation on Windows Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: @@ -34,9 +40,9 @@ The Zero Trust concept of **verify explicitly** applies to the risks introduced - If the operating system booted correctly. - If the OS has the right set of security features enabled. -These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled in the attestation flow, and that the device has not been tampered with. +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled in the attestation flow, and that the device has not been tampered with. -Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. A summary of the steps involved in attestation and Zero Trust on the device side are as follows: From 93dac72e3bcf49e30d29794daff02be31595dd5d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Sep 2021 11:02:42 -0700 Subject: [PATCH 396/458] Update policy-csp-localpoliciessecurityoptions.md --- ...policy-csp-localpoliciessecurityoptions.md | 79 +++++++++---------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1b78a514c8..4b4556e7e0 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,9 +5,9 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 05/02/2021 +ms.date: 09/29/2021 ms.reviewer: manager: dansimp --- @@ -522,9 +522,8 @@ Devices: Allow undock without having to log on. This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. -Caution: - -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -664,7 +663,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled ->[!Note] +>[!NOTE] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1411,14 +1410,14 @@ If this setting is enabled, the Microsoft network client will not communicate wi Default: Disabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1491,16 +1490,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1726,16 +1725,16 @@ If this setting is enabled, the Microsoft network server will not communicate wi Default: Disabled for member servers. Enabled for domain controllers. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. ->If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1808,15 +1807,15 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Note] +> [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1894,8 +1893,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. ->[!Important] ->This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. From 9b4ed72c9f675475b12343a28a50ae412921150f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Sep 2021 11:25:40 -0700 Subject: [PATCH 397/458] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 4b4556e7e0..e181048e21 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -302,9 +302,8 @@ This security setting determines whether local accounts that are not password pr Default: Enabled. -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. This setting does not affect logons that use domain accounts. From b0a155bfce30be6ffc06e8698ab55b51279e1849 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 29 Sep 2021 12:19:33 -0700 Subject: [PATCH 398/458] Update faq-md-app-guard.yml Removed obsolete issue --- .../faq-md-app-guard.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index c0d45b5bad..eba1952007 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -171,12 +171,7 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | - Why can I not launch Application Guard when Exploit Guard is enabled? - answer: | - There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - - - question: | + - question: | How can I disable portions of ICS without breaking Application Guard? answer: | ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. From b5a33b988ae9afe22cd9052f6af93a6f57cd020f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 29 Sep 2021 13:26:11 -0700 Subject: [PATCH 399/458] addtl edits --- windows/security/zero-trust-windows-device-health.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 324d3a7083..a90992f99b 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -27,11 +27,13 @@ The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-tru The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. Microsoft Intune and Azure Active Directory can be used to manage and enforce access. Plus, IT Administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. -Zero Trust moves enterprise defenses from static, network-based perimeters to focus on users, assets, and resources. Both [Conditional access](/azure/active-directory/conditional-access/overview) and Device health attestation are used to help grant access to corporate resources. +**Device health attestation** and **conditional access** are used to grant access to corporate resources. This helps reinforce a Zero Trust paradigm that moves enterprise defenses from static, network- based perimeters to focus on users, assets, and resources. -[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are. Access can then be allowed or blocked based on this information. +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. -For devices, each device needs to prove that it hasn't been tampered with and is in a good state. Windows 11 supports remote attestation to help confirm device compliance. This helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. This capability is critical part of enabling hybrid, modern work environment. +Windows 11 supports device health attestation to confirm that devices are in a good state and have not been tampered with. This helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. + +Attestation provides assurance of trust as it can verify the identity and status of essential components and that the device, firmware, and boot process has not been altered. Information about the firmware, boot process, and software, which is cryptographically stored in the security co-processor (TPM), is used to validate the security state of the device. Once the device is attested it can be granted access to resources. ## Device health attestation on Windows Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. Zero Trust principles state that all endpoints are untrusted unless they are verified. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: From 9dd415335b8fc5a56e6bbe5b0f38cafd56855172 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 29 Sep 2021 14:31:35 -0700 Subject: [PATCH 400/458] safety commit --- .../feature-update-maintenance-window.md | 4 +- .../get-started-updates-channels-tools.md | 30 ++-- .../update/how-windows-update-works.md | 2 +- .../deployment/update/plan-define-strategy.md | 17 +-- .../deployment/update/waas-configure-wufb.md | 72 ++++------ ...aas-deployment-rings-windows-10-updates.md | 2 + .../deployment/update/waas-integrate-wufb.md | 32 ++--- .../update/waas-manage-updates-wufb.md | 132 +++--------------- .../waas-optimize-windows-10-updates.md | 6 +- windows/deployment/update/waas-overview.md | 131 +++++------------ windows/deployment/update/waas-quick-start.md | 43 ++---- ...s-servicing-channels-windows-10-updates.md | 124 ++-------------- .../update/waas-servicing-differences.md | 1 + ...s-servicing-strategy-windows-10-updates.md | 43 ++---- windows/deployment/update/waas-wu-settings.md | 24 ++-- .../update/waas-wufb-group-policy.md | 44 ++---- windows/deployment/update/wufb-autoupdate.md | 2 +- windows/deployment/update/wufb-basics.md | 1 + .../update/wufb-compliancedeadlines.md | 110 +-------------- .../deployment/update/wufb-managedrivers.md | 2 +- .../deployment/update/wufb-manageupdate.md | 2 + windows/deployment/update/wufb-onboard.md | 1 + 22 files changed, 186 insertions(+), 639 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 771a7648f8..473abc5a46 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -13,7 +13,7 @@ ms.collection: M365-modern-desktop ms.topic: article ms.custom: seo-marvel-apr2020 --- - +{DELETE} # Deploy feature updates during maintenance windows **Applies to**: Windows 10 @@ -105,7 +105,7 @@ or documentation, even if Microsoft has been advised of the possibility of such ``` > [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for feature update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index b034e4e658..726454837e 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,5 +1,5 @@ --- -title: Windows 10 updates, channels, and tools +title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 @@ -12,7 +12,12 @@ manager: laurawi ms.topic: article --- -# Windows 10 updates, channels, and tools +# Windows client updates, channels, and tools + +**Applies to** + +- Windows 10 +- Windows 11 ## How Windows updates work @@ -30,34 +35,31 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. -- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. +- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. - **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools. - ## Servicing channels -Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. +There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization. -### Semi-annual Channel +### General Availability Channel -In the Semi-annual Channel, feature updates are available as soon as Microsoft releases them, twice per year. As long as a device isn't set to defer feature updates, any device using the Semi-annual Channel will install a feature update as soon as it's released. If you use Windows Update for Business, the Semi-annual Channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. -> [!NOTE] -> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607. ### Windows Insider Program for Business Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel: -- Windows Insider Fast -- Windows Insider Slow +- Windows Insider Dev +- Windows Insider Beta - Windows Insider Release Preview We recommend that you use the Windows Insider Release Preview channel for validation activities. @@ -67,10 +69,10 @@ We recommend that you use the Windows Insider Release Preview channel for valida The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition. +The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition. -| Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel | +| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel | | --- | --- | --- | --- | | Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)| | Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)| diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 1cb0a47bf7..821586a7d8 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,6 +1,6 @@ --- title: How Windows Update works -description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices. +description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices. ms.prod: w10 ms.mktglfcycl: audience: itpro diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index c18d2b0576..289cffc216 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -14,6 +14,11 @@ ms.collection: m365initiative-coredeploy # Define update strategy with a calendar +**Applies to** + +- Windows 10 +- Windows 11 + Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. @@ -21,7 +26,7 @@ Today, more organizations are treating deployment as a continual process of upda Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. ## Calendar approaches -You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. +You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: @@ -38,14 +43,4 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). -### Rapid -This calendar shows an example schedule that installs each feature update as it is released, twice per year: -[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox) - -This cadence might be best for you if these conditions apply: - -- You have a strong appetite for change. -- You want to continuously update supporting infrastructure and unlock new scenarios. -- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. -- You have experience with feature updates for Windows 10. diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index d0c4ab43af..0c557a1ac6 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Update for Business (Windows 10) +title: Configure Windows Update for Business ms.reviewer: manager: laurawi description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. @@ -19,13 +19,14 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). @@ -33,7 +34,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). @@ -43,13 +44,13 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for the appropriate service channel -With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for Windows 10, version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | | MDM for Windows 10, version 1607 or later:
../Vendor/MSFT/Policy/Config/Update/
**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/
**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -64,9 +65,9 @@ Starting with Windows 10, version 1703, users can configure the branch readiness ## Configure when devices receive feature updates -After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. -For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. +For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.

@@ -74,7 +75,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for Windows 10, version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | | MDM for Windows 10, version 1607 and later:
../Vendor/MSFT/Policy/Config/Update/
**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | @@ -84,7 +85,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod ## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. +You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. @@ -98,20 +99,20 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | +| GPO for Windows 10, version 1607 or later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > **Select when feature updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | | MDM for Windows 10, version 1607 or later:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
**1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Feature Updates not paused | -| 1 | Feature Updates paused | -| 2 | Feature Updates have auto-resumed after being paused | +| 0 | feature updates not paused | +| 1 | feature updates paused | +| 2 | feature updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -122,9 +123,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha - Any pending update installations are canceled. - Any update installation running when pause is activated will attempt to roll back. -## Configure when devices receive Quality Updates +## Configure when devices receive quality updates -Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. @@ -160,15 +161,15 @@ In cases where the pause policy is first applied after the configured start date | MDM for Windows 10, version 1607 or later:
../Vendor/MSFT/Policy/Config/Update/
**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: +The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | -| 0 | Quality Updates not paused | -| 1 | Quality Updates paused | -| 2 | Quality Updates have auto-resumed after being paused | +| 0 | quality updates not paused | +| 1 | quality updates paused | +| 2 | quality updates have auto-resumed after being paused | >[!NOTE] >If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. @@ -193,8 +194,8 @@ The **Manage preview builds** setting gives administrators control over enabling >* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** >* MDM: **System/AllowBuildPreview** -The policy settings to **Select when Feature Updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* +The policy settings to **Select when feature updates are received** allows you to choose between preview flight rings, and allows you to defer or pause their delivery. +* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and feature updates are received* * MDM: **Update/BranchReadinessLevel** ## Exclude drivers from quality updates @@ -216,7 +217,7 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
32: systems take Feature Updates from Semi-Annual Channel
Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD | 2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)

Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | @@ -230,7 +231,7 @@ The following are quick-reference tables of the supported policy values for Wind | MDM Key | Key type | Value | | --- | --- | --- | -| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel
32: systems take Feature Updates from Semi-Annual Channel
Note: Other value or absent: receive all applicable updates | +| BranchReadinessLevel | REG_DWORD |2: systems take feature updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
4: systems take feature updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
8: systems take feature updates for the Release Windows Insider build (added in Windows 10, version 1709)
32: systems take feature updates from General Availability Channel
Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | | PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | @@ -253,20 +254,3 @@ When a device running a newer version sees an update available on Windows Update | PauseFeatureUpdates | PauseFeatureUpdatesStartTime | | PauseQualityUpdates | PauseQualityUpdatesStartTime | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 4070bb332d..fcb4115629 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -12,6 +12,8 @@ ms.collection: M365-modern-desktop ms.topic: article --- +{DELETE ALTOGETHER??} + # Build deployment rings for Windows client updates **Applies to** diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 6460401d70..b5d5e02b67 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,5 +1,5 @@ --- -title: Integrate Windows Update for Business (Windows 10) +title: Integrate Windows Update for Business description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage @@ -17,6 +17,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -25,7 +26,7 @@ You can integrate Windows Update for Business deployments with existing manageme ## Integrate Windows Update for Business with Windows Server Update Services -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: +For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy - All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies @@ -34,7 +35,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Windows Quality Updates using Windows Update for Business +- Device is configured to defer Windows quality updates using Windows Update for Business - Device is also configured to be managed by WSUS - Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) - Admin has opted to put updates to Office and other products on WSUS @@ -46,11 +47,11 @@ For Windows 10, version 1607, devices can now be configured to receive updates f Third-party driversWSUSWSUSNo -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business +### Configuration example \#2: Excluding drivers from Windows quality updates using Windows Update for Business **Configuration:** -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) +- Device is configured to defer Windows quality updates and to exclude drivers from Windows Update quality updates (**ExcludeWUDriversInQualityUpdate** = enabled) - Device is also configured to be managed by WSUS - Admin has opted to put Windows Update drivers on WSUS @@ -66,7 +67,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f **Configuration:** -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS +- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS - Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) - Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server @@ -86,26 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo ## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. +For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. ![Example of unknown devices.](images/wufb-sccm.png) For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 850d6cec44..dea3bbba22 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Windows Update for Business (Windows 10) +title: Windows Update for Business ms.reviewer: manager: laurawi description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update. @@ -18,14 +18,15 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 -Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. +Windows Update for Business is a free service that is available for all premium editions including Windows 10 and Windows 11 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated. Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization. @@ -46,7 +47,7 @@ Windows Update for Business enables an IT administrator to receive and manage a Windows Update for Business provides management policies for several types of updates to Windows 10 devices: -- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. - **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies. @@ -62,16 +63,15 @@ You can defer or pause the installation of updates for a set period of time. The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: -- Windows Insider Fast -- Windows Insider Slow -- Windows Insider Release Preview -- Semi-Annual Channel +- Windows Insider Dev +- Windows Insider Beta +- Windows Insider Preview +- General Availability Channel -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. #### Defer an update -A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy. +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy. |Category |Maximum deferral period | @@ -88,7 +88,7 @@ A Windows Update for Business administrator can defer the installation of both f If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. -To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). +To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). Built-in benefits: When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. @@ -97,10 +97,10 @@ When updating from Windows Update, you get the added benefits of built-in compat For the best experience with Windows Update, follow these guidelines: -- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. -- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. -- Make sure that devices have at least 10 GB of free space. -- Give devices unobstructed access to the Windows Update service. +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ### Manage the end-user experience when receiving Windows Updates @@ -110,9 +110,9 @@ Windows Update for Business provides controls to help meet your organization’s Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: -1. Automatically download, install, and restart (default if no restart policies are set up or enabled) -2. Use the default notifications -3. Set update deadlines +1. Automatically download, install, and restart (default if no restart policies are set up or enabled). +2. Use the default notifications. +3. Set update deadlines. ##### Setting deadlines @@ -121,101 +121,11 @@ A compliance deadline policy (released in June 2019) enables you to set separate This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. #### Update Baseline -The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. + +The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). >[!NOTE] ->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. +>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11. - +**Update/TargetProductVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. + +If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [https://docs.microsoft.com/windows/release-health/release-information](https://docs.microsoft.com/windows/release-health/release-information). + + +ADMX Info: +- GP Friendly name: *Select the target Feature Update version* +- GP name: *TargetProductVersion* +- GP element: *TargetProductVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing a Windows product, forexample, “Windows 11” or “11” or “Windows 10”. + + + + + + + + +By using this Windows Update for Business policy to upgrade devices to a new product (ex. Windows 11) you are agreeing that when applying this operating system to a device either +(1) The applicable Windows license was purchased though volume licensing, or +(2) That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). + +
+ **Update/TargetReleaseVersion** From 05818270a70291c26ea3c90358d6e2e9270280c0 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 30 Sep 2021 12:48:23 +0530 Subject: [PATCH 413/458] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index b41fd6dc19..b357e14f2d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4339,7 +4339,8 @@ The following list shows the supported values: Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. -If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [https://docs.microsoft.com/windows/release-health/release-information](https://docs.microsoft.com/windows/release-health/release-information). +If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). + ADMX Info: From 44523f1b60890cd2f98016cfbe3b20df73b488eb Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Thu, 30 Sep 2021 19:23:01 +0530 Subject: [PATCH 414/458] Updated --- .../smart-cards/smart-card-smart-cards-for-windows-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index b55d171543..ba3e2a4c05 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: -``` +```PowerShell Date: Thu, 30 Sep 2021 09:57:14 -0600 Subject: [PATCH 415/458] Update windows/client-management/mdm/policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index b357e14f2d..8b1cc3fa9f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4352,7 +4352,7 @@ ADMX Info: -Value type is a string containing a Windows product, forexample, “Windows 11” or “11” or “Windows 10”. +Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. From 593db0fed827594675a509c6cc27ab9ee0522a2a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 09:15:44 -0700 Subject: [PATCH 416/458] update --- .../deployment/vda-subscription-activation.md | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index c7c43f8741..a478f26f76 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,7 +1,7 @@ --- -title: Configure VDA for Windows 10 Subscription Activation +title: Configure VDA for Windows 10/11 Subscription Activation ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro ms.author: greglin author: greg-lindsay @@ -18,7 +18,11 @@ ms.topic: article ms.collection: M365-modern-desktop --- -# Configure VDA for Windows 10 Subscription Activation +# Configure VDA for Windows 10/11 Subscription Activation + +Applies to: +- Windows 10 +- Windows 11 This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. @@ -29,17 +33,18 @@ Deployment instructions are provided for the following scenarios: ## Requirements -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be running Windows 10 Pro, version 1703 or later (Windows 11 is "later"). - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be generation 1. -- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). + - For more information, see (Qualified Multitenant Hoster (QMTH) +Program)[https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf] ## Activation ### Scenario 1 -- The VM is running Windows 10, version 1803 or later. -- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- The VM is running Windows 10, version 1803 or later (ex: Windows 11). +- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. @@ -51,9 +56,9 @@ Deployment instructions are provided for the following scenarios: ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner. - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). + In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience). @@ -147,6 +152,6 @@ To create custom RDP settings for Azure: ## Related topics -[Windows 10 Subscription Activation](windows-10-subscription-activation.md) +[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) \ No newline at end of file From ce00ae09a30c7b1c278409058bdd21339b2d7333 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 09:21:35 -0700 Subject: [PATCH 417/458] xml now has parity with the current release of the vulnerable blocklist policy --- ...icrosoft-recommended-driver-block-rules.md | 652 ++++++++++++++---- 1 file changed, 500 insertions(+), 152 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 21119863f7..c749cb9925 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -59,6 +59,46 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -128,40 +168,148 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -174,22 +322,22 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - + + + + + + + - + - - - - - + @@ -225,7 +373,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -247,17 +395,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + @@ -288,6 +445,42 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -304,10 +497,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -315,118 +508,273 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - @@ -441,7 +789,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.19565.0 + 10.0.22417.0 From 0587eb2f8e0c778c10b7a2689ac4c6886518eb8a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 09:35:04 -0700 Subject: [PATCH 418/458] update --- windows/deployment/windows-10-subscription-activation.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 725f2f12f6..76e534a4ae 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -23,8 +23,12 @@ Applies to: - Windows 10 - Windows 11 -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. +> [!NOTE] +> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. This feature enables you to "step-up" from a Pro edition to the Enterprise or Education edition of Windows client. You cannot use Subscripton Activation to upgrade from Windows 10 to Windows 11, for example. The operating system version does not change when you switch to Enterprise edition. +Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. + +**Education edition**
With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. @@ -53,9 +57,6 @@ With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Win Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -> [!NOTE] -> You cannot use Subscripton Activation to upgrade from Windows 10 to Windows 11. The operating system version does not change when you switch to Enterprise edition. - ## Subscription Activation for Education Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. From 8fc109633f3cd9c169ce109940b520df8101632c Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 09:39:22 -0700 Subject: [PATCH 419/458] Microsoft criteria for driver blocks have been updated. WDSI driver submission page is now linked too. --- .../microsoft-recommended-driver-block-rules.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index c749cb9925..f99fbc4154 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -33,10 +33,15 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (i.e. malware) or certificates used to sign malware +- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission). + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml From 9731fbb12d7993ca409b9edcc69a8b24d0fc0800 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 09:48:23 -0700 Subject: [PATCH 420/458] update --- windows/deployment/windows-10-subscription-activation.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 76e534a4ae..177dacf63d 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -23,12 +23,8 @@ Applies to: - Windows 10 - Windows 11 -> [!NOTE] -> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. This feature enables you to "step-up" from a Pro edition to the Enterprise or Education edition of Windows client. You cannot use Subscripton Activation to upgrade from Windows 10 to Windows 11, for example. The operating system version does not change when you switch to Enterprise edition. - Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. -**Education edition**
With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. @@ -51,12 +47,14 @@ For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: - - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. - Product key-based Windows 10 Enterprise or Windows 11 Enterpise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). +> [!NOTE] +> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. + ## Subscription Activation for Education Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. From d05ee01ec09c6cf068f99c5586948bd2f7343f85 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 30 Sep 2021 10:00:20 -0700 Subject: [PATCH 421/458] updates from Aria --- windows/whats-new/windows-11-plan.md | 4 +--- windows/whats-new/windows-11-prepare.md | 12 +++++------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 2aebecdb11..fe62d280f3 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 08/18/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -57,8 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
-> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index da063c4529..45613110e8 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 09/03/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -41,16 +40,15 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1, but do not enable you to move between products (Windows 10 to Windows 11). +- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. - - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. -- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. If you use deferrals today in Group Policy, your devices will continue to get the latest feature update of Windows 10 once it has reached your specified deferral age, but will not be offered Windows 11 until you specify this by using the **Select target Feature Update version** policy. Your deferrals will continue to apply in this case as well. +- Quality update deferrals and experience policies will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management From 88ae0df07a1411380e2ccbaa3cac9b949b9a790d Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:00:45 -0700 Subject: [PATCH 422/458] Fixed broken link by hardcoding locale --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f99fbc4154..f88525d4c9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against 3rd party- - Malicious behaviors (i.e. malware) or certificates used to sign malware - Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/wdsi/driversubmission). +Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From 8f5b2533b83594b6a799899995d8fd89e8aa6231 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 10:02:06 -0700 Subject: [PATCH 423/458] update --- windows/deployment/vda-subscription-activation.md | 9 ++++----- windows/deployment/windows-10-enterprise-e3-overview.md | 9 +++++---- windows/deployment/windows-10-subscription-activation.md | 6 ++---- 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index a478f26f76..a7081e65f1 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -33,11 +33,10 @@ Deployment instructions are provided for the following scenarios: ## Requirements -- VMs must be running Windows 10 Pro, version 1703 or later (Windows 11 is "later"). +- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. - VMs must be hosted by a Qualified Multitenant Hoster (QMTH). - - For more information, see (Qualified Multitenant Hoster (QMTH) -Program)[https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf] + - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). ## Activation @@ -46,13 +45,13 @@ Program)[https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D - The VM is running Windows 10, version 1803 or later (ex: Windows 11). - The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 - The Hyper-V host and the VM are both running Windows 10, version 1803 or later. - [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. ### Scenario 3 diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f68b6a5e42..a4d743c9db 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -23,12 +23,14 @@ Applies to: - Windows 10 - Windows 11 -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. It delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. + +Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. - Azure Active Directory (Azure AD) available for identity management -You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. +You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. @@ -44,7 +46,6 @@ When you purchase Windows 10/11 Enterprise E3 via a partner, you get the follo How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. @@ -58,7 +59,7 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offeri ## Compare Windows 10 Pro and Enterprise editions -> [NOTE!] +> [!NOTE] > The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available. Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 177dacf63d..b4f0e331eb 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -71,9 +71,7 @@ To support Inherited Activation, both the host computer and the VM must be runni > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). -The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. - -![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) +The following list illustrates how deploying Windows client has evolved with each release: - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
@@ -92,7 +90,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each > [!NOTE] > The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). -> [!NOTE] +> [!IMPORTANT] > Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: From b41a13dd9fa59c7f5d99f029ff56d692b1188d3d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 10:16:53 -0700 Subject: [PATCH 424/458] update --- windows/deployment/deploy-enterprise-licenses.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 35d5e7ad7f..9b4d7283c3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -114,9 +114,9 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? -### Step 1: Join Windows 10 Pro devices to Azure AD +### Step 1: Join Windows 10/11 Pro devices to Azure AD Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. @@ -206,7 +206,7 @@ If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). From 8262dc1a01114e630db17c31995c250e7993f9c3 Mon Sep 17 00:00:00 2001 From: Jason Sandys <63433304+jasonsandys-microsoft@users.noreply.github.com> Date: Thu, 30 Sep 2021 12:19:58 -0500 Subject: [PATCH 425/458] Update windows-11-prepare.md Updated URLs. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index d46c11a3bc..77d94ff64c 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -53,7 +53,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. > [!NOTE] - > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](../client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](../deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. + > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](../../client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](../../deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. ## Cloud-based management From 9bb0cb08eafba88b46fcdae2cea14f254c3d1acb Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Thu, 30 Sep 2021 10:21:04 -0700 Subject: [PATCH 426/458] typo --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index b4f0e331eb..4d6d62258a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -48,7 +48,7 @@ With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Win If you are running Windows 10, version 1703 or later: - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. -- Product key-based Windows 10 Enterprise or Windows 11 Enterpise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. +- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). From d525240ca25c763092f1f2f58434e458000f75e8 Mon Sep 17 00:00:00 2001 From: Jason Sandys <63433304+jasonsandys-microsoft@users.noreply.github.com> Date: Thu, 30 Sep 2021 12:43:39 -0500 Subject: [PATCH 427/458] Update windows-11-prepare.md Further URL tweaks. --- windows/whats-new/windows-11-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 77d94ff64c..256ab8439e 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -53,7 +53,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. > [!NOTE] - > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](../../client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](../../deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. + > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicllty configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. ## Cloud-based management From 230d4b44eb56335887421d9e12b684638e3de12f Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:45:11 -0700 Subject: [PATCH 428/458] Added info about disputing blocks and addressed Acrolinx issues --- .../microsoft-recommended-driver-block-rules.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f88525d4c9..2339453f16 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -28,20 +28,20 @@ ms.date: >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -The vulnerable driver blocklist is designed to harden systems against 3rd party-developed drivers across the Windows ecosystem with any of the following: +The vulnerable driver blocklist is designed to harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: -- Known security vulnerabilities which can be exploited by attackers to elevate privileges in the Windows kernel -- Malicious behaviors (i.e. malware) or certificates used to sign malware -- Behaviors which are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel +- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (malware) or certificates used to sign malware +- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted by IHVs, OEMs and Windows customers to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To dispute a block or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml From dab05973ef0662c698511172c20c0707e575d1b5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Sep 2021 10:48:21 -0700 Subject: [PATCH 429/458] Update faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index eba1952007..9b02515ed7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 09/29/2021 + ms.date: 09/30/2021 ms.reviewer: manager: dansimp ms.custom: asr From 63c489bc1fd2ac8f67b3d44144f349a7d9796677 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 30 Sep 2021 10:49:36 -0700 Subject: [PATCH 430/458] Update faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9b02515ed7..a34c5d900d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -171,7 +171,7 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | + - question: | How can I disable portions of ICS without breaking Application Guard? answer: | ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. From d8ec34075d74d4890aaa77e848304ba61d9f5c7b Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:50:33 -0700 Subject: [PATCH 431/458] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 2339453f16..886064a829 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against third part - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To dispute a block or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From e760c0de5198708ca8b71ac48619505e25e41549 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Thu, 30 Sep 2021 10:55:11 -0700 Subject: [PATCH 432/458] removed en-us locale from wdsi link --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 886064a829..3d1e37428f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -39,7 +39,7 @@ The vulnerable driver blocklist is designed to harden systems against third part - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/en-us/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. From fc5a66769dab066abc546662636d99cedc4ba497 Mon Sep 17 00:00:00 2001 From: David Bradette <87823519+DavidBradette@users.noreply.github.com> Date: Thu, 30 Sep 2021 15:33:53 -0600 Subject: [PATCH 433/458] Update windows-11.md Update to document to reflect the October 5th, 2021 release date. --- windows/whats-new/windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 77e2fa58a9..5780f4ac8f 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -37,7 +37,7 @@ Windows 11 is built on the same foundation as Windows 10, so the investments you ## How to get Windows 11 -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5th, 2021. Windows 11 will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). From 721ffc09b62984c3a2037c4aefa18d6c0c53763d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Sep 2021 16:49:59 -0700 Subject: [PATCH 434/458] Labeled code blocks The list of valid content types is here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang --- .../hello-hybrid-aadj-sso-cert.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ca2cbe0e86..fba0adf89f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -230,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad 1. Open an elevated command prompt and type the following command: - ``` + ```console certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` @@ -404,11 +404,13 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. 2. Type the following command to register the service principal name - ``` + ```console setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: - ``` + + ```console setspn -s http/ndes.corp.contoso.com contoso\ndessvc ``` @@ -518,13 +520,13 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. 3. Type the following command: - ``` + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: - ``` + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` @@ -713,9 +715,10 @@ Sign-in the NDES server with access equivalent to _local administrator_. 2. In the navigation bar, type - ``` + ```https https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. @@ -766,7 +769,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 2. Run the following commands: - ``` + ```console reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` @@ -894,7 +897,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. 2. Type the following command to confirm the NDES Connector's last connection time is current. - ``` + ```console reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` @@ -904,7 +907,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. 5. In the navigation bar, type: - ``` + ```console https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` From e11578a51d0bb9171c2a649b2a7d9da05e6234c0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Sep 2021 18:15:22 -0700 Subject: [PATCH 435/458] Various corrections, mostly notes, tables, code blocks --- .../bitlocker/bcd-settings-and-bitlocker.md | 7 ++-- .../bitlocker/bitlocker-basic-deployment.md | 9 ++--- .../bitlocker/bitlocker-overview.md | 2 +- ...ve-encryption-tools-to-manage-bitlocker.md | 34 +++++++++++++------ .../ts-bitlocker-cannot-encrypt-issues.md | 11 ++++-- .../bitlocker/ts-bitlocker-config-issues.md | 4 +-- .../ts-bitlocker-decode-measured-boot-logs.md | 11 +++--- .../bitlocker/ts-bitlocker-intune-issues.md | 9 ++--- .../bitlocker/ts-bitlocker-recovery-issues.md | 32 ++++++++--------- 9 files changed, 72 insertions(+), 47 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 34a70a7698..3c10de8372 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> [!NOTE] +> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile @@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. -> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +> [!NOTE] +> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 5582a89d66..9a77ca4317 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. -> -> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fd212875f8..bc8488a920 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d58028caea..a4bc245136 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -64,7 +64,8 @@ manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` ->**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: @@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. ->**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. +> [!TIP] +> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: @@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d - Windows does not start, or you cannot start the BitLocker recovery console. - You do not have a copy of the data that is contained on the encrypted drive. ->**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. The following limitations exist for Repair-bde: @@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. + The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. ->**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. +> [!TIP] +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. @@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` ->**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes @@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using an AD Account or Group protector in Windows PowerShell The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. ->**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes +> [!WARNING] +> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. @@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ->**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` ->**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> [!TIP] +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: @@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` ->**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. ## More information diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index f8dc37af5a..f2ed14e623 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** 1. Delete the following entries: @@ -55,9 +56,13 @@ To resolve this issue, follow these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. + 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. + 1. Follow the instructions on the page to enter your password. + 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. + 1. The **Starting encryption** page displays the message "Access is denied." You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. @@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps: 1. At the command prompt, enter the following command: - ```cmd + ```console C:\>sc sdshow bdesvc ``` The output of this command resembles the following: - > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) + > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. @@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - ```ps + ```powershell sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6b1ee39717..4142982e69 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: -``` +```console \# for hex 0xc0210000 / decimal -1071579136 ‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h ‎ \# This volume is locked by BitLocker Drive Encryption. @@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur The operation produces the following call stack: -``` +```console \# Child-SP RetAddr Call Site ‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] ‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 276b174efd..66a69b499e 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -63,9 +63,11 @@ To use TBSLogGenerator, follow these steps: ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: - ```cmd + + ```console TBSLogGenerator.exe -LF \.log > \.txt ``` + where the variables represent the following values: - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded @@ -74,7 +76,7 @@ To use TBSLogGenerator, follow these steps: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - ```cmd + ```console TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` @@ -90,7 +92,7 @@ The content of this text file resembles the following. To find the PCR information, go to the end of the file. - ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) +![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -102,7 +104,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To decode a log, run the following command: -```cmd + +```console PCPTool.exe decodelog \.log > \.xml ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 13b4676a20..1996e9d513 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: -``` +```console diskpart list volume ``` + ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). @@ -118,7 +119,7 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```cmd +```console reagentc /info ``` The output of this command resembles the following. @@ -127,7 +128,7 @@ The output of this command resembles the following. If the **Windows RE status** is not **Enabled**, run the following command to enable it: -```cmd +```console reagentc /enable ``` @@ -135,7 +136,7 @@ reagentc /enable If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: -```cmd +```console bcdedit /enum all ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index aa70c53412..b2c8989eb7 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```cmd + ```console manage-bde -protectors -adbackup C: ``` @@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: -```cmd +```console Manage-bde -forcerecovery ``` @@ -83,8 +83,8 @@ To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : - ```cmd +1. In the Command Prompt window, run the following commands: + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: ``` @@ -115,7 +115,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On, To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: -```cmd +```console manage-bde.exe -protectors -get : ``` @@ -137,7 +137,7 @@ To do this, follow these steps: 1. Your keyboard layout. 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. 1. In the Command Prompt window, run the following commands: - ```cmd + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : ``` @@ -155,7 +155,7 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: - ```cmd + ```console manage-bde -unlock -recoverypassword : ``` In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. @@ -172,14 +172,14 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` In this command, <*DriveLetter*> is the letter that is assigned to your drive. 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. 1. Restart the device. 1. Open an elevated PowerShell window, and run the following cmdlet: - ```ps + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -188,13 +188,13 @@ To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. 1. Run the following cmdlet: - ```ps + ```powershell Resume-BitLocker -MountPoint ":" #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates @@ -209,13 +209,13 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. 1. Install the Surface device driver and firmware updates. 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - ```ps + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -234,7 +234,7 @@ If your device is already in this state, you can successfully start Windows afte 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. 1. In the Command Prompt window, run the following commands: - ```cmd + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: exit @@ -245,7 +245,7 @@ If your device is already in this state, you can successfully start Windows afte > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. 1. Select **Continue**. Windows should start. 1. After Windows has started, open an elevated Command Prompt window and run the following command: - ```cmd + ```console Manage-bde -protectors -enable c: ``` @@ -254,7 +254,7 @@ If your device is already in this state, you can successfully start Windows afte To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -disable c: -rc 1 ``` From 836f00b3bad5704bad0ad026099129a8d3bd6095 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Sep 2021 19:08:57 -0700 Subject: [PATCH 436/458] Various fixes for consistent and reliable layout --- .../ts-bitlocker-decode-measured-boot-logs.md | 16 +++--- .../bitlocker/ts-bitlocker-intune-issues.md | 17 +++++-- .../bitlocker/ts-bitlocker-recovery-issues.md | 51 +++++++++++++++++++ 3 files changed, 73 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 66a69b499e..1b69d2c5db 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -86,13 +86,13 @@ To use TBSLogGenerator, follow these steps: ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) -The content of this text file resembles the following. - -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - -To find the PCR information, go to the end of the file. - -![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) + The content of this text file resembles the following. + + ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) + + To find the PCR information, go to the end of the file. + + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -117,4 +117,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 1996e9d513..44ad76e76b 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -122,6 +122,7 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win ```console reagentc /info ``` + The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) @@ -142,7 +143,7 @@ bcdedit /enum all The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -163,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B To verify the BIOS mode, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. + > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -187,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -get %systemdrive% ``` @@ -204,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc To verify the Secure Boot state, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **Secure Boot State** setting is **On**, as follows: + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` +> > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index b2c8989eb7..110aad6465 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. + 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. + 1. In the Command Prompt window, run the following commands: + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: + ``` + 1. Close the Command Prompt window. + 1. Shut down the device. + 1. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password @@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. + 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. + 1. Insert the USB Surface recovery image drive into the Surface device, and start the device. + 1. When you are prompted, select the following items: + 1. Your operating system language. + 1. Your keyboard layout. + 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : + ``` + In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + > [!NOTE] > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + 1. Restart the computer. + 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] @@ -155,11 +175,15 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: + ```console manage-bde -unlock -recoverypassword : ``` + In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. + > [!NOTE] > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). @@ -172,13 +196,19 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` + In this command, <*DriveLetter*> is the letter that is assigned to your drive. + 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. + 1. Restart the device. + 1. Open an elevated PowerShell window, and run the following cmdlet: + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -186,16 +216,22 @@ To enable Secure Boot on a Surface device, follow these steps: To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. + For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. + 1. Run the following cmdlet: + ```powershell Resume-BitLocker -MountPoint ":" + ``` #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates @@ -209,12 +245,18 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 + ``` + In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. + 1. Install the Surface device driver and firmware updates. + 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -230,10 +272,15 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. + 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. + 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. + 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: @@ -241,10 +288,14 @@ If your device is already in this state, you can successfully start Windows afte ``` These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. + > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. + 1. Select **Continue**. Windows should start. + 1. After Windows has started, open an elevated Command Prompt window and run the following command: + ```console Manage-bde -protectors -enable c: ``` From 49e8f7e77d00aa16643cbd2812520c1d0db43fa2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 30 Sep 2021 19:17:52 -0700 Subject: [PATCH 437/458] Inserted blank line between primary text and secondary --- .../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 1b69d2c5db..9c0af342bc 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -55,7 +55,8 @@ To install the tool, follow these steps: To use TBSLogGenerator, follow these steps: -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: +1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: + **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** This folder contains the TBSLogGenerator.exe file. From 5d04122101442a1356715b5415804fb6d31d0c81 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 1 Oct 2021 10:53:54 +0530 Subject: [PATCH 438/458] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 37eb3df14f..d202f20376 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -756,7 +756,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_DiskNVCache/FeatureOffPolicy
-
1 +
ADMX_DiskNVCache/SolidStatePolicy
@@ -3937,7 +3937,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE
- ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD/a> + ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD
From d62cff733f3cf9eedb58c7208ec56e1912f53148 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 1 Oct 2021 12:01:01 +0530 Subject: [PATCH 439/458] Updated --- .../client-management/mdm/policy-csp-admx-errorreporting.md | 1 - windows/client-management/mdm/policy-csp-admx-eventlog.md | 3 ++- .../client-management/mdm/policy-csp-admx-previousversions.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 05786ce5b4..ddb1aea9f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -906,7 +906,6 @@ If you enable this policy setting, WER does not throttle data; that is, WER uplo If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index e5bb236763..acc2191553 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1505,7 +1505,8 @@ ADMX Info:
-**ADMX_EventLog/Channel_Log_Retention_4** +**ADMX_EventLog/Channel_Log_Retention_4** + diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index b129567b19..3065cc6777 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -40,7 +40,7 @@ manager: dansimp ADMX_PreviousVersions/DisableRemotePage_2
- ADMX_PreviousVersions/HideBackupEntries_1/a> + ADMX_PreviousVersions/HideBackupEntries_1/
ADMX_PreviousVersions/HideBackupEntries_2 From ed5fbc90447f8c980e12e70b50138548d6bd64e3 Mon Sep 17 00:00:00 2001 From: David Bradette <87823519+DavidBradette@users.noreply.github.com> Date: Fri, 1 Oct 2021 06:44:33 -0600 Subject: [PATCH 440/458] Update windows/whats-new/windows-11.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/windows-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 5780f4ac8f..e41a2d7303 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -37,7 +37,7 @@ Windows 11 is built on the same foundation as Windows 10, so the investments you ## How to get Windows 11 -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5th, 2021. Windows 11 will also be available on eligible new devices. +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5, 2021. Windows 11 will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md). From f4809eb3e7efd82b3f84ef682015fe5306b7dcd8 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 09:11:18 -0700 Subject: [PATCH 441/458] rearranging --- windows/whats-new/windows-11-plan.md | 4 ++-- windows/whats-new/windows-11-prepare.md | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index fe62d280f3..887ec75b0d 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -38,7 +38,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. @@ -56,7 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 45613110e8..c030667b92 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -45,10 +45,11 @@ The tools that you use for core workloads during Windows 10 deployments can stil #### Cloud-based solutions - If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). + - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. If you use deferrals today in Group Policy, your devices will continue to get the latest feature update of Windows 10 once it has reached your specified deferral age, but will not be offered Windows 11 until you specify this by using the **Select target Feature Update version** policy. Your deferrals will continue to apply in this case as well. - Quality update deferrals and experience policies will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + ## Cloud-based management From 208e82cb14f56a93688edcc1e630b652617fb809 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 09:25:35 -0700 Subject: [PATCH 442/458] cleaning up some terminology --- windows/whats-new/windows-11-plan.md | 4 ++-- windows/whats-new/windows-11-prepare.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 887ec75b0d..7841ae8015 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -38,7 +38,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. @@ -83,7 +83,7 @@ The introduction of Windows 11 is also a good time to review your hardware refre ## Servicing and support -Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. **Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index c030667b92..7e584d2ea8 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -35,7 +35,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. - If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. @@ -53,7 +53,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: @@ -112,9 +112,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## User readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: +Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. From 3aaf95e6884c10faf392f96ee2059af44c1da9e1 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 10:18:02 -0700 Subject: [PATCH 443/458] safety/checkpoint commit --- windows/deployment/TOC.yml | 8 ++++---- windows/deployment/update/index.md | 7 ++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 18817d1d38..2780fe7507 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -15,7 +15,7 @@ href: update/quality-updates.md - name: Basics of Windows updates, channels, and tools href: update/get-started-updates-channels-tools.md - - name: Servicing the Windows 10 operating system + - name: Prepare servicing strategy for Windows client updates href: update/waas-servicing-strategy-windows-10-updates.md - name: Deployment proof of concept @@ -47,7 +47,7 @@ href: update/plan-determine-app-readiness.md - name: Define your servicing strategy href: update/plan-define-strategy.md - - name: Delivery Optimization for Windows 10 updates + - name: Delivery Optimization for Windows client updates href: update/waas-delivery-optimization.md items: - name: Using a proxy with Delivery Optimization @@ -85,9 +85,9 @@ href: update/update-policies.md - name: Update Baseline href: update/update-baseline.md - - name: Set up Delivery Optimization for Windows 10 updates + - name: Set up Delivery Optimization for Windows client updates href: update/waas-delivery-optimization-setup.md - - name: Configure BranchCache for Windows 10 updates + - name: Configure BranchCache for Windows client updates href: update/waas-branchcache.md - name: Prepare your deployment tools items: diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 3f72fde718..08592c252b 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -1,6 +1,6 @@ --- -title: Update Windows 10 in enterprise deployments (Windows 10) -description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. +title: Update Windows client in enterprise deployments +description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -10,12 +10,13 @@ ms.author: jaimeo ms.topic: article --- -# Update Windows 10 in enterprise deployments +# Update Windows client in enterprise deployments **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) From 62161ac658eed9a50b620d38f4ab29922ef73c69 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 1 Oct 2021 10:42:43 -0700 Subject: [PATCH 444/458] Added "help" harden systems --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 3d1e37428f..4e5251d27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -33,7 +33,7 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -The vulnerable driver blocklist is designed to harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: +The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel - Malicious behaviors (malware) or certificates used to sign malware From 959e157f6d254b40c3976c5ae9d0c8b0564a9f81 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 1 Oct 2021 23:56:08 +0530 Subject: [PATCH 445/458] Update policy-csp-admx-previousversions.md --- .../client-management/mdm/policy-csp-admx-previousversions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index 3065cc6777..64a89c8ccf 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -40,7 +40,7 @@ manager: dansimp ADMX_PreviousVersions/DisableRemotePage_2
- ADMX_PreviousVersions/HideBackupEntries_1/ + ADMX_PreviousVersions/HideBackupEntries_1
ADMX_PreviousVersions/HideBackupEntries_2 From eb99a3d49e0b6494bc1bcda408df2e6aedb85a23 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 11:50:27 -0700 Subject: [PATCH 446/458] clean up TOC and redirects --- .openpublishing.redirection.json | 55 ++++ windows/deployment/TOC.yml | 32 +- .../change-history-for-update-windows-10.md | 51 ---- .../update/feature-update-conclusion.md | 25 -- .../feature-update-maintenance-window.md | 264 ---------------- .../update/feature-update-mission-critical.md | 44 --- windows/deployment/update/index.md | 22 +- .../update/waas-servicing-differences.md | 127 -------- ...s-servicing-strategy-windows-10-updates.md | 42 --- windows/deployment/update/waas-wufb-intune.md | 285 ------------------ windows/deployment/update/wufb-autoupdate.md | 37 --- windows/deployment/update/wufb-basics.md | 31 -- .../deployment/update/wufb-managedrivers.md | 68 ----- .../deployment/update/wufb-manageupdate.md | 61 ---- windows/deployment/update/wufb-onboard.md | 48 --- .../deployment/windows-10-missing-fonts.md | 18 +- 16 files changed, 87 insertions(+), 1123 deletions(-) delete mode 100644 windows/deployment/update/change-history-for-update-windows-10.md delete mode 100644 windows/deployment/update/feature-update-conclusion.md delete mode 100644 windows/deployment/update/feature-update-maintenance-window.md delete mode 100644 windows/deployment/update/feature-update-mission-critical.md delete mode 100644 windows/deployment/update/waas-servicing-differences.md delete mode 100644 windows/deployment/update/waas-servicing-strategy-windows-10-updates.md delete mode 100644 windows/deployment/update/waas-wufb-intune.md delete mode 100644 windows/deployment/update/wufb-autoupdate.md delete mode 100644 windows/deployment/update/wufb-basics.md delete mode 100644 windows/deployment/update/wufb-managedrivers.md delete mode 100644 windows/deployment/update/wufb-manageupdate.md delete mode 100644 windows/deployment/update/wufb-onboard.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 00a95b4582..49a449abe6 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18959,6 +18959,61 @@ "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", "redirect_url": "/windows/security/", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/waas-servicing-differences.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_document_id": false } diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index a91592e726..78c5ebcab3 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -54,8 +54,6 @@ href: update/delivery-optimization-proxy.md - name: Delivery Optimization client-service communication href: update/delivery-optimization-workflow.md - - name: Best practices for feature updates on mission-critical devices - href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations href: planning/windows-10-deployment-considerations.md - name: Windows 10 infrastructure requirements @@ -79,7 +77,7 @@ items: - name: Prepare for Windows 11 href: /windows/whats-new/windows-11-prepare - - name: Prepare to deploy Windows 10 updates + - name: Prepare to deploy Windows client updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure href: update/update-policies.md @@ -97,8 +95,6 @@ href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md - name: Build a successful servicing strategy items: - - name: Build deployment rings for Windows 10 updates - href: update/waas-deployment-rings-windows-10-updates.md - name: Check release health href: update/check-release-health.md - name: Prepare updates using Windows Update for Business @@ -142,7 +138,7 @@ href: vda-subscription-activation.md - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - - name: Deploy Windows 10 updates + - name: Deploy Windows client updates items: - name: Assign devices to servicing channels href: update/waas-servicing-channels-windows-10-updates.md @@ -154,20 +150,18 @@ href: update/waas-manage-updates-wsus.md - name: Deploy updates with Group Policy href: update/waas-wufb-group-policy.md - - name: Update Windows 10 media with Dynamic Update + - name: Update Windows client media with Dynamic Update href: update/media-dynamic-update.md - name: Migrating and acquiring optional Windows content href: update/optional-content.md - name: Safeguard holds href: update/safeguard-holds.md - - name: Manage the Windows 10 update experience + - name: Manage the Windows client update experience items: - name: Manage device restarts after updates href: update/waas-restart.md - name: Manage additional Windows Update settings href: update/waas-wu-settings.md - - name: Deploy feature updates during maintenance windows - href: update/feature-update-maintenance-window.md - name: Deploy feature updates for user-initiated installations href: update/feature-update-user-install.md - name: Use Windows Update for Business @@ -189,7 +183,7 @@ href: update/waas-wufb-group-policy.md - name: 'Walkthrough: use Intune to configure Windows Update for Business' href: update/deploy-updates-intune.md - - name: Monitor Windows 10 updates + - name: Monitor Windows client updates items: - name: Monitor Delivery Optimization href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization @@ -238,7 +232,7 @@ items: - name: Resolve upgrade errors items: - - name: Resolve Windows 10 upgrade errors + - name: Resolve Windows client upgrade errors href: upgrade/resolve-windows-10-upgrade-errors.md - name: Quick fixes href: upgrade/quick-fixes.md @@ -254,7 +248,7 @@ href: upgrade/log-files.md - name: Resolution procedures href: upgrade/resolution-procedures.md - - name: Submit Windows 10 upgrade errors + - name: Submit Windows client upgrade errors href: upgrade/submit-errors.md - name: Troubleshoot Windows Update items: @@ -275,9 +269,9 @@ items: - name: How does Windows Update work? href: update/how-windows-update-works.md - - name: Windows 10 upgrade paths + - name: Windows client upgrade paths href: upgrade/windows-10-upgrade-paths.md - - name: Windows 10 edition upgrade + - name: Windows client edition upgrade href: upgrade/windows-10-edition-upgrades.md - name: Deploy Windows 10 with Microsoft 365 href: deploy-m365.md @@ -289,11 +283,11 @@ href: update/waas-wu-settings.md - name: Delivery Optimization reference href: update/waas-delivery-optimization-reference.md - - name: Windows 10 in S mode + - name: Windows client in S mode href: s-mode.md - - name: Switch to Windows 10 Pro or Enterprise from S mode + - name: Switch to Windows client Pro or Enterprise from S mode href: windows-10-pro-in-s-mode.md - - name: Windows 10 deployment tools + - name: Windows client deployment tools items: - name: Windows client deployment scenarios and tools items: @@ -580,5 +574,5 @@ - name: "Appendix: Information sent to Microsoft during activation " href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - - name: Install fonts in Windows 10 + - name: Install fonts in Windows client href: windows-10-missing-fonts.md diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md deleted file mode 100644 index 1f326784c8..0000000000 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-register) \ No newline at end of file diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md deleted file mode 100644 index d8206d5491..0000000000 --- a/windows/deployment/update/feature-update-conclusion.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Best practices for feature updates - conclusion -description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md deleted file mode 100644 index 473abc5a46..0000000000 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ /dev/null @@ -1,264 +0,0 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- -{DELETE} -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - ->[!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** - -``` -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -```powershell -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -<# -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -#> -``` - -> [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for feature update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature updates -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - - > [!NOTE] - > The deployment package source location that you specify cannot be used by another software deployment package. - - > [!IMPORTANT] - > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - > [!IMPORTANT] - > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - > [!NOTE] - > The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - > [!NOTE] - > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - > [!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - > [!NOTE] - > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - > [!WARNING] - > Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - > [!NOTE] - > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - > [!NOTE] - > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - > [!IMPORTANT] - > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - > [!NOTE] - > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - > [!NOTE] - > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status - -After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md deleted file mode 100644 index 052bebb7c1..0000000000 --- a/windows/deployment/update/feature-update-mission-critical.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices -description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices - -**Applies to**: Windows 10 - -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. - -For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service). - -Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods: - -- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows. -- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician. - -You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. -- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - -If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates. - -Use the following information: - - -- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md) -- [Deploy feature updates for user-initiated installations](feature-update-user-install.md) -- [Conclusion](feature-update-conclusion.md) \ No newline at end of file diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 08592c252b..3eef8dae64 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -20,10 +20,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. +Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. ->[!TIP] ->See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date. @@ -31,20 +29,18 @@ Windows as a service provides a new way to think about building, deploying, and | Topic | Description| | --- | --- | -| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | -| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](./waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | +| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. | +| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | +| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | +| [Assign devices to servicing branches for Windows client updates](/waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | +| [Optimize update delivery](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | +| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). \ No newline at end of file +>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md deleted file mode 100644 index 96d39838eb..0000000000 --- a/windows/deployment/update/waas-servicing-differences.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -title: Servicing differences between Windows 10 and older operating systems -ms.reviewer: -manager: laurawi -description: In this article, learn the differences between servicing Windows 10 and servicing older operating systems. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -ms.localizationpriority: medium -ms.audience: itpro -author: jaimeo -ms.topic: article -ms.collection: M365-modern-desktop -ms.custom: seo-marvel-apr2020 ---- -# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems -{DELETE} - -> Applies to: Windows 10 -> -> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** - -Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates. - -The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). - -> [!NOTE] -> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc. - -## Infinite fragmentation -Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates. - -As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. - -This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you've seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. - -## Windows 10 – Next generation -Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation. - -This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. - -Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update. - - -![High level cumulative update model.](images/servicing-cadence.png) -*Figure 1.0 - High level cumulative update model* - -Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each. - -This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10. - -### Points to consider - -- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new. -- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.) -- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model. -- For Windows 10, available update types vary by publishing channel: - - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates. - - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](./servicing-stack-updates.md). - - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date. -- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section). - -## Windows 7 and legacy OS versions -While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016. - -Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems. - -The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. - -![Legacy OS security-only update model.](images/security-only-update.png) -*Figure 2.0 - Legacy OS security-only update model* - -Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. - -### Points to consider -- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. -- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.) -- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed. -- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended. -- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed. -- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback. -- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup. -- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated. -- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. - -## Public preview releases -Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program. - -> [!NOTE] -> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Manager that rely on it, will not see preview updates for older versions of Windows 10. - -> [!NOTE] -> Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates. - -### Examples -Windows 10 version 1709: -- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot. -- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required. -- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot. -All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. - -![Preview releases in the Windows 10 LCU model.](images/servicing-previews.png) -*Figure 3.0 - Preview releases within the Windows 10 LCU model* - -## Previews vs. on-demand releases -In 2018, we experienced incidents which required urgent remediation that didn't map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. - -As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month's Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.) - -### Point to consider -- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot. -- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however. -- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices. -- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way. - -In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure. - -## Resources -- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530) -- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772) -- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783) -- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) -- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798) -- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/) -- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376) -- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434) \ No newline at end of file diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md deleted file mode 100644 index c10019d563..0000000000 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: Prepare servicing strategy for Windows client updates -description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article -ms.collection: m365initiative-coredeploy ---- - -# Prepare servicing strategy for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 11 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Here’s an example of what this process might look like: - -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business. -- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSB edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. -- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. -- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). -- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). - - -Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: - -1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility, see the section Compatibility. -2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. -3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. - - diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md deleted file mode 100644 index fe639fa3d6..0000000000 --- a/windows/deployment/update/waas-wufb-intune.md +++ /dev/null @@ -1,285 +0,0 @@ ---- -title: Walkthrough use Intune to configure Windows Update for Business -description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -ms.localizationpriority: medium -ms.audience: itpro -ms.date: 07/27/2017 -ms.reviewer: -manager: laurawi -ms.topic: article -ms.author: jaimeo -author: jaimeo ---- - -# Walkthrough: use Microsoft Intune to configure Windows Update for Business - - -**Applies to** - -- Windows 10 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. - -You can use Intune to configure Windows Update for Business even if you don't have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. - -Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - ->[!NOTE] ->Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) - -## Configure Windows Update for Business in Windows 10, version 1511 - -In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). - -- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they're released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. -- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. - ->[!NOTE] ->Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. - -### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax. - - ![Settings for the RequireDeferUpgrade policy.](images/waas-wufb-intune-step7a.png) - -8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates. - -### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals - -1. In the Policy workspace, click **Configuration Policies**, and then click **Add**. - -2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - In this policy, you add two OMA-URI settings, one for each deferment type. - -4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. - -7. Click **OK** to save the setting. - -8. In the **OMA-URI Settings** section, click **Add**. - -9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. - -11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. - -12. In the **Value** box, type **1**. - -13. Click **OK** to save the setting. - -14. In the **OMA-URI Settings** section, click **Add**. - -15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. - -17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. - -18. In the **Value** box, type **1**. - -19. Click **OK** to save the setting. - - Three settings should appear in the **Windows Update for Business – CBB2** policy. - - ![Settings for CBB2 policy.](images/waas-wufb-intune-step19a.png) - -20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt. - -21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**. - -## Configure Windows Update for Business in Windows 10 version 1607 - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - -In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: - -- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released. -- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. -- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. - -### Configure Ring 2 Pilot Business Users policy - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **0**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax. - - ![Settings for the BranchReadinessLevel policy.](images/waas-wufb-intune-cb2a.png) - -8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list. -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. -11. In the **Value** box, type **28**, and then click **OK**. - - ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11.](images/waas-wufb-intune-step11a.png) - -9. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they're available. - -### Configure Ring 4 Broad business users policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax. - - -8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -11. In the **Value** box, type **0**, and then click **OK**. - - ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business.](images/waas-wufb-intune-cbb1a.png) - -12. Click **Save Policy**. - -13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they're available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. - - -### Configure Ring 5 Broad business users \#2 policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax. - - -8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. - -11. In the **Value** box, type **7**, and then click **OK**. - -12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. - -14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -15. In the **Value** box, type **14**, and then click **OK**. - - ![Settings for the DeferFeatureUpdatesPeriodInDays policy.](images/waas-wufb-intune-cbb2a.png) - -16. Click **Save Policy**. - -17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md deleted file mode 100644 index 35943d5dac..0000000000 --- a/windows/deployment/update/wufb-autoupdate.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Setting up Automatic Update in Windows Update for Business (Windows 10) -description: In this article, learn how to configure Automatic Update in Windows Update for Business with group policies. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.audience: itpro -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -{DELETE} -# Set up Automatic Update in Windows Update for Business with group policies - ->Applies to: Windows 10 - -Use the Automatic Update group policies to manage the interaction between Windows Update and clients. - -Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation. - -|Policy|Description | -|-|-| -|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| -|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Manager users who want to install custom packages that are not offered through Windows Update.| -|Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

**Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

**Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| -|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
**Check for updates on the following interval (hours)**: 22| -|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | \ No newline at end of file diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md deleted file mode 100644 index 5279938d0e..0000000000 --- a/windows/deployment/update/wufb-basics.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Configure the Basic group policy for Windows Update for Business -description: In this article, you will learn how to configure the basic group policy for Windows Update for Business. -ms.custom: seo-marvel-apr2020 -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.localizationpriority: medium -ms.audience: itpro -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Configure the Basic group policy for Windows Update for Business -{DELETE} - -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Monitor Windows Update with Update Compliance](./update-compliance-monitor.md). To view your data in Update Compliance [diagnostics data must be enabled](/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding. - -|Policy name|Description | -|-|-| -|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.| -|Configure Commercial ID|This policy allows you to join the device to an entity.| - -## Suggested configuration - -|Policy|Location|Suggested configuration| -|-|-|-| -|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
**Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
**Commercial ID**: The GUID created for you at the time of onboarding| \ No newline at end of file diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md deleted file mode 100644 index d021810d58..0000000000 --- a/windows/deployment/update/wufb-managedrivers.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business -description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -ms.audience: itpro -author: jaimeo -ms.date: 06/21/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Managing drivers, dual-managed environments, and Delivery Optimization with group policies -{DELETE} ->Applies to: Windows 10 - -Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. - -## Managing drivers -Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. - -### Policy overview - -|Policy| Description | -|-|-| -|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | - -## Dual-managed environment - -You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. - -|Policy| Description | -|-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Manager customers who want to install custom packages that are not offered through Windows Update.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
**Set the Intranet Update service for detecting updates**:
**Set the Intranet statistics server**:
**Set the alternate download server**: | - -## Download Optimization - Managing your bandwidth - -[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. - -|Policy| Description | -|-|-| -|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| -|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
Choose a size that meets your environment's constraints.| -|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | -|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| - -### Suggested configuration - -|Policy| Location| Suggested configuration | -|-|-|-| -|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
**Download Mode**: Group (2)| -|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
**Minimum Peer caching content file size (in MB)**: 10 MB| -|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
**Minimum battery level (Percentage)**: 60| -|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
**Max Cache Age (in seconds)**: 604800 ~ 7 days| diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md deleted file mode 100644 index c8edc83a4f..0000000000 --- a/windows/deployment/update/wufb-manageupdate.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) -description: Learn how to manage feature and quality updates using group policies in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -author: jaimeo -ms.audience: itpro -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage feature and quality updates with group policies - -{dELETE} - ->Applies to: Windows 10 - -Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). - -The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. - -## Policy overview - -|Policy name| Description | -|-|-| -|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | -|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. | -|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| - -## Suggested configuration for a non-wave deployment - -If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: - -|Policy| Location|Suggested configuration | -|-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0-365
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes| -|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| - -## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png) - -## Early validation and testing -Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: WIP Fast or WIP slow
**Defer receiving for this many days**: 0
**Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| -|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
**Defer receiving it for this many days**: 0
**Pause Quality Updates**: Blank
*Note: use this functionality to prevent the device from receiving a quality update until the time passes| - -## Wave deployment for feature updates - -If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
**Select Windows Readiness Level**: SAC
**Defer receiving for this many days**: 0, 30, 60, 90, 120
**Pause Feature Updates**: Blank
*Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md deleted file mode 100644 index c2432e9bcb..0000000000 --- a/windows/deployment/update/wufb-onboard.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Onboarding to Windows Update for Business (Windows 10) -description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update. -ms.prod: w10 -ms.mktglfcycl: manage -audience: itpro -itproauthor: jaimeo -ms.audience: itpro -author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Onboarding to Windows Update for Business in Windows 10 -{DELETE} - ->Applies to: Windows 10 - -Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: - -- Interaction between the client and Windows Update service -- End user notification for pending updates -- Compliance deadlines for feature or quality updates -- Configure wave deployment for feature or quality updates bandwidth optimization - -We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: - -- Uninstall latest feature or quality update -- Pause for a duration of time - -Use the following information to set up your environment using Windows Update for Business policies: - -- [Supported SKUs](#supported-editions) -- [Windows Update for Business basics](wufb-basics.md) -- [Setting up automatic update](wufb-autoupdate.md) -- [Managing feature and quality updates](wufb-manageupdate.md) -- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) -- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) - -## Supported editions - -Windows Update for Business is supported on the following editions of Windows 10: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Pro -- Windows 10 S (for Windows 10, version 1709 and earlier) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 7f9f5e72ad..930939cf41 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -1,6 +1,6 @@ --- -title: How to install fonts missing after upgrading to Windows 10 -description: Some of the fonts are missing from the system after you upgrade to Windows 10. +title: How to install fonts missing after upgrading to Windows client +description: Some of the fonts are missing from the system after you upgrade to Windows client. keywords: deploy, upgrade, FoD, optional feature ms.prod: w10 ms.mktglfcycl: plan @@ -9,18 +9,20 @@ ms.localizationpriority: medium audience: itpro author: greg-lindsay ms.audience: itpro -ms.date: 10/31/2017 ms.reviewer: manager: laurawi ms.topic: article --- -# How to install fonts that are missing after upgrading to Windows 10 +# How to install fonts that are missing after upgrading to Windows client -> Applies to: Windows 10 +**Applies to** -When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. +- Windows 10 +- Windows 11 -If you have documents created using the missing fonts, these documents might display differently on Windows 10. +When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10 or Windows 11, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows client. If you install a fresh instance of Windows client, or upgrade an older version of Windows to Windows client, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. + +If you have documents created using the missing fonts, these documents might display differently on Windows client. For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: @@ -35,7 +37,7 @@ For example, if you have an English (or French, German, or Spanish) version of W - Gungsuh - GungsuhChe -If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. +If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows client, and it will remain this way in future releases. ## Installing language-associated features via language settings: From 2901b97e7326cb2ff02696e0b20929d83dd80749 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 13:19:17 -0700 Subject: [PATCH 447/458] fixing redirects --- .openpublishing.redirection.json | 40 ++++++++++++++++++-------------- windows/deployment/TOC.yml | 1 - 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 49a449abe6..3a06907fec 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18971,49 +18971,53 @@ "redirect_document_id": false }, { - "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/wufb-autoupdate.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/wufb-basics.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/wufb-managedrivers.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/wufb-manageupdate.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/wwufb-onboard.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/feature-update-conclusion.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/waas-wufb-intune.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/feature-update-maintenance-window.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", "redirect_document_id": true }, { - "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "source_path": "windows/deployment/update/feature-update-mission-critical.md", + "redirect_url": "/windows/deployment/waas-manage-updates-wufb.md", "redirect_document_id": false + { + "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", + "redirect_url": "/windows/deployment/deploy-whats-new.md", + "redirect_document_id": true } diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 78c5ebcab3..11ce81a381 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -17,7 +17,6 @@ href: update/get-started-updates-channels-tools.md - name: Prepare servicing strategy for Windows client updates href: update/waas-servicing-strategy-windows-10-updates.md - - name: Deployment proof of concept items: - name: Demonstrate Autopilot deployment on a VM From 84e9a5344db2fb9b29615a3d8ec8d2f512f3eec2 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 13:23:37 -0700 Subject: [PATCH 448/458] fixing redirect syntax --- .openpublishing.redirection.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3a06907fec..c01d75ccd3 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19014,12 +19014,12 @@ "source_path": "windows/deployment/update/feature-update-mission-critical.md", "redirect_url": "/windows/deployment/waas-manage-updates-wufb.md", "redirect_document_id": false + }, { "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", "redirect_url": "/windows/deployment/deploy-whats-new.md", "redirect_document_id": true - } - + } - ] + ] } From a412da1fe5d631e2964aded2d5b8e5cf1abd8aa1 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 13:38:30 -0700 Subject: [PATCH 449/458] still trying to fix redirect --- .openpublishing.redirection.json | 38 ++++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c01d75ccd3..9c343b5128 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18962,62 +18962,62 @@ }, { "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", "redirect_document_id": true }, { "source_path": "windows/deployment/update/waas-servicing-differences.md", - "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md", + "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-autoupdate.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", "redirect_document_id": true }, { "source_path": "windows/deployment/update/wufb-basics.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-managedrivers.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-manageupdate.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/wwufb-onboard.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/feature-update-conclusion.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/waas-wufb-intune.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/feature-update-maintenance-window.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb.md", - "redirect_document_id": true + "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_document_id": false }, { "source_path": "windows/deployment/update/feature-update-mission-critical.md", - "redirect_url": "/windows/deployment/waas-manage-updates-wufb.md", + "redirect_url": "/windows/deployment/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/change-history-for-update-windows-10.md", - "redirect_url": "/windows/deployment/deploy-whats-new.md", + "redirect_url": "/windows/deployment/deploy-whats-new", "redirect_document_id": true } From 7fe463367fbd7cac503c6c938a33217bb777b2fd Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 13:52:47 -0700 Subject: [PATCH 450/458] cleaning up crosslinks --- .openpublishing.redirection.json | 4 +- windows/deployment/update/update-policies.md | 8 +-- ...aas-deployment-rings-windows-10-updates.md | 64 ------------------- .../update/waas-manage-updates-wsus.md | 7 +- ...s-servicing-strategy-windows-10-updates.md | 42 ++++++++++++ .../upgrade/windows-10-edition-upgrades.md | 2 - .../upgrade/windows-10-upgrade-paths.md | 2 - 7 files changed, 48 insertions(+), 81 deletions(-) delete mode 100644 windows/deployment/update/waas-deployment-rings-windows-10-updates.md create mode 100644 windows/deployment/update/waas-servicing-strategy-windows-10-updates.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9c343b5128..a4937f6bfa 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18963,7 +18963,7 @@ { "source_path": "windows/deployment/update/waas-deployment-rings-windows-10-updates.md", "redirect_url": "/windows/deployment/update/waas-servicing-strategy-windows-10-updates", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/deployment/update/waas-servicing-differences.md", @@ -18973,7 +18973,7 @@ { "source_path": "windows/deployment/update/wufb-autoupdate.md", "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-basics.md", diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index f6bb3195f2..4bbcdcad7e 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -18,8 +18,8 @@ ms.collection: M365-modern-desktop **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 Keeping devices up to date is the best way to keep them working smoothly and securely. @@ -39,10 +39,6 @@ update is published plus any deferral. In addition, this policy includes a confi to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic restarts for maximum update velocity). -> [!IMPORTANT] -> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, -> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. - We recommend you set deadlines as follows: - Quality update deadline, in days: 3 - Feature update deadline, in days: 7 diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md deleted file mode 100644 index fcb4115629..0000000000 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Build deployment rings for Windows client updates -description: Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -{DELETE ALTOGETHER??} - -# Build deployment rings for Windows client updates - -**Applies to** - -- Windows 10 -- Windows 11 - - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -> [!NOTE] -> We're in the process of updating this topic with more definitive guidance. In the meantime, see [this post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) on the Windows 10 IT Pro blog for some great suggestions for a deployment ring structure. - -For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. - -Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows client, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. - -Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. - -Table 1 provides an example of the deployment rings you might use. - -**Table 1** - -| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | -| --- | --- | --- | --- | --- | -| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the Semi-Annual channel | -| Broad | Semi-Annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
Pause updates if there are critical issues | -| Critical | Semi-Annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for some time by most of the organization | - ->[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. - - -As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. - - -## Steps to manage updates for Windows client - -|  |  | -| --- | --- | -| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this article) | -| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | - - diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 3556cec273..8bfab4700e 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -16,14 +16,11 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. - WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md new file mode 100644 index 0000000000..fba2cf1830 --- /dev/null +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -0,0 +1,42 @@ +--- +title: Prepare servicing strategy for Windows client updates +description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +ms.collection: m365initiative-coredeploy +--- + +# Prepare servicing strategy for Windows client updates + + +**Applies to** + +- Windows 10 +- Windows 11 + + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +Here’s an example of what this process might look like: + +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the General Avialability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business. +- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSB edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. +- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). + + +Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: + +1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test devices step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. +2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the “Recruit volunteers” step of the previous section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. +3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. + + diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index c8a2c54c5a..1de5b11aa3 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -71,7 +71,6 @@ X = unsupported
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) > - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. >
-> - Due to [naming changes](../update/waas-overview.md#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp). @@ -239,7 +238,6 @@ You can move directly from Enterprise to any valid destination edition. In this
-> **Windows 10 LTSC/LTSB**: Due to [naming changes](../update/waas-overview.md#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 8970d2a5cf..c50df27515 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -27,8 +27,6 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi > **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. > -> **Windows 10 LTSC/LTSB**: Due to [naming changes](../update/waas-overview.md#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. -> > In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. From 9a3e98f0c5f67d8747bc6ebd0ad118cf0d50a50b Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 13:59:37 -0700 Subject: [PATCH 451/458] Acrolinx bump --- .../deployment/windows-10-missing-fonts.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 930939cf41..661e509be6 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -37,22 +37,22 @@ For example, if you have an English (or French, German, or Spanish) version of W - Gungsuh - GungsuhChe -If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows client, and it will remain this way in future releases. +If you want to use these fonts, you can enable the optional feature to add them back to your system. This is a permanent change in behavior for Windows client, and it will remain this way in future releases. ## Installing language-associated features via language settings: -If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. +If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app. For example, here are the steps to install the fonts associated with the Hebrew language: -1. Click **Start > Settings**. -2. In Settings, click **Time & language**, and then click **Region & language**. -3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. -4. Find Hebrew, and then click it to add it to your language list. +1. Select **Start > Settings**. +2. In **Settings**, select **Time & language**, and then select **Region & language**. +3. If Hebrew is not included in the list of languages, select the plus sign (**+**) to add a language. +4. Find **Hebrew**, and then select it to add it to your language list. -Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. +Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This process should only take a few minutes. -> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. +> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. ## Install optional fonts manually without changing language settings: @@ -60,11 +60,11 @@ If you want to use fonts in an optional feature but don't need to search web pag For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: -1. Click **Start > Settings**. -2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. +1. Select **Start > Settings**. +2. In **Settings**, select **Apps**, select **Apps & features**, and then select **Manage optional features**. -3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. -4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. +3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, select the plus sign (**+**) to add a feature. +4. Select **Hebrew Supplemental Fonts** in the list, and then clselectick **Install**. > Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. @@ -97,7 +97,7 @@ Here is a comprehensive list of the font families in each of the optional featur - Telugu Supplemental Fonts: Gautami, Vani - Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC -## Related Topics +## Related articles [Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) From 0d31b89c2d68d330d062a84ed6cdb0e2bc4f2003 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 14:25:42 -0700 Subject: [PATCH 452/458] still fixing redirects --- .openpublishing.redirection.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a4937f6bfa..dd83d22d48 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18972,42 +18972,42 @@ }, { "source_path": "windows/deployment/update/wufb-autoupdate.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-basics.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-managedrivers.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/wufb-manageupdate.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/wwufb-onboard.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/feature-update-conclusion.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/waas-wufb-intune.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { "source_path": "windows/deployment/update/feature-update-maintenance-window.md", - "redirect_url": "/windows/deployment/update/update/waas-manage-updates-wufb", + "redirect_url": "/windows/deployment/update/waas-manage-updates-wufb", "redirect_document_id": false }, { From b2c9b83641086d07409e9d4ac7fb64568bdb0b1b Mon Sep 17 00:00:00 2001 From: mapalko Date: Fri, 1 Oct 2021 14:27:10 -0700 Subject: [PATCH 453/458] Update note on 3P passwordless --- .../identity-protection/hello-for-business/hello-faq.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index d2bee6b47c..735e563fb8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -219,4 +219,5 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file + Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. + \ No newline at end of file From 1d585ef8aec24226c7dc336d87878c2d6496782a Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Oct 2021 14:41:33 -0700 Subject: [PATCH 454/458] edits --- .../deployment/update/waas-delivery-optimization-reference.md | 4 ++-- windows/deployment/update/waas-delivery-optimization.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 47e7f5cd13..2aea9ec10f 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -121,7 +121,7 @@ Download mode dictates which download sources clients are allowed to use when do > Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. >[!NOTE] ->Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. +>When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID @@ -203,7 +203,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download ### Select a method to restrict peer selection Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). -When you set option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 4909cdd452..4bd4c62a37 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -37,7 +37,7 @@ For information about setting up Delivery Optimization, including tips for the b ## New in Windows 10, version 20H2 and Windows 11 -- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). When you set Option 0, Delivery Optimization will find peers behind the same NAT (same public IP) but still prioritize same subnet peers. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). When GroupID mode is set, it will default to using the same subnet. If you want to use the GroupID across subnets, use the NAT option = 0. +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). - Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. From 15597ac50c5ffe3b855a73296db89e2868573ac7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 1 Oct 2021 15:20:41 -0700 Subject: [PATCH 455/458] remove link --- windows/whats-new/windows-11.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 77e2fa58a9..d258bd7005 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -89,5 +89,4 @@ When Windows 11 reaches general availability, important servicing-related announ ## Also see [What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
-[Windows 11 Security — Our Hacker-in-Chief Runs Attacks and Shows Solutions](https://www.youtube.com/watch?v=2RTwGNyhSy8)
[Windows 11: The Optimization and Performance Improvements](https://www.youtube.com/watch?v=oIYHRRTCVy4) From 5ea12b6d746047d1ba8e980f6d25865f657673b4 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 1 Oct 2021 15:23:56 -0700 Subject: [PATCH 456/458] Corrected note style; added blank lines for consistent presentation --- windows/deployment/windows-10-missing-fonts.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 661e509be6..d7492c26c2 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -46,13 +46,17 @@ If you want to use the fonts from the optional feature and you know that you wil For example, here are the steps to install the fonts associated with the Hebrew language: 1. Select **Start > Settings**. + 2. In **Settings**, select **Time & language**, and then select **Region & language**. + 3. If Hebrew is not included in the list of languages, select the plus sign (**+**) to add a language. + 4. Find **Hebrew**, and then select it to add it to your language list. Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This process should only take a few minutes. -> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. +> [!NOTE] +> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. ## Install optional fonts manually without changing language settings: @@ -61,12 +65,15 @@ If you want to use fonts in an optional feature but don't need to search web pag For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: 1. Select **Start > Settings**. + 2. In **Settings**, select **Apps**, select **Apps & features**, and then select **Manage optional features**. 3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, select the plus sign (**+**) to add a feature. + 4. Select **Hebrew Supplemental Fonts** in the list, and then clselectick **Install**. -> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. +> [!NOTE] +> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. ## Fonts included in optional font features From 72c7bfd7a900a2c695ba40fdc5cf89f41b475ede Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 1 Oct 2021 18:07:35 -0700 Subject: [PATCH 457/458] add link to win11 features --- windows/deployment/planning/features-lifecycle.md | 6 +++++- .../deployment/planning/windows-10-deprecated-features.md | 2 ++ windows/deployment/planning/windows-10-removed-features.md | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 6aa1667383..cda0546fb7 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -12,7 +12,7 @@ ms.author: greglin ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Windows 10 features lifecycle +# Windows client features lifecycle Applies to: - Windows 10 @@ -20,6 +20,10 @@ Applies to: Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option. +## Windows 11 features + +For information about features that are impacted when you upgrade from Windows 10 to Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3) section on the **Find Windows 11 specs, features, and computer requirements** page. + ## Features no longer being developed The following topic lists features that are no longer being developed. These features might be removed in a future release. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index c23e505800..749e56b321 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -17,6 +17,8 @@ ms.topic: article Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. **The following list is subject to change and might not include every affected feature or functionality.** diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 2725d29de0..b842f08ba3 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -24,6 +24,8 @@ For information about features that might be removed in a future release, see [W > [!NOTE] > Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. +For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). + The following features and functionalities have been removed from the installed product image for Windows 10. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. |Feature | Details and mitigation | Removed in version | From 9b9d83ce6910b2da6b4d7f590b1ef2b6d9068bdc Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 1 Oct 2021 18:18:15 -0700 Subject: [PATCH 458/458] Update features-lifecycle.md --- windows/deployment/planning/features-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index cda0546fb7..ee30d55e62 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -22,7 +22,7 @@ Each release of Windows 10 and Windows 11 contains many new and improved feature ## Windows 11 features -For information about features that are impacted when you upgrade from Windows 10 to Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3) section on the **Find Windows 11 specs, features, and computer requirements** page. +For information about features that are impacted when you upgrade from Windows 10 to Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). ## Features no longer being developed