From c6f56e7ed933c737a8ec1098e9908838b9639913 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 2 Jul 2020 14:08:12 +0300 Subject: [PATCH 01/42] add missing URLs Added missing URLs according to https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints#windows-update In my opinion some of them can be excluded (for example *.dl.delivery.mp.microsoft.com is already included in *.delivery.mp.microsoft.com), but i guess someone else should make that call. I have added all of them, just to be sure. https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6904 --- .../deployment/update/windows-update-troubleshooting.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 967245b7d0..8ed1fd70ea 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -110,7 +110,8 @@ If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_M You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: *.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com +*.dl.delivery.mp.microsoft.com +*.delivery.mp.microsoft.com *.emdl.ws.microsoft.com If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). @@ -161,6 +162,10 @@ Check that your device can access these Windows Update endpoints: - `http://*.download.windowsupdate.com` - `http://wustat.windows.com` - `http://ntservicepack.microsoft.com` +- `https://*.prod.do.dsp.mp.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` +- `https://*.delivery.mp.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` Allow these endpoints for future use. 
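Review bot: the first hunk removes and re-adds `*.dl.delivery.mp.microsoft.com` as an unchanged line (a whitespace-only edit, presumably), so the net change is only the new `*.delivery.mp.microsoft.com` entry; drop the no-op pair so the diff records just the addition. On the overlap the commit message raises, whether `*.delivery.mp.microsoft.com` also covers `something.dl.delivery.mp.microsoft.com` depends on how the proxy or firewall matches `*` (one DNS label versus any depth), so listing both explicitly is the safer choice and the page could say that rather than leaving it to the reader.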
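Review bot: the second hunk adds four endpoints with mixed schemes (`https://*.prod.do.dsp.mp.microsoft.com`, `http://*.dl.delivery.mp.microsoft.com`, `https://*.delivery.mp.microsoft.com`, `https://tsfe.trafficshaping.dsp.mp.microsoft.com`) while every existing entry in the list is `http://`; confirm each scheme against the endpoint list linked in the commit message before merging, because an allow rule written from this page with the wrong scheme will still block the update traffic the section is meant to unblock.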
From 6b0bb0fdb60770dca650982148c913fb9ec35259 Mon Sep 17 00:00:00 2001 From: andreiztm Date: Fri, 21 Aug 2020 12:47:47 +0300 Subject: [PATCH 02/42] Documenting MBSA issue with latest cab file --- .../security/threat-protection/mbsa-removal-and-guidance.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 771169d40b..59f32f84e6 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md 
@@ -17,6 +17,9 @@ manager: dansimp Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +> [!NOTE] +> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: From 1c40be4b56ab78bd5c34bd90b4be276fcbb3523d Mon Sep 17 00:00:00 2001 
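Review bot: the new note states that from the August 2020 Wsusscn2.cab MBSA fails with "The catalog file is damaged or an invalid catalog." but does not tell the reader what to do next; since the immediately following `## The Solution` section offers the script-based alternative, add one sentence in the note pointing there. Minor: the quoted error string keeps its period inside the quotes and is then followed by "when attempting to scan", which reads as a broken sentence; move the period outside the closing quote.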
From: Baard Hermansen Date: Fri, 21 Aug 2020 23:58:45 +0200 Subject: [PATCH 03/42] Update bitlocker-how-to-enable-network-unlock.md Corrected erroneous href links, which made almost all the text on the page into a clickable URL. Updated a couple of the code markdown. --- .../bitlocker-how-to-enable-network-unlock.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index a7a7e7fce7..f17eb6f51b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -94,7 +94,7 @@ The server side configuration to enable Network Unlock also requires provisionin The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. -### Install the WDS Server role +### Install the WDS Server role The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. 
@@ -106,7 +106,7 @@ Install-WindowsFeature WDS-Deployment You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. -### Confirm the WDS Service is running +### Confirm the WDS Service is running To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. @@ -115,7 +115,7 @@ To confirm the service is running using Windows PowerShell, use the following co ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature +### Install the Network Unlock feature To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. @@ -124,7 +124,7 @@ To install the feature using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. @@ -154,7 +154,7 @@ To add the Network Unlock template to the Certification Authority, open the Cert After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. 
@@ -217,7 +217,7 @@ Certreq example: 3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: - ``` syntax + ```cmd certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` @@ -225,7 +225,7 @@ Certreq example: 5. Launch Certificates - Local Machine by running **certlm.msc**. 6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. -### Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: @@ -280,6 +280,7 @@ SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` + Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. > [!NOTE] 
@@ -287,8 +288,9 @@ Following the \[SUBNETS\] section, there can be sections for each Network Unlock Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. + ```ini -[‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] +[2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. ;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. SUBNET1 
@@ -298,14 +300,14 @@ SUBNET3 To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". -## Turning off Network Unlock +## Turning off Network Unlock To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. > [!NOTE] > Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. -## Update Network Unlock certificates +## Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. @@ -335,7 +337,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include: 1. Start an elevated command prompt and run the following command: - ``` syntax + ```cmd wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` 2. Open Event Viewer on the WDS server. From d142d0d9ce781bee4f86b16465c0188b4dc9a0b0 Mon Sep 17 00:00:00 2001 
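Review bot: the commit message says "Corrected erroneous href links", but none of the visible hunks touches a link; the seven heading hunks (`### Install the WDS Server role`, `### Confirm the WDS Service is running`, `## Turning off Network Unlock`, and so on) change only trailing whitespace after the heading text. That cleanup is fine, but the message should describe what the patch actually does (heading whitespace, fence language, and the thumbprint fix below) so the history is accurate.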
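Review bot: the `-[‎2158a767e1c14e88e27a4c0aee111d2de2eafe60]` / `+[2158a767e1c14e88e27a4c0aee111d2de2eafe60]` hunk removes a hidden non-printing character that sat between `[` and the thumbprint in the original; this is the most consequential change in the patch and deserves its own sentence in the commit message, because a reader who copied the sample section header into their subnet policy file would have ended up with a section name that does not match the certificate thumbprint, so the subnet restrictions described in the surrounding text would silently not apply to that certificate.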
From: Baard Hermansen Date: Sat, 22 Aug 2020 01:54:53 +0200 Subject: [PATCH 04/42] Update bitlocker-group-policy-settings.md Converted all HTML tables to markdown style. Updated several URLs. --- .../bitlocker-group-policy-settings.md | 2212 ++++------------- 1 file changed, 533 insertions(+), 1679 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index be8ab9ed7b..ad390ad5c3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
@@ -20,19 +20,21 @@ ms.date: 04/17/2019 # BitLocker Group Policy settings **Applies to** -- Windows 10 + +- Windows 10 This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. ->**Note:** A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). +> [!NOTE] +> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings). BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. 
When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group -Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. ## BitLocker Group Policy settings @@ -99,98 +101,43 @@ The following policies are used to support customized deployment scenarios in yo This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.

Introduced

Windows 10, version 1703

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware. +||| +|--- |--- | +|Policy description|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|When enabled|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| +|When disabled or not configured|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| -

When enabled

Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

When disabled or not configured

The options of the Require additional authentication at startup policy apply.

+**Reference** -Reference - -The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. -But visually impaired users have no audible way to know when to enter a PIN. +The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. This setting enables an exception to the PIN-required policy on secure hardware. ### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. + This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

When disabled or not configured

Clients cannot create and use Network Key Protectors

+||| +|--- |--- | +|Policy description|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.| +|When disabled or not configured|Clients cannot create and use Network Key Protectors| -Reference +**Reference** To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. ->**Note:** For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. 
+> [!NOTE] +> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). @@ -198,46 +145,17 @@ For more information about Network Unlock, see [BitLocker: How to enable Network This policy setting is used to control which unlock options are available for operating system drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If one authentication method is required, the other methods cannot be allowed.

-

Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When enabled

Users can configure advanced startup options in the BitLocker Setup Wizard.

When disabled or not configured

Users can configure only basic options on computers with a TPM.

-

Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If one authentication method is required, the other methods cannot be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.| +|When enabled|Users can configure advanced startup options in the BitLocker Setup Wizard.| +|When disabled or not configured|Users can configure only basic options on computers with a TPM.

Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -Reference +**Reference** If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -275,101 +193,46 @@ There are four options for TPM-enabled computers or devices: This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

When disabled or not configured

Enhanced PINs will not be used.

- +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.| +|When disabled or not configured|Enhanced PINs will not be used.| **Reference** Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. ->**Important:** Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. +> [!IMPORANT] +> Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. ### Configure minimum PIN length for startup This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.

When disabled or not configured

Users can configure a startup PIN of any length between 6 and 20 digits.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.| +|When disabled or not configured|Users can configure a startup PIN of any length between 6 and 20 digits.| -Reference +**Reference** -This policy setting is applied when you turn on BitLocker. -The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. +This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. 
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. 
@@ -388,61 +251,33 @@ If the minimum PIN length is reduced from the default of six characters, then th This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. -| | | -| - | - | -| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | -| **Introduced** | Windows 10, version 1703 | -| **Drive type** | Operating system drives | -| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| -| **Conflicts** | None | -| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | -| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| +| | | +|---------|---------| +|Policy description|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| +|When disabled or not configured|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| **Reference** -This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. 
This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105). +This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105). ### Disallow standard users from changing the PIN or password This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Standard users are not allowed to change BitLocker PINs or passwords.

When disabled or not configured

Standard users are permitted to change BitLocker PINs or passwords.

- +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Standard users are not allowed to change BitLocker PINs or passwords.| +|When disabled or not configured|Standard users are permitted to change BitLocker PINs or passwords.| **Reference** @@ -452,55 +287,22 @@ To change the PIN or password, the user must be able to provide the current PIN This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

Passwords cannot be used if FIPS-compliance is enabled.

-
-Note

The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

-
-
- -

When enabled

Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

When disabled or not configured

The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

- +||| +|--- |--- | +|Policy description|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|Passwords cannot be used if FIPS-compliance is enabled.


**NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.| +|When disabled or not configured|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.| **Reference** If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. 
When set to **Do not allow complexity**, there is no password complexity validation. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. @@ -515,44 +317,17 @@ When this policy setting is enabled, you can set the option **Configure password This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives (Windows Server 2008 and Windows Vista)

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If you choose to require an additional authentication method, other authentication methods cannot be allowed.

When enabled

The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.

When disabled or not configured

The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives (Windows Server 2008 and Windows Vista)| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If you choose to require an additional authentication method, other authentication methods cannot be allowed.| +|When enabled|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.| +|When disabled or not configured|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.| -Reference +**Reference** On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. @@ -579,97 +354,38 @@ To hide the advanced page on a TPM-enabled computer or device, set these options This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

When enabled

Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

When disabled

Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.

When not configured

Smart cards can be used to authenticate user access to a BitLocker-protected drive.

+||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| +|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.| +|When disabled|Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.| +|When not configured|Smart cards can be used to authenticate user access to a BitLocker-protected drive.| -Reference +**Reference** ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. ### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

When enabled

Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

When disabled

The user is not allowed to use a password.

When not configured

Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

+||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|When disabled|The user is not allowed to use a password.| +|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| -Reference +**Reference** When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. 
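Review bot: the Conflicts cell of the new "Configure use of smart cards on fixed data drives" table gives the path as **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance**, which lacks the `Windows Components\` segment that every Policy path cell in this file uses (for example `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives` two rows above). Since the row is being rewritten anyway, please confirm the location and add the segment if it is an omission; the same Conflicts text is repeated in the smart cards on removable data drives table later in this patch.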
@@ -679,115 +395,58 @@ When set to **Do not allow complexity**, no password complexity validation is pe Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive. Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. 
Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. ->**Important:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> [!IMPORTANT] +> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. ### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

When enabled

Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

When disabled or not configured

Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

When not configured

Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

+||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| +|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.| +|When disabled or not configured|Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.| +|When not configured|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.| -Reference +**Reference** ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. ### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

When enabled

Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

When disabled

The user is not allowed to use a password.

When not configured

Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

- -Reference +||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|When disabled|The user is not allowed to use a password.| +|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| +**Reference** If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. Passwords must be at least 8 characters. 
To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. @@ -797,52 +456,26 @@ When set to **Allow complexity**, a connection to a domain controller will be at When set to **Do not allow complexity**, no password complexity validation will be done. ->**Note:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> [!NOTE] +> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. -For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852211.aspx). +For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). ### Validate smart card certificate usage rule compliance This policy setting is used to determine what certificate to use with BitLocker. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed and removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

When disabled or not configured

The default object identifier is used.

+||| +|--- |--- | +|Policy description|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed and removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.| +|When disabled or not configured|The default object identifier is used.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -850,50 +483,24 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific The default object identifier is 1.3.6.1.4.1.311.67.1.1. ->**Note:** BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. +> [!NOTE] +> BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. ### Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

Conflicts

None

When enabled

Devices must have an alternative means of preboot input (such as an attached USB keyboard).

When disabled or not configured

The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

+||| +|--- |--- | +|Policy description|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive| +|Conflicts|None| +|When enabled|Devices must have an alternative means of preboot input (such as an attached USB keyboard).| +|When disabled or not configured|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.| -Reference +**Reference** The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. @@ -911,44 +518,17 @@ If you do not enable this policy setting, the following options in the **Require This policy setting is used to require encryption of fixed drives prior to granting Write access. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

See the Reference section for a description of conflicts.

When enabled

All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

When disabled or not configured

All fixed data drives on the computer are mounted with Read and Write access.

+||| +|--- |--- | +|Policy description|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|See the Reference section for a description of conflicts.| +|When enabled|All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.| +|When disabled or not configured|All fixed data drives on the computer are mounted with Read and Write access.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -966,48 +546,22 @@ Conflict considerations include: This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

See the Reference section for a description of conflicts.

When enabled

All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

When disabled or not configured

All removable data drives on the computer are mounted with Read and Write access.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|See the Reference section for a description of conflicts.| +|When enabled|All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.| +|When disabled or not configured|All removable data drives on the computer are mounted with Read and Write access.| -Reference +**Reference** If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. ->**Note:** You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. +> [!NOTE] +> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. Conflict considerations include: 
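Review bot: Backslash escaping is inconsistent within this hunk: the new row `+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|` uses single backslashes, while the converted callout keeps the doubled form `**User Configuration\\Administrative Templates\\System\\Removable Storage Access**`. Both render as a single backslash in Markdown (a backslash only escapes punctuation), so pick one convention, single backslashes to match the other tables in this file, and apply it to the note line too.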
@@ -1019,52 +573,22 @@ Conflict considerations include: This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control the use of BitLocker on removable data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled

You can select property settings that control how users can configure BitLocker.

When disabled

Users cannot use BitLocker on removable data drives.

When not configured

Users can use BitLocker on removable data drives.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control the use of BitLocker on removable data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|You can select property settings that control how users can configure BitLocker.| +|When disabled|Users cannot use BitLocker on removable data drives.| +|When not configured|Users can use BitLocker on removable data drives.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. -For information about suspending BitLocker protection, see [BitLocker Basic Deployment](https://technet.microsoft.com/library/dn383581.aspx). +For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md). The options for choosing property settings that control how users can configure BitLocker are: @@ -1075,44 +599,17 @@ The options for choosing property settings that control how users can configure This policy setting is used to control the encryption method and cipher strength. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control the encryption method and strength for drives.

Introduced

Windows Server 2012 and Windows 8

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

When disabled or not configured

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control the encryption method and strength for drives.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.| +|When disabled or not configured|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.| -Reference +**Reference** The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). @@ -1123,7 +620,8 @@ For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the d Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. ->**Warning:** This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. +> [!WARNING] +> This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. 
@@ -1131,51 +629,21 @@ When this policy setting is disabled or not configured, BitLocker will use the d This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.

Introduced

Windows Server 2012 and Windows 8

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

None

When enabled

You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

When disabled

BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

When not configured

BitLocker software-based encryption is used irrespective of hardware-based encryption ability. -

+||| +|--- |--- | +|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|None| +|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|When disabled|BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| +|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -Reference +**Reference** ->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. 
Encryption algorithms are specified by object identifiers (OID), for example: @@ -1186,52 +654,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

When disabled

BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

When not configured

BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

+||| +|--- |--- | +|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|When disabled|BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| +|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -Reference +**Reference** If hardware-based encryption is not available, BitLocker software-based encryption is used instead. ->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. 
If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: @@ -1242,52 +681,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.

Introduced

Windows Server 2012 and Windows 8

Drive type

Removable data drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled

You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

When disabled

BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

When not configured

BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

+||| +|--- |--- | +|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Removable data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|When disabled|BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| +|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -Reference +**Reference** If hardware-based encryption is not available, BitLocker software-based encryption is used instead. ->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. 
If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: @@ -1298,192 +708,86 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure the encryption type that is used by BitLocker.

Introduced

Windows Server 2012 and Windows 8

Drive type

Fixed data drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

None

When enabled

This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.

When disabled or not configured

The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Fixed data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|None| +|When enabled|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure the encryption type that is used by BitLocker.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

When disabled or not configured

The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Enforce drive encryption type on removable data drives This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure the encryption type that is used by BitLocker.

Introduced

Windows Server 2012 and Windows 8

Drive type

Removable data drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled

The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

When disabled or not configured

The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Removable data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Choose how BitLocker-protected operating system drives can be recovered This policy setting is used to configure recovery methods for operating system drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

-

When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

When enabled

You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.

When disabled or not configured

The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1500,50 +804,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

When enabled

You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.

When disabled or not configured

The BitLocker Setup Wizard presents users with ways to store recovery options.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.| +|When enabled|You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.| +|When disabled or not configured|The BitLocker Setup Wizard presents users with ways to store recovery options.| -Reference +**Reference** This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. 
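Review bot: the product name is miscased in the new **When enabled** row of the Windows Server 2008/Vista recovery table, `+|When enabled|You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.|`; since this line is being rewritten anyway, use `BitLocker Setup Wizard` so it matches the **Policy description** row and the rest of the page.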
@@ -1551,53 +829,28 @@ Two recovery options can be used to unlock BitLocker-encrypted data in the absen Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. -> **Important:** If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. +> [!IMPORTANT] +> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. > The 48-digit recovery password is not available in FIPS-compliance mode. -> -> **Important:** To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. + +> [!IMPORTANT] +> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. ### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

When disabled or not configured

BitLocker recovery information is not backed up to AD DS.

+||| +|--- |--- | +|Policy description|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.| +|When disabled or not configured|BitLocker recovery information is not backed up to AD DS.| -Reference +**Reference** This policy is only applicable to computers running Windows Server 2008 or Windows Vista. @@ -1618,92 +871,38 @@ For more information about this setting, see [TPM Group Policy settings](/window This policy setting is used to configure the default folder for recovery passwords. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.

Introduced

Windows Vista

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

When disabled or not configured

The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

+||| +|--- |--- | +|Policy description|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.| +|Introduced|Windows Vista| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| +|When disabled or not configured|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. ->**Note:** This policy setting does not prevent the user from saving the recovery password in another folder. +> [!NOTE] +> This policy setting does not prevent the user from saving the recovery password in another folder. ### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

-

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

When enabled

You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.

When disabled or not configured

The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. 
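Review bot: the **Conflicts** cell of the new fixed-data-drives table is split across lines: `+|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.` is followed by a blank line and then `+When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|`. A Markdown table row cannot continue on the next line and a blank line ends the table, so the **When enabled** and **When disabled or not configured** rows after it would render outside the table. Keep the whole cell on one line and separate the two sentences with `<br>`, as is already done for the single-line cells in the default-folder table earlier in this hunk.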
@@ -1716,55 +915,29 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). +For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

-

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

When enabled

You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.

When disabled or not configured

The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. +When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. 
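Review bot: the removable-data-drives table has the same row-continuation problem as the fixed-drives table: `+When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|` sits on its own line below `+|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.`, and Markdown parses it as a separate row rather than as part of the **Conflicts** cell. Join it to the **Conflicts** line with `<br>`.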
@@ -1778,50 +951,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.

Introduced

Windows 10

Drive type

Operating system drives

Policy path

Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL

Conflicts

None

When enabled

The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

When disabled or not configured

If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.| +|Introduced|Windows 10| +|Drive type|Operating system drives| +|Policy path|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL| +|Conflicts|None| +|When enabled|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.| +|When disabled or not configured|If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.| -Reference +**Reference** Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. 
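Review bot: the converted note under **Choose how BitLocker-protected removable drives can be recovered** names the wrong check box: `+> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.`, while the sentence directly above it refers to the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box; since the line is being rewritten, change `fixed` to `removable` so the note matches its section. Separately, the **Policy path** row of the new pre-boot recovery message table writes the path with spaces around the backslashes and appends the setting name (`Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL`), unlike every other table on the page; it should stop at `Operating System Drives` and use `\` without surrounding spaces, as the other policy paths do.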
@@ -1831,111 +978,59 @@ Once you enable the setting you have three options: - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. -> **Important:** Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. -> -> **Important:** Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +> [!IMPORTANT] +> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. + +> [!IMPORTANT] +> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. 
To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. ### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Introduced

Windows Server 2012 and Windows 8

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

-

For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

When enabled or not configured

BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

When disabled

BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled or not configured|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| +|When disabled|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -Reference +**Reference** Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> [!WARNING] +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.

When enabled

You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.

When disabled or not configured

The identification field is not required.

+||| +|--- |--- | +|Policy description|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.| +|When enabled|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.| +|When disabled or not configured|The identification field is not required.| -Reference +**Reference** -These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. +These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. 
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. -You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. +You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. @@ -1945,44 +1040,17 @@ Multiple values separated by commas can be entered in the identification and all This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
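Review bot: in the **Allow Secure Boot for integrity validation** table of this hunk the **Conflicts** cell is broken across a blank line: `+|Conflicts|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.` is followed by an empty line and then `+For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.|`. The empty line terminates the Markdown table, so the **When enabled or not configured** and **When disabled** rows that follow will not render as table rows; put the PCR 7 sentence in the same cell, separated with `<br>`, as was done for the single-line **Conflicts** cell in the **Provide the unique identifiers for your organization** table later in this hunk.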

Policy description

With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.

Introduced

Windows Vista

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.

When disabled or not configured

BitLocker secrets are removed from memory when the computer restarts.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.| +|Introduced|Windows Vista| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| +|When disabled or not configured|BitLocker secrets are removed from memory when the computer restarts.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. @@ -1990,48 +1058,22 @@ This policy setting is applied when you turn on BitLocker. BitLocker secrets inc This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). 
Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: @@ -2043,7 +1085,8 @@ A platform validation profile consists of a set of PCR indices that range from 0 - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!NOTE] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. The following list identifies all of the PCRs available: @@ -2065,44 +1108,17 @@ The following list identifies all of the PCRs available: This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2116,7 +1132,8 @@ A platform validation profile consists of a set of PCR indices that range from 0 - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:** The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. +> [!NOTE] +> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. The following list identifies all of the PCRs available: 
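Review bot: The header row of the new markdown table is empty (`+|||` followed by `+|--- |--- |`), so renderers that require a header emit a blank first row above "Policy description"; the same pattern is used for every converted table in this patch. Consider giving the two columns names, for example `|Setting|Description|`, or confirm the docs build's renderer tolerates empty header cells before the tables are merged.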
@@ -2134,56 +1151,29 @@ The following list identifies all of the PCRs available: - PCR 11: BitLocker access control - PCR 12 - 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

-

If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

-

For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

When enabled

Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation,

If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. 
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). @@ -2209,54 +1199,25 @@ The following list identifies all of the PCRs available: - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Reset platform validation data after BitLocker recovery This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Platform validation data is refreshed when Windows is started following a BitLocker recovery.

When disabled

Platform validation data is not refreshed when Windows is started following a BitLocker recovery.

When not configured

Platform validation data is refreshed when Windows is started following a BitLocker recovery.

+||| +|--- |--- | +|Policy description|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|When disabled|Platform validation data is not refreshed when Windows is started following a BitLocker recovery.| +|When not configured|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| -Reference +**Reference** For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). @@ -2264,95 +1225,40 @@ For more information about the recovery process, see the [BitLocker recovery gui This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

When enabled

You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.

When disabled

The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

When not configured

The computer verifies the default BCD settings in Windows.

+||| +|--- |--- | +|Policy description|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).| +|When enabled|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.| +|When disabled|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.| +|When not configured|The computer verifies the default BCD settings in Windows.| -Reference +**Reference** ->**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. +> [!NOTE] +> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

None

When enabled and When not configured

Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

When disabled

Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|None| +|When enabled and When not configured|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| +|When disabled|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| -Reference +**Reference** ->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. +> [!NOTE] +> This policy setting does not apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. @@ -2360,46 +1266,20 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled and When not configured

Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

When disabled

Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

+||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled and When not configured|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| +|When disabled|Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| -Reference +**Reference** ->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. +> [!NOTE] +> This policy setting does not apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. @@ -2407,44 +1287,17 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy description

Notes

Introduced

Windows Server 2003 with SP1

Drive type

System-wide

Policy path

Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Conflicts

Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.

When enabled

Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.

When disabled or not configured

No BitLocker encryption key is generated

+||| +|--- |--- | +|Policy description|Notes| +|Introduced|Windows Server 2003 with SP1| +|Drive type|System-wide| +|Policy path|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**| +|Conflicts|Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.| +|When enabled|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.| +|When disabled or not configured|No BitLocker encryption key is generated| -Reference +**Reference** This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. @@ -2452,7 +1305,7 @@ You can save the optional recovery key to a USB drive. Because recovery password You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. -For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852197.aspx). +For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). ## Power management Group Policy settings: Sleep and Hibernate 
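Review bot: In the native-UEFI table hunk, the "Conflicts" cell is split across several `+` lines with blank lines between them (`...Boot Configuration Data (BCD) integrity validation,` then `If your environments use TPM and Secure Boot...` then `For more information about PCR 7, see [...](#bkmk-pcr) in this topic.| +|When enabled|...`). A blank line ends a markdown table, so the "When enabled" and "When disabled or not configured" rows would render as literal text outside the table. Keep the whole cell on one line, separating the sentences with `<br>` or spaces, and change the trailing comma after "integrity validation" to a period.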
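Review bot: In the FIPS table hunk, the row `+|Policy description|Notes|` carries over a placeholder from the HTML version and says nothing about the policy; replace "Notes" with a one-sentence description, for instance one derived from the intro paragraph about enabling FIPS-compliant algorithms. Also `+|When disabled or not configured|No BitLocker encryption key is generated|` reads as if disabling FIPS mode blocks key generation, which conflicts with the Reference text that this policy "needs to be enabled before any encryption key is generated"; restate what actually happens in the disabled case and end the cell with a period.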
@@ -2476,11 +1329,12 @@ Changing from the default platform validation profile affects the security and m PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. -PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](https://msdn.microsoft.com/library/windows/hardware/jj923068.aspx). +PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. ## See also + - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) From 67e0b9b0f59003a540cfd60ca430fd5ff42d8df1 Mon Sep 17 00:00:00 2001 
From: Baard Hermansen Date: Sat, 22 Aug 2020 02:34:25 +0200 Subject: [PATCH 05/42] Update bitlocker-recovery-guide-plan.md Minor edits: Updated URLs, corrected spelling error, corrected outdated product name. --- .../bitlocker-recovery-guide-plan.md | 50 ++++++++----------- 1 file changed, 21 insertions(+), 29 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 822f7a9985..62b9b1864d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -20,6 +20,7 @@ ms.date: 02/28/2019 # BitLocker recovery guide **Applies to** + - Windows 10 This topic for IT professionals describes how to recover BitLocker keys from AD DS. 
@@ -42,7 +43,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. 
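Review bot: In the rewritten bullet, "To take advantage of this functionality Administrators can set" needs a comma after "functionality" and a lowercase "administrators"; the original line had the same wording, but the rewrite is the time to fix it. The replacement Intune link points at the microsoft.com product page (`https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune`) rather than at documentation of the **MaxFailedPasswordAttempts** setting, so readers following it will not find the policy; prefer the docs page that documents the setting, as the Exchange ActiveSync link now does.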
@@ -83,14 +84,14 @@ The following list provides examples of specific events that will cause BitLocke > [!NOTE] > Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. - + For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. - + Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. ## Testing recovery 
@@ -108,17 +109,16 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - `manage-bde. -ComputerName -forcerecovery ` + `manage-bde -ComputerName -forcerecovery ` > [!NOTE] > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). - + ## Planning your recovery process When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. -Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. 
MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker -Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx). +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. 
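Review bot: the corrected command at the top of the @@ -108 hunk, `manage-bde -ComputerName -forcerecovery `, drops the stray period but as shown carries no value for either parameter; -ComputerName takes a computer name and -forcerecovery takes a drive letter, so keep visible placeholders, for example `manage-bde -ComputerName <computername> -forcerecovery <drive letter>`. In the merged MBAM paragraph further down, the sentence still says "MBAM Tool version 2.0" while the new link points at /microsoft-desktop-optimization-pack/mbam-v25/; align the version named in the text with the linked release. The Modern Standby note in the same hunk still links to social.technet.microsoft.com, the kind of link this patch replaces elsewhere, so consider updating it in the same change.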
@@ -149,7 +149,7 @@ DS** check box if you want to prevent users from enabling BitLocker unless the c > [!NOTE] > If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. - + The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. @@ -190,7 +190,7 @@ Because the recovery password is 48 digits long the user may need to record the > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. - + ### Post-recovery analysis When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption @@ -226,7 +226,7 @@ The details of this reset can vary according to the root cause of the recovery. > [!NOTE] > You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. - + - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) - [Changes to boot files](#bkmk-changebootknown) 
@@ -261,19 +261,18 @@ This error might occur if you updated the firmware. As a best practice you shoul Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. - ## BitLocker recovery screen During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. 
+BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: -*./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage* +*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* ![Custom URL](./images/bl-intune-custom-url.png) 
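Review bot: the CSP path line `*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*` in the @@ -261 hunk escapes the closing asterisk but leaves the opening one live, so the emphasis is unbalanced and a literal backslash-asterisk will render; put the OMA-URI in a code span, `./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`, instead of italics, which also removes the need to escape the leading period. The confiure/configure typo fix above it is correct.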
@@ -281,30 +280,26 @@ Example of customized recovery screen: ![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) - - ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. - There are rules governing which hint is shown during the recovery (in order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). -2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." +2. 
Always display generic hint: "For more information, go to ". 3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. -5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. -6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. +5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. +6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints. 7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. - +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed. +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) 
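Review bot: in rule 2 of the hint list (the @@ -281 hunk) the replacement line reads `Always display generic hint: "For more information, go to ".`, so the https://aka.ms/recoverykeyfaq address quoted in the removed line is no longer visible inside the hint text; restore the URL within the quotation so the documented hint matches what the recovery screen displays. The curly-to-straight quote changes in rules 6 and 8 and the removed blank lines before the Example headings are fine.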
@@ -377,7 +372,6 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) - #### Example 5 (multiple recovery passwords) | Custom URL | No | @@ -407,7 +401,6 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) - ## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. @@ -418,7 +411,7 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. - + The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords @@ -455,6 +448,7 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` + > [!WARNING] > You must include the braces in the ID string. @@ -470,7 +464,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. - + You can use the following sample script to create a VBScript file to reset the recovery passwords. ```vb @@ -890,5 +884,3 @@ End Function ## See also - [BitLocker overview](bitlocker-overview.md) - - 
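Review bot: at @@ -455 the fenced command `Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}` uses en-dash characters instead of ASCII hyphens for the `protectors` and `adbackup` switches, so manage-bde will reject them if a reader copies the block; since this hunk already touches the block to add the blank line before the warning, change them to `-protectors -adbackup` in the same edit. The remaining hunks in this range only remove trailing whitespace and stray blank lines, which is fine.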
From 5734628c708cecb084340af5f85b49ac8fcbc996 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sat, 22 Aug 2020 03:04:04 +0200 Subject: [PATCH 06/42] Update bitlocker-basic-deployment.md Converted HTML tables to markdown style. Updated markdown for Notes and Warning. --- .../bitlocker/bitlocker-basic-deployment.md | 216 +++++++----------- 1 file changed, 88 insertions(+), 128 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 405ffb126f..72f95894be 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -20,6 +20,7 @@ ms.date: 02/28/2019 # BitLocker basic deployment **Applies to** + - Windows 10 This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. @@ -30,8 +31,9 @@ BitLocker provides full volume encryption (FVE) for operating system volumes, as In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. -> **Note:**  For more info about using this tool, see [Bdehdcfg](https://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference. - +> [!NOTE] +> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. + BitLocker encryption can be done using the following methods: - BitLocker control panel 
@@ -47,52 +49,16 @@ To start encryption for a volume, select **Turn on BitLocker** for the appropria ### Operating system volume Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
RequirementDescription

Hardware configuration

The computer must meet the minimum requirements for the supported Windows versions.

Operating system

BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.

Hardware TPM

TPM version 1.2 or 2.0

-

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.

BIOS configuration

    -
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.

  • -
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.

  • -
  • The firmware must be able to read from a USB flash drive during startup.

  • -

File system

For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.

-

For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.

-

For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.

Hardware encrypted drive prerequisites (optional)

To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.

- + +|Requirement|Description| +|--- |--- | +|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| +|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | +|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| + Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. 
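Review bot: in the new requirements table of the @@ -47 hunk the BIOS configuration cell ends with an empty bullet (`  • |`) left over from the HTML list, and that cell, the Hardware TPM cell and the File system cell each span several lines; a markdown table row has to be a single line, so join each multi-line cell with `<br>` separators and drop the trailing empty bullet. Also consider adding the missing period after "TPM version 1.2 or 2.0" consistently with the other cells (it is present in the new row but the line break after it suggests the `<br>` was lost).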
@@ -105,8 +71,9 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. -> **Note:**  Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. - +> [!NOTE] +> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. @@ -142,52 +109,20 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Encryption Type

    Windows 10 and Windows 8.1

    Windows 8

    Windows 7

    Fully encrypted on Windows 8

    Presents as fully encrypted

    N/A

    Presented as fully encrypted

    Used Disk Space Only encrypted on Windows 8

    Presents as encrypt on write

    N/A

    Presented as fully encrypted

    Fully encrypted volume from Windows 7

    Presents as fully encrypted

    Presented as fully encrypted

    N/A

    Partially encrypted volume from Windows 7

    Windows 10 and Windows 8.1 will complete encryption regardless of policy

    Windows 8 will complete encryption regardless of policy

    N/A

    - +||||| +|--- |--- |--- |--- | +|Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| +|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| +|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| +|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A| ## Encrypting volumes using the manage-bde command line interface -Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). + Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. + Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. ### Operating system volume 
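Review bot: at @@ -142 the markdown version of Table 1 starts with an empty header row (`|||||`) and carries the column titles (Encryption Type, Windows 10 and Windows 8.1, Windows 8, Windows 7) in the first body row; move those titles into the header row so they render as headers and screen readers associate them with their columns. The manage-bde link update and the added blank lines between paragraphs below the table are fine.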
@@ -245,6 +180,7 @@ manage-bde -on C: ## Encrypting volumes using the BitLocker Windows PowerShell cmdlets Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. + @@ -252,11 +188,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us - - + + - + - + - + - + - + - + - + - + - + - + - + - +

    Name

    Parameters

    Name

    Parameters

    Add-BitLockerKeyProtector

    Add-BitLockerKeyProtector

    -ADAccountOrGroup

    -ADAccountOrGroupProtector

    -Confirm

    @@ -278,26 +214,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

    -WhatIf

    Backup-BitLockerKeyProtector

    Backup-BitLockerKeyProtector

    -Confirm

    -KeyProtectorId

    -MountPoint

    -WhatIf

    Disable-BitLocker

    Disable-BitLocker

    -Confirm

    -MountPoint

    -WhatIf

    Disable-BitLockerAutoUnlock

    Disable-BitLockerAutoUnlock

    -Confirm

    -MountPoint

    -WhatIf

    Enable-BitLocker

    Enable-BitLocker

    -AdAccountOrGroup

    -AdAccountOrGroupProtector

    -Confirm

    @@ -322,44 +258,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

    -WhatIf

    Enable-BitLockerAutoUnlock

    Enable-BitLockerAutoUnlock

    -Confirm

    -MountPoint

    -WhatIf

    Get-BitLockerVolume

    Get-BitLockerVolume

    -MountPoint

    Lock-BitLocker

    Lock-BitLocker

    -Confirm

    -ForceDismount

    -MountPoint

    -WhatIf

    Remove-BitLockerKeyProtector

    Remove-BitLockerKeyProtector

    -Confirm

    -KeyProtectorId

    -MountPoint

    -WhatIf

    Resume-BitLocker

    Resume-BitLocker

    -Confirm

    -MountPoint

    -WhatIf

    Suspend-BitLocker

    Suspend-BitLocker

    -Confirm

    -MountPoint

    -RebootCount

    -WhatIf

    Unlock-BitLocker

    Unlock-BitLocker

    -AdAccountOrGroup

    -Confirm

    -MountPoint

    @@ -371,28 +307,38 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
    - -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. -> **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. - -`Get-BitLockerVolume C: | fl` +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. + +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. 
+ +> [!NOTE] +> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. + +```powershell +Get-BitLockerVolume C: | fl +``` If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: + ```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` + Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: + ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` -> **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. - + +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + ### Operating system volume Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. 
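Review bot: the cmdlet/parameter table at @@ -252 through @@ -322 is still HTML after this change; the hunks pair each removed `<td>` line with a near-identical added one (whitespace-only edits, every cmdlet name appears twice in the diff), while the commit message says the HTML tables were converted to markdown. Either convert this table to markdown like the other two, or leave it untouched so the diff stays minimal and reviewable.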
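Review bot: in the rewritten paragraph at @@ -371, `You can do this using the `Get-BitLocker` volume cmdlet` splits the cmdlet name across the code span; the cmdlet is `Get-BitLockerVolume`, as the following paragraph and the table above name it, so code-format the whole name. The same block now bolds **Get-BitLockerVolume** in one sentence while the new fenced block and the `Remove-BitLockerKeyProtector` reference use code spans; pick one convention for cmdlet names.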
@@ -401,11 +347,13 @@ To enable BitLocker with just the TPM protector. This can be done using the comm ```powershell Enable-BitLocker C: ``` + The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. ```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` + ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. 
@@ -415,33 +363,40 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using a SID based protector in Windows PowerShell The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. ->**Warning:**  The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. - +> [!WARNING] +> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. + To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` + For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ```powershell -get-aduser -filter {samaccountname -eq "administrator"} +Get-ADUser -filter {samaccountname -eq "administrator"} ``` -> **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -> + +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. 
+> > **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. - + In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` -> **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. - + +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. + ## Checking BitLocker status To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. 
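Review bot: The `+>` continuation line added after `> Use of this command requires the RSAT-AD-PowerShell feature.` keeps the existing `> **Tip:**` line inside the same blockquote as the new `[!NOTE]` alert, so the tip will render as part of the note callout; close the alert with a blank line and put the tip in its own `> [!TIP]` block. Two context lines in this hunk deserve a fix while the section is being edited: `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` names a cmdlet that the BitLocker module does not provide (the cmdlets that take `-PasswordProtector -Password` are `Enable-BitLocker` and `Add-BitLockerKeyProtector`), and `Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""` passes an empty string where the account or group SID belongs, so it needs a placeholder as well.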
@@ -456,7 +411,7 @@ Checking BitLocker status with the control panel is the most common method used | **Off**| BitLocker is not enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| - + If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. @@ -472,8 +427,10 @@ To check the status of a volume using manage-bde, use the following command: ```powershell manage-bde -status ``` -> **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. - + +> [!NOTE] +> If no volume letter is associated with the -status command, all volumes on the computer display their status. + ### Checking BitLocker status with Windows PowerShell Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. 
@@ -483,6 +440,7 @@ Using the Get-BitLockerVolume cmdlet, each volume on the system will display its ```powershell Get-BitLockerVolume -Verbose | fl ``` + This command will display information about the encryption method, volume type, key protectors, etc. ### Provisioning BitLocker during operating system deployment @@ -509,11 +467,13 @@ Decrypting volumes using manage-bde is very straightforward. Decryption with man ```powershell manage-bde -off C: ``` + This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: ```powershell manage-bde -status C: ``` + ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. @@ -523,16 +483,16 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti ```powershell Disable-BitLocker ``` + If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: ```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` + ## See also - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) - - From 5af7ab5c8c6121a11ae2e8fba5a144d6fabe962c Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 23 Aug 2020 01:31:21 +0200 Subject: [PATCH 07/42] Windows/Troubleshooting: Link URL & format update As pointed out in issue ticket #8119, the last link of the page returns a 404 error. The parent page https://docs.microsoft.com/windows-server/ has been changed since that incorrectly formatted link was added. Old 404 URL: https://docs.microsoft.com/en-us/windows-server/troubleshoot/windows-server-support-solutions Proposed new URL: https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting Thanks to rossmpersonal for pointing out the 404 error. Resolves #8119 --- windows/client-management/windows-10-support-solutions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 671e14612b..9274477150 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso ## Other Resources -### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions) +- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) From 9233d1f57e86e4442938095cc3c5d72d2de9dd21 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Tue, 25 Aug 2020 09:46:40 +1200 Subject: [PATCH 08/42] Update troubleshoot-bitlocker.md : Correct Event Source names Correct the event source names from TCM -> TPM (typo?) Minor formatting correction --- .../bitlocker/troubleshoot-bitlocker.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 88e28e59eb..bf97db1389 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -27,11 +27,11 @@ Open Event Viewer and review the following logs under Applications and Services - Microsoft-Windows-BitLocker/BitLocker Operational - Microsoft-Windows-BitLocker/BitLocker Management -- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: +- **BitLocker-DrivePreparationTool**. Review the Admin log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin -Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources. +Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources. To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet. From 0577a01a43ff7f633364df53246a8119af50f930 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:00:41 +0500 Subject: [PATCH 09/42] Update changes-to-windows-diagnostic-data-collection.md --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 61f9a5cf61..fe1e8ae442 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -64,10 +64,10 @@ A final set of changes includes two new policies that can help you fine-tune dia - The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** - - MDM policy: System/ LimitDiagnosticLogCollection + - MDM policy: System/LimitDumpCollection - The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - - MDM policy: System/LimitDumpCollection + - MDM policy: System/LimitDiagnosticLogCollection >[!Important] >All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. From 06adbf4f95b00819b720cb9c71074e1b29d70c46 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:11:18 +0500 Subject: [PATCH 10/42] Update hello-cert-trust-validate-ad-prereq.md --- .../hello-cert-trust-validate-ad-prereq.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 6e1445768e..f380bd2aa3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -44,11 +44,12 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Mount ISO file (or enter the DVD) of Windows Server 2016 or later installation media. +2. Open an elevated command prompt. +3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +4. To update the schema, type ```adprep /forestprep```. +5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. +6. Close the Command Prompt and sign-out. ## Create the KeyCredential Admins Security Global Group From cb77a7f0125154355dfddf6cb967b752dfd0a38b Mon Sep 17 00:00:00 2001 
From: Rei Ikei <47890550+reiikei@users.noreply.github.com> Date: Wed, 26 Aug 2020 09:31:33 +0900 Subject: [PATCH 11/42] Not need beta URLs for Intune In my understanding, the following URLs are for CTIP environments. So customers should not use the following URLs. enrollment.manage-beta.microsoft.com portal.manage-beta.microsoft.com --- .../identity-protection/hello-for-business/hello-faq.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index babc49afc3..390355cb33 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -77,9 +77,7 @@ Communicating with Azure Active Directory uses the following URLs: - login.windows.net If your environment uses Microsoft Intune, you need these additional URLs: -- enrollment.manage-beta.microsoft.com - enrollment.manage.microsoft.com -- portal.manage-beta.microsoft.com - portal.manage.microsoft.com ## What is the difference between non-destructive and destructive PIN reset? From dcdf4c3e2c04cae79890b85a1950da1117a6b183 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 26 Aug 2020 12:12:49 +0500 Subject: [PATCH 12/42] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index f380bd2aa3..0686de8a9a 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -44,7 +44,7 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Mount ISO file (or enter the DVD) of Windows Server 2016 or later installation media. +1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media. 2. Open an elevated command prompt. 3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. 4. To update the schema, type ```adprep /forestprep```. From 3109454831afd7dc3e8add96a368f9550bb6d14f Mon Sep 17 00:00:00 2001 From: "MisterMik [MSFT]" <15340423+mistermik@users.noreply.github.com> Date: Thu, 27 Aug 2020 17:50:11 -0700 Subject: [PATCH 13/42] Update hello-hybrid-cert-whfb-settings-adfs.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Documentation is missing the ClientRoleIdentifier : 38aa3b87-a06d-4817-b275-7a316988d93b This is misleading as the customer doesn't know which ObjectIdentifier to make the change to. --- .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 00c8e2e6f2..8a9763ebcd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -71,7 +71,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier. > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. From 843e498b9beda5485a700b0a056642c40c30da3f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 28 Aug 2020 16:13:55 +0500 Subject: [PATCH 14/42] Update hello-feature-dual-enrollment.md --- .../hello-for-business/hello-feature-dual-enrollment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 0a52de0945..028fdd4868 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md 
@@ -49,7 +49,7 @@ In this task you will ### Configure Active Directory to support Domain Administrator enrollment -The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. +The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. From e49dd9860883154ce2aeb4fba9a0b78e745aef60 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 29 Aug 2020 18:18:20 +0500 Subject: [PATCH 15/42] Update hello-hybrid-aadj-sso-base.md --- .../hello-hybrid-aadj-sso-base.md | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8df0ef33bb..e9c5fe59e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -301,23 +301,21 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Click **device enrollment**. +1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**. +3. Click **Enroll devices**. 4. Click **Windows enrollment** 5. Under **Windows enrollment**, click **Windows Hello for Business**. ![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png) -6. Under **Priority**, click **Default**. -7. Under **All users and all devices**, click **Settings**. -8. Select **Enabled** from the **Configure Windows Hello for Business** list. -9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. -10. Type the desired **Minimum PIN length** and **Maximum PIN length**. +6. Select **Enabled** from the **Configure Windows Hello for Business** list. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. +8. Type the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. 
![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) -11. Select the appropriate configuration for the following settings. +9. Select the appropriate configuration for the following settings. * **Lowercase letters in PIN** * **Uppercase letters in PIN** * **Special characters in PIN** 
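Review bot: The rewritten step 7 line (`+7. Select **Required** next to **Use a Trusted Platform Module (TPM)**...`) carries forward two typos from the old step 9, "falls backs to software" and "software based keys"; since the line is being renumbered anyway, change them to "falls back to software" and "software-based keys". The screenshot references `images/aadj/IntuneWHFBPolicy-00.png` and `images/aadj/IntuneWHFBPolicy-01.png` are unchanged context, but they were captured for the Azure portal steps this hunk removes (**All Services**, **device enrollment**, **Priority** and **All users and all devices**), so verify they still match the Microsoft Endpoint Manager admin center flow the new steps describe. The context line `4. Click **Windows enrollment**` also lacks the period the other steps end with.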
@@ -326,10 +324,10 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. -13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. -14. Click **Save** -15. Sign-out of the Azure portal. +10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. +11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. +12. Click **Save** +13. Sign-out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] > For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). 
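Review bot: Step 12 (`+12. Click **Save**`) is rewritten for renumbering but still has no terminating period, unlike the steps around it. The `[!NOTE]` context directly above these steps reads "rather that forcing complex PIN that change frequently", which should be "rather than forcing complex PINs that change frequently"; that note carries the security rationale for the PIN settings (the PIN is not a reusable secret and the TPM's anti-hammering limits guessing), so it is worth fixing while this block is edited.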
From f7d344e677b5cc08595db7e28807cf422baa8e86 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 29 Aug 2020 18:23:37 +0500 Subject: [PATCH 16/42] Add files via upload added for the article https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base#configure-windows-hello-for-business-device-enrollment --- .../hello-for-business/images/aadj/MEM.png | Bin 0 -> 53116 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/identity-protection/hello-for-business/images/aadj/MEM.png 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png new file mode 100644 index 0000000000000000000000000000000000000000..d98d871f21c168d773975cd48eb74fed63566890 GIT binary patch literal 53116
z9~e_pyXgJ;QSC|@JA`;S2dtcV+V@f3yDu{qzqnlq&_f9IZk<%5KRJqclnAJXn75bA zQJ?lLE<}c86PCKjdeISu3qia4HRkd1mO$v^uc&6(sN^r?fl6JFB?xB4STv8g!)_x! zaJf?2_R+mSH&kgSvtn*4&wm%qcKfVXAQqdCxi^#+uZKum&O2@F8IsNS@*a%CG}aXD zV(|onZ)*wEHNMFq9yb~_I;nPn#m5Ao?q^jbtLk8lolc{Ba{r@jIKub!C}ZQh+qHvV zl=`o-oihyr;G<63C*n&oiAjril4G>(w{%|uhu-J(u$Q*Q24%u}f4lU?s}vt})_S#j(hTOFV-jH| zK(zSXH5~2OC&VIP7PVX2?%1WIjo);*=J1jsw-0w?o}E9uZ!8c$=bjT(F}mp}IuS#y z@##EI5TjQx%#WMavQ+~HBl9&FXxkq#UrP|^4c--kcDG*8VXetVufqvTt4;efe<__&Ct|}Glk*5ktZuC=g zt+6G#{ajuDWbGe}ia5EtsM(Qrs)htK4j?fC(`N#0(^_x`>zkRPR^yK<0sh6_gwgho ze|-B}21k>Y&mGN1K-Xr;FRm9be<^J&NJraW)g*8n8s8AN1D0_E4wDwOrgE?84zNh= zFo??aT8Hq7DOO0yVrIy;b`Ny2_zzzERY2VDJP&cZ_MP(veqp}FJI57Km9b`n zAVQFCw&(?E9*-1YB%LVFWPj(^dpM&VUyczSsRyf!88kCn(3*xGu?Lf<@R_o&NoDj) zM@EV#5Lb>V!5XkalA!lw`(G33_vZf?bjHMyvNZ3i0^FiG;j6)Es^s zq5I(R&lwToopBD|?pU5hhj29QP4iw7+-$y-j=k)wd3Gy0M>Gd9$Q7&=I?niBfq=b; zgiwX#eU}<&bjv)h)ef5StROqAOf90+G8O%ZfN=@Smm{_B1Kf#4G5hAQnUV8qkut@* zf{H%@0_YFkhdlMT-R7$j;PTAJ`Y(QW{TxkvN`eM{hJ4zwiY5PjpwDAv{#*V35##=1 zWBxNtKDtl(|1;1b-xDnV6)^wo`QIVyk3|0wg#SK;|A<9@Z0rA0lz&$XTA#3qkRV(@w0I=vc0;qP_VBQeLd&^3wDyVqUVI$O-Vjn^A+% zmPT8(#3AbDUtVrb%B;3hk3oXUygU4jJcfrwDZES32Vv4z*Oc7DuQ1biG6(T{bVZ+K zMHVN2q)-Bg{eBpTQtWthICErgLCfdd*sDaZk}>|TCJ>Rd1MDg!Vb5Yy5U$_sJPFGK z#<#x#BOx%}(@Y6^Y=WH~o}uL!WZ{wcBlcfS{GeyTGL{(3ckHBtFYNi#2lI z*R}|gqssoUL3PP5nxD)T3x}=%3Mttg`Qz7 z@}6tjUG;*Y-C<=UW12AV`!oqLkYGau;Xa2;3A9^_Xp>1Wij~g~)hMb0< zFffY(?fddP%7Go>a-rx?MviuDs~j$eoQf=rLun4&W`g{{$G_oV1xCUE0T=)Qe$%sg z8GJ{(?4$0#Js+UxqHS<}{f{sQu&XIZrI?pa>W`9PXsR{(f*ajt6JwFY7!^Hm_28(1 zEHE-jaBhP(UFEdO;|2wM-Z}N`=_GH1pB@-aBSN?OFqr>oQC0#o4F|*1 z*zP=|048i3;W4<#YutpWE~hcZ2Ga*2-Q1{ve_>uB&$3+F3*(CPm#xj6HmM2)s6CU! 
zxI&v9!vQy*&e$Q|2@6GRo~saVrvMj|In!+Jkcky0c*_ifDXw05{EkFO0HqY#9}3@S z2Jh@m6DP$YQJuqAMmROOiU~<#SBS!t9-DM5I?}DbYWp<@I~LA>D3c^DQD_kAImBit zg9JR0EL_f5J@XqRxL+J5jtj1A{a>`bbySq!8$C*Q3eqVEDBUQffFJ@Qq5{(0B`sY; zDgr7E3J5A7CBx7$beD7uARyf!1H(O|e(L*McinZ@UH3m1Grn{Bea?RN-p^@_GUid` zy{Tx~(2O86oN4(0b2bROa%BPXQ1Mb+&kkQuN}Ha;W$#t%O!{#D5UeRccG9y;zjNtL zGFgrgQ&~ow_Tw+$*4P#Lmt1XUSOs-bsMaR9A#S0}$q9zqJM=h@CfPi1?v8r+@Fuiz z&q}#>8%v5LGyEZGSVlPCFc5+?^K^5}GdN%-%YL&!j#ruuW#LA~-!^$8L;W3J^X;63 zp2K(vrj_LBGGV4y`H0^vBG-ptwaSs(q~ZN+;Omz~kyutPG{VrUnv}^77xXt$bK2x+ zRnkva?trF&MDlNO-_9^A^7QyV%nR$FKqb#W+UjOl5PkaRAr~FCy&61+;1qNAF1#b_ zug?qC6jnhfNpBc`h7yNwip9w-F^a{ib0er2J#)w=2Jw%dfZi zk!{_4(WyWF$(l~Xb3JJSg*E?e{cM-@ zhLiA|=BB2BtHTt-E*$rxTUC)U+IOGB{ek_<1W)3{Jyj&EL7{yPoH7GA3p)2UH0jMi z9!Lq!{+IUkS@_&#VcPXz#WvTUmM~P%j|i#@PzTq z1l;E*auIp0Dzevq+T)aR&QSo-5JfiPZ{WUF$YJ$?=)?n{UkYM>S+5wvu%w5s+rIC{Y^7plnV&&431TJdl7*m+%zWU@ej-Qw!R|J^r`+>)tISzmvKhwJ;{ zMch4A7n6CICFc($Y4lgGcK+Q%z?qOWTeceBCx-Gpomm6Ij3Mi6MEpMljM%*di+@K( ztp42$!#CoJeC^t-{xttMqIa;NLT+9C{K}%-J*X#9&&qEDO?@yC- zuHS@C^{q!rZ`Zo5Ke^!xVh;uCJ0KXN8WWJrINe!$KP-7lLKc6JVgn;2o2nH_|9WvS z8EBJndJQJIezq6o;3bL9RJsDPLv8WRKAHU=;Nq<3;2xHj(O zUzuBjrlT}Mf1Yro0>)w5*NMeHl9=Dbx-a&PRELYUc$$<%@>DZLC8*u@-Py;_4?YXTQ_;wpom#7kmAI-?1Mv zI3;UU8_~7Dx;d{AA50sOnwpv%QEsseGmjH4?lH4C5xx!we(EK0lB zk=z!(o+38qpej*`)iKFMDoG13SWMlu5iY%>(Bneg!l@yFe=33wCxzZiz|V~Z9YvUZ zo%b6*t^Zm2wZMi;MU~*oWc|Y{%ump?qlcuD{zn@9fr!0b<0|)Q9Y}-go&I7SdsuH= zvq)-bUQup-Znx4cRtGY=QhGi4Q9P^@t!-CI3-MiD{Pb)>tEQNoyh-)bADQBv3y&Z0N8LxEClJR=^=WXIKn4=OGcw>zfukLL9 z-AX^R7=rwEB>9q7XqOOIXh$p7{%dcsc3Vq=c@cy-|I1iD;W09ySK^~L3ZiZcc4J|` z3HY>J&X2LtHZJ)I4sZ%cu|;58XBK_SdtC67M;nCbpKOf5HoDRryejtRy>6&$}t~)ae{Y09&bb_%Wjt1yF7-Ih%NRGU_4q;b?p)K6y-_m4s1Uq6$L8n zpeGUodsdN-8G~jI&F7+314kL13YOkWE!FP#Njo>3d!l)J_(n_zk|sC)qAG`@?7i5p zms|H|GD~{`7D1Q`@Eo9$PmI7GwEgP^ri6*sw<3==(Sae;iLC)dTIHY58eN>Hp#11_ zLJ=Zu{LkOf^o+7sh&~XI{C=Nnp-I@0d={|%zi|X=G;#V0G5r?W#sMu%52wHdSVvfg 
z!v9~78nH$j0eVb1R%T2PK0n@?;SKE;Z15Y*zGKP-#BJy@82cZ7<9^&eVV!k;f+G9S>TD`*7c6xk)ihcWT_+6xAoLJlG8&OO)w>T zCkH=I%sLAjtx^<#&4-v&vIf=$UZB(i_S5D_`fjF?GD?JXg56F4#tU#+FA$&jv#Kn= zwSO@_@=EH9_?8!ffUt}|Tbq|SKON*ByrueC|F7q2%=s}w$|_;Hx49g%NL3x@ zh}wOV#M3}d8w%3+16JH5o?!mS~sQvY0;c}TxShATJ=2%tO@md)Q6 zRYG{KrJw^e>RYsoTjngQ^NWrjo#1sg!%nqV{Skd1T!z@+kUCt6CKj14d2ho)_Bj+q zCojYnbn_xgig6DM{5f3#Qp3mr&k)QIpPsAsH_SB(mAHeQ7}8z1$YBk5><@nTjF;4_ zSjC#jqkp8si2HFRVoTZy;P(cNny-6HhIB34>5`> zR7z>x~Rq-ncqfoBU)< zDK$9rWsVZFr4*c=9p0<4lqR!BiLy3jgV7O<$H7vs2B^42Uy0+~oxD<%DU8(@j#XgG zI85e508sqT+tvwN`M);uz#CwgK&}y2>+yL_VtVJDSRpVD95xe?(3S?ND&!vF+0_jW zby4N_^QqSuO~q_A_4;L)`OS}%f*91p*jF1Nt9b8Yag!r83X=tBB0f6n4`b@K9Wtgz zviiDViVcg^pQYaW-ntlnsD28e3pe{(vCMD(c zjN$Eob(a|Pl^v?UbVYUl1*{AK)$=1g9e2@Biz9bKM}7I3&#z|$y8^o6!TMOS*Y>QR zHh07MrZXIaolLZP$R%)hR_BUy#&y)ELV!-urb>rVhDlpweu)>B<s7Gur``Cbv)WBbc!`80+WDG*4e>%IgaATTJ@T1l4 zlkFJoG|?a7Bt(1|qc3v!1glwpA7q)6Bd0(0b^Om#Esf4Ze+D+}^covT9!%-HsGVJl`7TNqnFfPeYMUZke@s<@|bb&pHnca)APtYI$+U+V4I*@`^4I-Sb21OFV4g(&WT zpWVjGE7Lp#+MX?Q=e8^|l6-8q_#~{cGR&Ov!-shBJ{A-@`|PE0m}c(t?Q0}{m}fj@ zPo8GB+VuJ1bi*VURYkG9}T^H&!Y}-N{MnF zn0w9<(@(l43U;SX3gGO`GGK12e?MgU6Zsxj;%Th=oPQKF*cCc#t@i?==O5ikg5>69 z!Bt_dxu3;SFY`>gK2LR~*Q#k7+d|isumq-crS>Whb%Rb24k0pW0EVr!U3( zWa*?f7USeIozlXt@m@-~e@l{ZE{YQ?;2B9;WHR1h&y}95UGrn-WAAK7^+MZu@R+(e zvDHm+)0vABKn97|FJej#VI_+^!CLO!3$dedKCCyjbMsUbHtVRz2rd6;ycO?0;P(aw0hIZL5^MGELrFQoY99#|j_C;4cn^Qm!A|ev#D?Rx95A*=5ukcr}aw z03!TBGI9P!!UqtaU$KR0(uw4(%xL?bFBE2_|4fS!XjsU+O>XFMt}%CFR9wvJWk#l%C z@pDjwcz_g0oqynG^N(S;8iiUK-OYP$)-t;nLIw_?debLv?u(KZ<1cWfmJYGxYi9IW zqMab<FZ(1q#<4rAxWW-*GnBy!z?{!f$h+}@}XgDeCwn1xN&}yczW|BoZFpxk1 z?o{>;6&r23A%ONw>X)K0FFzGjaii4fv)AWk7%<{1&vOza&` zqU?zz88a_0Pf){!K2293H7B4#@L|=6MXJv8a;qnslp01>1*TD&K?=&$%HMDbK3Ted z8-g7D)IF;UT|OK$4lMN^GsFGl;P%l70iY%!JK{s*L@Td+U^rX!%WkSH{k^x5NV(UjShTCi~th@STG zN;qD)guVwSBjgsNRh(t_()w#J;QjR%q29HJi7Lk4b8ceO)-MgG>EVuel%+ovIBms( z`-k5QJ%1|sC>sy6r$9c24%3{*MJkaeZ{j=8FN}U4h9{kzb9m^0HDO1XdP35*G1TKy 
z&Y!Q?gOLKw_S`7UqJ&SR!2Nk~J{~hG-ClBnX)?F9KGFEh;u=BdWG|Rcc)lp;ue6gE=Nww*KK8n-0!fjji52eV15s z2&pe)q(z>nDau-@%#WEUQB7o+LR{hlCNP9WI;MEEn0_*BX%UYK=#{Ra#&qh-%m6t5 zLUI-sIMFc=&5{ndXe8g5sK*pfOmdDYlsKy$N`Dl9%YT*xTy%w#FoE2PKsO`&rc0qms5D1^#Z;9@42S)dJ~eM6O0q2z=t zTzQ*31;FTqSLk5(ka6o#k$%n5(Uh|>%;fg#q})^VvP=gcRtav>kpt2@ZL-2Nv~?`Q zYm?rb=CUJlR>?a2WsmxZp_sI8>tYeA??+ey`a6 zNm0;L+l2HM%)G0sC>|kqK5+-k&1-ycZ|a86G5 zV!xeSEk~!C2XM!}%ih~I=myrmL4XDlB^2P+W0=@6G6o-(UkX01K@ADflymHih2PgmY#v9(2kYYPq9U(!w7M9JTkcL@?Y8c*e~xISHO+Ib`cCuJ@_S9O z;p8&3ow+=4d{Al{NP)qT7MHq`>Fab9a%VrOh)K*EoAkK2jrG7EaAerYZh+nW2UYNV zc|-H1|5BoHNIwfQjnMYWrQE zB&TJ6dL?Nx3YGK=229j=IoBrnDr8VZP-Or*6l!aa)p&&bX_?v8LQ&ZR{>te~(T&TJ z@MG1?pIxYH`CF{6XDHdJ`1;*8M!i_AZpn&f$1G{rA5r)lT4`KY5Ta{m9e zk(4$Hl^TraV7o_9&3}{M%$nwI*?c!%zcW+mJSRC;q1+HK<$f0=4L2JqBN}eB2VC^C zFU1aPme1jiuz%bLG5!%My%&h>x$|qTvIh12>^*UD0Ku&iT+vA=N zT{=H?)MkcE1-!BFS8ln;>&|Xc3J^e<^}0MLPEvqhV%TD8`sOh~^*WaX!sx})T>`83 zHO5=}wT50?YAotS&belJZqLQZ5Wg)pl(#@BuV$|#sQ^$j z5wR@jl+TK_bHzh9o#};E#E#;D%Ya;kvHTg60rMh&Km@2kN>243U~I`A#;uvDE>Fth zx6=f@7(2&UA1zue7G?+SUuj5IM}ZD#K&E;gTuQ#w#mBeFCquC>rrDu;mCPR)Qr(-( z=n&8sE~2}BgEoPQpn{eKCt=xOunAC4b}{e2$1s!BPt#~3kzih7F6!LM_ zd`5_fYNAZ|t&b=48`k7)nbX|E(wYcJ&-n9=Xf~_JhAR>+=C7mX8F;?XTk6JDlxfB8 zb`bBnP0U1QT5?78m&lvX@)|IRbd&-@4<_nZtJVZJE-&0WOTgHJLc0Dt zZ+@hb7qp$-0yP_x_QfAcmHoQ;E9c`QbPQZ^&8hipCsIz=D>c3`I(d`nM!UEOxyZ~C z4!&kHH^M2E3|v<0F=V%Wg2${It1UsKEBt~i@j%gC!Y0k&y+->XvH;MgUCuu$4VgVT zy(TnGbaqELF7;!>Wwy2)jn^$+iy~4v4Wf6m<*z#uwaBasHl6CWt+__4u4lD8$1q*FX-&5-va=mWR zLT+>Uq^xEj@UdwXnO`LP?=Azu0s!Y^z&0-`D)LU;8Y^bifCl&EswSq=@GEQVuT|(Y zRIl}X1)J*gtV`NVRM5Ab+2)>mOE-Fs-x1c4-MYFNlYu*mncs7a!K+ff(<$B#(TLj&1lT2#}xVcwWPvH^5zXT=5<(1?b(*2Dhgo*3AlvOl;ak-r6@E_S*RxCN{6mBQN|!9wqm&N8b5}f z7x~Ynat9acXf1e!aND(Y44^@{Jw&6-o>C!$9pPzC=|+wCoP4m?PmETl#u3N9OPc9P~??=zgI5xE=b-5f?JG>!1`%5onf7Oag7Uhs%%0dXaCR~k#!6-38tkgJYm;<+${kER?fY8Choi}$67D9M;_3`w>AKiBQX=yk zpL|b*$O?A)KE(V3ANRJp$@{M-2+qwIe0Xr?6_`pZ9-o_v=D1~JM2k*;LPz4`n~C>t z9*vua=Jzd2&;7hlH$k~0Fq_e6G|=0akt`X4FcIk<^)?R+UjEXP!zNJ^s>OFpGUkWv 
zWPfE5`?phXA!dfBfs@zdyBM;El1d@kF1xXMu`2rc#(38UDHho63VRy)JPE^MzJeMf ztTl!#)brH#K@B)*so26vhL0|(+i4J->PDv@8%{23a?IUO^gb|k{(?BeV<3u4x8V7ZhG}Git}4; zNn#iU?m#P~rlR5yr zszz;i%L^s)E=RUE|k;+w~!Z+X9jhJr-)+m#i z#?~I1wuN%`oAF&QdjBGXFDkR1&`kgG{nBwFP^QDTLoLT4gC)~UQRb=Z=ePs?5K*&8 zW5zuLC@$yW7Q#$B%M!cw?eQ_aj-&9+d1~{9069v%?){yY?=z3DTaX()UfXY8dFcw2 zuq$dA5MM!5&-QqYJ+hjL9;Mqk<_YKNy zW}x;exb~TrFp&6~Si}GljOf1Q55nfkv||Qq46Yo6?9sO%HHs&aC$FcWHcBTNnIpwb zkI-iiuoUI++>p1NLCJ1rSu~Vy&ji*xZaH&(Q9MJgBx&lEprR)11NMeewYU6ShiWSv zXUa(>r-jVD7XX|#{)y=-e1>!c+8;*I`gdvxJTh_44jJaFJw>a0m7DIERRY||IxG#aLY57^c7w5+j!wO7C ze`WrXo|AY1D>y;bAitK|Q@?$;fQDqQhOdqpCBE{U~YEi7!0k z5v}}xfXrSebA$U^EHpg*sP2C;f@g8wH&!2Y@g#@q#Cdbm3qTl2>F}sFyjQ*|D?3MSB$^ zJNMC3G=6Ud3k0FQrn2~VGnnbNI=crCNX;tNI6R0zKsxUqZms4RM^CF(zd*FLeJLqE zVSP7pDm_Sab)9=CBr@Qk_}a-#&s7{vf68J9!!xEg6o1ZE8<&0BEnVs#9qU&93u|NV zGz~>LZsKMf+;tlX1MWrjVj=1lIqU%uX{`st-bx$(<^G1?mOn8;Olk>ZL}$*!>9<5P z4M9yIRe0~QgKv8?<2but&S&JzhseqgsU4u;7b-_zio)Z)CQOY06+~TKdY;vEoz&}K zO-JnHb~QZf!+y0I%+Db8T6-4a+~4T|8kfL>XMBz`+*$Iy{~Y7gctwUL<1-r={c+1w zlSz9s`tS|DS%8zF#GEm6hWMufcAiShmiACm`YN;3GSai%VwPu1V_Cy z?!?j>a3W|aIYPN9;h9mcCg zalPGl6grO`jBw5C^%Ym6a_b276bqI#prG2-E6ZBHB}cw6PJHO`UA@bFW)Cf-D9Q9p zcyBm>Fq(b*?Gbl2!NBwdy*dh^5h8L{S|)!I-YnmT(saM>GjsLg9xlb=8+Imlvafar zI&@$veiR~5&emk_5vZwQJeB-sl%!s-Uz4$-=Ur%eMZ-bvdkR!A5m+NEevn`9g;>25 zwmX@85qs?RHOT$TT{D9HyOU`|34SZ^oc^gaOdu`P58=m9^veXYVJ3JH+YKV?%_3Ui z{sro!7qN$kYZh!)53Go}jwF<0dbrYK;OET_!UQn7tR+UFM8E>b!{C|6dZ-g#K8k6* zDRRf_^d8|cU8CCz#g0sO2kf?K`RRyPj+e>pv$32cP`9lhocj`QeaUqd3o#F;1DHCn z^o1m3_F{b^%e|N08V&9SIx zhnqn`NkLdllepQ~#8)2N(vu8PWVF#>6N?xpjesg}ZbEcRWv?l(DfNtBJ6gdSpA%pe zcQl`Da)0|3D^gKv+8V=bHl0{NiZxC>Wa%>*8p0d81`LxtMQ0=qTX;3JZm(R0`zQah z2|}P+%VXkvZH^)W<+nca<~I=1U$ ze#JtJcp^*vswgyR*#yC_rgO`pbX?~& z2^YH+gfvgD-{PviGM}$#;y4(siE~S2g7h5*u%-+$W~7Z%NfYo0kJL*!&7}*Nz_Hx0 z$`@k7p1@(VReZHF1Lu_;oxCy9nymqx5y+&eOD64j_y- zPooE=E?@Ri7MYHyLVJ0zW*o&NDhq@Gdbs1T2_LwM{`8b4aDn+FJ!@Y(%v5{K)%$}K zjIZ7S+qQAxrpA@eDh|c9L4tYSgiuzD=dD+2W6xhKG!{Po3B{Sgim(AS`cG)SbamOGa6L|V~LF^%>e 
z;d2o#Da&DYD_;3@;z+AqVzz*ZmelcU2gkHdNq7&ifBKNdRva!C8aMF6=a|y^GFKH} zqTjC0FqH-<=i{FYPCtZn09?HLVmsghzcTKu?J&m#W*m5a*v=YwR^>@CzccH*ZCLI8 z!(+^FY-k9W!sB)7_yvvKyRdT-e0_v>i(-mb(1h3GjJU3%EXi=*c-3Fiw>6IDRZGJF z$9!XDpUDtPQKAIhtg4paaA&{ePxiSw@ygL&L$#&?QO8x9QRGj1v8h?V=*a; zu}H1j%dxIq#!_}0pZ$4jbT!@E9|V=Txa?$^1>Omu#wxfiOQvCv)?SPs^R<=@3<>#}09l39p@Ds!l89-~LA)f2S|OLP;S_QpLBeCe&VY=6b*%I4$Cf;sA^U^R`;3Oz8%9~dw?FCr(} zsF*swJ&!+m&o7bF#xjQ@C)st4r+#?+VX#J6DfGG#$94K#Go9ef(J*1bVM#HeilVNY zCWZV{?I`65uu*?P@wyV;L@=I)O`&!!F`YU_1)nW0q6egCoQhPb$1uskMt`gr^Y&K- z6ODv<5v_i9*h8Gc1KKU$(qoYAoPvnpkgRRZp>lvHTV@E!sSIp|O6*neIX5*r7!>@Fw-xaky-co> zRXK3^2eT#{ypgw0ywch8Yi|+koK51j9nF(9mG|dQZL1no z*THEnAUHumpSf4e5}C+&8Cx#}2b+DC=(TBKRy8OXgOG#PER~YAoU+-*aCV$r<5O-t z#OS&FV()~Q8!CfCk=Uc;)oCWsV@yCZFUXEHQz+V~Yj2sK9nQYYAd^gK8SB{l1k!l( zUC-MUXR^j?v1RuH)yUB&{a@+MjdN2K$K#ng=4jx>6+6znQs;&74ir7;>J#BXD`fy8~;Kqfsd~_}eWe zOOr1=i_G~mJhPG}8f?B_Fi%gAiQw=ZtT@4)r(TIZ#Xcxy_w;ycN)?#px++*(R}1{W z*v##Bk^=97B-$En3FKqNquHHi#BwmqSqy|YwL`pPg6KqVcF+l9_ zhmj`T)Ya=ebFz_5cKLG*2dRfH>DFA>NcLZ1e`gPSm- zimpe(^Y;%tY(Qj|nCkaeNxw`lA3i8{^OCFZ^aVnhjNkmYznkm9u=Q9U8sIhy<(M50 zXxVVg)9jsmKEkMRIIv40oWP*SbYUwnE(ZS&oDxhO9BPuZ1! 
zwLKpZ@YQFrJyRdg-(6u}rCm`?{wCSez4+3YZ6lb#_4}Vy;#h!7KnWaNO^-JwhX2U^ zvN8S|ad6YFu{H1JZWHrANeO3Vsd%Tsu@dOraz_3l`FN0Wf6k!t+V%UuN8$6Y(lGx_ z!iX*G{nV_%&!+adlldJv)g6rv1yVhv?EKz^A|(6U*xKxFIzK zT~{P@9+0c~Lse+rCEz}+{GTBP*|#5QP{XsfRF16V8S@>nRjRn&GkEN`80e$J0+{Jb zZBj{xuT^$L^!p1^choc@dO1a`dOx5kTI*(eOPym@1H~C=xZ@!^ncCl7l!f^2j~0#b z&7pqWkgk{VTG_}z<~dA=+rg(qJvYuL&oZ*I%FV}9U&?x+D|%Go%raQhbG&1gTp?vQ zdARoWS1J>IJsmnh9XDLGVuQni{SmS2NvU-|OKrZ>G|UyaN~wiYnEe=9US0-eot-DY z+OG6vh)myjSdIXhpTjVpqO4SUF`Jn$KGMeuaZcloo%L!9TJiIr%j+LvVUtQbMG&~y zBqJc=)|f5M?>jubev$CGvs{-a;?!dg(jvHzs@+D&omdI|4}24mcC-AbHez_sQ1B}M;5T( ze0wC?Uhkdbuj#E$|Jb%j%pk3K z#$Q8mayF=~Q#>=oKq}d!Ib}UgvCwgAs#4`)gD_w~$HybK0?>1m06}gLs@-R(+TkYG zK=mpvzT3`1t*4Sy9_Q`62D(g6CNTz)>5y9FR?W_|xBg6pJ?*SfUPk!|CsCN^~sEk#!Hc2bx zyJLTI_>~~Y+Nj=qxncK-ciaKTHFFumeHCLyHGq%(V1`oFnMmK39(k6Q<%cxG5ql>` zSl)MvRy}}P2)O~9IF3Fv8p*fmQ*~KAAup7B%)Yb`v86hgl=2gnPf^n~%f(Kqd<~{g zIk0czsqwUMcqhp5QK@Y-l!T0*>uqW2$M)K{m1=jNVA=QC6HXkhe|Wf^U|fDEU)boo zCI@)X9d;}Cfpp^_DQzm?`%%;BP*|(6kCW@`u)g$azTaAz;p!dGfztg8F~4VX@2R$` zw(FCOo=4$=6vv&z3!9-SODtdf8VE*aoIuJbX`DM8@ciW7SQla6PtmZzw`4 zbF^zO2$dj=byLk5cCNR?Z-oibANrDn=K422^?_m37_B?#v>->H zOxBk?AApsB`=+Z{s+Xmp5<5c5>Nv&ySnz&Cj}A&z(#x@%rlCGtWmxUxIyK*j!im zmZn=`m@NI2`$yq!n_=OSWeM?M))zD;YR%Wuu82c{*9ck4*LyhXSb;Ynf*sMMv-+$U zJ>B-ly1|CT2nL5wIKm>GH5NK(i3;^?;0@cm%zv@7bCCMg`+WH~7^}Iyz};~2IEzyB zqjfPeg`T6$$Xww3*6|^%&Jb{S;dTXq2m#1g^8fTg3e*SLUxZD*`Kl zXiZG4x0IO*u2R5akp0;Qs3xpGRp|KqxZ%+Yl=7FB`u_x+fOda?`uvZaIOr4OE0M6)A^vINHKwVR2P!(Z5LiHtBWB z@q`CfNv{~t5(Om_+|jv3;)mwteHhGiNY1xiY8{`yW=3wxu|+z#yC;#5#9arLK9PWk z_KUGE-TS$nrP4Ve7P-o;?0@v}_QjD;KuYdu@$1G9DGEmzpYl!S=g)wA@GbK%4Rqj8 zQM2}>-l>|*q^{d5RbJI~)$rG%Eg(}guP^+gAC$BZIZ?-WUSJpyY9^KqvhcdG=CHdkuQVbqe+TjrM{;6OSAw! 
z|5X(8w>SaqG4$8B(f{@T^GB^aTQ%E|yFga)+_mFhX?t%);HK`3)@!tbvwo?{?N2!l zKu^b*eE{MTDxf=W4yMJgRSE-2jWx+>MyQjo&my!cZLyZ~`^R4d>>c1%S_=~OzhoQU zt^;#H-|uEXkeQFCmGQ`9;{&k7U%+uAfIKze=mC&@LqNz(S5^`_;&O4dFDjlb2(0xOP zyWlB-{yx3!#=7UbD>@anU0rdSpay~}@0QI|^2+l};*|#~a}_)cZytem`!c=L%#s__ zQw798Fiii1mF+GUHfvpRFAdQ_p8Vd%0`NvTh#%A#2>Z@>q0{gaP!?@okAcFere(V} z=!i>?Pc`qqQj|5}X+ZQk8PIl! zf}mKC5Dp;%jO0@X8qpH6ha6}rrxNDhSbQq!aRFnczgN>sj@fBp=wZenqi6k4^~%uW z8aYvGmAMK2i_QN1fYb5M@%xpA2OHHF&wkYU8W~Z&_%I*W`*2v6O1g!kzgd0wmNxLA zyG&A9Vaa0N>!U{cOE&qBY6tDM;b3#VWY0fxwO4v&YZ|%yvQDL+tn=dH)#VH1Wnv@4 z()}!FJET+RoPo^o;j)GnJ^_~$fCOaRE%HEe$aa}ABx?)EK|p7$6MbZ|XUXFk03;6X zOMl;I0Lxvn0?H!kKOAVv1*){iU!ZP z@pf)GiKP4osG_dj^VN@B-&|CTsZ?In>kmbuHKYG1lK@06>)m-8ci-lyI`HRcRw>Pnx;^z2onU<8|LVs9?J6Yt$gd-t~pC#C?^*p)yHzztZHqb1g@oMEh*HT)7HOA>Y>gVYt4i%k^9`Wa zVJ0KHri(`dhvhv+B*?os4zpLidb$neVgJt!n2i=*XEh~o;*e}bMV90+OMl;b*tyG0 zo~Rnt`T=3U&m?TJ3mEZ6Qc@~f&(MG}NB`EWEt$atSsH})dIxUgEJKFr zd-NLk85ABbj&RIxnh^C;?upKr;|naZ&)6})q{?BKanW(orx&$t1(dXvG)@ z?~iM{Hl9qX7A69~xH_(}kRMA-2`^5n71R^wGYd$KAuGuz8Nl~pc`oHFWz$YW_$8%m zaCt$Ka zgmy5N1B7-^K?&~y5%09J7LXtQ8<>y+#Z7{Tn}3k7WY*neP>_|Cmw5RNBM=WBf#Gx+ zMG{wH68)NwZ!kZG zE@_d>7U3z7y$Xb?&hpG&;S|P6iXyA^Bx#SW{nAybMg0Q6zyF{lfXaB`s-SI=`d&Vk zlvT)DI1qkhL*PCltF7bYFa2l)ie zofpB`v1S7$IH6WGM9Yp+qs}a;t+gw6Ck@^>=kPH6?{Y9|F!wrOKi1g_^yq~eBHSg$ z8ek)FA$awf3um7(pOE*F$Xyzx5Fn-ZzO5@Mb%Vjxgoc9c-6r<(J^xGNrmriXpBUmK zGsGpoW?h(ccPXWdR4lK;TXQ99<%+e`%-n097WR#-oAtD6T5E0dmR=W#Vl8D{)+W`*UMnTxdNJ~5<%FSOU6^4}$uJ#IxvlO_J^)Iq*{-bNXdc4w8btyv{1lfgJJ#Sy}`)=>e}FX`R4xa_~{6^Quh8!+n-G|{B_9Foc! zaDGRcvn54fp>#tybvo{OLdC6t3k7%gXdKq`O;6>7e)I2BJkkFpZMk!!MYXj5S&n~` zA^u?|{uM0zD-Z>|M?f^Yp)(!z#H#WHW!N*OiFG_sMb4J|1b$EZwd9KLoIXfAe zhLZpcyvke_!7F)D7}N!^{vGiFX&_2Is`khC@&4|46%`yD@`VEQ~?*Z4B z1ho3ooJ+scjBxe$qOr;i8%KGW!$GL=PLxWfVTCI(w(45!Z{emt#CN;itHFJn7sPb! 
z%S$_RPR>5a3|7*N6kmOICI4Sc2#D`6)G?_jaOFfC`DuS_v(BM;4Q(e%=Olv)7>RbC zYglp?$dm>)qG$!}A2sThCagjFM0`6ouG)GnrW=0Y@Q_t#w}Jjf`*B#C;QgQd24NJ2 zq3CRsIc$5pWPMI&6M6i`_tSQv_sWzxJaBjI+W@2ngoglHj7<2nHk_{sV&?2zLJeSo zA#ByN$}^{WxE(0|gzjn$@bgEjP-h@W#6$sy+u0kWaYhBSuQ+sjwq|=_mpBJ97r1m- zd9*&aRo+Sa*>P!TA{ z3-R>}m|1{W7mhCx`C71ltli$F=^gA)JmpS1pwIuJziOOl+h%xuOZm-{-<&tm3mXyJ zcyzZL$8@%4j-5V!e0ep^3!DO;Wshf$3<=_i!QB1R z@`{iP1@<~$zm{P@k;DUXUg%jG&Y=JSyXB-m{Vb*w7n`4=khp|t0!#dWLe(Ft4$=e&%mJ1i=+UXary`EhXP--R9Vxx zE}t_vfGSQ18PiIUey1^Nyy#q=QRXWY z!~6#A)Z`w9AX77SWU2RZio@@~FQ|{ssl;mPi#ba&jgRFT(6ITLZB-WG4rXq_$vPzFoB z`x?h5Q5+TI8h(#SQi3^{H9VFdPj$IUL7=CYrf57kM~d0ZI0{2x;#6DeyXYvB z0@e1|4a(=wuC&$SFnDq4^#t2kVsA1qYW-ddi4ew~xsvlRcF`;C8;3JZ#Z7+3G69Io zi8SY?8zEV;yUK6-AuqvFftTw66UWhTLMV+)R^Cme4+IHWUmUi003;3`UrH5a& zb2onG!0A$URM@r{c^4;hZYNRM^>UKR&U9V~@?PN!W{QDktJYbU^2=eRwK&AJqIoV| zbC~HB%SICM4R-)fGWf}&Ab0hR7eICg%mxO0;H0yY<;SVCZulCM5DysE;^dJ(_ z-KkPi(jXF&(hiNJw8VfQDGft6(j_5+Gzde3bcY~aLw8Eo-JJ6~M>yZ_z3X>#t$Ww~ zZ`RE0z2A8D`@TWv+IpTWr?NJw#_RFj;VV< zirc95w8PrO^mV=M&av9I+vS!c(T=<0RiWdDBJ*<{TE~LP)8S1F5AwQw4{dfTFj=_P zYtDv73<(FkHk_~_AEQP5$gBt1&a})OUqdc(9!O&%zc184_kZPJ=FZF1X5*sG`5n70 zqYR5WY1n+gm)*Bk502Hp^^-SDGJ%D$YZ4;G`=#X1)zg-J%1Gv58I?*$eFStYS7-1e zLtfz6SGRlt1L|n|a)N#qu;pzMq2om_C->M42`J5Y8wQyL#EcIk36i)-BJ!}cpcnTg zV}?J^k}Z>I`(-sFUP@ewUW8*&?9$-GWC(8r4L(T<90T8bvKIjBI3Wv$X(!QU`rSux zCbZZ+_L_c*6P-K}M1xuM6he?maOP_%(6Ni}dlkcm@pvUP0M*rF#=P;fQiXoUh#z&= z;~f!_n`AeDRKt>20ljpOa+ofC<2Y34h6UX$>4|h?f$>V`2-vjEU}zhhXnlSSF!d z^5Yox5$JsSIcLip-Z-0l10e+5MnKq<4~uof0idl6dgv-^ew$!|)>FJ5M(YV0$JcmB z%6LXOL9Icuh%-O~D=zpp{r26b&?ZLAbX9XE^Brq34L@`QJ(Gd%(lWNENdcbhlm(n~ ziOnwrG>FeXp?|TABscDc%P~?k%8znRx_9V6Mf|vAS)2dELlZ&DaS~Yx-uoe-&UM#mg<2ksC@0o zA)K69N!cBDqhA2zhyL;5v+{(buvDC1&Ahy9Q>T3i2U;w4zk)ZeH_}$7&o0)3Q#JR5 zixP#w+kQDd>PEaU#z%&z5(<&A!}K^$6$-@l!DHQ1Pk?gql0Qa##-7E`_6Av@&Jr3r z^ApBLz{Cd`lWmN2p~7@mR#FkW;>&av3`O4weFY@fz{DW`0|v zO@oT(y&9XIRsVBheZpV;iT9+F4RBxVXI$ufb$y$AU~7eMuvlV={wCB*d8Ai3-M0W6 
zI3h{&qj4_XtT8|+rz6|MzyX9n_n5^xlq0U8`Wa~q?Li9NiRg)hC~tysCi_6w6Eg4_ zNZ=RZeF{DzUrf2CJ_FRG;G6ey*Bl+%@XVr#gdf$5j_W{MOt~y&8xU%@jO`}Kq0tp!Co&@-(YS4E==k$r22>?%%zF+ME`+@IcwXfuT#SIZKxve?hq%r!Cy5v>}ES(+#B_dhC8a|%)G zz|3V5UcA{KG5pTS`g=}W7RmsW)gZ&)M?xsqlu3Fm6^9L>G~rO;;DZFIZ|F=UnKb?P zCKxTEP@j{a5>L8d#~+Bz=}^BU<=*fFGc3Q)*$dudHy``1c>k4Q3Xar4hSf*-%|;MI zBSXH|mxz^++7EJP#6Wu&$Gg~~l%FCo6t5K{#Tv_dH5T|WBo{y$>0X3Vfu-BD z>7f{?)c5&X;l?%_O@0*s_(I^As9(90H0?USIv&Gqc2sKi@oxr<7AaVt4t*PS+rJdO zPgKr@OdJ83)9BDC%kG|>D05~}MwHqE!vZY)(ya|6B*b_e60HYG`hw4W`Ece`pPG0T zplS%RVegWXAT+25EXA$V;9!;{HG73@NdnmqJ>4#JUPUyu2`VosH29yegWh9}la#tb z7&RWyM7y%WSqoT!A+iXa&e6M_#+HXKC$O&{@6YUmwctk)-tcjD3cN!4GmMl)TBqpG z{nH8v@om&e=w`&+=@gHHpPWEc+=kus@V8zb0b>P-HDXQgw!1kq4uHwJ9ka0Q9Rb_s z*tOi>Ac@#^2ClmGt7r27z!3U+*F^I_s-yfHb%%V}PhfVI*4FQw4a)+to3GIIdMA*t z=dK>?pAPe*uejDMKJX)>o4o38di{O)jN2ij=T1|B*a#r};vcx9X@FZ(HF523KyvOa zrL2s1a3w7LBFb+vs-u{aa-u8#4R3&S;wC^eY>P_|*L1#rg%iwtkjXGJGr;72^tOQEaar}7 z!YrWLr#t@EcTEcbW`FM2xMEx>L3EQf{5z7R8VIz8|Ez8z#~DQZ^WmeneFP<%x|~xp z$Ydt2FSyfeJ`AA`jMGVI1J^IX=anqO{q^*?XBfvz-4&PSgGbUEPzmQD3by_Rvz`zJ z#y>fR0JDe;NPWkLH;jL6UFv4ZGum!ac`4G2&K`gcJ=G81>rnH&>@_OmH=G?Z5Eh`H z_g`{eK?IRm`!Q84B)N6(xv#Y4Y=TiolYPP4dCJAn2ikOD3!cF zl^5u#%mZ?kTE_d6=9KvC(ND9TjH1E_y(1;yG1w25qhMy52!qHU>^3o=st=D+<2gk) z-x}wzAM^@gW4d_=3ov0p@Z0pQJNZst$ zVJMkA{~3O#BLV)UElKWI%gRhyF`$MP_Z$xUZVYzY8JZEUOr5zyGd8Y54M^h8&G4_a z=!V`fTy1YLlsy83V(FQ8p>#3@Fg1eshiCV~#mo?9H|zvv-RjzfM!jYe#zM5tleEvDbfAR@Ss zbrBk5R2F~Xy~RvvwRe>#|I<#?e>^C>H#zp z`iu2_>|*}t5o{9trw`t#@*o0F2B zkJALe*na-BWhLPkJVc1g8*o13IBB3O29D7|Vz}bo2EX{>C@D7?CTy zSn}j?opUJWqf>!s{KU*J7^WU=6+pwTVxb=--ZA%0sESm$lS$C5wG#q3#M_WLz;v>~ zTkdM#=zD!p)1H%*mUevjAXtdcKcDTL{$C2y)JTk zAG3^?HWAXiKx^8xG~3y*+f=gev>jHK%c-X^oW2s~ zTI{Ti+SYf$fS#5jD)J@3rBbXd=i5Eufn;c?462*P&U6-wALZ}`lfmnr{H0Sm!pz1X z8Vj=xQ#s|NCmVV%;)93YumVPH!{-yVwe~2~?<>mRz-x<*s4g(qfQaMm)$LU7P8$$> z;IzS}$9v=oki%k=cqtKsZ zS4%MU>#KUATz2`q3(Z__eWSX#ULCF}5H66~1PzP&{HGH5ckCb#D$|-b;_)lv%hmF) z?;gk9Gz+E_ixs)K-6QTN+tNEVm;9?;M9UJUpH=oa*F-~$Zdipk_<=uwg}J8!Q@c}C 
z^>dy6**)R=*`4xC!XI{8GPl!yo$YfEGIj>fwo^;g=-xzS-tZCrOie0-#by=$V~Brm zg@480-98}wPX=}VzLh6X8evY*exWUtNxe|}i7&Qn91kyVk#3y}kjx51@qUE$0i{O& zLNz+^x}9%9fyKGn`C!>z6a}C$oE>gxy?$L`JzEbT0|76k9}(JZM&y4kV(oWlXWWi; zoWQjO+Y{wzJ4K=>@Vnlgafr2ibF>d@H3AeK{l$((McBzbzX=G)O9299ZvsAYfv^aG zF8z0$D-f{3#r*%oPZ`9(s7zx6Ojj{B%v)zPxc?fW6j)&!$!@@jO zxKwcg2+jO^#D9C@Zy)pjPXsCdmgm32k^h^m0$80u5e~<$1GeV^4wm%X>j{I+R37(S zE&}P35(y#Oq5-zlcaEa~h67;A5c98-tPX+&qGM2ys3dUr9~Uc!8JtVY~B7>ay@hE)3`Q4Cu#mUnC*hhxhW% zAOdksF`^#FU!0$&yxia2e#?>%FTH~56Wjwh;{6sb&q4iOqjKZKN?XNIePiYfbQt;f zEl`lRJ_&cxu}$NIVYLCJv7bKG97%_@g+#PcRaOL+VB6nS4S=~AA}a8$^FsMH|B~@>GwZLYwHu2!ll>*X;nuHbRi2*rn(|pc>$FI(3NNh1?{J57Z zDWNUXZ44bbT*j^~{{?TVytnkA7klETc&chc>SSI_enb!4;tF?X4J?xu8ihBPJ(&dV z=yNuURVI{5tJc$Sa>8F^XYS`CO9!Cg0hRP_hbI8dS+RECm?w%I&Ejllx!TKt5d4bE z{f;&QFFX?_WJuT1?6QAgLMZM>X7Vwc#OoB4_}0C~C+#DGlb*?{F^~)Ubcn$u#ET&t zDj9M}Z4!0a`*3pqMESlNB(Tzb`CS0%82CQJoawGMdNBJyH7qJ}rF}O!3~iaYXQnUpBj&Ec=Gpy{*qI;1#f)~DvG?6hn;wwt*e4xkhtpkbz2kyI*K zbc6&-jx2bfHx6G-GWua~1zUCpy9aslo6Hzy!u7qjbk3h;Mb*dXOlm~?{s;^5^zOrm zh_}m9H^!{Q0HV(o!X`>ty3Nnx)TfCv7W*GabuUJMgUT~o@}?b8K8P5P5r*(%ztxFH z`XlU!NyVIvG?M8LqOeU~{9rC+=`X??qmdIfz+bS9fHBM&ZkWJJTlM|BM-KX(1C+K$ zhHmpYkT1eDt1AnHQtQX-UkBjL42&9m$Latr2%7-8aiWUAUIQ&idrEUVaknh^0yZj zr~`d2r;Yl7f@J%Eo~6ooKE%JRPJCMU>=Zsc+-KXxr74)L{+rp}{0$mgP8scegiXS3 z?rzxA#0&5@XgUBe`<2*f?OxUigx=I8WbZ8z$-)`%7=^kuVU#rbEa#*bVC5cRKCRC= z*83`{Si#NIllE{fydcW?>~8^|FPbK9$3MLsFENx?3@669bZ`9J+xsSw)Qi(k5aQ^Iy~{)%&>MBHQX^i) zMZQwEY|!_LIQApuM>S&ofYy-+Ze8YpMtr^{E5VUKKkNe6SQt`%3(du|K8|p;&CbVC zrv~^Z&$kga_RQ2_rT{DcCYk;B7U1cPe!N5XrP2z;@BI5aHdUUfGSdc}Y#dQ?rMtp| z<9F`O*!y%O@@KXJdHL=>qkMRX8*HtlU&8OhoR5#c@KsAoU^EcpPw;Op-u64k>SsIe zTzwCfPvNLu1Mp`T?p>uFHnRe*M*q4IQ0p~gKrw_V_%~Hj4yKfVqo2%;PXBwO1iTP> zzb;DC1Zx;LMl=Bu)J^${+r7F#cf(T__x+gQVx?Tu47L4aOddUw49yg?1b z>PeGAYY7l_g=DGb%i*E#HdwAUyIR(D1av@L>#f8lKnr@61_PU)=D~!@B%v6WE=^HV zZS^9}mnV3NKWxN+Qy~@}3XP2CoyOnnr{l-lo+K8m9?q?;{cOT3RiC-nrdDESp3=J3 zVqj1l#glCNBMED_8vu}vyGcvHdY-cQIZh8a!FNQ^+@K=$Tp95J_B8k1t#kw97&vV9 
zT8UvjKZ)R-0;;)NX)zG|%dC!)fv@+DI5XRwpz>>C+kG}bN(U;){qHIXm{_RQM!&>Y zY+exo6_lKUf}LWO?^@FUCdTRB(bzk~HhEWEQht*TvG5slmpNFCe&xnV#5q8%%0y#V zwYGRQE{&z~#Ab`;+50(nNyV0rjM34Gs8jTthJ0fU9suAqXOASYyFN}EHw>#03?%fg zlp3Y$x2=jk!P7CJ|E|^^ii+HNcdn|(Y#L7HgP%@C>(yDkKIl(pl%I8W=!?uAa142TA2!9qIh1spVh`ah4%ertr1`yC{T+d}pP-{$Q=Lqr zByEW>g=hPs{NMa0S!*qR=eym+`{}%`R4;tpY8_SkeCHwQcHlw7JOC`-T~Hsgv!1Et zN6$;l0y1gR4G*$0xO>pap5g2EqDBcJwS|4@`7y4M6rhHS8RDG(-Q|bLAoqk!Er~G_ z2ZFzvS|_7ZM;Y}`y@?QQ$&TtP9!A!L>{w@`O;Sy`&3v6q`7W44NoV+LO>9i^TG>HO zqn^P1s)afOq+M*~$xC=M2p#r4^6VLGA5)N}Rh4Z(GrXx+G2E~n>nx!&q5kDd4!;2} z^_ItHa|3p+*moL!WEwbHof^4={Fib8$AX_uqSZNC@ZmD@SSj;JwfmX`3<~e_lq=W zd$RTxdw`NXT&jgxvgaPF4|_2kL+0`RMi$f}&mw%htA>jTF9}6owG#%1SW9SR31K$j zZDH2$X^ah$5}q0fXPj6kC&pz7r|vY^cn|?oMM%1bSYcVi>HhHJJ97mi1m*9VHIkkn z%dkJP(Z4M0=d(~Iu-llC%wTI37u-jz#BRIduo}<#)mkgU>WQ#5F)4c$WDi$i>-k(A zB9*oSfF^J02A{gop>DN;&S&!PCyQ7GS!^dG-14%*u&Q7RX4)vp$Sf#cXx}q=pFMu^ z=$pVz1$TaZ_~g(f<%JG@8f-n2kMj8opc63fd%_!Alc6J%QARqPkr9~8QHFN4EF z=YE+uiT9xmJfB6TYl#jd%^N6g_ac?#sKg~7gPYFiIiJOJ#s_cWgw>!|SnPAO3z1%L zxZ#?sQc-GjJ*k}&29-1sTxSX=3@L27*m?>vEe_O&0T|k?8UP}3Bw+X2=_9wOQzD?K z$G4OA$jR(YE!uMT4vYo^R^-O8c&yBLe~K5DCavf6&6~lIJ)a(!h|kc;hdv@&vZ%yG zbvCjIf^Ym<`Ld>P`19Gar+*|_8Ml*%Ce3mbHBU**35Vys_n63ACx;&{RJHJo_@>ej zM@C|;5CQg;r@WDcY-`%#s6;vf>R7~BI#s~Wj4{m1h*dwE?;mv{b?6M`g2V)5nZvzk zen!HMy5U}ye$jJY`Nuk9Sh=-eW!7}ylN)Kc0>fo?iX>C{oTAF{DEh<06mOGO#}(!H;&1MK!X8 zY_kk#%9e2Il;M8V?k&Rp2jzs>ns-BnKglExQ9x z)@-Q{Sdq+~f)u(7}@C4AGnpE(vJC|2QyV(j)xpQ%6S zk^%GEjr@=T-LU!8mZ*=yan*-CgN-gV_W>8*klI@3WjVdovl`H*;rx3^z?~LRdZ-^@ z{0fWaEyC98{Fy|3_(6;kgOGBU!U%t-Z!5fcoQ9s>tG1pyb8PnFo?|i% zGR5(5_}mRx|AXX25+;#G^pVD~S@`=7G$^h;_w?0`JUBgxr{h~RjV!4bukXDe7rHBR z-~$Sbl*D;;`P4!`KP(D1vLZb4hkCc{AKZ0C4 z9bb}pmDI<1qjN*J`K?^MK&TOyp+^BMNxZyS>CL%aV##~e(=qaql_t3ed z&?30#yU<_!qqy*#OX(KfUEtNRl{L(wh|E*2+)z@)9#_Ure<5poUoWCqR_(u|o4 zhW2@t51o47HF(%BTtfbB6=A`8B|ohjXv%NpV;}{c*Ye>Meagd6B!@x->|54fzf0&V zd}I$E90_4dOoCq$;mkGz8zTY5f_JC?xGjbytG+xRn>UcxYHfTX!*x8``j~LpI-8ID 
zA2QZy(@fFC?cx(Gwxh{J2KF>ShcP@ZATU_2TgYlJCv6#tZjDHrE(X7X90Dq~zC)M+ ze4`C(VDKB<7e9=oO3F*Kgn^Qbk!8648u1OT@A&Roma3zHH2%flJM;UuG5Rm_P!@Y^Z~=SQ}aOU4V<25Q?X(fDdqf2*o;K3xBq#A7v4W%mXB?|M%+ z#?+d%N$Z9>AmzF@iMI$(G{Amiq)2b}#}Dr~hz^hhK3&6m*EkKglU?JuA(jES6o3oB|Zx3 zV}yf)Yn<@5!PAlA{{no5vp{Q-e^0TLd=L1X&w|1`X#dd;75Mz$d4ZMF@w8(%3LIRb z*MHo50B-y!l#I6v5l&=2#c>8kv>)_W6SzdKA=PDN%B*m3xM%)8S2!S6ePe8J#sgY z0Tf4_zXz^3*+%$e&c|cM6MzcrD7phBXd4>--M@%l=!Q~l+n(&c2~|veemZ5>Pa)`{ z66Ll!kPeU#fU-MXeLAtOv!~_#Lf5%cY-Tp?2-lx&aOc!fZx11#2+SeRus!T8^TEgo zz_*WhBYd`+N!oC>o_CH5K7AJ!r326XmSu|SbU!%AHu9wFSnqP~a?(8l%N0hiV9v>& zy4XonWS%y2VCy8|&vVrD8QO($qKXJB{7WQ75T2d-p6|6&%}z|bUcv+OXFOK@y3R08 z@Tz&FseraEWvTZ_N4TT?8kT?XRb^&DT7~?BE~fmkK<$bak;moCwdJqjVoB;L`xljg zg_+69aAuA0sE*43s;XQ!oKbcrtfcm}i16iDH`Pg#BG*ZZ;Yx~n!Z(hKLx`-kwE0rp zNU!xp&IPAb90H7zS7q;0RSjUAp!^_l`HQ~2@Lf(B6GXj}1XhK)C8Nap==d}EEm9OjfH{QXo6+q3TXwReCu$@2Cj(4|&E)-?7$X*NqG<=Le8Bp1~;=W;L^X1MWTT zN1xR`tG}~jS@#MmC+YoReecNt(#K)^&^iy8)QE_qY7scGMhd2;we|RH!*uGWhDBA? zXrimDh935I_1|x?K0oYgOUnIIrPF7aqpOF*X)hMlSy+blEasYy_>tk{7c^!_HIuWw z5@l{Jtx|`${ad2`!>aThll1p^1Rta#9>L{B8kD4X*k0|@QU zdtcK)`kFlt`EqbTJca$OK7p(b9RBp?b7~KZC=sJ`l2Tu~GhhDv{6uv}OG%4cMba@d zP(2)i6zoz+=fWHl-izEN<-1{F|F+tcaf%bEEza(rkNSqU?Vskn<`^z)cXhb2scmHoNat`h9TFjw2OWUHTSE;E8$G)o}Yf^Tt`r5m0V0E>0VWL?KCo0vqH>mx^OC| zuV_=f3%koA%8$Ebo?OVkBg*k!1=!hPgedHCbuPACTDKjb#&;S}$T^KlOoG*P>{;sD4Sief(<%)H^{@!r$GUH-&_B3|~iEtHhZvd+= z=Eo%(FFC%F)tddqHhj|k+k&Nnv+Z%cBYSnPvy4se>c?7H>7ua9rgH*x2Py4&MLA#n zRdZU5l5dT*P~G`80Yhi3m50so2figFOTyc$@~aJjDO=;tJ!_#~I+qtMj}-N)E0n>^ zXid|c`#?ohJ&JLs+b`9p`3A1j@P3^Ls#*J!Uk5~Nal@$8Q*g+bcbbL|-upacdcD?u zt<0*107K%lxpR*~8`GJwsuH)ir`DwZaxoyq{mIYmMqxw!^|gzmve;lx1mxR`E+A>m z{k4zPuj;IypSSgeMorM8@HTq+*o-2==&HkP72rR?tNNaAT3B}!3lh$HtXmc?20fzaCfNi zz_LfcvloRqombbi*2&R@`YDmqY!Kcf-tPYJ874IO9C!^<2~NYW58D@nIji*kr5jJK zWTX4*T{ZhII}Nppbc%Lo2lCL4kB*K~99?s?EwNn+XU|UByCi70Pp4LX6#}Ivthp-B zkA**nwAa@V%Rhg2;Z&95MY>MHJ)m$j#$SN}Y$Lb&6x760!CLFS9OLGgWYo}PRp&5< zkFzakyFMJf;P-)O`!b^pNzhu+o}Z2h7~X{9!q^*{&0ii}u4Wn~xLX=U*| 
z0cRqda}P;QrOhwXb|2@p=WVG-qL~s!HQ+^M=2dX9yo^eQ$jD@EvXU}z6~|UJdOMY| z;@H`DD_a_lmuxDHWF~#C;YNG?wh+obQ>L{fxUoG3CETP5x-_G#X=4*FGq8S5OWDP= ztm#blLYL_Y_mRo)xQ__M!%WrZyhXSehTBG(+nFWMf}S~NqD_`p#yzMRx-H5U*b58; zxK(@=1*z+sS)c^YlK!#N$6xoZAQO_GOlB7mHkwXm3Vx;Ij%$YU1vObo=GJe)eYd-dzB|i~AVD9~Bob28-#){-h z%oq^qjL##bKO9nwGnHqh_%Kwk+Z|un2PQ_Zz!6U)Zdov$2LsJjAN;sk3F54Ria>`e zv}@b>9u2e1sN$Om11(O`s~_Mi%BxAt>CxvT88!QqMk?@@4ysP^&x6AC)|Qt>f2;NL zU(;S9J4`}$`*NDL{V(7q%w2#IuFw`%8ejIMrZuTh1*!c%>gFN5GUG`3Ha61v_# zoe?7%_hh$GZrj=B?NKSRefN1F<7-i9a!BAib?81_yDZb%N|(jbB|{M@l%UH(A{?^w zY>FPq{bKrSVCfWnMFGbwH@`5@fr6=8?FL86kma+&hc{hl)lPhmU4!Yc<+22;*&7PJjnA7>Cgoo39pWYF^9QJCVpt) z0JE^DXL(U`p{h+No@7!ld4U;7&rL6qo!?QK7=!aY{f8fnLYJK2QDy!)-{K}nk zBy-ao^eIbySOd=xL?C`po6|XI=l?>fC6zm1jTCE2mU+yFRj|*QZP7)z@&IrXQKzan zws#w6DC#n0BUgtU@6d|Rh=mwphYM@Qp11JrIBW}s924f)$@K@foexsCfvCBv2i5N|>4peK(q| zxhTz|_rxV$h9k1_M9|7XlhI|n&0=?4KJ|DD)+nXR%~WU>`#U{MuNtJ^muWj1Zc$tD zQ)p9WaOKU+itDy${WYehJucndIlV+v}U^m0Aal!)dhs7;v|{h`qfeQpt&OobCOOC9AkL;9&nUk-tq#!jj-Sfpncyh4Z~n~ zo@a#jdJyqzPg4qXQPx_-N$0Ysa}}@QY0HmjJpqzmRHg>iqT$)yIm5>8ve8(Wf_L`q zB$laCLFv@!wuvuZsGHt|Q@fzhW@F@+v|`fb;%d_L63kXi_8g;T*x7j{ypO~%kjoof z$XmdW(D9@mEn8kyNv2RYUWd85q#+M3}L`^b(8dcDD~z`i57ZJ2&k#9YVKd_CJ!NeU7T=3_%15cOSCa zb@5fbpAj4Bo#L6|qPKhZ34BWAnM0+Hs_JrxJv$a6KP}DKCznxh_EWwv9wHFFz=A<( zzMmrIe_Nay+fbk_eF}`7(UXu(Qnb8s>$y0)eO?|=45Y}yG6p|dHjnx!!k*Kb+E>d5 z*wsPgIn1#`e2HdiV^)%g)dXm*CMx7;tv~i&p$)u`lP}DX;{q95s2daewXZ`}aW$fFFWX Date: Sat, 29 Aug 2020 18:25:44 +0500 Subject: [PATCH 17/42] Update hello-hybrid-aadj-sso-base.md --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index e9c5fe59e6..4fa728cea5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -306,15 +306,13 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **Enroll devices**. 4. Click **Windows enrollment** 5. Under **Windows enrollment**, click **Windows Hello for Business**. - ![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png) + ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. 8. Type the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. -![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) - 9. Select the appropriate configuration for the following settings. * **Lowercase letters in PIN** * **Uppercase letters in PIN** From c5ac249e84634a21a2b8ca5b52d161ac7a9012f4 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:38:57 +0500 Subject: [PATCH 18/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
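Review bot: The second screenshot (`images/aadj/IntuneWHFBPolicy-01.png`, the policy settings view that followed the IMPORTANT note) is removed without a replacement, so steps 8 and 9 lose their illustration; either add a matching Endpoint Manager screenshot after step 8 or say in the commit message that `images/aadj/MEM.png` now covers both views. If `IntuneWHFBPolicy-00.png` and `IntuneWHFBPolicy-01.png` are no longer referenced anywhere, delete them from `images/aadj` in the same PR so orphaned assets do not linger in the repo.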
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4fa728cea5..41ea919388 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -304,7 +304,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**. 3. Click **Enroll devices**. -4. Click **Windows enrollment** +4. Select **Windows enrollment**. 5. Under **Windows enrollment**, click **Windows Hello for Business**. ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. From 37040d327f2fe45e2f78b0677836f47e5ab66803 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:39:12 +0500 Subject: [PATCH 19/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 41ea919388..3e9d7ffd7c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
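Review bot: Changing step 4 to "Select **Windows enrollment**." leaves the list with mixed verbs, since steps 3 and 5 in the unchanged context still read "Click **Enroll devices**." and "click **Windows Hello for Business**."; update those two steps to "Select" in the same change so the procedure uses one verb throughout. The hunk header context "Sign-in a workstation with access equivalent to a _domain user_." would also read better as "Sign in to a workstation", but that is outside this hunk.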
@@ -308,7 +308,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Windows enrollment**, click **Windows Hello for Business**. ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. -7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Type the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. From 53e85fe9885103e67539fcebafb87839fe9726ab Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:39:20 +0500 Subject: [PATCH 20/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 3e9d7ffd7c..1691111db2 100644 
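Review bot: the rewritten step 7 line still carries the typo "falls backs to software" a few words before the "software-based" fix; since the line is already being touched in this hunk, change it to "falls back to software" in the same edit rather than leaving a second pass for later.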
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -309,7 +309,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. -8. Type the desired **Minimum PIN length** and **Maximum PIN length**. +8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. From 2b94e6fc22a0d0a323605a50bfb4bf8b4ca99139 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:39:28 +0500 Subject: [PATCH 21/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 1691111db2..7713dff6d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -313,7 +313,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. -9. Select the appropriate configuration for the following settings. +9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** * **Uppercase letters in PIN** * **Special characters in PIN** From be5b9a2a0bef98d61b7abc8da8d274943bc4eed9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:39:37 +0500 Subject: [PATCH 22/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 7713dff6d3..3f505dd143 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -323,7 +323,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. 10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. -11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. +11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. 12. Click **Save** 13. Sign-out of the Microsoft Endpoint Manager admin center. From 63084c6f3f25497963a17efc6dc4e762d6e0f39c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:39:47 +0500 Subject: [PATCH 23/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
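Review bot: the removed and added versions of step 11 read identically, so this hunk is a whitespace-only change (a trailing or doubled space); fine to keep, but the commit subject should say so instead of the generic "Update ...". The NOTE in the hunk's context also has two wording errors worth fixing while this block is open: "rather that forcing complex PIN that change frequently" should read "rather than forcing complex PINs that change frequently", and "shoulder surfacing" should be "shoulder surfing".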
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 3f505dd143..b91cf9dba8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -324,7 +324,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. -12. Click **Save** +12. Choose **Save**. 13. Sign-out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] From 34dc21c2ebd8861c804f908d9f7d811824c0f8ec Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:41:28 +0500 Subject: [PATCH 24/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index b91cf9dba8..f933e513ee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
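Review bot: step 12 becomes "Choose **Save**." while steps 4, 6, 7, 9 and 11 of the same procedure use "Select"; use one verb for the same kind of UI action throughout, preferably "Select **Save**." The same applies to "Choose **Enroll devices**" introduced for step 3 later in this series.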
@@ -325,7 +325,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. 12. Choose **Save**. -13. Sign-out of the Microsoft Endpoint Manager admin center. +13. Sign out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] > For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). From fa6a13733977975fe585cad1868df1bde8750e53 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:41:36 +0500 Subject: [PATCH 25/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index f933e513ee..8e614d8c3a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -301,7 +301,7 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**. 3. Click **Enroll devices**. 4. Select **Windows enrollment**. From 25a16d7b5be9be62ef41ef08c35fc74a72a39ca0 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:41:44 +0500 Subject: [PATCH 26/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8e614d8c3a..5fb3572002 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -303,7 +303,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices**. -3. Click **Enroll devices**. +3. Choose **Enroll devices**. 4. Select **Windows enrollment**. 5. Under **Windows enrollment**, click **Windows Hello for Business**. ![Create Windows Hello for Business Policy](images/aadj/MEM.png) From f2b37bb9293663329836bcefff6140946c74224c Mon Sep 17 00:00:00 2001 
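Review bot: the hunk header context "Sign-in a workstation with access equivalent to a _domain user_." has the same hyphenated-verb problem this commit fixes on step 1; change it to "Sign in to a workstation ..." in the same commit so the sentence directly above the procedure matches the steps below it.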
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:41:51 +0500 Subject: [PATCH 27/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 5fb3572002..062527d00d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -305,7 +305,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **Devices**. 3. Choose **Enroll devices**. 4. Select **Windows enrollment**. -5. Under **Windows enrollment**, click **Windows Hello for Business**. +5. Under **Windows enrollment**, select **Windows Hello for Business**. ![Create Windows Hello for Business Policy](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. From cb07d7456c71403de562ce66db7340e4ee25af0e Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:41:59 +0500 Subject: [PATCH 28/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 062527d00d..1702d87fb2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -311,7 +311,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] - > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. 9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** From 065409eaa060c680ba5fd0bf633ad806ac82731f Mon Sep 17 00:00:00 2001 
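Review bot: spelling out "six" and "four" follows general prose style, but these are the values the administrator types into the **Minimum PIN length** field in step 8, and the same procedure shows TPM versions as numerals; keeping "6" and "4" lets the reader match the note against the field value directly. Not a blocker, but worth a second look.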
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:42:10 +0500 Subject: [PATCH 29/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 1702d87fb2..ea9a52eb2d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -322,7 +322,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. +10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. 12. Choose **Save**. 13. Sign out of the Microsoft Endpoint Manager admin center. From a4a57bab3cf2bdda2740a0e7d8d511e1f1f97968 Mon Sep 17 00:00:00 2001 
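Review bot: as with the step 11 commit earlier in this series, the removed and added step 10 lines are identical in content, so this is another whitespace-only change; fine as cleanup, but name it as such in the subject, or squash the two whitespace commits into one.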
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 30 Aug 2020 16:42:18 +0500 Subject: [PATCH 30/42] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ea9a52eb2d..d95d915f91 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -319,6 +319,7 @@ Sign-in a workstation with access equivalent to a _domain user_. * **Special characters in PIN** * **PIN expiration (days)** * **Remember PIN history** + > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. From dad8d2e2fb4bece4dfa2cfa27aef1fde33cac6d2 Mon Sep 17 00:00:00 2001 
From: Beth Levin Date: Fri, 4 Sep 2020 15:59:34 -0700 Subject: [PATCH 31/42] network protection update --- .../enable-network-protection.md | 45 +++++-------------- 1 file changed, 11 insertions(+), 34 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index f081c6ad4a..12bf4e6a76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -1,6 +1,6 @@ --- -title: Turning on network protection -description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. +title: Turn on network protection +description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -14,7 +14,7 @@ ms.reviewer: manager: dansimp --- -# Turning on network protection +# Turn on network protection **Applies to:** @@ -22,6 +22,8 @@ manager: dansimp [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. +[Learn more about network filtering configuration options](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#network-filtering) + ## Check if network protection is enabled Check if network protection has been enabled on a local device by using Registry editor. 
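Review bot: the link added in the third hunk hard-codes the `en-us` locale in `https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#network-filtering`, which defeats locale redirection for non-English readers; drop the locale segment (the next commit in this series does exactly that, so the two could be squashed). The link also lands as a bare line with no lead-in; a short sentence such as "For the available network filtering settings, see ..." would read better than a standalone anchor.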
@@ -40,9 +42,8 @@ Check if network protection has been enabled on a local device by using Registry Enable network protection by using any of these methods: * [PowerShell](#powershell) -* [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mobile-device-management-mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune) * [Group Policy](#group-policy) ### PowerShell 
@@ -62,41 +63,17 @@ Enable network protection by using any of these methods: Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. -### Intune - -1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. - -2. Go to **Device configuration** > **Profiles** > **Create profile**. - -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) - -4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - - ![Enable network protection in Intune](../images/enable-np-intune.png) - -5. Select **OK** to save each open section and **Create**. - -6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**. - -### Mobile Device Management (MDM) +### Mobile device management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## Microsoft Endpoint Configuration Manager +### Microsoft Endpoint Manager (formerly Intune) -1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) -2. Then go to **Home** > **Create Exploit Guard Policy**. +2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -3. Enter a name and a description, select **Network protection**, and then **Next**. - -4. Choose whether to block or audit access to suspicious domains and select **Next**. - -5. Review the settings and select **Next** to create the policy. - -6. 
After the policy is created, **Close**. +3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only** ### Group Policy From ede7ee4845b1e8fde93ba929e99e4273d1720b17 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 4 Sep 2020 16:03:15 -0700 Subject: [PATCH 32/42] remove enus --- .../microsoft-defender-atp/enable-network-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 12bf4e6a76..dbe7692a37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -22,7 +22,7 @@ manager: dansimp [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. -[Learn more about network filtering configuration options](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#network-filtering) +[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering) ## Check if network protection is enabled From 84e7eb14d12f90403fcd1eb2046a49acf5ae2ae4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 9 Sep 2020 09:32:48 -0700 Subject: [PATCH 33/42] Added new Update policy setting --- .../mdm/policy-csp-update.md | 76 ++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) 
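Review bot: the replacement Microsoft Endpoint Manager steps need several fixes. Step 1 reads "Sign into", which should be "Sign in to" (the same correction this series applies to the Windows Hello page), and gives the admin center as a bare parenthesised URL instead of a link; steps 1 through 3 have no terminal punctuation; step 3 puts "Configuration Settings" in quotes where every other UI label on the page is bold. More substantively, this hunk deletes the Microsoft Endpoint Configuration Manager section outright, yet the first hunk keeps `description:` advertising "Mobile Device Management and Configuration Manager"; either retain a ConfigMgr section (the deleted steps were still a valid path) or update the description and the "Enable network protection by using any of these methods" list so the page does not promise a method it no longer documents.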
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 38e9dd4066..a628a70813 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -192,7 +192,10 @@ manager: dansimp Update/SetDisableUXWUAccess
    - Update/SetEDURestart + Update/f +
    +
    + Update/SetProxyBehaviorForUpdateDetection
    Update/TargetReleaseVersion @@ -4133,6 +4136,77 @@ The following list shows the supported values:
    + + +**Update/SetProxyBehaviorForUpdateDetection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark
    Businesscheck mark
    Enterprisecheck mark
    Educationcheck mark
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. + +This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + + + +ADMX Info: +- GP English name: *Allow user proxy to be used as a fallback if detection using system proxy fails* +- GP name: ** +- GP path: *Windows Components/Windows Update/SpecifyintranetMicrosoftupdateserviceLocation* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - Allow system proxy only for HTTP scans. +- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + + +
    + **Update/TargetReleaseVersion** From bb9f486e255faf57825632ce04c87721c093e0ae Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 9 Sep 2020 10:27:15 -0700 Subject: [PATCH 34/42] minor update --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index a628a70813..d964981cd4 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -192,7 +192,7 @@ manager: dansimp Update/SetDisableUXWUAccess
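Review bot: the TOC hunk replaces the existing `Update/SetEDURestart` entry with `Update/f`, which is clearly an accidental keystroke that drops a real policy from the list; restore `Update/SetEDURestart` and add `Update/SetProxyBehaviorForUpdateDetection` after it. The follow-up commit in this series makes that repair, so the two should be squashed rather than leaving a broken TOC in history.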
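Review bot: the new policy description says the user-proxy fallback is offered "despite the vulnerabilities it presents" and the closing NOTE says value 1 "makes scans unsecure", but neither says what the exposure actually is; state it plainly so administrators can weigh it: with a non-TLS (HTTP) WSUS URL, falling back to a proxy that the user rather than the administrator configures puts the path the update metadata travels under the user's control, which is exactly why the text recommends an HTTPS WSUS server and a system proxy. Smaller fixes in the same hunk: `GP name: **` is empty, the GP path `SpecifyintranetMicrosoftupdateserviceLocation` is missing its spaces, and `> [!NOTE]` directly follows the `- 1 - ...` list item with no blank line, so it may render as part of the list.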
    - Update/f + Update/SetEDURestart
    Update/SetProxyBehaviorForUpdateDetection From d9a3d81a0a1941f7e941ee6df91942732ed0e815 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 9 Sep 2020 12:18:58 -0700 Subject: [PATCH 35/42] Updated GP info --- .../mdm/policy-csp-update.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d964981cd4..4eb6ccaccf 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4152,19 +4152,19 @@ The following list shows the supported values: Pro - check mark + check mark1 Business - check mark + check mark1 Enterprise - check mark + check mark1 Education - check mark + check mark1 
@@ -4181,23 +4181,24 @@ The following list shows the supported values: -By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. +Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. ADMX Info: -- GP English name: *Allow user proxy to be used as a fallback if detection using system proxy fails* -- GP name: ** -- GP path: *Windows Components/Windows Update/SpecifyintranetMicrosoftupdateserviceLocation* +- GP English name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* +- GP name: *Select the proxy behavior* +- GP element: *Select the proxy behavior* +- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* - GP ADMX file name: *WindowsUpdate.admx* The following list shows the supported values: -- 0 - Allow system proxy only for HTTP scans. +- 0 (default) - Allow system proxy only for HTTP scans. - 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. > [!NOTE] > Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. From f2640ab730886a5edc652fb1610a4d8b5aab05ea Mon Sep 17 00:00:00 2001 
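Review bot: the edition table gains a footnote marker `1` on each check mark, but this hunk does not add a footnote definition; confirm the file's shared footnote for `1` exists and agrees with the "Available in Windows 10, version 1607 and later." sentence added to the description. Also, `GP name` and `GP element` now carry the identical string *Select the proxy behavior*, which looks like a copy-paste; check both against the WindowsUpdate.admx entry, since a name that duplicates the element text is unusual for these pages.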
From: Beth Levin Date: Wed, 9 Sep 2020 13:03:42 -0700 Subject: [PATCH 36/42] updated link --- .../microsoft-defender-atp/tvm-dashboard-insights.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 11aa392b29..af31192f3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
@@ -55,7 +55,7 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. 
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. From b8913f5b229394d0ddd52e00dd973b56a9bed48a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 Sep 2020 13:30:16 -0700 Subject: [PATCH 37/42] update urls --- .../downloads/mdatp-urls.xlsx | Bin 18213 -> 18176 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
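Review bot: the Security recommendations row is being edited anyway to fix its link target, but it still carries the typo "number or exposed devices" (should be "number of exposed devices"); fixing it in the same change avoids a second edit to the row. The link correction itself is right: the row previously pointed at tvm-remediation.md, which is the target of the Remediation row below it.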
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index 84b5f2a66467e388d41c0299d5193fcf0b3e2fd3..bd35122350d32aa1293c2156966b22a90c7a39c5 100644 GIT binary patch
From 82250e95eaa570d7ed0c322ba26b4819170a34e5 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 9 Sep 2020 14:01:05 -0700 Subject: [PATCH 38/42] Added new Update setting --- .../mdm/new-in-windows-mdm-enrollment-management.md | 7 +++++++ .../mdm/policy-configuration-service-provider.md | 3 +++ .../mdm/policy-csps-supported-by-iot-enterprise.md | 1 + 3 files changed, 11 insertions(+) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 83fd0ea765..fdd17f0525 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [September 2020](#september-2020) - [August 2020](#august-2020) - [July 2020](#july-2020) - [June 2020](#june-2020) @@ -1414,6 +1415,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • Update/ExcludeWUDriversInQualityUpdate
  • Update/PauseFeatureUpdates
  • Update/PauseQualityUpdates
  • +
  • Update/SetAutoRestartNotificationDisable
  • Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
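Review bot: the entry added here, Update/SetAutoRestartNotificationDisable, does not match the node this same commit adds to policy-configuration-service-provider.md (Update/SetProxyBehaviorForUpdateDetection), nor the setting documented in PATCH 35 of this series; one commit should not announce two different names for one new setting, so align this entry and the September 2020 change-history row with the policy-csp-update.md heading before merge rather than in a follow-up.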
  • @@ -1996,6 +1998,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### September 2020 +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - Update](policy-csp-update.md)|Added the following policy setting:
    Update/SetAutoRestartNotificationDisable
    | + ### August 2020 |New or updated topic | Description| |--- | ---| diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7986a6fae0..5bb7f9d9c8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3918,6 +3918,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Update/SetEDURestart
    +
    + Update/SetProxyBehaviorForUpdateDetection +
    Update/TargetReleaseVersion
    diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index 617be22113..fe61104ca3 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -66,6 +66,7 @@ ms.date: 07/18/2019 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Update/SetAutoRestartNotificationDisable](policy-csp-update.md#update-setautorestartnotificationdisable) ## Related topics From 53f31dd95340250a12e9c13adea2968201e21436 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 9 Sep 2020 14:27:23 -0700 Subject: [PATCH 39/42] Corrected policy name --- .../mdm/new-in-windows-mdm-enrollment-management.md | 4 ++-- .../mdm/policy-csps-supported-by-iot-enterprise.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index fdd17f0525..b311f49601 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1415,7 +1415,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • Update/ExcludeWUDriversInQualityUpdate
  • Update/PauseFeatureUpdates
  • Update/PauseQualityUpdates
  • -
  • Update/SetAutoRestartNotificationDisable
  • +
  • Update/SetProxyBehaviorForUpdateDetection
  • Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
  • @@ -2001,7 +2001,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o ### September 2020 |New or updated topic | Description| |--- | ---| -|[Policy CSP - Update](policy-csp-update.md)|Added the following policy setting:
    Update/SetAutoRestartNotificationDisable
    | +|[Policy CSP - Update](policy-csp-update.md)|Added the following policy setting:
    Update/SetProxyBehaviorForUpdateDetection
    | ### August 2020 |New or updated topic | Description| diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index fe61104ca3..8e70dd707e 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -66,7 +66,7 @@ ms.date: 07/18/2019 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) -- [Update/SetAutoRestartNotificationDisable](policy-csp-update.md#update-setautorestartnotificationdisable) +- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection) ## Related topics From 342d800e1e5d09426f7801e1de4339da99dc75de Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 9 Sep 2020 14:37:28 -0700 Subject: [PATCH 40/42] add text per customer request --- .../microsoft-defender-atp/web-content-filtering.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index cc9c36fae9..2c2ed8bfbc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
@@ -76,10 +76,18 @@ To add a new policy: 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. 5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. + >[!NOTE] >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. ->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. +### Allow specific websites + +It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question. + +1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item** +2. Enter the domain of the site +3. Set the policy action to **Allow**. ## Web content filtering cards and details From fd019c2a946cd7d7d655c8120dbcf6096be9a0e5 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 9 Sep 2020 14:51:50 -0700 Subject: [PATCH 41/42] note per customer request --- .../microsoft-defender-atp/enable-network-protection.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index dbe7692a37..b54b1ac8a7 100644 
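Review bot: the relocated tip is now plain text ("Tip: You can deploy a policy without selecting any category...") while the alert directly below it keeps the `>[!NOTE]` syntax; use `> [!TIP]` so both callouts render the same way instead of dropping the alert style. In the new "Allow specific websites" steps, items 1 and 2 lack the closing period item 3 has, and the lead paragraph would be clearer if it said outright that an Allow indicator overrides the category block only for the device groups the indicator is scoped to, since "when it is applied to the device group in question" is easy to misread as tenant-wide.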
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -89,6 +89,9 @@ Use the following procedure to enable network protection on domain-joined comput 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +> [!NOTE] +> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus." + 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: * **Block** - Users can't access malicious IP addresses and domains * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains From 2fc1ed61b6b7f7004e251488d222dcb5b206bb50 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 9 Sep 2020 14:54:26 -0700 Subject: [PATCH 42/42] updating toc to match heading --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0ec64812e8..b43ed6868d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -97,7 +97,7 @@ #### [Network protection]() ##### [Protect your network](microsoft-defender-atp/network-protection.md) ##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md) -##### [Turning on network protection](microsoft-defender-atp/enable-network-protection.md) +##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md) #### [Web protection]() ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
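Review bot: the new `> [!NOTE]` block sits at column 0 between numbered steps 3 and 4; in Markdown an unindented blockquote ends the ordered list, so step 4 is likely to render as a fresh list starting at 1. Indent the note (three spaces) so it nests under step 3 and the numbering continues through the Block / Disable / Audit options that follow.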