From 16f717dc93507bf7e796d4b40727032f1bd3de27 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 26 Sep 2017 09:34:46 -0700 Subject: [PATCH 01/21] set up new topic --- windows/application-management/TOC.md | 1 + ...ange-history-for-application-management.md | 14 +++++-- windows/application-management/index.md | 1 + .../manage-windows-mixed-reality.md | 37 +++++++++++++++++++ 4 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 windows/application-management/manage-windows-mixed-reality.md diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 35f3b14372..5adf6e1def 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -1,6 +1,7 @@ # [Manage applications in Windows 10](index.md) ## [Sideload apps](sideload-apps-in-windows-10.md) ## [Remove background task resource restrictions](enterprise-background-activity-controls.md) +## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 3aca385415..a8a4c9a073 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md 
@@ -1,20 +1,26 @@ --- -title: Change history for Configure Windows 10 (Windows 10) +title: Change history for Application management in Windows 10 (Windows 10) description: This topic lists changes to documentation for configuring Windows 10. keywords: ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerms -ms.date: 09/15/2017 +ms.date: 10/17/2017 --- -# Change history for Configure Windows 10 +# Change history for Application management in Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topic has been added: + +- [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) + ## September 2017 | New or changed topic | Description | | --- | --- | diff --git a/windows/application-management/index.md b/windows/application-management/index.md index b42c674d12..e96291a634 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md 
@@ -21,6 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients. |---|---| |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| | [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. | +| [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. | |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | |[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md new file mode 100644 index 0000000000..511bcad1fd --- /dev/null +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -0,0 +1,37 @@ +--- +title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +description: Learn how to enable or block Windows Mixed Reality apps. +keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +author: jdeckerms +ms.author: jdecker +ms.date: 10/17/2017 +--- + +# Enable or block Windows Mixed Reality apps in the enterprise +**Applies to** + +- Windows 10 + +intro + +## enable + +Setting up Mixed Reality on Enterprise Network +To enable downloading Windows Mixed Reality software (feature on demand package), IT admin need to do the following. +Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) +4016509 +3180030 +3197985 + +Enterprises that use RS3 client will not be able to install FOD directly from WSUS. Instead, the enterprise IT admin/user will need to user one of the two options listed below to install Windows Mixed Reality software. +Have user manually install the Mixed Reality Software +IT admin can create Side by side feature store (shared folder) using instructions here: +https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx + +## block + +Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. 
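Review bot: in the change-history hunk the `title:` and the H1 are renamed to "Application management in Windows 10", but the `description:` line still reads "This topic lists changes to documentation for configuring Windows 10." and the body still links "[Configure Windows 10](index.md)"; rename both to match, otherwise the page contradicts its own title.

Review bot: the new manage-windows-mixed-reality.md is a raw draft and should not merge as-is: the front-matter key `keyboards:` should be `keywords:`; "intro", "## enable" and "## block" are placeholders; and the body carries internal working notes ("I'm double checking with WSD to confirm the KB numbers", "please file a doc bug ...", "assign to Maricia – cpub writer for CSP") that must be stripped before publishing. The three KB numbers need the "KB" prefix and list markup, and the AppLocker CSP paragraph should be rewritten as admin-facing instructions for blocking the Mixed Reality Portal rather than a task description.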
From f7ef92ddd0c51969eb7c98e20b8ff09563b2888d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 27 Sep 2017 06:26:10 -0700 Subject: [PATCH 02/21] sync --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 511bcad1fd..6a7151bd3a 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -16,7 +16,7 @@ ms.date: 10/17/2017 - Windows 10 -intro +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). ## enable From 463d37d65b5e2d3c4836087e898e8b4e32ea08a0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 28 Sep 2017 07:24:16 -0700 Subject: [PATCH 03/21] sync --- .../manage-windows-mixed-reality.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 6a7151bd3a..4c7ed498e8 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -16,12 +16,13 @@ ms.date: 10/17/2017 - Windows 10 -Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). -## enable -Setting up Mixed Reality on Enterprise Network -To enable downloading Windows Mixed Reality software (feature on demand package), IT admin need to do the following. + +## Enable Windows Mixed Reality in WSUS + +To enable users to download Windows Mixed Reality software (feature on demand package), IT admin need to do the following. Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) 4016509 3180030 
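Review bot: the intro added in this hunk links `[enable Windows Mixed Reality](#enable)` and `[block the installation of the Mixed Reality Portal](#block)`, but the same hunk renames the heading to "## Enable Windows Mixed Reality in WSUS", so the generated anchor becomes `#enable-windows-mixed-reality-in-wsus` and the `#enable` link breaks (the `#block` link only works while the "## block" placeholder heading survives). Update the links together with the headings. The draft remark "(I'm double checking with WSD to confirm the KB numbers)" is still present in the unchanged context and still needs removing.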
@@ -31,7 +32,14 @@ Enterprises that use RS3 client will not be able to install FOD directly from WS Have user manually install the Mixed Reality Software IT admin can create Side by side feature store (shared folder) using instructions here: https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx - + + + ## block Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. + + +## Related topics + +- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality) \ No newline at end of file From 9fbf3bdbe21d48224af63660b27458a75849d82b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 2 Oct 2017 10:22:14 -0700 Subject: [PATCH 04/21] enable WMR w/WSUS --- .../manage-windows-mixed-reality.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 4c7ed498e8..bab211b8e7 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -12,6 +12,7 @@ ms.date: 10/17/2017 --- # Enable or block Windows Mixed Reality apps in the enterprise + **Applies to** - Windows 10 
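Review bot: the "## block" section visible as unchanged context in this hunk is still the internal task note ("please file a doc bug ...", "assign to Maricia"), so after this patch the page still gives an admin nothing to act on for blocking; turn the AppLocker CSP link into admin-facing steps before publishing. The file also ends with `\ No newline at end of file`; add the trailing newline while touching this section.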
@@ -22,16 +23,16 @@ Windows 10, version 1709 (also known as the Fall Creators Update), introduces [W ## Enable Windows Mixed Reality in WSUS -To enable users to download Windows Mixed Reality software (feature on demand package), IT admin need to do the following. -Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) -4016509 -3180030 -3197985 +To enable users to download the Windows Mixed Reality software, enterprises using WSUS can approve Windows Mixed Reality package by unblocking the following KBs: + +- KB4016509 +- KB3180030 +- KB3197985 -Enterprises that use RS3 client will not be able to install FOD directly from WSUS. Instead, the enterprise IT admin/user will need to user one of the two options listed below to install Windows Mixed Reality software. -Have user manually install the Mixed Reality Software -IT admin can create Side by side feature store (shared folder) using instructions here: -https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx +Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software: + +- Manually install the Mixed Reality Software +- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) From 76f3adf608368e8089f2ff1899cea438b335ee87 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 5 Oct 2017 06:07:03 -0700 Subject: [PATCH 05/21] update link --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index bab211b8e7..4a9f219c07 100644 
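Review bot: the rewrite drops the client-version qualifier and now contradicts itself: the first paragraph says enterprises using WSUS can enable the software by approving KB4016509, KB3180030 and KB3197985, and the next paragraph says "Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS." The removed lines tied the KB approval to "Creator's Update clients" and the WSUS limitation to "RS3" clients; restate which client version each paragraph applies to. The bullet "Manually install the Mixed Reality Software" is not actionable without saying where the software is obtained or which Settings path starts the install.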
--- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -17,7 +17,7 @@ ms.date: 10/17/2017 - Windows 10 -Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). From 4f8b3beca8f3eb65dabbe4bc90f18cada5ad1371 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 10 Oct 2017 10:02:53 -0700 Subject: [PATCH 06/21] Updated deny rules --- .../deploy-code-integrity-policies-steps.md | 554 ++++++++++++++++-- 1 file changed, 490 insertions(+), 64 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8b11311fb6..3af32baedf 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -76,7 +76,9 @@ Certain software applications may allow additional code to run by design. These Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. -Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: +For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. + +Microsoft recommends that you block the following icrosoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: ``` @@ -94,9 +96,6 @@ Microsoft recommends that you block the following Microsoft-signed applications - - - @@ -113,7 +112,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - + @@ -123,43 +122,257 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
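Review bot: typo in the new `+` line: "icrosoft-signed" should be "Microsoft-signed". The added sentence "For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules." should also say what an admin with an already-merged policy must do (re-merge the updated deny policy with Merge-CIPolicy so the hash rules replace the earlier version rule). Note that the deny-rule bodies are not visible in this rendering (the `+` and `-` lines in the policy hunks are empty), so the individual hash entries cannot be reviewed here.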
@@ -178,21 +391,20 @@ Microsoft recommends that you block the following Microsoft-signed applications - - - - - - - - - - - - - - - + + + + + + + + + + + + + + @@ -219,19 +431,233 @@ Microsoft recommends that you block the following Microsoft-signed applications - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + v 0 From 0f7ccbfe983dcdde62d5e307957b9e6bd87535c0 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 10 Oct 2017 10:17:41 -0700 Subject: [PATCH 07/21] Fix typo --- .../device-guard/deploy-code-integrity-policies-steps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 3af32baedf..8c523bb65d 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
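Review bot: the last hunk of this patch (`@@ -219,19 +431,233 @@`) ends with a stray `+ v` line inserted just before the closing `0` line of the policy; a bare `v` inside the policy XML will make the file fail to parse when an admin merges it with Merge-CIPolicy. Remove it (patch 08 in this series does so, but it should not have been committed in the first place).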
@@ -78,7 +78,7 @@ Microsoft recommends that you install the latest security updates. The June 2017 For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. -Microsoft recommends that you block the following icrosoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: ``` From 7d724f797976896c6adeedde639da77559ccab4c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 10 Oct 2017 11:32:05 -0700 Subject: [PATCH 08/21] added visualuiaverifynative.exe --- .../device-guard/deploy-code-integrity-policies-steps.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 8c523bb65d..ca63dd6b20 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -122,6 +122,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -405,6 +406,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -657,7 +659,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - v + 0 From fe4f3f71e01386820634ef0fd0b34eca43e01c77 Mon Sep 17 00:00:00 2001 
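Review bot: the commit message of patch 08 says only "added visualuiaverifynative.exe", but its third hunk (`@@ -657,7 +659,7 @@`) also removes the stray `v` line from the end of the policy; mention that fix in the message so the history explains why the policy was unparsable between patches 06 and 08. As with patch 06, the inserted rule lines are empty in this rendering, so the new entry itself cannot be checked here.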
From: Nicholas Brower Date: Tue, 10 Oct 2017 18:34:02 +0000 Subject: [PATCH 09/21] Merged PR 3675: Policy CSP bug fixes. [Bug 13932995](https://microsoft.visualstudio.com/OS/_workitems/edit/13932995) --- .../mdm/policy-csp-applicationmanagement.md | 7 ------- .../mdm/policy-csp-authentication.md | 7 ------- .../mdm/policy-csp-browser.md | 8 ++++---- .../mdm/policy-csp-experience.md | 7 ------- ...policy-csp-localpoliciessecurityoptions.md | 20 +++++++++---------- .../mdm/policy-csp-notifications.md | 7 ------- .../client-management/mdm/policy-csp-start.md | 10 +--------- .../mdm/policy-csp-wirelessdisplay.md | 7 ++++++- 8 files changed, 21 insertions(+), 52 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 7953580ab4..6f5802427e 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -496,13 +496,6 @@ ms.date: 09/29/2017

Allows disabling of the retail catalog and only enables the Private store. -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. - -

The following list shows the supported values: - 0 (default) – Allow both public and Private store. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d33bbd648c..9db44013c0 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -119,13 +119,6 @@ ms.date: 09/29/2017
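Review bot: the RequirePrivateStoreOnly hunk above deletes the IMPORTANT note that gave the `./User/Vendor/MSFT/Policy/Config/...` and `./User/Vendor/MSFT/Policy/Result/...` paths without replacing it, so the page no longer tells the reader that this policy is user-scoped. The Start hunk later in this patch replaces the same kind of note with "For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)"; do the same here and in the Authentication (AllowEAPCertSSO), Experience (AllowWindowsConsumerFeatures) and Notifications (DisallowNotificationMirroring) hunks so the scope information survives.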

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. - -

The following list shows the supported values: - 0 – Not allowed. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 2c7f399858..e31c570992 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/29/2017 +ms.date: 10/10/2017 --- # Policy CSP - Browser @@ -231,7 +231,7 @@ ms.date: 09/29/2017

To verify AllowAutofill is set to 0 (not allowed): -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Save form entries** is greyed out. @@ -1177,8 +1177,8 @@ Employees cannot remove these search engines, but they can set any one as the de check mark check mark - check mark - check mark + cross mark + cross mark diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 4dfcea0e83..8f2199edcd 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -736,13 +736,6 @@ ms.date: 09/29/2017
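Review bot: the two `check mark` to `cross mark` swaps in the search-engine table change which editions are documented as supporting the setting, but neither the hunk nor the commit message ("Policy CSP bug fixes") says which columns those are or why support is withdrawn; include the table header as context or state it in the commit message so the change can be verified against product behaviour. If the cross marks remove Mobile, that matches the step changed in the same file from "Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile." to "Open Microsoft Edge.", and the two edits should be called out together.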

This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. - - 

The following list shows the supported values: - 0 – Not allowed. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index f2c1e120e8..bb7fdbd8d7 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/29/2017 +ms.date: 10/05/2017 --- # Policy CSP - LocalPoliciesSecurityOptions 
@@ -999,17 +999,17 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +- 2 - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+- 3 - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +- 4 - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. Value type is integer. Supported operations are Add, Get, Replace, and Delete. 
@@ -1057,11 +1057,11 @@ This policy setting controls the behavior of the elevation prompt for standard u The options are: -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- 3 - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Value type is integer. Supported operations are Add, Get, Replace, and Delete. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index f85714b12c..4b0a9b5e62 100644 
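Review bot: in the standard-user elevation hunk the values are listed out of order (3, 0, 1); list them 0, 1, 3 as the administrator hunk above lists 0 to 5, and state the default (3) on its own line after the list so readers do not have to find "(Default)" mid-sentence. Apply the same explicit default line to the administrator hunk (default 5).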
--- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -64,13 +64,6 @@ ms.date: 09/29/2017

Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. - -

For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.

No reboot or service restart is required for this policy to take effect. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index f73f1b8331..03c3fb2ea4 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1536,15 +1536,7 @@ ms.date: 09/29/2017 > [!IMPORTANT] -> This node is set on a per-user basis and must be accessed using the following paths: -> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. -> -> -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: -> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. - +> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)

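Review bot: the replacement line in the Start hunk reads "In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis", but the sentence that stated the per-user scope was deleted in the same hunk, so "in addition" now refers to nothing; reword along the lines of "This node can be set on a per-user basis and, starting in Windows 10, version 1703, on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)." The new line is also missing its final period, and "per user-basis" should be "per-user basis".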
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 0d7ab2b543..e249ddea29 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -234,7 +234,12 @@ ms.date: 09/29/2017 -

Added in Windows 10, version 1703. +

Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. + +

Allowed values: + +- 0 - Wireless display input disabled. +- 1 (default) - Wireless display input enabled. From 2fc6b0b6aa73e86000a4baf4197ab60dc2ca0dda Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Tue, 10 Oct 2017 18:39:41 +0000 Subject: [PATCH 10/21] Merged PR 3678: Intro section added to Olympia enrollment guidelines. --- .../olympia/olympia-enrollment-guidelines.md | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index fddd959017..03d4f5f475 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
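Review bot: In the policy-csp-start.md hunk, the rewritten IMPORTANT note drops the explicit `./User/...` and `./Device/...` Config and Result paths and replaces them with a link to [Policy scope](./policy-configuration-service-provider.md#policy-scope); before merging, confirm that the linked section actually lists the User and Device paths for StartLayout, because the removed lines were the only place telling an admin that the node is per-user by default and which path the Result query uses. Two small fixes on the remaining line: "per user-basis" should read "per-user basis", and the sentence is missing its closing period after the link.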
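Review bot: In the policy-csp-wirelessdisplay.md hunk, the new "Allowed values" list documents the default (1, input enabled) but the description never states what that default means for a managed PC: with input enabled, a connected wireless display can send keyboard, mouse, pen and touch input back to the source device, which is exactly the property an administrator weighs when deciding to set 0. Suggest one sentence after the list along the lines of "Set this policy to 0 on devices where a wireless display must not be able to act as an input device for the source PC." so the hardening choice is stated rather than implied by the value names.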
@@ -6,10 +6,30 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/14/2017 +ms.date: 09/15/2017 --- -# Olympia Corp enrollment guidelines +# Olympia Corp + +## What is Windows Insider Lab for Enterprise and Olympia Corp? + +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. + +As an Olympia user, you will have an opportunity to: + +- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. + +\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice. + +For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). + +To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). + +## Enrollment guidelines Welcome to Olympia Corp. Here are the steps to add your account to your PC. 
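Review bot: In the olympia-enrollment-guidelines.md intro hunk, a few copyedits before merging: "Olympia Corp, a virtual corporation has been set up" needs a comma after "corporation"; "real world business" should be "real-world business"; and in the footnote "reduced, or different security, privacy, ..." the comma after "reduced" is stray ("reduced or different security, privacy, ..."). The product name in the feature list is written "APP-V" while the expanded form and the rest of the docs use "App-V"; keep one spelling. Also, the hunk moves ms.date only to 09/15/2017 although the PR is merged on 10 Oct 2017, so the date stamp will not reflect when the intro section was added.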
@@ -23,7 +43,7 @@ Choose one of the following two enrollment options: -## Keep your current Windows 10 edition +### Keep your current Windows 10 edition 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). @@ -57,7 +77,7 @@ Choose one of the following two enrollment options: -## Upgrade your Windows 10 edition from Pro to Enterprise +### Upgrade your Windows 10 edition from Pro to Enterprise 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). From 30179949d07fbcc564a64c722ab408cf70380839 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 10 Oct 2017 20:14:32 +0000 Subject: [PATCH 11/21] Merged PR 3684: Added clarification to subscription activation article Added clarification that Windows 10 Pro must be activated. --- .../deployment/deploy-enterprise-licenses.md | 21 +++++++++++++----- .../deployment/images/sa-pro-activation.png | Bin 0 -> 44736 bytes ...s-10-enterprise-subscription-activation.md | 4 ++-- 3 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 windows/deployment/images/sa-pro-activation.png diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index be1ce53781..e3e55cf21f 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 08/23/2017 +ms.date: 10/10/2017 author: greg-lindsay --- 
@@ -74,9 +74,9 @@ The following methods are available to assign licenses: Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? -### Step 1: Join users’ devices to Azure AD +### Step 1: Join Windows 10 Pro devices to Azure AD -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. **To join a device to Azure AD the first time the device is started** @@ -125,7 +125,18 @@ Now the device is Azure AD joined to the company’s subscription. Now the device is Azure AD joined to the company’s subscription. -### Step 2: Sign in using Azure AD account +### Step 2: Verify that Pro edition is activated + +Windows 10 Pro just be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. + + +Windows 10 Pro activated +
**Figure 7a - Windows 10 Pro activation in Settings**
+ +Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled. + + +### Step 3: Sign in using Azure AD account Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. @@ -133,7 +144,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b **Figure 8. Sign in by using Azure AD account** -### Step 3: Verify that Enterprise edition is enabled +### Step 4: Verify that Enterprise edition is enabled You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. 
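Review bot: In the deploy-enterprise-licenses.md Step 2 hunk, "Windows 10 Pro just be successfully activated" is a typo for "Windows 10 Pro must be successfully activated"; since this sentence is the whole point of the PR ("Added clarification that Windows 10 Pro must be activated"), it should be fixed before merge. The renumbering of the following headings to Step 3 and Step 4 is consistent with the inserted step, and the new closing line "Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled." states the prerequisite clearly.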
diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png new file mode 100644 index 0000000000000000000000000000000000000000..4066c45dad80974f9641c6475cde6c28f5c731ca GIT binary patch literal 44736
zcpfx#9!aIX(Q}JO>cmZ@fMd-@p~x}l)Vb!QEKOQ=`Kq2XNum}pQaVSq*1qgf zBkWvOM8YOHpsqFQS_;B&O8ZKeGqvvcCh0@-BvwPTJ?0q2u%OMV^pOS}RP_Y|r;>=v zy9%L8)v@G%6x$;I#brFEYJCDCq<(i#_(|2Fy~Cu9?q%%D|VD_>o?TeM%RMktCjH zOOgStE+*q{hbAF>$i_+w`bZoL8zz)PZV}~~fd5)qGF+rvTxO`6g!ED6;>gSM&iXo!j#$B*M~zr+xw6P+y&1Ku z&Dlo|xUFZupP;44c0|p$xmZX~O>me)v-R50v}shYFp6EksQ_W7gpuL7nX6_2FV|Pd zh>iM`kt8VtrPP_?JI_3}DDXGke?45Wt9pBW`Gq%yWo30Afw!d0$Z^5d0(4fJ&c4SBEGv3t~WI-2~S zV|>r#Vu_-HPliX<&U#T zx>;X1|JFmBArbICF}BAHN83hj8|w6PgHDw}#^SSI##UZ(@m@oGjMOvDWvZLugAeIDi1m&^c_l`e zkqg);6+3YysbnsUD#5J&!>I9{48bOmG^4iUu!@r2MQ2v{#l9s?ZSXwpb|Y2N^7WgP z{Vw8$DdSIrCi>HolLz`R^>Oph-wO^LuP$uKR+o2MurylW99W0gE6h=9L?|(`d+c?MF8Lw(s6hRx3cCX)0=h)Lw3YB& zY5hp<5uV=7K5~=6rBiP<(%{kPlOy`oW$LFqH}e)oO7=tW9LW76@a!cYtVLOF0gLE@ z`Hp>BD_ql!OH#U2sQspuX1~G{DCm*;kjjQ<<-t_)3;C!OCc!8dD^KOqK?Ek|%K4|! z{XhDkdr*!C0O(%ceJ*|p{E;(+nYVpcoMzO41aQK|f_obo$rA*C6c3hl#zjj0LJCRB zzS&!39l8U$-1jX2?vp1RYyiy~ZzvX(A_C9{6#%_2_ZjNJ&v-=DRTM0P1P)p>Q((rWxqEV?yP_1z{7MQyeuE9zE&w?EH<;xz z@rfkT-6#zIy*xAWI0u_1m<6RfHyw8{ufd3bC{hnpo&#DAcXR>}_XSlL8|+gWauETw zfU-1cTk?(8A+RgK-v+j$hZW#8#`_bp2&{KaU2NPDXw{gwBeWVSja@v--Cz2ULmn2? 
zV~Xv8O=5vYItGF|J3s--$^6kt0#buY+6+3UTajo55`|C-Uk=IC3?)Ow%z+4hw?Mg4 zB?@gOq=&J67VY-G00!nmL)TOfyv0Ux@oGy_EYWexC$~?|^c9z_SIk#go zP-S;*mlQ^|d?e0*3=F48@-HITx$T13inf4UFW&R}&10e?c*N&fP{El)`KsJu`0H0v zuYc?&aj#?}CA=va%Jh{NL?)_Ut`nIf-vqfS@}SW81*~cU$oqt5o2U*72sO{?B%4UR zwTi~?(iSk6bfV})aZz@Jb%3x=Io$U)q)bq*vS*UH4fWpLKNUFvPmAHhbrW(6&CT-p zRs>9TeVG_i8s2P}yw~8fuK?wmtDd9}Kk6|xRztF8@yykL_gIP8K>I4MHPl@WeMqBq3Yk<*91Wbm+}&-5jO)86@AB;4 z+H@Xpe-FkEpgMFM(ZV(rkQ8uEDE0wwYI*;mA};!W{02iFGsd&j2iA$O3GE;{_ph;JGkjl9)>&q0so@Q7hvXcR|GjS6?7wLu{Bw(^p zwxhf$FaugS8X=-W8`diHv^%Rd_BWF`Ji2wEe>JfCNSr_GN)(T`WNWBtOEqx5Bl(S; z^i(F14nMJP`O~twphCb;~b{=SzBg`GJ~jVz3vvGG$NDZisMcvB+O3 zGUh&cw!4<}_Tod<;fpak`hPOCn4tj?qM7LNzZ`N;MNL39<&JXu80g7i;4v+!uarhj zAHR*9fbEP!Vrgh?AQECG5NlCLD?QD^<+(_J4lNasCDTQn7%%9MmBC+iKrnvX{650G zDhRJO{Z`i-m9_~kjaZCj7KmT8JTl42hL-QEH9Dvp099HMh$ouAzU38ys2MYRg|yBC z^^Jk5y9cO{3{dU?Q}Y}ew6}b1y$Jde0ril;hs)m&Z+u{oER|}wLe8Xi8Q=dUe0zl! z&^I~Q^!uP?930OOUC}h0#W$qfR!1fu@7)&v@>%0{M(F{qw zF`)Zc0=>Hz4i`tnD`6*vF16lOL)1uI-mxSi93*rUk)f?tDO-2W{?F6A#>I*u?i7INHx))Q-M5KZOL2M0w{F_Z$J?CeIvP zHB$Tea1p$hG#oh?(6IWzJ`Nw{23D)jG@y|h@Hu#x2KAURow>_vHu?!AkQ|BgkXvgY zCB9F8eaatR80#eDRfCzlXwnl2Sq?aYt2;hJ|F=ymH|XONQ`C&7r&>C=Lv7$T^7l&1 z%=A=Mjk1wo`bqMgxc6^bhgmlNZO%QC7Zc>7tsm)F;^qc-uObW~8?=La<5nMvO%*gv z=q!ZjfQ_Yr9?@8>pmRpAk;~%Tgba2MQU>I?0jhfhzzqCZ0cM{Zib zZ*9KpD4I>Cgx=b_Yzw8E-%&{aXNvj^_JZnWPa*{D&J{jHI}|`r;#}?bV)^xY^`9Tj zDQzf*J?v3uZd|=S^Cz{!p1#vf^?%0w4A$2!IEqq!G?2(?L-ZQ4f6;PRZT9#3hO*sc zNihdd`B;;0SMe+cpGWGCJ2**Bs{6!tI|gbKt@TnqLL9;E+KW0Tck+vftR^A@1a0ST zOHkga?%OrN;n=-@oX}7op@=#1;L727M9yt0Wvvn$06|AL4A^FBRqb{<)Vgl9Va_WK zi^UMawhs&J7F}L^UtyVFv(3lHlVEGvr_4Zey=SLi;0wpCxo#k>3U#tqw(DzLUc?AD zDY8`p0-zKic^Rmf{lYsNGz@Rm>PJqclOS|R)>4>{L}N)xU1#_3mIHZVcHvuI(olud zN<`3w-8YcG04t>n%5z`(uB=&a^Lu$o;Y5cha^poWForUHTd6DWe-%FDvIqr3l4N3E znW?~rfTai$WvmK1=MO4o{XoO|b zVXQgtii(SXS#hE)%m^%%Q<3-#dAG%KAnMNmXhOn&?yxV*(Al152o?X2PnE(JgB)?e zr-8(xf7r>rp?^CK6vVvd#`^*w-q0YeQXrfdh8bldjPbe+S!4szfHWt|0pr7E@Qh^? 
z%CABEklTDf7|!rX|DeB~KJLP1dSkrOzxPvokvvrEXo`d!**L8`fl~wism`LJ%05{DiaYCIHxOXcyaUFMGq1+*G^&7k(UKZubf~rvrKq1;bcThZ3hNKW-1SK7z7gSXNfJSol{pK|w(C2Xl63?P;Ay zF6~nwUQ);dd?FTG+*1u?Re_)oiekSvP&3*=))4~VYyp(;WT=3WF!k|5<-knXUpn(l z6^X2Zh}5`T#7{WS{GDf!updBI#sm_S`wbHS_t7l*FHMvOB*8{#RNwfn^Qrm1@;~+{ z6_fuuumEeT=Z+B>xe0RH>MbeJy$0xEP=K9*Fi0*FaW*W0 z&#)K+{QY^#aQk+^@yqe)`lJ9Lsn2q9^uSvB6onJ0wDm4a^^O15vJSri5?eofqEjz` zzQv$NCo}q^cx#KRXYTA2^2@Sf(91k=kcK^ejBk=I?~L7-{jFmV8p@OBRgNLaQQx}Y zP{`02PysImVc4E2l&{H1WHT{ryA7KAK=$>hEs!ks>=snx_x;TYbU&YV$*&*QxVx#- zBOe;;O0g}55n@w*d@crjSWyR2Z7T^dA3KgVm!fxL+|F&J9Xk z3uqIO;YMNwRn=3iY6#oUFE7mg@C6c+LvxL));s+*jh?aQpq{P2vgSb^x^sY^G`qRcTT)M%{&j<13J&SndZs8|kHNd8; zz9ZTPuM{>5Hmw(m6>4j&DExma#??t*9oQ!=Wi3Z(8+7wlWa6586RZwk+@F{Myk@vFz<3)KX3eZ#Nz|{oWm~X z5Qq%qCy8h}WUNNyemUnKo%)#cXg8}Tv>)(1zGLoumWC3?H_bO{-=8Pnz0ht=LHQX2 z*42z0Xeh~^eE(RZCXEdy<>-t~ewryWvN0s`NLxAu-83eN35 z-{wV7Ky-y=J5B-sFWvTRN8cg{<-UVn5OCoheu5TC9pcm-hV*^uD*qJ7d&D;G8MBT# z8jk>9z;^q;V{zjU-6gIB7KOV6#l|8YQBWjY_7*aSWseJmk~g+--t#9FV?8 zr#c%5sxp_@e?k)Z=be!MpA7JSW0?PMROR%vR)sU1`6P7;-if&<-}5Sc^pKD)=g=Ov z^1t}KPwO{OOn=B2%#!62|58mg41U1ER-Wun@8Rnl_x{x*KH?zMAoZ$7P7Pe|(2MQI zZ#>^xm{}NHdcF4D#jMSHCX2VTjX18nc=}e#;McEnDTRS~LoFMJtrPY{#?MD*F!3Gy z?WwoVRaN7;`x*P`=N7{S2OyiYHcmHtim@O@%5Gv_7UufeP}^KR&K$epq0;RNJMH(I zfl9a$NY#4x)kZb^fa;NywOr%HMW30$oYV-FR-TE1?Y86dZJ5FZ<^@L16~Fcm;)oDB zSNmh}o_BGNd%;7)GbOjgPuReyW2g?_o|HVRA!XQJ>Ou`1{gR2Gi|bo4HQZSn4F1*a zgzhM9^yT0Be6D=fo&=c`#OScURHN5lO zy(Q9j6FYuJmMxvrIcrB-q#V|Pg=%wkh?mxy3%uaK)S7bOOz`%-g3bxA+;qlwN9S=Q z*1R)pmZiGwMbl!iiNbkowp`&hWytHV&hi#-U5*kqW+zmp%O&P2UwR|>x?uA@){S2F z%$2z=IN+6!C&FjY%U|XoT}4T9#tyU#^%7nF41oZjH_=vNI z64_KuIB;o=q|HMy00Us%tfZPRqq`Cmrh@yG7nGxSsr{>DB2lx-p-Xm~GR&ne ZukUueL()G@&{zfk4D^lligcVJ{s#pYLXrRg literal 0 HcmV?d00001 diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 9f6b5c02a8..f7b3ae116c 100644 
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 08/23/2017 +ms.date: 10/10/2017 author: greg-lindsay --- @@ -34,7 +34,7 @@ For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Win For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded +- Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded - Azure Active Directory (Azure AD) available for identity management - Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. From 82f3d9d64be674ccb73d9a7984f018d46da92af8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Oct 2017 13:41:41 -0700 Subject: [PATCH 12/21] Mixed Reality Portal & AppLocker CSP --- .../manage-windows-mixed-reality.md | 45 +++++++++++++++++- .../client-management/mdm/applocker-csp.md | 47 ++++++++++++++++++- 2 files changed, 89 insertions(+), 3 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 4a9f219c07..8918fb6977 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -31,14 +31,55 @@ To enable users to download the Windows Mixed Reality software, enterprises usin Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software: -- Manually install the Mixed Reality Software +- Manually install the Mixed Reality software - IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) ## block -Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. +You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. + +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. + +```xml + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." 
UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e0eb928b60..dce9633c00 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider. **ApplicationLaunchRestrictions** Defines restrictions for applications. -> **Note**   +> [!NOTE]   > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. 
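Review bot: the closing `</RuleCollection>>` in the new AppLocker example carries a stray second `>`, which leaves the embedded policy XML malformed; it should read `</RuleCollection>`. Two smaller points in the same hunk: the introductory sentence refers to `BinaryVersionRange="*"`, but the element in the example is written as `<BinaryVersionRange LowSection="*" HighSection="*" />`, so the prose should name the `LowSection` and `HighSection` attributes that actually carry the wildcard; and the new heading `## block` is lowercase and does not say what is blocked, where something like `## Block the Mixed Reality Portal` would match the wording of the topic title. Replacing the internal note ("please file a doc bug...") with real guidance is the right call.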
@@ -571,6 +571,10 @@ The following list shows the apps that may be included in the inbox. 906beeda-b7e6-4ddc-ba8d-ad5031223ef9 906beeda-b7e6-4ddc-ba8d-ad5031223ef9 + +Mixed Reality Portal + +Microsoft.Windows.HolographicFirstRun Money 1e0440f1-7abf-4b9a-863d-177970eefb5e 
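Review bot: the new inbox-app row lists `Microsoft.Windows.HolographicFirstRun` but appears to fill only one of the two identifier cells, while the neighbouring rows (`906beeda-b7e6-4ddc-ba8d-ad5031223ef9` and Money `1e0440f1-7abf-4b9a-863d-177970eefb5e`) supply both the product ID and the product name columns; check that the row has a cell for every column so the table does not shift, and state which column `Microsoft.Windows.HolographicFirstRun` belongs in, since that is the value an administrator will copy into the `ProductName` attribute of a `FilePublisherCondition`.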
@@ -856,6 +860,47 @@ The following example blocks the usage of the map application. ``` +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. + +```xml + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> + + + + + + + +``` + The following example for Windows 10 Mobile denies all apps and allows the following apps: - [settings app that rely on splash apps](#settingssplashapps) From e256b07ef7b44bf21a21fad520079adc11072fef Mon Sep 17 00:00:00 2001 
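Review bot: this example is the same block added to manage-windows-mixed-reality.md in this patch, including the stray `>` in `</RuleCollection>>` and the `BinaryVersionRange="*"` wording that does not match the `LowSection="*" HighSection="*"` attributes in the XML; carrying two copies means a fix to one will be missed in the other, so keep the canonical example here in the CSP reference and have the Mixed Reality topic link to it. Also, the lead sentence says the example "disables" the Mixed Reality Portal, while the rule's `Action="Deny"` blocks launching the packaged app; "blocks" matches both the rule and the wording of the preceding map example.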
From: Nicholas Brower Date: Tue, 10 Oct 2017 20:45:46 +0000 Subject: [PATCH 13/21] Merged PR 3685: Removing duplicate policies. --- .../policy-configuration-service-provider.md | 36 -- .../mdm/policy-csp-internetexplorer.md | 522 ------------------ 2 files changed, 558 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f0b176f45a..1ec70c933b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1148,9 +1148,6 @@ The following diagram shows the Policy configuration service provider in tree fo

InternetExplorer/DisableAdobeFlash
-
- InternetExplorer/DisableBlockingOfOutdatedActiveXControls -
InternetExplorer/DisableBypassOfSmartScreenWarnings
@@ -1325,9 +1322,6 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/InternetZoneNavigateWindowsAndFrames
-
- InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode -
InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
@@ -1337,9 +1331,6 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/InternetZoneUsePopupBlocker
-
- InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone -
InternetExplorer/IntranetZoneAllowAccessToDataSources
@@ -1373,9 +1364,6 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
-
- InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
InternetExplorer/IntranetZoneJavaPermissions
@@ -1727,9 +1715,6 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
-
- InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains -
InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
@@ -1745,9 +1730,6 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
-
- InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter -
InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
@@ -1796,18 +1778,9 @@ The following diagram shows the Policy configuration service provider in tree fo
InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
- InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls -
InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
-
- InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe -
-
- InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
InternetExplorer/TrustedSitesZoneJavaPermissions
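Review bot: this hunk removes both `InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe` and `InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe`. The two spellings duplicate each other, but deleting both leaves only `TrustedSitesZoneInitializeAndScriptActiveXControls` in the tree, so the "not marked as safe" variant of the policy disappears rather than being de-duplicated; keep one spelling (the one whose anchor the policy page still defines) or say in the commit message that the policy itself was dropped.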
@@ -3094,7 +3067,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) - [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) - [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) -- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols) - [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) - [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) - [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) 
@@ -3152,11 +3124,9 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) - [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) - [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode) - [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) - [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) - [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone) - [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) 
@@ -3168,7 +3138,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) - [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe) - [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) - [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) - [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) 
@@ -3286,13 +3255,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) - [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) - [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains) - [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) - [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) - [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) - [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) - [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter) - 
[InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) - [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) - [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) 
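Review bot: `InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter` is removed here, but nothing in the diff shows the entry it duplicates; the retained neighbours, `...ShowSecurityWarningForPotentiallyUnsafeFiles` and `...TurnOnProtectedMode`, are different controls. Since the commit is titled "Removing duplicate policies", the message should name the surviving entry for each removed one, or state that the policy is not exposed by the CSP, so readers of the change history know whether the XSS filter setting for the Restricted Sites zone is still configurable through MDM.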
@@ -3309,10 +3276,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) - [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) - [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols) - [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe) - [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) - [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) - [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 1a97e52c6c..f8d45a8179 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md 
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -110,9 +110,6 @@ ms.date: 09/29/2017
InternetExplorer/DisableAdobeFlash
-
- InternetExplorer/DisableBlockingOfOutdatedActiveXControls -
InternetExplorer/DisableBypassOfSmartScreenWarnings
@@ -287,9 +284,6 @@ ms.date: 09/29/2017
InternetExplorer/InternetZoneNavigateWindowsAndFrames
-
- InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode -
InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
@@ -299,9 +293,6 @@ ms.date: 09/29/2017
InternetExplorer/InternetZoneUsePopupBlocker
-
- InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone -
InternetExplorer/IntranetZoneAllowAccessToDataSources
@@ -335,9 +326,6 @@ ms.date: 09/29/2017
InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
-
- InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
InternetExplorer/IntranetZoneJavaPermissions
@@ -689,9 +677,6 @@ ms.date: 09/29/2017
InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
-
- InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains -
InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
@@ -707,9 +692,6 @@ ms.date: 09/29/2017
InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
-
- InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter -
InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
@@ -758,18 +740,9 @@ ms.date: 09/29/2017
InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
- InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls -
InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
-
- InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe -
-
- InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
InternetExplorer/TrustedSitesZoneJavaPermissions
@@ -2636,61 +2609,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* -- GP name: *VerMgmtDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* -
@@ -6090,61 +6008,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* -
@@ -6310,61 +6173,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* -
@@ -7052,61 +6860,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* -
@@ -14180,61 +13933,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* -
@@ -14510,61 +14208,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* -
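Review bot: this hunk and the three before it delete the Restricted Sites and Intranet Zone hardening controls (cross-site scripting filter, navigating windows and frames across domains, initialize and script ActiveX controls not marked as safe) whose GP names end in *_3*, *_7* and *_Both_Restricted*. Before merging, confirm against the CSP's DDF that these nodes really are unsupported, because removing the documentation for a deny-style control without a note leads administrators to assume the control is unavailable and to leave the zone at its default; if they are being removed because they are unsupported, a single change-history line listing the removed policy names would make that explicit.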
@@ -15522,61 +15165,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* -
@@ -15642,116 +15230,6 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP ADMX file name: *inetres.admx* - - -
- -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - -
- -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* -
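Review bot: the hunk header (61 lines removed, 0 added in the earlier hunks; 116 removed, 0 added here) shows that both spellings, InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe and ...NotMarkedSafe, are deleted, even though both carry the same GP name *IZ_PolicyScriptActiveXNotMarkedSafe_5* and the same ADMX path. If the intent was only to drop the duplicate, one of the two entries should be kept; if the intent is to drop the policy entirely, the index-list removal at the top of this diff covers only the NotMarkedSafe spelling, so check whether an index entry for the NotMarkedAsSafe spelling remains.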
From 4bfea5ae1990bffbec3509f1e6f85b8c8ce87526 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Oct 2017 13:56:20 -0700 Subject: [PATCH 14/21] fix heading --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 8918fb6977..ea252bae8e 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -36,7 +36,7 @@ Enterprises will not be able to install Windows Mixed Reality Feature on Demand -## block +## Block the Mixed Reality Portal You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. From 5c78b5344c5590cd68b4326ba1f343a66b45e868 Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Tue, 10 Oct 2017 23:19:08 +0000 Subject: [PATCH 15/21] Merged PR 3690: Fixing links. --- .../policy-configuration-service-provider.md | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1ec70c933b..1d7f9a2f02 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -458,6 +458,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Browser/AllowSmartScreen
+
Browser/ClearBrowsingDataOnExit
@@ -692,6 +695,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Defender/CloudExtendedTimeout
+
+ Defender/ControlledFolderAccessAllowedApplications +
+
+ Defender/ControlledFolderAccessProtectedFolders +
Defender/DaysToRetainCleanedMalware
@@ -710,12 +719,6 @@ The following diagram shows the Policy configuration service provider in tree fo
Defender/ExcludedProcesses
-
- Defender/ControlledFolderAccessAllowedApplications -
-
- Defender/ControlledFolderAccessProtectedFolders -
Defender/PUAProtection
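Review bot: the hunks at 695 and 719 are a pure relocation of the two Defender/ControlledFolderAccessAllowedApplications and Defender/ControlledFolderAccessProtectedFolders rows to their alphabetical position between CloudExtendedTimeout and DaysToRetainCleanedMalware; the removed and added rows should be byte-identical apart from position, so diff the two blocks once more before merge, since moved table rows are where link targets usually drift. The same applies to the LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode move further down.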
@@ -1871,9 +1874,6 @@ The following diagram shows the Policy configuration service provider in tree fo
LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
-
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
@@ -1889,6 +1889,9 @@ The following diagram shows the Policy configuration service provider in tree fo
LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
+
+ LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
@@ -2654,7 +2657,7 @@ The following diagram shows the Policy configuration service provider in tree fo System/DisableSystemRestore
- System/LimitEnhancedDiagnosticDataWindowsAnalytics + System/LimitEnhancedDiagnosticDataWindowsAnalytics
System/TelemetryProxy From 534a243873ad37d68f0eb7762428e8bf6a30101d Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Tue, 10 Oct 2017 23:20:39 +0000 Subject: [PATCH 16/21] Merged PR 3693: Added Olympia documentation to What's New. --- .../update/change-history-for-update-windows-10.md | 8 +++++++- .../update/olympia/olympia-enrollment-guidelines.md | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 8051af1421..9d6238e609 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 07/27/2017 +ms.date: 10/10/2017 --- # Change history for Update Windows 10 @@ -15,6 +15,12 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## September 2017 + +| New or changed topic | Description | +| --- | --- | +| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | + ## July 2017 All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 03d4f5f475..91d87362f3 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/15/2017 +ms.date: 10/10/2017 --- # Olympia Corp 
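Review bot: in the hunk at 2657 the removed and added System/LimitEnhancedDiagnosticDataWindowsAnalytics rows render identically, so the fix has to be inside the href and cannot be checked from this view. State the corrected anchor in the commit message (currently only "Fixing links") so the change is auditable without opening the rendered file.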
From 27118c71151c61ce4c6238b456219dc541c48916 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 10 Oct 2017 17:19:08 -0700 Subject: [PATCH 17/21] added that only RSA is supported --- .../deploy-code-integrity-policies-steps.md | 44 ++++++++++++------- ...certificate-for-code-integrity-policies.md | 4 +- 2 files changed, 31 insertions(+), 17 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index ca63dd6b20..a27db98ffe 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -16,19 +16,25 @@ author: brianlic-msft For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). -## Create a code integrity policy from a golden computer +## Create a code integrity policy from a reference computer -The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. +This section outlines the process to create a code integrity policy with Windows PowerShell. +For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. +Then create the code integrity policy by scanning the system for installed applications. +The policy file is converted to binary format when it gets created so that Windows can interpret it. > [!Note] -> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. 
+> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the code integrity policy. ### Scripting and applications -Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. -You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). +Each installed software application should be validated as trustworthy before you create a policy. +We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. +Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. +You can remove or disable such software on the reference computer. +You can also fine-tune your control by [using Windows Defender Device Guard in combination with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). -Members of the security community\* continuously collaborate with Microsoft® to help protect customers. 
With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies. +Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies. Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard: @@ -70,11 +76,15 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
>[!Note] ->This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. +>This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. -Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. +Certain software applications may allow additional code to run by design. +These types of applications should be blocked by your Windows Defender Device Guard policy. +In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. -Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. +Microsoft recommends that you install the latest security updates. +The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. +These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. 
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. @@ -681,7 +691,7 @@ To create a code integrity policy, copy each of the following commands into an e ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - > [!Notes] + > [!Note] > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
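Review bot: the rewrite drops "in-box" from "in-box PowerShell modules", which loses the point that these are modules shipped with Windows that cannot be uninstalled and therefore can only be blocked by hash. The paragraph then says the modules "must be blocked by their corresponding hashes" and that older versions of system.management.automation.dll are "revoked by hash values", but neither the hunk nor the surrounding text shows the hash values or links to where they are published; without them the guidance is not actionable. Suggest restoring "in-box" and adding a pointer to the published hash list or the deny rules that carry it.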
@@ -725,7 +735,7 @@ When code integrity policies are run in audit mode, it allows administrators to > [!Note] - > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. + > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. > - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. 
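Review bot: the link text is updated to "Create a code integrity policy from a reference computer" but the fragment stays `#create-a-code-integrity-policy-from-a-golden-computer`, while the earlier hunk at 16 renames the heading itself from "golden computer" to "reference computer". The auto-generated anchor follows the heading, so this link now points at a heading that no longer exists; change the fragment to `#create-a-code-integrity-policy-from-a-reference-computer` and grep the rest of the library for the old fragment.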
@@ -892,15 +902,17 @@ Now that this policy is in enforced mode, you can deploy it to your test compute ## Signing code integrity policies with SignTool.exe -Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, we recommend that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. +Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. +In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. +These policies are designed to prevent administrative tampering and kernel mode exploit access. +With this in mind, it is much more difficult to remove signed code integrity policies. +Before you sign and deploy a signed code integrity policy, we recommend that you [audit the policy](#audit-code-integrity-policies) to discover any blocked applications that should be allowed to run. -Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA. +Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. +If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules." -> [!Note] -> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. 
- To sign a code integrity policy with SignTool.exe, you need the following components: - SignTool.exe, found in the Windows SDK (Windows 7 or later) diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index dbd9304e45..de08418e65 100644 --- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -16,7 +16,9 @@ author: brianlic-msft As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). -If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: +If you have an internal CA, complete these steps to create a code signing certificate. +Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. +ECDSA is not supported. 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. From f56c7efd45cd8bffa1fc7c4c27b4fbfa1ad4fe11 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 11 Oct 2017 00:32:35 +0000 Subject: [PATCH 18/21] Merged PR 3696: typo: changed "just" to "must" typo --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
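Review bot: the removed [!Note] ("Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers") carried an operational safeguard that the rewritten paragraph does not preserve; the new text keeps "much more difficult to remove signed code integrity policies" and the audit recommendation, but testing on a subset before rollout is a different step from auditing and should be restored as a sentence in the paragraph. Separately, the unchanged context line `Set-RuleOption -FilePath -Option 9` shows -FilePath with no argument; if an angle-bracket placeholder was eaten by markdown it needs escaping, otherwise the example should read `Set-RuleOption -FilePath <path> -Option 9`.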
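Review bot: in the optional-create-a-code-signing-certificate hunk, "signatures must be PKCS 1.5 padded" names the scheme imprecisely; the padding is PKCS #1 v1.5 (RSASSA-PKCS1-v1_5), and "PKCS 1.5" can be misread as a standard version. Suggest "Only the RSA algorithm is supported for the code signing certificate, and signatures must use PKCS #1 v1.5 padding; ECDSA is not supported." Since this constraint determines which certificate template the reader picks in the CA steps that follow, it is worth repeating it next to the template selection step rather than only in the introduction.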
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index e3e55cf21f..acf2df0f24 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -127,7 +127,7 @@ Now the device is Azure AD joined to the company’s subscription. ### Step 2: Verify that Pro edition is activated -Windows 10 Pro just be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. Windows 10 Pro activated From 867cd85678870b7cd6e9dec3b5ec9da6b1280eb8 Mon Sep 17 00:00:00 2001 From: Elizabeth Ross Date: Wed, 11 Oct 2017 02:25:42 +0000 Subject: [PATCH 19/21] Merged PR 3697: Merge vs-wipheadingchanges to master Updated topic headings to appear in right nav --- .../create-wip-policy-using-sccm.md | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index af978f2b5a..3de0553a21 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md 
@@ -20,9 +20,6 @@ ms.localizationpriority: medium System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ->[!IMPORTANT] ->If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. - ## Add a WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. @@ -57,7 +54,7 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. -### Add app rules to your policy +## Add app rules to your policy During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. 
@@ -65,7 +62,7 @@ The steps to add your app rules are based on the type of rule template being app >[!IMPORTANT] >Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. -#### Add a store app rule to your policy +### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. **To add a store app** @@ -150,7 +147,7 @@ If you don't know the publisher or product name, you can find them for both desk } ``` -#### Add a desktop app rule to your policy +### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. **To add a desktop app to your policy** @@ -223,7 +220,7 @@ Path Publisher ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. -#### Add an AppLocker policy file +### Add an AppLocker policy file For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 
@@ -314,7 +311,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* The file is imported and the apps are added to your **App Rules** list. -#### Exempt apps from WIP restrictions +### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** @@ -339,7 +336,7 @@ If you're running into compatibility issues where your app is incompatible with 5. Click **OK**. -### Manage the WIP-protection level for your enterprise data +## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. 
@@ -356,7 +353,7 @@ We recommend that you start with **Silent** or **Override** while verifying with ![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) -### Define your enterprise-managed identity domains +## Define your enterprise-managed identity domains Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. @@ -367,7 +364,7 @@ You can specify multiple domains owned by your enterprise by separating them wit ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) -### Choose where apps can access enterprise data +## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). 
@@ -451,7 +448,7 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). -### Choose your optional WIP-related settings +## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. ![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) @@ -488,7 +485,7 @@ After you've decided where your protected apps can access enterprise data on you 2. After you pick all of the settings you want to include, click **Summary**. -### Review your configuration choices in the Summary screen +## Review your configuration choices in the Summary screen After you've finished configuring your policy, you can review all of your info on the **Summary** screen. **To view the Summary screen** 
@@ -515,7 +512,4 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file From e9d8099e619fb432f8da435f74358a28d1d1bb51 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 11 Oct 2017 06:10:45 -0700 Subject: [PATCH 20/21] fix --- windows/application-management/manage-windows-mixed-reality.md | 2 +- windows/client-management/mdm/applocker-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index ea252bae8e..69313ce229 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
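Review bot: the first hunk of create-wip-policy-using-sccm.md (@@ -20,9 +20,6 @@) deletes the `[!IMPORTANT]` block warning that a WIP policy created with Configuration Manager 1511 or 1602 must be recreated in 1606 or later because editing it is unsupported and there is no migration path, while the commit message only describes heading changes for the right nav. If that caveat is obsolete, say so in the message; otherwise keep it, since it is the only place an admin upgrading from those versions learns that the old policy cannot be edited.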
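Review bot: the last hunk of create-wip-policy-using-sccm.md (@@ -515,7 +512,4 @@) re-adds the guidance-and-best-practices link as the final line but still ends with "\ No newline at end of file"; terminate the file with a newline so the next edit to that list does not show up as a spurious change to this line. Dropping the `[!NOTE]` that points to CONTRIBUTING.md is also outside the heading change the message describes and should be mentioned there if it is being removed across the doc set.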
@@ -40,7 +40,7 @@ Enterprises will not be able to install Windows Mixed Reality Feature on Demand You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. -In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index dce9633c00..5ab0e0ff0b 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -860,7 +860,7 @@ The following example blocks the usage of the map application. ``` -The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml From 67c5dbeabbd0b7dc39d9f1b5f30c50d5d7df34f2 Mon Sep 17 00:00:00 2001 From: Elizabeth Ross Date: Wed, 11 Oct 2017 14:23:06 +0000 Subject: [PATCH 21/21] Merged PR 3699: Merge vs-wipheadingchanges to master Updated headings to appear in the right nav --- .../create-wip-policy-using-intune-azure.md | 24 +++++++++---------- .../create-wip-policy-using-intune.md | 20 ++++++++-------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 48b2f0abd2..7ce9d2ae5d 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
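Review bot: the correction from `BinaryVersionRange="*"` to `BinaryName="*"` in both hunks is right, since in an AppLocker FilePublisherCondition the executable name is the `BinaryName` attribute and the version bounds are the child `BinaryVersionRange` element, but the same sentence still calls that element **Binary/VersionRange**, which does not match the name used in the text being replaced; write it as `BinaryVersionRange` in both manage-windows-mixed-reality.md and applocker-csp.md. Since the two pages carry an identical paragraph, consider having one link to the other rather than maintaining two copies that have to be fixed in lockstep.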
@@ -50,7 +50,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif >[!NOTE] >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. -### Add apps to your Allowed apps list +## Add apps to your Allowed apps list During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. @@ -58,7 +58,7 @@ The steps to add your apps are based on the type of template being applied. You >[!Important] >Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. -#### Add a Recommended app to your Allowed apps list +### Add a Recommended app to your Allowed apps list For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list. **To add a recommended app** @@ -80,7 +80,7 @@ For this example, we’re going to add Microsoft Edge, a recommended app, to the ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) -#### Add a Store app to your Allowed apps list +### Add a Store app to your Allowed apps list For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list. **To add a Store app** @@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
-#### Add a Desktop app to your Allowed apps list +### Add a Desktop app to your Allowed apps list For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list. **To add a Desktop app** @@ -223,7 +223,7 @@ For this example, we’re going to add WordPad, a desktop app, to the **Allowed ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. -#### Import a list of apps to your Allowed apps list +### Import a list of apps to your Allowed apps list For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create a list of Allowed apps using the AppLocker tool** @@ -311,7 +311,7 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap The file imports and the apps are added to your **Allowed app** list. -#### Add exempt apps to your policy +### Add exempt apps to your policy If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** 
@@ -336,7 +336,7 @@ If you're running into compatibility issues where your app is incompatible with 4. Click **OK**. -### Manage the WIP protection mode for your enterprise data +## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. @@ -361,7 +361,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi 2. Click **Save**. -### Define your enterprise-managed corporate identity +## Define your enterprise-managed corporate identity Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. 
@@ -376,7 +376,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) -### Choose where apps can access enterprise data +## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). @@ -453,7 +453,7 @@ There are no default locations included with WIP, you must add each of your netw - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -### Upload your Data Recovery Agent (DRA) certificate +## Upload your Data Recovery Agent (DRA) certificate After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] 
@@ -468,7 +468,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) -### Choose your optional WIP-related settings +## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. **To set your optional settings** @@ -501,7 +501,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. -### Choose to set up Azure Rights Management with WIP +## Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md index b40ee0a441..b21ecd9232 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md 
@@ -33,7 +33,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) -### Add app rules to your policy +## Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -41,7 +41,7 @@ The steps to add your app rules are based on the type of rule template being app >[!Important] >Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. -#### Add a store app rule to your policy +### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. **To add a store app** @@ -118,7 +118,7 @@ If you don't know the publisher or product name, you can find them for both desk } ``` -#### Add a desktop app rule to your policy +### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. **To add a desktop app** @@ -191,7 +191,7 @@ In this example, you'd get the following info: ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. -#### Add an AppLocker policy file +### Add an AppLocker policy file For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 
@@ -282,7 +282,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* The file is imported and the apps are added to your **App Rules** list. -#### Exempt apps from WIP restrictions +### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** @@ -306,7 +306,7 @@ If you're running into compatibility issues where your app is incompatible with 5. Click **OK**. -### Manage the WIP protection mode for your enterprise data +## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**. 
@@ -320,7 +320,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi ![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) -### Define your enterprise-managed corporate identity +## Define your enterprise-managed corporate identity Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. @@ -330,7 +330,7 @@ You can specify multiple domains owned by your enterprise by separating them wit ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) -### Choose where apps can access enterprise data +## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). 
@@ -412,7 +412,7 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). -### Choose to set up Azure Rights Management with WIP +## Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
@@ -422,7 +422,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. -### Choose your optional WIP-related settings +## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. ![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png)
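Review bot: the JSON fragment shown in the @@ -150,7 +150,7 @@ context of create-wip-policy-using-intune-azure.md has a trailing comma after the `windowsPhoneLegacyId` value before the closing brace, which is not valid JSON; it is not part of this heading change, but since the file is touched here, drop the comma or show the surrounding keys if the fragment is an excerpt. The heading promotions themselves are consistent across both files: each `###` moved to `##` has its `####` children moved to `###` in the accompanying hunks.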