---
.../windows-autopilot-and-surface-devices.md | 4 ++--
...-windows-7-and-windows-server-2008-r2-sp1.yml | 10 ----------
...es-windows-8.1-and-windows-server-2012-r2.yml | 10 ----------
.../status-windows-10-1507.yml | 10 ++++++++++
...s-windows-10-1607-and-windows-server-2016.yml | 12 ++++++++++++
.../status-windows-10-1709.yml | 12 ++++++++++++
.../status-windows-10-1803.yml | 12 ++++++++++++
...s-windows-10-1809-and-windows-server-2019.yml | 12 ++++++++++++
.../status-windows-10-1903.yml | 12 ++++++++++++
.../status-windows-10-1909.yml | 12 ++++++++++++
...us-windows-8.1-and-windows-server-2012-r2.yml | 10 ++++++++++
.../status-windows-server-2012.yml | 10 ++++++++++
...ershell-cmdlets-windows-defender-antivirus.md | 16 ++++++++--------
13 files changed, 112 insertions(+), 30 deletions(-)
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index add490a9a7..1fbdba19cf 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -13,7 +13,7 @@ ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 02/13/2020
+ms.date: 02/14/2020
---
# Windows Autopilot and Surface devices
@@ -51,7 +51,7 @@ Surface partners that are enabled for Windows Autopilot include:
- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/)
-- [Bechtle](https://www.bechtle.com/backend/cms/marken/microsoft/microsoft-windows-autopilot)
+- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot)
- [Cancom](https://www.cancom.de/)
- [CDW](https://www.cdw.com/)
- [Computacenter](https://www.computacenter.com/uk)
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 8ae49f0e18..1a52dc5fb6 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -40,7 +40,6 @@ sections:
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details > | August 13, 2019
KB4512506 | Resolved External
| August 27, 2019
02:29 PM PT |
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503292 | Resolved
KB4512514 | August 17, 2019
02:00 PM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details > | August 13, 2019
KB4512506 | Resolved
KB4517297 | August 16, 2019
02:00 PM PT |
- System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493472 | Resolved External
| August 13, 2019
06:59 PM PT |
"
@@ -106,12 +105,3 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512514.
Back to top | June 11, 2019
KB4503292 | Resolved
KB4512514 | Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT |
"
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
Back to top | April 09, 2019
KB4493472 | Resolved External
| Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 3ad99d98ca..44809071a4 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -37,7 +37,6 @@ sections:
Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.
See details > | September 10, 2019
KB4516067 | Resolved
KB4516041 | September 24, 2019
10:00 AM PT |
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details > | June 11, 2019
KB4503276 | Resolved
KB4512478 | August 17, 2019
02:00 PM PT |
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details > | August 13, 2019
KB4512488 | Resolved
KB4517298 | August 16, 2019
02:00 PM PT |
- System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.
See details > | April 09, 2019
KB4493446 | Resolved External
| August 13, 2019
06:59 PM PT |
"
@@ -84,12 +83,3 @@ sections:
Devices starting using PXE from a WDS or SCCM servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512478.
Back to top | June 11, 2019
KB4503276 | Resolved
KB4512478 | Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT |
"
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- | Details | Originating update | Status | History |
- | System may be unresponsive after restart with certain McAfee antivirus products Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms: - Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
Back to top | April 09, 2019
KB4493446 | Resolved External
| Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PT |
-
- "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index df76e08bd1..3846d88d01 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details > | N/A
February 11, 2019
KB4502496 | Mitigated
| February 15, 2020
12:02 AM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 10240.18368
October 08, 2019
KB4520011 | Mitigated External
| November 05, 2019
03:36 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | OS Build 10240.18094
January 08, 2019
KB4480962 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -72,6 +73,15 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ You might encounter issues with KB4502496You might encounter issues trying to install or after installing KB4502496.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4502496 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 349276ccd7..0fcc5e9d8c 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -60,6 +60,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details > | OS Build 14393.2608
November 13, 2018
KB4467691 | Resolved External
| January 23, 2020
02:08 PM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 14393.3274
October 08, 2019
KB4519998 | Mitigated External
| November 05, 2019
03:36 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | OS Build 14393.2724
January 08, 2019
KB4480961 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -74,6 +76,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 68f5967f84..bb6904a30e 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,6 +60,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details > | OS Build 16299.1387
September 10, 2019
KB4516066 | Resolved
KB4534318 | January 23, 2020
02:00 PM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 16299.1451
October 08, 2019
KB4520004 | Mitigated External
| November 05, 2019
03:36 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | OS Build 16299.904
January 08, 2019
KB4480978 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -73,6 +75,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index d5408f495b..42a74822e9 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details > | OS Build 17134.1006
September 10, 2019
KB4516058 | Resolved
KB4534308 | January 23, 2020
02:00 PM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 17134.1069
October 08, 2019
KB4520008 | Mitigated External
| November 05, 2019
03:36 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | OS Build 17134.523
January 08, 2019
KB4480966 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -77,6 +79,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 7beb2e9c30..a6c69b9a7e 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details > | OS Build 17763.737
September 10, 2019
KB4512578 | Resolved
KB4534321 | January 23, 2020
02:00 PM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 17763.805
October 08, 2019
KB4519338 | Mitigated External
| November 05, 2019
03:36 PM PT |
Devices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
See details > | OS Build 17763.437
April 09, 2019
KB4493509 | Mitigated
| May 03, 2019
10:59 AM PT |
@@ -78,6 +80,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index c37a9ca547..cb7133af96 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
See details > | N/A
| Mitigated External
| November 25, 2019
05:25 PM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | OS Build 18362.418
October 08, 2019
KB4517389 | Mitigated External
| November 05, 2019
03:36 PM PT |
@@ -76,6 +78,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
index 5d5aa24d52..631a1ea8d9 100644
--- a/windows/release-information/status-windows-10-1909.yml
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details > | N/A
February 11, 2019
KB4524244 | Mitigated
| February 15, 2020
12:02 AM PT |
Issues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
See details > | N/A
| Mitigated External
| November 25, 2019
05:25 PM PT |
"
@@ -75,6 +77,16 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ | “Reset this PC” feature might fail Using the “Reset this PC” feature, also called “Push Button Reset” or PBR, might fail. You might restart into recovery with “Choose an option” at the top of the screen with various options or you might restart to your desktop and receive the error “There was a problem resetting your PC”.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Workaround: The standalone security update, KB4524244 has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update.
If you have installed this update and are experiencing this issue, the following steps should allow you to reset your device: - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
- Upon restart use the “Reset this PC” feature and you should not encounter this issue.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+ You might encounter issues with KB4524244You might encounter issues trying to install or after installing KB4524244.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4524244) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4524244 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | N/A
February 11, 2019
KB4524244 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 596f76e9d2..8a62e5b48c 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details > | February 11, 2020
KB4502496 | Mitigated
| February 15, 2020
12:02 AM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | October 08, 2019
KB4520005 | Mitigated External
| November 05, 2019
03:36 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
See details > | April 25, 2019
KB4493443 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | January 08, 2019
KB4480963 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -73,6 +74,15 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ You might encounter issues with KB4502496You might encounter issues trying to install or after installing KB4502496.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | February 11, 2020
KB4502496 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index c83ea0923f..95f21c394f 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
+ You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details > | February 11, 2020
KB4502496 | Mitigated
| February 15, 2020
12:02 AM PT |
TLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details > | October 08, 2019
KB4520007 | Mitigated External
| November 05, 2019
03:36 PM PT |
Japanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
See details > | April 25, 2019
KB4493462 | Mitigated
| May 15, 2019
05:53 PM PT |
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details > | January 08, 2019
KB4480975 | Mitigated
| April 25, 2019
02:00 PM PT |
@@ -73,6 +74,15 @@ sections:
"
+- title: February 2020
+- items:
+ - type: markdown
+ text: "
+ | Details | Originating update | Status | History |
+ You might encounter issues with KB4502496You might encounter issues trying to install or after installing KB4502496.
Affected platforms: - Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
- Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To help a sub-set of affected devices, the standalone security update ( KB4502496) has been removed and will not re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog. Note This does not affect any other update, including Latest Cumulative Updates (LCUs), Monthly Rollups or Security Only updates.
If this update is installed and you are experiencing issues, you can uninstall this update. - Select the start button or Windows Desktop Search and type update history and select View your Update history.
- On the Settings/View update history dialog window, Select Uninstall Updates.
- On the Installed Updates dialog window, find and select KB4502496 and select the Uninstall button.
- Restart your device.
Next steps: We are working on an improved version of this update in coordination with our partners and will release it in a future update.
Back to top | February 11, 2020
KB4502496 | Mitigated
| Last updated:
February 15, 2020
12:02 AM PT
Opened:
February 15, 2020
12:02 AM PT |
+
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 80c59d0658..8631d5a627 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -23,27 +23,26 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx).
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic.
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic.
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-
## Use Windows Defender Antivirus PowerShell cmdlets
-1. Click **Start**, type **powershell**, and press **Enter**.
-2. Click **Windows PowerShell** to open the interface.
-3. Enter the command and parameters.
+1. In the Windows search bar, type **powershell**.
+2. Select **Windows PowerShell** from the results to open the interface.
+3. Enter the PowerShell command and any parameters.
> [!NOTE]
> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -53,6 +52,7 @@ To open online help for any of the cmdlets type the following:
```PowerShell
Get-Help -Online
```
+
Omit the `-online` parameter to get locally cached help.
## Related topics
From 2d1defac6dfff34147a78d4811868994edfcba5b Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 17 Feb 2020 09:41:07 +0500
Subject: [PATCH 06/28] Update
windows/client-management/advanced-troubleshooting-802-authentication.md
Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../advanced-troubleshooting-802-authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 84a600c394..c80e2a92b7 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snapp-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select select the **Authentication methods** section.
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snapp-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication methods** section.
From ebb61c760520b00a343e1fe8e93f742bc25de554 Mon Sep 17 00:00:00 2001
From: erroltuparker
Date: Mon, 17 Feb 2020 15:52:14 +1000
Subject: [PATCH 07/28] Fixed scripting issue
Merge-CIPolicy command had a mistype causing the line to fail
---
.../create-wdac-policy-for-lightly-managed-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 6fc44116aa..309ad25451 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -117,7 +117,7 @@ Alice follows these steps to complete this task:
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
From c78f53e5549f44a4fd508fd8d37b5f4eed24492d Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 18 Feb 2020 09:31:14 +0500
Subject: [PATCH 08/28] Update
windows/client-management/advanced-troubleshooting-802-authentication.md
Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../advanced-troubleshooting-802-authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index c80e2a92b7..6b16e86cd0 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snapp-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication methods** section.
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication methods** section.
From 6659a973fcd597a0b60779ab127daf03994c8239 Mon Sep 17 00:00:00 2001
From: krupatms
Date: Tue, 18 Feb 2020 14:06:21 -0800
Subject: [PATCH 09/28] Test, updated Caps
---
.../microsoft-defender-atp/web-content-filtering.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 14439573d7..18f9157dbd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro
Learn more at https://www.cyren.com/products/url-filtering.
-### Cyren permissions
+### Cyren Permissions
"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
@@ -168,4 +168,4 @@ You need to be logged in to an AAD account with either App administrator or Glob
- [Web protection overview](web-protection-overview.md)
- [Web threat protection](web-threat-protection.md)
- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
\ No newline at end of file
+- [Respond to web threats](web-protection-response.md)
From be53411407c09d761fbc5ae2e65983b97f844702 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 18 Feb 2020 17:28:38 -0800
Subject: [PATCH 10/28] Indented note, added a period
---
.../create-wdac-policy-for-lightly-managed-devices.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 309ad25451..d25131d06d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
- All clients are running Windows 10 version 1903 or above;
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+ > [!NOTE]
+ > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM).
- Some, but not all, apps are deployed using MEMCM;
- Most users are local administrators on their devices;
From 365c262952440ed2f97619e90ad2f52ba8098b3e Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Wed, 19 Feb 2020 16:34:34 +0500
Subject: [PATCH 11/28] Update
windows/client-management/advanced-troubleshooting-802-authentication.md
Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../advanced-troubleshooting-802-authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 6b16e86cd0..124846eb32 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication methods** section.
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
From 944a11cad7654d549b9ccf7c717d98d19fc842d5 Mon Sep 17 00:00:00 2001
From: rogersoMS <44718379+rogersoMS@users.noreply.github.com>
Date: Wed, 19 Feb 2020 23:15:04 +0930
Subject: [PATCH 12/28] Multiple corrections required (see notes)
@Dansimp
1) This note is contradictory - need to clarify this:
"> [!NOTE]
> Device credential group policy setting is not supported for enrolling into Microsoft Intune. "
2) We should remove all references to "Primary Domain Controller" (PDC) - it's not the 90's with Windows NT 4.0 anymore !
3) "Restart the Domain Controller for the policy to be available."
A reboot is not required
4) "Enforce a GPO link"
This is in contradiction with our recommended practices. We should not be suggesting this.
---
...-windows-10-device-automatically-using-group-policy.md | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 4ced3aefe8..36ba902151 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -120,9 +120,6 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
The default behavior for older releases is to revert to **User Credential**.
-> [!NOTE]
-> Device credential group policy setting is not supported for enrolling into Microsoft Intune.
-
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
@@ -174,7 +171,7 @@ Requirements:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
-> 2. Install the package on the Primary Domain Controller (PDC).
+> 2. Install the package on the Domain Controller.
> 3. Navigate, depending on the version to the folder:
> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
@@ -182,14 +179,13 @@ Requirements:
> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
> (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
-> 6. Restart the Primary Domain Controller for the policy to be available.
+> 6. Restart the Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
-5. Enforce a GPO link.
## Troubleshoot auto-enrollment of devices
From 6c352ba5598a0362510da4aa4e9ccaf0ad005734 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 07:55:54 -0800
Subject: [PATCH 13/28] Created SCEP Whitepaper and added it to TOC
---
devices/hololens/TOC.md | 1 +
devices/hololens/scep-whitepaper.md | 77 +++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
create mode 100644 devices/hololens/scep-whitepaper.md
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index d1c0ab596f..eb7e69cdbd 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -62,6 +62,7 @@
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
## [Hololens services status](hololens-status.md)
+## [SCEP Whitepaper](scep-whitepaper.md)
# [Release Notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
new file mode 100644
index 0000000000..cc43bdc285
--- /dev/null
+++ b/devices/hololens/scep-whitepaper.md
@@ -0,0 +1,77 @@
+---
+title: SCEP Whitepaper
+description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
+ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
+author: pawinfie
+ms.author: pawinfie
+ms.date: 02/12/2020
+keywords: hololens, Windows Mixed Reality, security
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: high
+appliesto:
+- HoloLens 1 (1st gen)
+- HoloLens 2
+---
+
+# SCEP Whitepaper
+
+## High Level
+
+### How the SCEP Challenge PW is secured
+
+We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
+
+We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
+
+## Behind the scenes
+
+### Intune Connector has a number of responsibilities
+
+1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
+
+1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
+
+1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
+ >[!NOTE]
+ >The connector communication with Intune is strictly outbound traffic.
+
+1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
+
+ 1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
+ >[!NOTE]
+ >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
+
+ 1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
+
+ 1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
+ >[!NOTE]
+ >The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
+
+ 1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
+
+ 1. The mobile device must be enrolled in Intune. If not, we reject the request as well
+
+ 1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
+
+ 1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
+ >[!NOTE]
+ >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
+
+ 1. The mobile device talks only to the NDES URI
+
+ 1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
+
+ 1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
+ >[!NOTE]
+ > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
+
+1. Connector traffic with Intune cloud service consists of the following operations:
+
+ 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
+
+ 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
+
+1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
+
From 2d68b6dad706c24b1e5d43a82ad0bb383165b014 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:01:05 -0800
Subject: [PATCH 14/28] created faq security doc and added it to TOC
---
devices/hololens/TOC.md | 1 +
devices/hololens/hololens-faq-security.md | 124 ++++++++++++++++++++++
2 files changed, 125 insertions(+)
create mode 100644 devices/hololens/hololens-faq-security.md
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index eb7e69cdbd..3e6b5f8706 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -61,6 +61,7 @@
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
+## [Frequently Asked Security Questions](hololens-faq-security.md)
## [Hololens services status](hololens-status.md)
## [SCEP Whitepaper](scep-whitepaper.md)
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md
new file mode 100644
index 0000000000..ae9f0de47c
--- /dev/null
+++ b/devices/hololens/hololens-faq-security.md
@@ -0,0 +1,124 @@
+---
+title: Frequently Asked Security Questions
+description: security questions frequently asked about the hololens
+ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
+author: pawinfie
+ms.author: pawinfie
+ms.date: 02/19/2020
+keywords: hololens, Windows Mixed Reality, security
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: high
+appliesto:
+- HoloLens 1 (1st gen)
+- HoloLens 2
+---
+
+# Frequently Asked Security Questions
+
+## HoloLens 1st Gen Security Questions
+
+1. **What type of wireless is used?**
+ 1. 802.11ac and Bluetooth 4.1 LE
+1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
+ 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
+ 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
+1. **What is FCC ID?**
+ 1. C3K1688
+1. **What frequency range and channels does the device operate on and is it configurable?**
+ 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
+ 1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
+1. **Can the device blacklist or white list specific frequencies?**
+ 1. This is not controllable by the user/device
+1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
+ 1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
+1. **What is the duty cycle/lifetime for normal operation?**
+ 1. 2-3hrs of active use and up to 2 weeks of standby time
+ 1. Battery lifetime is unavailable.
+1. **What is transmit and receive behavior when a tool is not in range?**
+ 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
+1. **What is deployment density per square foot?**
+ 1. This is dependent on your network infrastructure.
+1. **Can device use the infrastructure as a client?**
+ 1. Yes
+1. **What protocol is used?**
+ 1. HoloLens does not use any proprietary protocols
+1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
+ 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
+1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
+ 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
+1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
+ 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
+1. **What is the frequency of updates to apps in the store for HoloLens?**
+ 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
+1. **Is there a secure boot capability for the HoloLens?**
+ 1. Yes
+1. **Is there an ability to disable or disconnect peripheral support from the device?**
+ 1. Yes
+1. **Is there an ability to control or disable the use of ports on the device?**
+ 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
+1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+ 1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
+ 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
+ 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
+1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
+ 1. No
+1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
+ 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
+ 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
+1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
+ 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
+
+## HoloLens 2nd Gen Security Questions
+
+1. **What type of wireless is used?**
+ 1. 802.11ac and Bluetooth 5.0
+1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
+ 1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
+ 1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
+1. **What is FCC ID?**
+ 1. C3K1855
+1. **What frequency range and channels does the device operate on and is it configurable?**
+ 1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
+1. **Can the device blacklist or white list specific frequencies?**
+ 1. This is not controllable by the user/device
+1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
+ 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules.
+1. **What is the duty cycle/lifetime for normal operation?**
+ 1. *Currently unavailable.*
+1. **What is transmit and receive behavior when a tool is not in range?**
+ 1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
+1. **What is deployment density per square foot?**
+ 1. This is dependent on your network infrastructure.
+1. **Can device use the infrastructure as a client?**
+ 1. Yes
+1. **What protocol is used?**
+ 1. HoloLens does not use any proprietary protocols
+1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
+ 1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
+1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
+ 1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
+1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
+ 1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
+1. **What is the frequency of updates to apps in the store for HoloLens?**
+ 1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
+1. **Is there a secure boot capability for the HoloLens?**
+ 1. Yes
+1. **Is there an ability to disable or disconnect peripheral support from the device?**
+ 1. Yes
+1. **Is there an ability to control or disable the use of ports on the device?**
+ 1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
+1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
+ 1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
+ 1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
+1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
+ 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
+1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
+ 1. No
+1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
+ 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
+ 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
+1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
+ 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
From a24b15f4e699d9dad2c4af096ba2e28768d53b8c Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:03:00 -0800
Subject: [PATCH 15/28] added audiance to FAQ seucirty and
---
devices/hololens/hololens-faq-security.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md
index ae9f0de47c..b56e555f7d 100644
--- a/devices/hololens/hololens-faq-security.md
+++ b/devices/hololens/hololens-faq-security.md
@@ -9,7 +9,9 @@ keywords: hololens, Windows Mixed Reality, security
ms.prod: hololens
ms.sitesec: library
ms.topic: article
+audience: ITPro
ms.localizationpriority: high
+manager: bradke
appliesto:
- HoloLens 1 (1st gen)
- HoloLens 2
From 26281a7f4c315bf4e2a2ed3047df152fcceb0510 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:05:37 -0800
Subject: [PATCH 16/28] added audiance. Format changes
---
.../hololens-commercial-infrastructure.md | 23 ++++++++++---------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md
index 568bbe92e5..f241deb9fc 100644
--- a/devices/hololens/hololens-commercial-infrastructure.md
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
+audience: ITPro
manager: bradke
appliesto:
- HoloLens (1st gen)
@@ -50,12 +51,12 @@ HoloLens does support a limited set of cloud disconnected experiences.
### HoloLens Specific Network Requirements
-Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
+Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly.
### Remote Assist Specific Network Requirements
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
-**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
+**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements
@@ -65,17 +66,17 @@ Guides only require network access to download and use the app.
## Azure Active Directory Guidance
>[!NOTE]
->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
+>This step is only necessary if your company plans on managing the HoloLens.
1. Ensure that you have an Azure AD License.
-Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
+Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information.
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
-1. We suggest that users who will be need similar licenses are added to a group.
+1. We suggest that users who need similar licenses are added to the same group.
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
@@ -100,10 +101,10 @@ These steps ensure that your company’s users (or a group of users) can add dev
### Ongoing device management
>[!NOTE]
->This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
+>This step is only necessary if your company plans to manage the HoloLens.
Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
-1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)).
+1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled.
@@ -144,7 +145,7 @@ Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololen
### Certificates
-You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
+You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you.
Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
@@ -161,8 +162,8 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. Check your app settings
1. Log into your Microsoft Store Business account
- 1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”*
- 1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
+ 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”**
+ 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
@@ -183,4 +184,4 @@ Certificates can be deployed via you MDM (see "certificates" in the [MDM Section
## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md)
-## Next Step: [Enroll your device](hololens-enroll-mdm.md)
+## Next Step: [Enroll your device](hololens-enroll-mdm.md)
\ No newline at end of file
From d7cd34b946c29c47c0e085d4762da2da8090d534 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:09:19 -0800
Subject: [PATCH 17/28] Minor changes and added audience
---
devices/hololens/hololens-licenses-requirements.md | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md
index 7636395a6b..3f398e81e7 100644
--- a/devices/hololens/hololens-licenses-requirements.md
+++ b/devices/hololens/hololens-licenses-requirements.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
+audience: ITPro
manager: bradke
appliesto:
- HoloLens (1st gen)
@@ -35,16 +36,6 @@ You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for
- Acquire a HoloLens Enterprise license XML file
- Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade)
-Some of the HoloLens configurations you can apply in a provisioning package:
-
-- Apply certificates to the device
-- Set up a Wi-Fi connection
-- Pre-configure out of box questions like language and locale
-- (HoloLens 2) bulk enroll in mobile device management
-- (HoloLens v1) Apply key to enable Windows Holographic for Business
-
-Follow [this guide](hololens-provisioning.md) to create and apply a provisioning package to HoloLens.
-
### Remote Assist License Requirements
Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
@@ -68,4 +59,5 @@ Updated licensing and device requirements can be found [here](https://docs.micro
Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
-## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
\ No newline at end of file
+## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
+
From f2447b6da59b96007c7f614400d258f31515fb5b Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:37:07 -0800
Subject: [PATCH 18/28] minor change to provisioning doc
---
devices/hololens/hololens-provisioning.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 7eefba6e17..392032737a 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -54,7 +54,7 @@ Provisioning packages can include management instructions and policies, customiz
### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
-2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
+2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
### 2. Create the Provisioning Package
From 5673bc21779b3e6a6b79362b199f6dd7252eeda9 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:43:29 -0800
Subject: [PATCH 19/28] removed a space
---
devices/hololens/hololens-licenses-requirements.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md
index 3f398e81e7..c89587c100 100644
--- a/devices/hololens/hololens-licenses-requirements.md
+++ b/devices/hololens/hololens-licenses-requirements.md
@@ -59,5 +59,4 @@ Updated licensing and device requirements can be found [here](https://docs.micro
Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
-## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
-
+## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
\ No newline at end of file
From e328cb2b81710414f3669a5b5455aea117604e22 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:46:00 -0800
Subject: [PATCH 20/28] addded content to FAQ
---
devices/hololens/hololens-FAQ.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index a183165e4a..a75a6e8676 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -43,6 +43,7 @@ This FAQ addresses the following questions and issues:
- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
+- [HoloLens Management Questions](#hololens-management-questions)
- [How do I delete all spaces?](#how-do-i-delete-all-spaces)
- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
@@ -204,6 +205,21 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
[Back to list](#list)
+## HoloLens Management Questions
+
+1. **Can I use SCCM to manage the HoloLens?**
+ 1. No. An MDM must be used to manage the HoloLens
+1. **Can I use Active Directory to manage HoloLens user accounts?**
+ 1. No, Azure AD must be used to manage user accounts.
+1. **Is the HoloLens capable of ADCS auto enrollment?**
+ 1. No
+1. **Can the HoloLens participate in WNA/IWA?**
+ 1. No
+1. **Does the HoloLens support branding?**
+ 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios)
+1. **What logging capabilities are available on HL1 and HL2?**
+ 1. Are the logging capabilities on HL1/HL2 similar to Windows computers?
+
## How do I delete all spaces?
*Coming soon*
@@ -215,3 +231,4 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
*Coming soon*
[Back to list](#list)
+
From 83e7b41be7335b95530609609c83ca2743cfd874 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:48:55 -0800
Subject: [PATCH 21/28] whitespace edits
---
devices/hololens/TOC.md | 2 +-
devices/hololens/hololens-FAQ.md | 1 -
devices/hololens/scep-whitepaper.md | 1 -
3 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 3e6b5f8706..c93f45cfd9 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -61,7 +61,7 @@
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
-## [Frequently Asked Security Questions](hololens-faq-security.md)
+## [Frequently asked security questions](hololens-faq-security.md)
## [Hololens services status](hololens-status.md)
## [SCEP Whitepaper](scep-whitepaper.md)
diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index a75a6e8676..ace8a93088 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -231,4 +231,3 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
*Coming soon*
[Back to list](#list)
-
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
index cc43bdc285..438ea3c34a 100644
--- a/devices/hololens/scep-whitepaper.md
+++ b/devices/hololens/scep-whitepaper.md
@@ -74,4 +74,3 @@ We then pass that to the device and then the device generates it’s CSR and pas
1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
-
From 440bc999d01aafb0939c45fe863ffd4b45332c14 Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:50:40 -0800
Subject: [PATCH 22/28] edit security link and added expectation
---
devices/hololens/hololens-requirements.md | 44 ++++++++++++++---------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 9487a2f331..8216a270ff 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -13,14 +13,16 @@ ms.date: 07/15/2019
# Deploy HoloLens in a commercial environment
-You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
+You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
+
+This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md)
## Overview of Deployment Steps
1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
1. [Determine what licenses you need](hololens-licenses-requirements.md)
1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
- 1. This section includes bandwidth requirements, URL and Ports that need to be whitelisted on your firewall, Azure AD guidance, Mobile Device Management Guidance, app deployment/management guidance, and certificate guidance.
+ 1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
1. [Enroll Device](hololens-enroll-mdm.md)
1. [Set up ring based updates for HoloLens](hololens-updates.md)
@@ -40,37 +42,35 @@ Kiosk mode is a way to restrict the apps that a user has access to. This means t
**What Kiosk Mode do I require?**
-There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
+There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
-1. **Do different users who are require different experiences/restrictions?** Example, User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to guides… etc.
+1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides.
1. If yes, you will require the following:
- 1. Azure AD Accounts as the method of signing into the devices.
- 1. Multi-app kiosk mode.
+ 1. Azure AD Accounts as the method of signing into the device.
+ 1. **Multi-app** kiosk mode.
1. If no, continue to question two
1. **Do you require a multi-app experience?**
- 1. If yes, Multi-app kiosk is mode is needed
- 1. If your answer to question 1 and 2 are both no, Single-app kiosk mode can be used
+ 1. If yes, **Multi-app** kiosk is mode is needed
+ 1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used
-**How to set up Kiosk Mode**
+**How to Configure Kiosk Mode:**
There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
### Apps
-This deployment guide will cover the following types of apps:
+The majority of the steps found in this document will also apply to the following apps:
1. Remote Assist
2. Guides
3. Customer Apps
-Each step in this document will include instructions for each specific app.
-
### Type of identity
Determine the type of identity that will be used to sign into the device.
1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device.
-2. **MSA:** This will be a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
+2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device.
### Determine your enrollment method
@@ -87,17 +87,27 @@ Determine the type of identity that will be used to sign into the device.
More information can be found [here](hololens-enroll-mdm.md)
-### Determine if you need a provisioning package
+### Determine if you need to create a provisioning package
-There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device, however, there are some scenarios where using a provisioning package is the better choice:
+There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice:
-1. You want to skip the Out of Box Experience (OOBE)
+1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE)
1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package.
+Some of the HoloLens configurations you can apply in a provisioning package:
+
+- Apply certificates to the device
+- Set up a Wi-Fi connection
+- Pre-configure out of box questions like language and locale
+- (HoloLens 2) bulk enroll in mobile device management
+- (HoloLens v1) Apply key to enable Windows Holographic for Business
+
+If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md).
+
## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md)
## Get support
Get support through the Microsoft support site.
-[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
\ No newline at end of file
+[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
From e252ae3f830c9b3e050ff56229b30af87fd4ea9e Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:53:09 -0800
Subject: [PATCH 23/28] added audience
---
devices/hololens/hololens-requirements.md | 1 +
devices/hololens/scep-whitepaper.md | 1 +
2 files changed, 2 insertions(+)
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 8216a270ff..f856f571e8 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -6,6 +6,7 @@ ms.sitesec: library
ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
author: scooley
ms.author: scooley
+audience: ITPro
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
index 438ea3c34a..06b7527960 100644
--- a/devices/hololens/scep-whitepaper.md
+++ b/devices/hololens/scep-whitepaper.md
@@ -9,6 +9,7 @@ keywords: hololens, Windows Mixed Reality, security
ms.prod: hololens
ms.sitesec: library
ms.topic: article
+audience: ITPro
ms.localizationpriority: high
appliesto:
- HoloLens 1 (1st gen)
From 4d04dafeec038f6de6c0e3602627a8e6defafc6b Mon Sep 17 00:00:00 2001
From: Payge Winfield
Date: Wed, 19 Feb 2020 08:55:49 -0800
Subject: [PATCH 24/28] added image
---
.../hololens/images/mdm-enrollment-error.png | Bin 0 -> 76632 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 devices/hololens/images/mdm-enrollment-error.png
diff --git a/devices/hololens/images/mdm-enrollment-error.png b/devices/hololens/images/mdm-enrollment-error.png
new file mode 100644
index 0000000000000000000000000000000000000000..77b695d1cfa73afb96f83a8e8b0b7ef58d30f65c
GIT binary patch
literal 76632
zcmYJa19T-#)GmBtOpJ+bBGOWa5c!XJXr!*tTu+#CP8B{@?wpSEIVt>b0tO
z)yA`*{aZ;v5)mF39smF!N=u2U007`Z|DG3Nq5oZbsui#Q-N0N_Bt-z#Q~0OUF^4aBdC9UI7caM7XW}D?7tH%_VCsW0Qf4B786$U(7*UN^d^)}VTjoh-1qC8
zc9{;_&IUR{w|BIsT{z>6xhJohng44^w(0-cY6_0&c)cmh{y4GKW|Moj)wmMB`ux=u
z_xyFr-sHqc00AoRlRjAb%U55nbd%c#6Z-X1JL3^%3D+Qvf>VTQ*4_hWfgm2>GWfNMm^l5!kJ~;@c^#70R&WAw=4X`(H{Jp0HX9cP1
zPOiU3-toyywppP=)Mt8Ssa_ar>
z$G%igrXhqHBiR?(a*S{%s1ZwTsXxlel!0TjXVj#wfr6-kd5-ez<&$|lv-=O{r*=Z5
zy?fx81e@M>HPzJ;NzLD4{@*lmMf^Dc1#V&t!YEagRYeH2
zh*t8KbP&2^g)-Z)v3|Joc?i}MtwX0RiM`>yMc;HFT{m!uu~6EsQb)S3iz!N)ReZRM
za1fvkim?8_pEm!+_6khxwN@g4%j3X3unK0BA;u_TiB1zvzC}RA@C-BxwzMT{EK1;`Sk)SkBsjdZ1;d%RH0`8LH$Ic*`)pO{7+JYy6x4~4#%1%+Px?%Y
zj=|>+q|7>z|3{qemsh&?2UXd|k2dsB1fn1yR&^g%H8jgihpeGnVx`MHzdlk|dp;4v
z;mikI&{u}Oc;$Z9c2Bvde|D2M@#1aco#lCJe`+369UfFm>IB#Q_36Fg
z4O%g7&l49K0gRsyNJEOVAcxfX>KKKZXw62SYqHqCbI~ixhzJ|Shaf;D=Ry>-*-!~m
zVIFUcDCqxKPy32G8!GjFr|4;a-YPb@s}Zd`p*4#3Mty5)c4Ru)y73M(
z{=kjoKz~y@lH4*>bhW`!IIj^;6o-Wcd`LdfO(J2crY4%LMs!=?E8w~^ZJqs%GUXWSBCPotsP&%aeK`zTL|q8=?fiSgZuH7cEUFt0fq+hFS*p$jl{&lJG-Y!2!`WxM
zi;Add|AszWzn@iYc+MrVAShyg0Qp`gbD%#wlonQj7S#|8yxk;E5(soX&~`&b)G+R!
zONSIfbh_Pjsi2Y#SJ)YvGWo5!ET-Lz($Cy|K00B;PJl&0jp$KlJt*=%-}4EP(c%zx
z{!GX+tII&3srFnG4(dl1;Q
z%uZf%Z?J#Nv%GSu_&i1AG
z=OH-`T=_`rx4k`WN3sFdtFpM%cLt)cgUeSgw894u^~;e;*|B+s%eVXGx)i%pVPd7J
zleLGdB&lrCyrnxO({uWEl_}aP6?R4f4uc3W2Csm%pkw}`B5#Ft
z$kVhMGifD-vJyxxdK?<4CrE}SO%
z**&C#b*~9b{j{j}k=)-VoBwo|Ro~9vN(p+GFRG~G55|W0V@lf9uyW^3O|IJy$9RQ`
z`Ho&TU-5?}g`WSX6@8`3Ap#cOR!0ADRW)#LD)pSDEpe}|+Q5=7l=+&4q;Z>pe}Y~#
z(;7^noZ)3FP0s6{rL^!03B)mrgr|Mde^pl6_S1XmY_Z7KDOB+l{W9P#7ocs1#SG+-
zmn9gNUe)4*c4AdA24{t2Yg!8;-|x+QNV#$bnQ;-w3)bnevVjYN%eyumDCP|hGpi)h
zdNM#rl0uTyrK3`i9RAtwAUEIoIbBxbD211t+$IW7g+l&0SngcQ=awiTR7@jR^dsd1
z77OXR_p*d3im6ONwSX;f@j%hKlSeDGN|rKTIkA}QnS4@CioL04tehTEu(T|#wU4(p
z^M%}?iensnCMQQbP;>&YG-Y%#Z9MJ6U%x^Iq0Guj(%U*LokgYK$p
zW0G3xzqvJ8n2pQMLKFX-Z;^Pl`>goVan8pPCp?@Nn_lLz)=s1py_9Vb<}f>CtL#`S
z4SIvWeGgEuDvzBPU)_eXhP2PZkjD(S5&t>oDy>PY8m`S#bBJPyDp=zg@sZ|oHhES4
z>)=>}{(5ntHg?JD^w5k42@p|B|6~t5G`ZcpaYg#c=N8aNJ~uY$J?CI8Dk+e?a|T?r
z#)>>on5)%t|If=f?VqiI7CLL>V5Q1K4PWUo0SdhJ`x{OK(|E)u#uD>3ME&WLAY&1?
z8%hxhx;5P>s4*9&S0AQP!~x?5C+aBb^q3j4nhb=*k)YHhvxo98LN-0LfkZu-m|-pW
z{83WNlkk$koUD{)G@@FCgIAKJBGb-FM3Yzgv|{;ZIGmiI5B2a;uSZ$|`g$uq_KL;#
zu5@y+nSPLs{s(4a%iympbOS(mFYC$hV81SNo~n!OmVZ(}P-mTek^*9KH%6{CC@GmMZ|n2FATuBm&NM0CEjGo}TP8G5$FOOvO4?6MhQ`ZmJWq4_x~fTYPO=oP
zlj`{u%u7wRl8R&OE4PobGMuw@*LgHU-KbN(Dhw+vW=6!d(b=+D?GAJ=CjgW?NBIE{
zs&)&~i+&!1tTrfl=_=3F>|I&a7*qKE3tAcyo?JbQkWOR7C=@SdiqrO=;W_r{QI!sGm0V5~
zH1;wY-yxjjfZvBtef4u{2Y7sm04nfJ7(>+Kdq~yTGS3txbLbIg2P1iM8|KdJZ$n&*
z5yP$~3?~Q!8?~-aCNTn(6=Si4cP#zeMv8j}{XeDkst%BvYR?mbuZg$^vb1Vyvb|jCl5hK4(#}iXpoI@5
zWg}o$Ik5j#b@
zMp$fO!X~UPMg2-_H=+f@qQ#=hdWR%u!_|ZhHCaQ-GxU>d)CnC4|3rAUR;_#KjNQ7X
zO8{@KUz?Ryd|9#_8XP;NHsYpACXQumt84&zFBgt0KGvO&{9ZPqC%CI|zG>&t5(cp0
zY;)QMH^k=Z;w{MRHdI%AYA32!v?idbBajtwz
ztWoBbP=m2ljJ9H3qn>tnEnyYE$!!+V;j~8r
zFodF2Ub-zv!hmyVX!5P9q*Sq!2mt4m4wJ3o#_iPV8Fq3S+6)LyW2ZYGSnd_yI3HV^
zff91p?6Lnk4`&>02Vz
zP`-;w#7C#Ij6C0M^|=L@x`A9_O2C+2oLw1?`f0S5OwC+4cVua!+P=noO=l6h8Z=BL
z_wf`!8tiNi5AHwL_ch>Q9iUYCQ^4B?*)Ee^BsF)Pv?FiDoMxe`%P7XYRB$2x(u$N8
zA1_4trFCdk`KVe(&Chu(Q}dsX@jb=h#~~$-OX|>3>9=5NdPte
zMyU2H+i{(Rq{8!$z-pMyZ8j@P*-3s{20%JZ;s8{H!u(sZP2(8gr+*x8xx`A0^+vII
zs=wB8ptYU0HAvU=h7Nu*Oc@VnO(hR8#o4zh5VMo^qzM%
z6bwqH=$gQO6`2!eb$oxo)QpKmAKsmi7VlBuDfem9!Z95ww1v1k7@0e7rOnRF5gp5&
zGJh^O=t5IeNtkWa2Uf1vA`6cX#49G^QQScTRIIOEu1Sg?%lT3mJ^h*>j~-T+DU7I3
zv247(R$?=CM_4Z;GuK|+xCPAfs_&bFlg=z)Fx-ELBC)Q9^
zzM^6e2_BY`n>}ft?kCOcf9lRCSQWPj2ZEs{hg)Gk
zc>AgHkogSwO}N$Z+g*@dI5oyDURBR@QAblp$z~1b~$aJ4#^u)?e#6&=0^#|4a
zV(lE6n63vl-L*)cfs^|H+nI)v`&M+ya#u!1Ha_PQ916;l!^drocjvdF>yT&nDSb;I)IXi
zE_j2oFMX5aKv>@%c<02Fu&^|@NVDhW?-KXBh8!s8O7}F+rWDLR%(0F4cLc@@>ygNv
z0gfDY7sLD3oiOcI!#Eb`5x>cyyrJo!eYQa6dI8t%!!k
zcjx>2T{u`Tt^?b^uc`y*e6+5ZD&TS#WrecW(ryCG?;ww5*0ixhjL@RkXKQ5!FYOrnianK)dwa%win1mdZLl_>_XJ)*
z|3zV)AyKxfZG_AgLcjf(cs|oOZJ|t0Cq83^mvVhqA7F9yM%)xZsMD`7Fq~n{I(0V%
zIBcCq+jv*WULhZ1m*Tpc@
z$kb?_H(X6>Z-k8Kt2j{nI*x)o#~7%>$UR7mN?PxLnR-CV%NfK|9`2>!$s?>Lu*|KT
z6grmAYE5|SmTBGAQqbAwDym@5!KaRyM8|nlfe^j*`1?Qbgyf_LGC+lJQ~d3_{7m;@
z>_{G33j9pHba;zheX6K?W=={$JcU`tVm$F>Y4Olx#0(A5rpp}0;o;H#U6IX7tVC3==G5z;iXDd
zZE2FJT;51=Su_^g3$X_R4){pT%Kms&3uXN>t}%m7G246hv4-Q7IveEs+`z3aFXKH>
z-AcU`!PTZh==OCHiJDePXrmaF_}N73jMVsSPh|lbr~PJe-RiI3i6sTw0btmi?(|F5
z`XLpmOntJ0C6Gx8U=mC74JFTxXA@5NyuRSlF2nhg&$&i-8-rZVFSrW1ys^NN>D|2$
zI%--P)hFnHW`^_#Ny(g@R}aVHZn+*;cI+@M@zCB6ixM
z0SFy{txr7iH>*<7fu!0%AS|p5=c$|0=KE!O1SHBs^8VjV-B$0nl*u%!h0N5{AYh3C
zF$oEnsAR0@_OBoomm>uHl@=_VQ=DchxvGok!y;!L4G~Opd??xiY91K91#uu?n&B1OpKkrkZ;uV^yChE(<&|jqu$cb>56u+Oh6T<
z-FMF+2IqscpRO3(r{P36B>=uds8+W}XlG!gYo?(V5Sjj03Q(O`Ue*d|yAb*IlW^}W
zdHv?ilzFoeAI-q?#gohTl`VxqHx!jjB2Vzpb0{i(rP~CCkl#9}UFb9v8~ZE{B=pe6c*XpdX*tDfBEG&*23}_GPf~grts7aEs|2k{v8+PkEgL);W5`
zs?<(FV{WGW%EpZaV{RCuU#pU&A7SnpYy}$ZzA2|_cYG;v8=34|qXDtzM
zc(8wT{On)e_6yUv)G=N?gOVEei4baq2BR!oj9{LR2*?W@b6xIc09F5u)#`DFxgy{0
z>s$ri?8gf39mixdXN9&u_mWuNh`PMLNfMcCy@z*^@{+hUOCxevY4=!Yn|9Rs$6;T2G*9L>`&eCZOgvK6&(Y?TJ|XUTY9
zfsf8$$?k?=4utM<$lbDBJMm@%y?&d>;X*Bo&FxbpGk%NfH=@tt#We7Hp%Hj{rDJ=&
z$h{rx`DA*(s*nKrb`jmaEN}1LPxqK}ukE}}@*bov;$(tZFSNo<@hM13_@SmS{s`x&
z%E%`;FPjeN#uhNA=W)M`3Ek!tyQh?|^E$LXIKadqj&DnXb2KLup_Y=C_)ruaI-!YF
zI>XFUrL=9ZW^$g-&C^}iu-q<3M0A4WwBH(9aoV5hd_e}asZvGZbHW9MA&GWyFx@kzmOUQzSHbo5}`-`Ga8a`8;OI{23hPm|GRkyJTqtgyd21maBSu-tPsC
zFEbu*68$&xSF~}=xa0{3%@7Z7Za9429f*vy=LF87ly%+bCWKc!Pn2R?XY(+R`G;aB
zdGnka1V*NrjIb?`6G3n@I|ih+*gUqum$TOE%?zQ4ctht#Credy-5*Cbjh44$&30O0
zfdwLx&NPDTi!6CUCjQ3vtUkBbUxviYJ$bNjkim9q%_f~17gRyat|ur@@dBWy^_tn8
zj#sTNYfPDlNV`xe@99nfK{PCiov>@XokGP=xX11{45E+mVbIBbDClAR$gVBVt@fA$tndlv4TMJ)C9aBiN)L-y-gEGe27
zYvv}?D~-h$XY8YC#rFbxO(i9>$=1TK!zNZg4d{(jUYx^Q?eUYunUK!*_V=j*uIW71S
z-uuEjH{Vd}Xa%m*Xd}7|{sHs+cVt#U*Y9>!)AC&uXuH~mCk`o#o1{#DOO4Ts9M&b*
zkq}S^{?c~3Qt!vl(|j82&{G{7L%?H<{kV>Ox7_6-`94!C@cMWW(LfbL%Flpk;P=>c
zN)IN5sG%42{eMu7nVKyK(@ecd>k~gnEJecnz*jT|-KM^}`D3NO%C(aK<-at+gkjBy
zxr?mu3$U!k%|w9_ii-BDBh(QQ^(wZT^#p<+E4bM_&%NdBcyT_*g!RsMN*ekx_4R19
zd9L{U?(m5vQKE@Q21XA9`5p-w*6_mX_yuw$xEVM!!@GsNGv(q`av5CH2s1bFWR9Q_
z)Z*0Wxq8-^v2Tu-Lx>Yu{F$MJVBaS)V=GhtSsy!IKik!zsF#;<&0AI=I;I-vg*&~~
z@fBMF885&*y1RdLUlKKji_9%qHTFeP1b$3ViX;FsYftcpWk+)b@C~|lF!;(ccGnK0E55#cM2k|;aFBO_0uAh5aB_O+}{Ag
zA2U^|$a+2Q$R99Ky*ngijt?MIzG*2*WzP_XaX#-m0G=jAfl*h@OvupLQ=*zjniA&V
z=o6;2dzwDmfiNqW%9kI+Oue`)eOeEI(_vG@UZ0Vcb}U^3m5{GBcGKG(HT>y-+K=yO
zGBZq3;00kgmWay4R6amY;|S~bb0b#B(9=~F9jHuO6#<_aBP0Z~4(Ho#p(9@zs@Q#>
zX7Xp{&?2zeOYlVXi{Q-vem)lezg^plvD!A0;Rz?`Zry5*y@jW!R~S{v6VQQzSlc6nhlx2QNhp0
zU`KZw@C?5X$;!<}#Bb;tJ7Gk+#*^)ct=?Y(5n9Vr&bzW%JWf%>T~rxt_TkyQ&AOko
zDJc=G`ldT~Aue3rpD0fko2Eb^)nbOhTbE_Ws|oI`9!EkfdrC53MVx$<{2;hchP>H_
z7H!>~&5%MbHGc1vo$gGYzHg;YQ_M2~fc!mwm24rUp?aal<`(pq8$4J6l2mrSGO0fiX|a@$&xAXfz@jRBeT&*Y-FthXIgj`$=e*@ewc>$+0)mrhD?Yo6p;d
z)PBo5;Gz@!EEr+Q1|Hlm7jdkdR;DfI4eoTw9e^v@N;Ro^h9M-=NE7a;E}*
z3kB1wCmvg40M%Gxh}M4>Bd+He1-WChT9aP!OV=^Y@D8XI`M?dp!`c=rruTK~&b2b;
z{XL5r1s;($1QecVSyFYXZj~TA6e>PXVe^y<-XDg?bbGxwuLb;o9fWGbX16BKa0>2@
zm8t8i`8jgaoj{U)Tk_3=w$^RZns)h`yIfCv2fGo6n8p_;6gMzmR+QKvaBK+2%*p%nLs(Es}Q&llnl`ua3s@mvGvGsiVz
z2&3`+Mz=}~`-EY%89@PhNK|BY(+9uvF;crpk+Fi?b!YRD^bj4zahIpTYT7Nik}N-{Sk=g;E4*2
z4)A-E7v1Q3yGZ`!oWj4rSpFN{w0LtMz}}AQt~xfCCzd>5+&KZB7q6GVvc@b2zEUA8
zEVjos@Eo}wLCy-IJ;mE$yIWLg4fX>D(TsqT8rUS?(UBD5-jw=I(8@;&uF@6
zz0|a0DVQH$3|1_}(S96_4Ro-*QVlU%wyc!Z=9&x;c>zK-RVju2P$PR8Qg=O@LE3D0
z?~7!^b@d9{F3n_S1**;*WKynl->=Xqh{2nU&VeM^fy2&cbBAkXL{B)}PnpAz%aa)>
zrmok~07)*~gVJ~CgvOs#xI%WlvHfqH`TNtCH(&49iY!zlaEA}`fYCF3RV!hUZc8Y5
z_*~=O+S!v8Z@w|O&TJSM5vewBXuC|#p%K&u7QZFd3GFuA7s$0CRG=CG*Sm5HY?|G6
zU`@|!-|Nl?3^Gd8WpsV?)&lPpdQL_%4daOLUV=EJaCB|NPDOpeoRuh#w=un5)PT6^
z?c#B+;mnTF38y0@
zh*Q!3c56bFBV*%W|hBfghS6Ke4%9YP*KHlWg&E_Qqj#j+tQS6
zTnfVNa2=61UbWB|#D_b`*gD8kL5KRaIm`Ipn($esha=774
z-IcLqVKu-;P@*yIfi{T({(6jqpiM9|BJXbR>G;ho0IKYrP22!Id5%H|Rx|#CcB9oD
z$4;kt$iiSj^ecZqE+gH70y$1`@-A(*VHgBailj#Dw2PmqOqj+t8ajJ&Nf|^(XBiik=hng4`US!{SA*sc5Q>A28`|CY
zL_E2h|GDCM(0WLQLSt6`iYzgbh(HWBGc{l}aZmTY&&l9)wZ@+k>o&mGgiz4Fu%7#f
zl%$iAzji!0WHx?#Dw%84|Fp@mPux&5yr!%hlF)%QbJcOp;`yY5fd=^PuiDl`cwiyW
zza!v#tN3-}?Rv@sKCO?D_6s4N%J<=Kxz=LSIVLUhU)Y!pow9hOgFCxEbh!vtPIXsZ#M+cDF(mlU&iTKV_z$(YVA;B~
zNj(;uZp$W^f!m4EdZLQY%|ZG+jV?n1V65=7Ul1A2dG4-??3e~#(AQ_%L~WvQ1fdMr
zZ9{&9O>slV3J*k@V?!m$L;#sRZj>6&*kE5U*J>-?P<06jcwD)0vM#}T_<_y;Fo4)oZUfV!V$X|ie-44I1V5YPQ
zB2{r*AIZAzr9HJ|vajnb>!dyu>+C-t2pdOQXI%pNhskLlFM?qy16pli-lKYlfRs
z&o`0Fk4P4Z+>gwlQ|KG(=aKWn@_oG@^#Bg?u<0-92FZ-olpiydQ^{rvN4}guhd(ZX
z?q`74cH`exZMqv`;5x{QAH`*?`c+QeGdMScQ+Pbr&v@Hs>d8#dh$~s%i^}vmrC^IS
zu2|1nIW99q`Jl#aT%+~pbN8>@JPEe)UrN8g@)QMLkr(!b%&z~MK<`k1@knSn#9Q+x
zQwf|1XRy2Ac3XULJA=6TbRbN&z;)LkTpwS#8*Mic$RrS3rYFLaauMOVL8t*P`d3oJ
z_&FtfLb>{z|JKhtQ`*2UeQvP2)Ljb2{{UeD{10mYxy7~htYrv%T}q*g+e&E2{N}iKqOtH*2^Wf#8@3SW
ztj3&C9BYFxkfaS34Yqr^9
zLx=09NfZ`~&wfZ-ViwyOb!@2^wB7DT_eWK^;>m};fdfysZBnU%UM*L}wUNvF=hfiy
zW9H7ztSW41ADag5ro?Wc5!X*cvi271a66dTj6TH7eD_`xF&TA|uE8hLf$fhgvM9Y;
zun=3q-`_d{c{<
z!w0$OXTBFbsid7z*hbjO0YJK2E`x^
z`q)B`6mOOF+TPcv6#wyIFE2=#@QIH=Jl80c-j@Jv5`6}I28HhQ#+y7n1n=2MjQH+J
z#|~<~$+Fn(!M+)uJ!U>zK^AFQ+ci{T-9CHk**O`PT!F;KZY(=EbJX{&T5KgH+`kZ{;28W-5k?X>4nH)_I
z&19NqQ_f_s=bVb$3q4%Fz`7k4@FUSR3Ig3QqCK>Zn8EQ8^|@+sHg$YsCt-gIY%@#Eg&!UW)-PtGD=hCt
z$)d9P5V;|-U*SV4%UWm*_F%SW2(EseN{y~pV%&*P2y%O^uH(XUSQN?Sc
zo;4_*1+yHU;c8rN<4K$~vVFtb?1L$V$E(obTu~?tl53BmpxsQxxLPl|^0ZE&q!j8$
zILyWNwRWCLj*=)VQ(HU2fsDg%x2uvp!?W{P_;K_>cErh8Q#~%#q8FNXDtPAJ^QFO^
zhbLQ2csk7&p~KU6melEuW}^v9YQ%4c{DJX)X${P%P~uQ&>~7>OBOyU(akdIzM{XHG`d(9Bk^UA0
zaFy3un}K)RZNtD!Z3`s@!H-%~pA0`{k1Jiz$JY9+JL!sGAahid2#5b7N>;fm)3d$-
zUCB2(tYV;3q3@`lCZkN*J&T7==aBE0IAj>j7mJ$9J$BO-o1R*SXfbtERxNrrvcVjT
zq#fpWF2JlT+gRnPFC84{fF>rH~~tw!&XqWKLIon7ALC
z_!v#%a~b{A$frQssR;}pLbVig!`BH^P}?zpZ@kL!wJVt}`1m;{e?Jy+rcs+oul?8u
zO@c|c>98g)rR?3b0__lLdbUPWk?pMv(fJ;p9+9YD%~=VRSg_px6!X~Ii#{mjLAic|=h6bfR&d(0dnV}5_+C08d}~|@5W_6%Q2ry>
z5%gW&zi)$Ec83fw=OG!Cv$28kaI*Oie~p!}SEhLvGo|egh+`OsONuA*R?N69PSDuD
z%|5qOy0(eRHoTOcq?X><{C?e=$5?{6#t+zXOR3}t4_66awE#6P
z<@8UTm{-|`I@3A&2aqT6mBm4q3ag5(!s$hzAS(&x7O2ZD
ziY^Z?n9Vh|ddd9;T8Nb9`?z+P!C1z8v!H8c`%heq_RPFT(a&%C0)xHwAGa=HVASL&
zO`}{#WcLOCz~^L)Haq*pmQ~A@X~NatvHq4}>|u<=h7mc3$OpR*p`Ml^gWb;u>g(ZE
z%bL!eQ}yS{MmXBvH7;}##-y->@z-+#yokQOYM(bSn^_&k4Nv-;Qv{J;&3tvoM}s80
zS``#E>f${vMfdisKruU@-cg&Ia)Qb_E!lihy*6hgf)3=~-F?kG4n
zMR~?@MCzk{T|Xk#5(SZt?)e*L{#;KMU)<`sKvx8!xo?6T4!`$UkF6L7Yt67RM-eD}
zE2C($&d8&J-k$QL&yiN@kMkIOwf*5WcKeo!O26d!ZTXXJfl5mld~0a=b9-%~l=vgE
zU16V>cqRh_+9RcR=}~D;O94>&rhGCI9g6mGVFTbkmz_Jq72PkBGn~n;9PVrDHQ26B71#!1>P-AY3dEh=xr{
zNN5*bn*FveUp5GdTHrldE95U`)Cv@d-Kw1M9+Cr0U*n5)gc{^O?`TUgz-3f|7GTJc
z^e2;Q8Eqos+^=ERnm=$h!zM_C<|65`i+)UYYWo}FpAs@GFUfFJcxvVaK~>U^4NlzR
z2RB)V9fu4qnP;$9!C@I~cFtNpElP5^(yXp+3+0>Y_h!10q#vUMSw-Z_Bpq%@hAr_k
zd+MN#bza=xnP(UC@r0WTF7zh^`<5C~sq69_MpUk1yl+Fb+7;jB77c`wev7(?-ZkIxg9t_)BoI-9&Ka`vO-yoo3HOl0=$t
zi(xji<8Jf8E)kmfWgf}gROBi*-`FFep5d+$qkpko2bb%=2FQFS
z03PmGIuRietVT@h{2Z#^l;m2Qdxvz(;c6=L`FAWc#|nVP>uY`H@E<-rVI^NfV)6?k
zt(bT<%aPRgcL#$`Hb5qF@+-Ew)$By*r7~35crnwTASP@!NAeWPtKN6<%sR_k9r_=g
z!4f~eqovCA&rtwRTTs5G&<_?A-Lse+nfg3G{>0|BCxsuE)z-iLQ|1ev$FDn6rH*dP
z=Ql=^nU*&{7MoO({9D5LK7r<6Zir@zPZ~I=_+k4e$a*xXiqB2hOS)*S!WRO82uQe^
zyk=KWiv*zcafK4}+Xk2%)riCc;#?AchbpDrLI!mp3B4&mC`)}am5qR;V$F^5+?`Eo
ziHfSOa6CNF_gQEp(;#XS*%yT__!qhYYt3c+8?Bb`kFWXMqHtB=SiW$*v9mf`-^Y-&
zOv2-dr!I7Yq5aAe<=btb!13uF)|YfanPHZjH!ct`8W#Vo6zoer0-~aG<)F8
zsqBS>!*}GtXvqF1sM)Tzf@Qxd_ReFyJSu`lSG-CM9sL-200gS7)Wc<#g
z6-6PNYJy{CWSA=ex?8`lHCq;dG{*aBBZ|q@;tBUJ3I=n}={Z&l5(@vgA44cs1u`c8
z*&dvE+BUigZu8JT{F$*45ZUJy|3ZwDEnqJKaGf#LB+7)3d*ppoP`w+f4UvDmE(#*eV8wq{c{u{TsH@
zP74p#�Gd!lv2jRIfFQTRfY(v#QO0QnE0ZS+b^P?^R{r8~-_CaKkyn$Mdr`o`2q
z3+OD2eb?AF3kWXgck7Mc^)fKm5C%n_S^lk<=10*gD-0kxpY@rsy%8@QZk{V(CQ@UN
z%5CqkL3XzGvt*_D60H;A>>xi~vnYRTCOI!Du@R`M6@9m0b20-`MM$s1Zp&C~@>0(K
z9|AY^YXewZiijyuW24#pEgLMWT)YrYjzDJ!n6LNFJyZ8UXOVPi_~c0V)erutr%A!V
zDDH1cTBjDNsi*L=MFSFgD!OWU93u5u2=5E9mMjD5WN){F$B1=a>-u==JVtz6&OW@|
zmg|_mJ3iR}5i08KfYRydpj+mO9YH7|I=@3)wqGpv>`(T=nnyAQXXNdKKbNESt=CT6^gzMjC2tJPDdv#|0FmCwz|D>2z(TP
z9WiJH<)!X6xvJ{^&OBDgSG*=!@j77xM_n|79e%bI&*ZqQytdTBq3mVlaNBub-M#J5FGX5
z#s@uu02RJNonIAH?z=yu*O$SB)M3@k4P|mQAW;Y$ADxEiTq>XnVb}YI&S)z^>J7Sw
zbiPbe7kW|9L?2{eO7#!|m{U1CXvoINJ*I0`z-%DH``ywOlGu2y@h2pk-RyTs
z`z2;aYcigb;1;>Qi
zaseWD*oY*Lw+ybf%aFcah(f|FW_g|9A-3ltgpt(Wip+|Vz{W(hNe)F=m16FU$AqL=
zWawyjXC*vRq=DawFaX+GSOE6E6vVfGQr2)-S~{b+Leru*<3x8E9th{@U;?CR=B8$@9M94QbE6sGBVn6#x}Lr41s+c6Knv(*=tzz>8p|J{KjkN)L*>+D>8ejYPLNii%|Y>jx=HLmgC
zQp0x%ppe&dQjrPu$al-tYH*>0S;9Yt+Ka<*0ZWX!;fg)4DFJ-*9&v=Pmw;06WNt{I
z%QvIiqNqz~S<@l(l%UD}b2Eqp-f(SNE`1l{frR>^HBZqj
z&h*hvzf%Ooip}*Q@^mC0wG?ozYy^X7V3FNz^@0=ytOBZF6b6z?7GyAEh_)kY)?EAU
zeuN3$ASfXc>hlG}APV;V89X-t%gbXTqDzqz+keg7-)Ou4ey7ft4~w&>QzQo%=G_w*
znXTY|$q#T{+bFk)PRaqx^Ua)XlP9YbbeaR>a8+raJO0`P#JS&42R(!33BJ#uR@lNt
z;iE@EcCDrfmQ(3`Ex==47wPzp8=gi>qptUhOZ*@s%bARzPJ$_EW)MzP{6u_X>7ofk=0r>SCM$U;4J6zwWNWI
z&su^#U2Fv?Y(nnl_nTre+snk6O!lOs~kVf>qQEwk7+_J^!s)09ypausD)-7)^6at`#=b5^z
z{VR9qlwOqW8D!Z0|17_R&vzVRT5UIl%=XlTq`%Aax*1S=uyhB{#>dq^K!QDQ*pUfK
zeH8@xJ=mjGJC$6#Ucg3%AKBN!iV`qTACfgY-?ku4Yo6SN8`-pA%)4H$P;v
zx~{Nc*R^ECT`yM5eHPmx65RbQ0S6NR9Dq(e$v<``rB+}NujXDyjbO8L1Y2F+D(>4|
z$D~U5PZ&TM+oG43f+2~RICeN`@2tO8CezEaKM^27*a8t4$bV)41Mqzpg#phSe
zVPN{UR+*#93vNK00$OnXF;MHJHEywX-`|??@;f=_5wr`48_f-=A_cVno+9#B1T-!K
z;&RX%2!2jXqp7@U%Z8hj4C9=NT~cu`2@qZ8m)+JzYVO>f7J|xdpI18jJ@G$>Rue6^
z@?p@Ba*U+4y}(6BD|2Qx+C5Qunl6L!mJ?T(j4BPfa2a&b_%=HZg)CE;E?jymp%tut
z#^jszzos>tc8!L|n$4P=ltX*_C_+@7$(ZtWL@N;ZN%WBHU)24S&Yf#$S6&4<49@>H
zop=bahM}e(X-c(qzgj}q4p|EuCV#2GBKh^dpECTgy1t9JeP9GckUnqGG?smNLkP7kAj2PSMgPZrHagJ+BldP4%tWXKvTM9Nes+x+ReG
zR4rCuhoYkLt{9%POA(3PoWtg&jEB~U#fUVpvffGoOJY@*F8oD2b*U3;e~E_<$o7D;
zHJwPx>L#K@&_=&A)a`R+v)w?TBH{srw@l8QDI4)a{c~BCG?|J>%+LUjrz)MWfOk1SRy_!W%RAP*E%N;Zf
ztxjd-a#@l1c^*Zd#$8QK`G=7wc@5{6AfOqc+6!#wsfGU!053t%zF}VWLyR3U9HYk1
zC%`GgzU|BLbJuRTaP>Yy9_FI9W4q|ZenEdJmL<$W{cjrJ+?gB3Q-tysW;*3a(f73UA;-^Y7<+b#fd
zz&Y<%)8rF)H~`X%otsyo#n)fr!ts6Bx^EBaw;qV($Jq=+-dWygZGd%GiGVi;YnLrX
z-+m);_jWR-O&N|JgNNZ+W})E$wXZ$mP97qmN?f{h4D|?FCQX=SUvH1FAL!u#?FIID
z{Ro7sSWhy{k|xDhWC0Y)e3(X%<+1+dFTr|l
zn;zal0BANImHTa8k4YJ*iL!mOQtqPjAM0cLhTYJcnkqq%BtRxWO*zzzRG9LqzM>SJ
zUva4xQeoA8bb4n^*iSDnO7pb;Z4i3&?t)Y2^~sV+=rds^o)Z8#BF{9%1lzDUHwB~n
zc0uBzIk@XZw02F#=$!2o;mkji<@S4UkWqzlFT&mX+M8HwDxy1;h*U
zIDTj^KL6xDurMJJK7xG#Q|mLTUNIt28)A9wX+X*d`49R%Si5!&8vXDSjvPB-FAh~Z
z1Std2NC~zs9E%oT{SgPQJ~Y6n<>}WA_cj0uqa^DYTDEF~5z}TPkA2(vT_B7~>X;dm
z$D+xPEpah9*=keo>QYjAH&!sPMWbfTaQgIVDkgSwCL`r-BWoH)88NCkDpbv&08gGiMW3D>
z(4|8=+`j$T6pEMH#`#EP8BQJFhoIV>eO
z`l(SvOioyXO0@&EvDph6@siA^7}0Aee(pTTjHidlDag^fjJbfD1Adqnubodul;PUR
zo%rm>&RBcwx_uJFCjTQ<@Oz7}Dk%~58Z^b$od=!o#_8?VGC)x|woQ~Zq9qsBRk7aH
zGG#2<*ZUnl|HuC?cAdR%OE}Ia6<8B2gYq^>Bp*(jsiwpmf7R|adYaIgxl)lH-MoN4
zO~1m%#5w3aVhkGhoq;tGcGF&Aba
zIkl&n*dC>&Ss2uR2tNA5S2%f6A8i#k4jJ%KOOr=Np-7Npf*-%9igiH1#dfksqg7YI
z3Y_1v6!pJrWRJnC925>q=N$mV#5BuOnsE<<+SbF+N%QdBqYo2{FV?G;p;(TbC%4h<
zvj$kXWUVc!_}QzX_G$^H$A9635an5KId5H%
zH?wb6HEY!eD|a8YfkY^%r9{C50)K+aKuI=|W{<|W;dNgna1br_4v_
zl+9_Mx?rr-`{&X2r2F=5J7G^qb6c5K;TyvS}D
z6w?e)qyQ(6tizW-wL;>yeeVT88c9{!5{DPQf;1#?w5~ls4>JGrJwSKQ?m^41{srR~
zthE^+fea}>78V7$nHVx`0KRVU4VEM&AiuDPc7m~$2#+;X$eIBP(!k~v=Gf;nmM&O{
z%PbuhkwQD)L~MhKuRg9-}~|%>aE{|9hOc
z{~T4!N3Ex&r~pBQzR~5S0TBMNN+)RvtW%4x&}YCtj#*VYe27tl@9r~<<7!{i`*KYzKjp%8@ZRSGn8H(7`f~xDP{4~t$^AozZ
zYK(vUUA%Pg>q0-~S^OUDZBCy)E_aMr>
zEVF=siXi~BH36S~`W1GbyX`#rBw4e6HS}u$qviQ7-iv|nK#N$
zbp?{I9YObwKjOQ_&C#&kK%9S&W^Ew(v9c0C+bjw5JGXB&+W+)D>NoxoEjkZH4&_YG
zomrj|RQ7qjY*6(04&|{yLrhw<$?4w$j=U$3XuX)SC-A3cVDG`D)7#Lrd1JJ0(-D`?
zUxim+P-lHwa^fN4VKHe{ZyE-4=&VU0{1t{`3}Z0u#ZSXs8(LXAVK5
zkNyP*u0AjTWHqkDtZ;7uAoaD90<`Pc4x?w!L}pc`16nokpnfdO%fyr!QFR{I
zO|TBHPOOd|(NsE*nj#L;z@E8uh5)D?e*Uo)=FXap1E-GR_PzUf_AnK9c)W1^D%P%F
zjh=l5qUn#Vv1QW=g!~m|+-(Vrim8^MONRI4u?_g@r#4u%=Lq%ByGvjykzU9jsI7pn
zEDH(aW}IGb{xSt!
zdUr;HrVTK0>J%J4d=z(Y-NUm-&+v%lxOC|}Hg4O1ej^8>@lQWt>5|nb=V)DkFU0iy
zN{1PGa-L%5*gp8E(GOU>W()4$yiLP;4TlaN!^>Rf`&k-UZdo!F^&2$C=|^d{1g6om
zo=OrR5pRB8zX5(QK=
z5Q=OQbbp%x%4d0Pwuxzm2^d0J0%MM<3fse@S(KU*TtBu2e{9?atB+o>57O#mlp2L=
z6Ky0^hI6M6phN5C_^D|V*27ZD)CD|x{Mf$aoqXpG4j(;+@sp67rk|M4HucIX(~jqN$BCJMC~5tA#{MaaYc
zQAM$?#*u?3(Bh}2XwmWqEKOK~^XJ$%9z4Q>lzX^-`xcI#JdcHom*M9&ZD{N|GT_Iv;^)b>1U78)d^{xp(lVuFK{F>|
zR3KQHhg~z5;HU3@#I)thaOw7C+(>3$rHnqjrw@p-A2E((-pNPxsQwe6bKcLTWtvb>
z^~4i`7JbdVF!v!Q4)2YB_@{rxkhv>R?y$$(l0C_zmNLmH0np1w=g|GvEJ#mnai
zJlmsP^LALeED6WXoyFY;5ApP2GM?PKhO-whVfpH{=+=q4rd4xn-M$kA1fnKOY;S?9
zU=4LrumGFqjzH5-{tYMYJZJ5(n;VdhRS?6y20*-~ZmY`ANBb`AF>=;am}Hoz{+1oZ|H1=sf^PUH46=&qrwEuD+VWRuI-|qS?eJr>AJFuN#^}$H`@Vg9IohqFlF|MPZT6$uph2?ldr>)Pgy`pJ@?LT>
zW=@!bwyoQsS^E~~J8&R|^c#+DJ^P?*zusv6Q!@-6HX0{RpQD1(l12o2h{nr={WAJg
zw1^hq(wS{&*KZ&;A361l07y$L2KMfQUVZxE
z#_hY-N;SbM9Nf5s_0t>YQnKukZW)hYP;I1oRhnd5vrsl=QH$&scQIjDXUtu=1UXf#
zKWgttRIrbR?8!9@>e&;sS8YdrC1WyL!0&*Tvg}k$A3c@8X*OPZJT{Y3O#r0#xd>X=
z(hXBlq*^^G6wb$^%Lmb-*AQ$!f7|&4ik3~(26|CuO(nwqd?a5ziSeU{;)jL}(Y|ea
z^zT0a0|yU6pZ@*PqHR0$A2I@mkDo(Dr5C4mtiU(_@&Cb&bJuJJ$k~&jw4BY{#=$E9
zBo7%$Ejf`x88-UMWNEaH>N4CoyAi#*bVsidbCIJemv=VH5fi
z;Ej?`eVkXzsoJpYDN4cO*;CQ1WfxpaDYka3WV#LjVobk}&7=9dY7Ty`p>Lo5ShVq|
z?SoT$s_hJWJ{GbWB5fg1!%nho+WYv*$@1m;?rqPztC1=zD}3i|*2BTn8;jmaC!V6r1#R5x`1
z5X)DX@e;$w4adw?OOYG<{$Z_VfDBaz2x5!z^yNb&tVkf}Z-LgW+M|2VUMyn|^dHa<
z9lG^EkKTQ;dFvLGl@+4w*;RCD_9ce0Ju^8_v{^FCEKYHX(}$w>03fMAbzk?W9?z~$
z0HBx2>031dL4kl5Il0+*{O|!zpE`-PYgS|7!ueRWas>_@JU~Ts9XZ)qG{6KMG$^iU)x9=n)zp$8t
zE%77`%y>N2(;?bJVBgRQ7NW8&9S>f-Ku(#ap`FDL(;HHtRLG{U=&Kj+MFXWM;fOvf
zEf?ila^pRP*Id6;oW<3(e#x@{Q}(lDq!$!(^h(`k`zIL6_V{Rw%rbH$S?R67gzz
z+oSff;LP7w@d9b7X?Q{4DXLfrn2XBc-GqKGiFMihz;^
z1cFtzM~i9KXitsgLH~?jT%2oV+qLrm7TG6I7GTTv9XNa83Z6ZGfe?X@u}Y_>mgLli
z`sip?ekxK@Qwda^4aLrnNab{7Q%-TU7bfa2LC(`#NX^Vb3G2*n?V~o<5*R^DsDgNr
zgO{8_oVk7tTla3o{)4-5`}Q5S0s9IQvxyx`Q2&mRXK9(E(umz>IA+K8RJ*W#qZKGG
z%0g;J22v{tj>QzwlKQpkTUF>J?k5NPhwO^qm@k_}XG#JAkCJqzVrnKE{D#N3m+n8YC^Ai}foLu>bHe
z+ReDDe<0~!uHkruo7RmN)sAFeK#U$t
zDB=&|MOGU7PZlbq>lDUNC7m7?AV_1+L6x@(_wPK!sZ(dMk~(u);$o~{zXm5cAWF|j
zN7!b8DLc>apk;$EF?J3C75lc{xUa0^6sI_SIC={JiQI1XW_QyX{Ob|OyIoOFg=rJ3
z^Emsvo`*Hj&^oP
zcV4CQ%GD(|gyS!R@Md-Bo&%if#??ktl|v)jw@IPo+!#(Q{z@U&<&7D=u6vhWr>Br+
zMCy=KbX^}O{%hXeJX2|2=VwOn74f1DFR$Z?bf)`n`PFF$g?}AKzYcKH41u$GI(CN#
zJslIG0jLh^jl-Icpm~hSSb4E<{sR2lAHKoOCt0W>g8>{=cgX6`IekS=eJQM)nDZ;J=d_1>VquKrS2q>cpJxp0Zt#9H%xiibTJ&a~
z&dt~Pymm1%W?q-VDeG%;!C~EoRbAATDV^1gP!MB$1>z3C|#m&)`aVLa)
z<(yxWEXI8m+fH340BRqTU@c0}-qW`o8_BY6QJ85dd!B_<2>h82oaoc=cC
zyfQ>iGpdx=*kDLAa}fd_LHO!wfgsJC(h>ZNRsOcfJggYV#|Z}sB^XUanN9BG)z!a
znEL{g#|}foMnB^0wTGx8&e5I_=gB$29_<2Q=I;qWP9=?;{yGX
z*BIc}lV{p|9jVbgruLCJOJMqR(3W-U@XhC6V$s5-sPqPHw$t|ASGZ}#3@dHOVZx2l9Cdnrl#5xnj-a!P$UF<(oj+y+kaG5QI35(
zcA#0qM(Ez98&Xo9*~WAA5(7YSnT}JOJ}AWjP@Mi^^gaNj(eU|GC(*S{D=eBh0~b%9
zKvlWk?Bh@<97NiSRBYI|4&AzU!Pj4Xj`3s1;rWY~&{O%E^$A1;ezZB2hC~}k34Y$*
zd|vl7PI3BMk(R!0-@c6j0|sF1*s<8XdpGj(a%~{s+>atZKO4u69KyJfBT)aVFVV4G
zdtAA6*`Bo1!*-H&djij5#3@d3`cM=HKymu3l0Z@F<3|`hpg-z=`Y{^U{{}s}c0#XS
z-3WL(qYFV#tM+a1$Im`NcgG-n@Be(4YZ6|NL{bYu6UNdiOBbvqx97Z`TIjeEl`*(@hya5s&Uaw5LZ!_DwS#
z>EaR|r#O9BiUXiH{nbgI1u4zV!`-V_v18K)j2}A^-MV!`kDgsIbi@!WN?d}2M~@)o
z*)#iGfQ*13jyuQmu5e>x
zk2e9AoD20hr*r~8dd^V`zOfr|ic_3E2*m+Voc`*hFXY$g+Y0u!X)1Qx1S)l}c^)eJ
zTIZvj5dx%Y3nQywF<(2o{$=`4ZpSH3e-+YGUv>AwX*S3qJsIYJd=pj;2y{#5bg=`S
z;Ex`c*M{j>_&CKWP9KEg04Pp>eWIcl0IJr9(99mx66}N!i24z()%T~O_L#6Ua^@&H
z5Jt5=VPSz|RzlX{PtbpIJ5F)>tB_<^vpz2H(RDZ+LL{u0eNz7QB2axQME~}pL<0Vp
zcsovCA=Aqqv=urIfZ`OV4@q$V6sNxp#c+(2elQe5I2yE(uD;wA)dxJo0W%b~AHu@&
zN1qB{2*(iUI%X-}L%-l1r#SshNFYedVRdJK^i|o~D1l8K#1lKba{4lw^TLNX0E$zb
zJ~aK`1Ayvkg+D>RGT1NDZ;JO{&E&sCQk<^xe4FGS0|oy#km^mW#u~~wXsoMG14!As
zvpser=JZns{K&cY-b26O{VPam*U970Na`-ye
z^nPyVTW_jL2d9b`z0u}1>+M~>-%kqr*Q)1tdDB^4_nLTRgQizk
zbb4uO9T{^x>x6OY`;|wW{>Rhb1_0F+yt*z%@AZD$({*)D)iqqT_+RakisyE*Sn{vQ
z^?cj?#Yr90*#!AUwy%Dq9Gy4g827INygset6(e1_rL9})za_n&)7SK;?!Au`_U$tM
z39{r_hwg_d&AIX1eBVmb;?!~PP~GrqpLg5QiKbsydR+;o->X3Gefh`e)jhkaLvCIQ
z|J$f;lJ8CWodC+qc^QG=O^q#G`grcOFT%@HD?EZkweT@K{oJ@#6vyZoU?R^7C2tF&
zAJMBk6h)pYo7%{k6>-g$J4a&Cw7hcO~rIFwQmoUj@|9ThjgNo?X=;
z-B%h4``f5)lJ6v2mtF;O_?Bck0ElHX0OYZ6UFkax0zhGfsP!_uHU%qS%rTx!Qw;;!
zW?!CJ3Ej-?=#<+jxjfV^Ojzw?F`W4k=PDLOUseAb0igF&-SAGF|DGh?T-kAWbj#(s
z*Q6_j{V&$@Zzl3&eeyML;#OC3uWHqPcohRcx^`qFY7%BzRAJnr%JEzPC=v%ie^>P1
z0|5O3y>Yv4_&096zEpF&ouSU{-#~6Eb=`jl`bz;Ik?y!<{pC>qcT(N5{R*;*qV&81
zKawOj{x3MU$}FyP`Y!2)(sH!z`vK7F`>!;z{ND&DKbI%c8~5sx?z?IHHu}XR-=mX`+gG(}KW80WuNEH{ErjjuR`KMt`50gZ+XW&_48YJQ`mP>ic=l>@3{xal>pa?-u83-
zNpE|)s&UchmSwlQI|lk#XS_FKhLsbLa(@lt=#S
zEe6iwmcE5W7^5g+&DawFa^RD*2kiB1igUt11UkAe03-=_LhvjGfE)Zry#av4so;(7(MJ(p
z361kfWl5C0^+eHq;e
z!Srkokj$1dGo&1JwD=zs0J+Tky^t$EF>;IlP8G=Gt+0PlQhsV-CqI`ZUA=1eS43X}
zK#q)v6vlzr^5=cWgF%&ob4LKk2_2`u2l`C_$ayb|BW7Qddj?f%>0U-`+YN2tSSnx3Oh>paZQ
zwEAmO$S8kY&g-W6K6;(Un_=tL$=g&nj=qv!Q=>P^vTM@IF)|9IyZX`cm^P7Wq^$aJ
z!dQGN0ljeT^~(lXO1+KNv?hbu6yldcu?hREx1|JG$p@lI~4gL0+Y;Ukkw>
zg>diJrMkS;<;kVG`r>`}-{Q!lBGR9ZJ~-Q(N+
zU7rQ1s;WXbEZzEM-Y(URU-$T$e_hA!y>Z3k8)@pO_75;_0Hq~m2t{K1$k>+Fo@!DP
z(+Hx~K9p3Jp(>$@O!?)(!J^U5IpMb?00<9(0i~bwHH|;n-Wm>)d*S
zoO@3Hams3?8X
z_v+^3z8O}>y75H1uWQ#&_oGpE+G-kyu%CWX_~c!mh7h|vH{NJGstJ&ywIM`!LvK)y
zvhMV$33cx3DBC0Yx;*+W(cvS9asS~XgjHAclZ%MQ82>KMZh6F$d+nCP_195;I?Dg;
zHj;DWiQIJR-j~d{X}s;+JQPRdUf1>4x$9g%)g1-QWTKkoT1br*onhH
z`r>?u^~Y%R7q6^4Iy1(sPt9yZqfR@Tv0yxF**Wm}d~fikFfKoJ&)syD
zhYBv6CBDDjnssnspndj4C(Dw;VI&MGzr>5iXoRfh)Ifqmn%N=&v@Z
zVO=@$9YvUB^oPh7qp>JfuUd)||0=gzFFJSoVxHw{6~2%Ui30f^^6+Ihx(AU
zz4U}-z&os`u=P*zOL^e^TJ}}`ysj@D8CKOA;kElAU)5tRU0puv#!;KOJnLFV@hx)n
z!s{~0i4@oMuY0Yd+b4C;?Q3=G!3`%sDn3IBuj`mB@Pte=UH6)#G(#+RlyRc07sXc|
zZa!|BI*Ozd4;(mvjEoGs?}pcT-DBM}T>e~M-%m~*SblCiwZH62jR)mr*;u+biTRgV
zTSTcVYt)}roi>sUqpTta+xG3jqqK}zd%ezEyy(1c{_efEok+*JWsq~*)Abh_FY5mm
zMiI>$c{#Z_b?i9OQlDF#Fw14SfcF(nY`8p`d~zUQ`pfi)_^Lr}ZXWjSJxCppYiYWC
zxa5{c&gIkP(Mk93gMJkNaw|p7ttipKg9p*GXHQ(GLessv0xyAeJDuxqic0=6Dr{{z
zrfP~t21Q{)MBt_vq-e}YP*`}bG}Iy0(cJW1Aut0+MI^Lq3Xl1^`3HkR3nS<9Bj?@^
z1Oj%HW8oN1qk%9DNCh4~dI&EKi1JgpFI>2Y`STXg;CPrPg@~*v?}%PzMp7OME4OFQ
z9;{lm%D{$5@nwvZuc$8n?)QRR;OO$>rlrwJG~&n07pZv34jK-y91#jMJFmj21B9b~
zggDX(@jSqK2nj&a0MyF32t1hr=QYzWC@8?P<;!u7<&gq611p}aUYvHQTNXK8yY=SE
zfP2raQ#YLITwz2ildg5o@AsRZo3`S(X{j9)*2)vRUzZ0rU-#O*FF!e**LCs}=usP0
zv!22&$l_0}~W!QL>QLAA%1IJP{G>##bDZ;vw
z;T3pRdIC#2io~B=CpuCBc%S8AyO^BDTy;d?RBfYpN-Kmp^JZiJ!2f||X@0KEyF9sJjW5-w44ayb
zM;STsSJ&7%z@PG}KFEMU%DpeB{=>3Id;}`R*t_!(4(z*(vXTny-Ma_#mnLBLg3;(V
z=w}QVG77WjCt^1H(EbBQ?L)T$K*5j$?wx@USzvn^z$b5r`rxn3!lq3tvGu?q6a|7#
z`-ItE1VA+rwnI2b*$PnZs}Tq}eNlR&M*K>?#XFtKuX0KrUA^GegZ$0K$`@jrS92hw
zfk#yRMUvXt#aWv3+{`~o?a>`%iwyzt{y{~h(U%J;iDqM&z%y>TP
zVIT7`d1W5%dyDkq#t83OT9kLM`mFL{o^|ta^LCv`gJpdP_BMg6?#rnx;@9P)?zz&d
zTLytsiKnAkMDCUHX4|SS#pp2t2mR{y1)bL|-~V*_O#rB_kgDQFj2MBoZQGim*DR3yMY`uYH;&TKF(8GY
zv{=VdRi@{3q|&jeY-v7?+^E>h@UT%q#S&)63xwFn3ditun@IT@Ac-k#Q`!t5h3+a9
zmuHt3IhQ|?H9o@zD6~T5Pl>+g&Yy=D=`ZZQ;-|kz$90a(Lo(zN63f@�$GHm8ZV^
zeCN)cSD?nt&kZN4D|iYga>L3`BqLtUvP%iCU%e8$x9;NTT6M#`XrQf=vjc~!{j5hS
zSt{Tl^YP0NXv8W5uaUCVvXgg7NeNcdI9|AX)r`ChY>-DAp|TFei+FH(ahkGymp3D20oNZswRTcj+&UH?qPo0^#8chl
zsZ*!0aN$B5V2a!{>dKi&Wp?UW8k^~}9A-!4_@DkP4eOFt;?9j*7G9c0k|Db(wdM@w
zln(3L^oCMVAL3wLa!Pvk>;)DtT234EFjnT*z*
zDWRU>s4L>7FO^5A3f`&`RC%k|*_=^{M@w#OK#gpRi;L}OYn_rGDn0=r8JS{^)MV_-
z%F14KCRYFi*mN!hqHv{Ur34N79#yq<{!E+>8iD*Ap%Hhh3?y0=;*HQ6xPiZJm-It%*MeU_@-&Qob?;gdM@>QL?{w}$)T2<*qNpUI4
zO3M-Oliz^kQc7QY5h{^iki&K_L?z`bOatx-cv0jHpn`QLAQYlPlA;RuJT?;$2~;8E
zqYL=p*H`Q*&lQwC$*s>%8Km+lD=$HMdfKaYRoT?$g#|^%N0j;7j3s%Nq0|grWqA>b
z3dKtS;{~v2$wKTsc*xpAeI!8OBOB|0AIDHQOSV*WsgE&p)>NE1L%>8nbnnE8Qyl#*
zW<6I}UC2r1)Q+yqi7$m!{j0sK&$7=%2_9-$KY=O_{8b#(@LT{$W$?1hMXdLHwrfBG
z67t~ZQOgdf@geBT#@ZE|v3>Jd>)6)5?A_6tEG%C!30wB;wZ5fR4KXk2djUvI-ACA;
z98kmdW5I(}ev}vFp|T_smBml7WBY3CV7apWVU#m%#SQqYP+nTddM$#7{E8&^K3{aTTe2vba{Husb9I#DP4}f+#G8-)m3|*Qz6u(4){VacWrf)+Uj;(cL+e+q
z!KhK=@t8)Y!mBi^SyyG04fZ`xIf~iOJXICU!;wp`KY+ZV5)`vN`~;VpVF~gm9wfWc
zi;`o>w64XM+D7N%PklrE&y{(#m)m!=oHTXnRLq(+%fhIg+&-#w6i!Y$((Pw%Uh-Es
z9bKKI0jlIaApODcn#uB%m!UL22L%M#LDsouxD=;?eO2WNF`NL9o1WVzRnIDi{6*q*
z(V|7TfB(Mmru@W*;y5zx05ZiBuWA>C(SAiyl=aMJH+x|x_9NM2eX-wERZ73)T77CD
z8)AO|icwbd1U)(oBCwzhAwVuJ$)?<}uX!j)?2l}5l
z#HZ>`dc^rY38G-IGeJf{?2w|xKySwZ|-6|BA^ow
zs$-G+pOM66`^W=+h+oH>Cz>Z{fr5}l+VeNCvoAz1?=Cy-*{TE
zV1bR=G*hIGqPkUGs!S_at~8$4ujhz4J)QSGxN`ms`gG}xK3#ia>4F3t+JD##yaf5c
zp*>i$aTOLOEWrA$8*%;4U7O0TjRX<&mf^;gi&&kMh{Pp}ux{-d?B2Z_^X4zaxr>*f
zy)FWweje2(Hp*hV$arqwzTJ3Ox^$`Wtd6aYuJT>Gb`3|49I>=if13Jz#(Fz(;y8{U
zKaOR~mSM+^9ggv*5<7bIC`Zi+tmlPTvu2Hjkzx_4j?SNV>PG3UUAq>UnVGSU>wsxj
z$;ePC-$csO@@31hV#SJBTE!M#r24!{{x)pbjAe-{k+5_*PMthQqvRM4m1D<_?O2|)
z1PO_YSk8^e$w^1@{o7cxb3d{w1GdZ(VseE9$GdlI!@cBdZ1Vt~+`ogv2lp}0V_3ar
z9rlpt@`_R%JAMeK&m6noLO%tG<>mcj`*V!-o%BJ&H7NIdtd{Zr!@&^k2%qW`J&7zKWAa
zjR99NE4U%M)f|>#-Ba
zVLT0ua`N)9clS1|N?J;ni1q8%<3;*QvmsuOAE!>7#wE(sg>&akb`uj5O|Bk2dSr4W
zCxg6`<#F$8Ry2iuFvPm8^m}pe&^{bFv==81?#9-2Nw|OO3ND;Fj{d#+;OC#aVcwz@
zIC=gW>n()s8!6L=_u}-iL&i_i@Z^%wD({$IhH%ds0WTu;Sr)
z>T~Scwafa8+D3gqU_@=F_K-d~efqS8QNPg=lJu&;j{5#)>Ykr}{uy1mbTI>bg9A3D
ztN1c(Y8wGm^{dO5FXQ;JW7emo?@m)cDX*hP*`JmrT0h>m{{RXJ)NK}sAn@Lu+t|8c
zJ=QHJe+%Ye`-XKWAuugwe@jSOfwb%#8$4-1s(d9+(!1hK{n0h5A}xVQ@2O1M3#2j&
z5J^vHe~{v<%+eXsosw6DQM+k2U8I!E3RzdzPYnkoUfjOP{=RMv^G>2oScILs_n?gZ
zl0BG%zbEL@b^xwl%)p*K2a&LB9`);7?B0A3S-6<
zdR;uI-b+|6k;>%i8}Y1uK6L0%v~1ZD^XAR7GRn>fz^W{=4{G0K)LGK;SvlG48LTt)
zV%D84KPzLpOoEry3CpmL{bk?2y;w}WxnNlWjx(Lo(kh0P>{L^JU$9-bV8zPCSeh^w
zTehx6UVavNixL36z@mkTc=Gs}@%ZrJL(>DY)2eUrBAGu%d60fqc~u^j
zEzKHRdw(=KbPcwYt=su7U%6somM1MI(71~0*RC?$3M^Tg$WD{5Nk~)f+J8d*YIK1{
zzGu(QC@!M$tEnQ!DCX!p50fVj!HP92EX*}3>TW%IVlBbL#ful2?sXcuWtcyA9&&S>
z4PSZL**MO|7U+?}lad=hemovNcxd;-4jev)r>W0u#^5wT*z!dSI65w+!uR0L^^2G{dpdUS+071mm!RM}-Bs2@
zIf0ckEiDBgz%YOQJj|Fe-HeY$Ko^r;$DHPH?QK_?W@>%U>9am0c2$7v0_6s
z*f%kM)-*HXw{Ko&eO+OFC1Sw9!8l6*6lDFYEqs~@VmoL=t{JC|RC){9rZ>pTl`EGG
zl_)6qT*U#F-m@n*!u4VGs?``aYy|dFaU`>iwc*@V;;I|lXA=#xv#+8IEg{f4hTBxm
z=a`n#-bRq^^=KKk8Yc)IX3d;~!-tOJ&g}=dc;PzJyvNS1rO78ItGjpaqS3#G%U93i
z(v>p=1X(zC@)(9ro`q~LjW+8<@|p4SC8kfFh;yd|z-w{g%n1w|Jirv<#miT4kBX(d
zya6=luEXw+Drn_r6*tm~5b7oKp
z-?F~2Xwg#gR7D^dVBK$eH2@IE(KNjjx@1$zPC!#eNQPH+Et^ssuExHtRFX>)ke{1R
zk6M%6u@ffX5JAwjTQ_JhiV!4F&@zbWg=i%r{&cKgy_LZ8Jg+rSswP-rT}GaQW5hzFTqO8muBqglGhL!7Z`|>3`ym1FXyz#-(a
zB1#C*makrm4eQt8@})Dlb>j-wQ(h-do`Fh^n6&|X$)Y8gFm3`4(xBhGc>`CkUNwU{
zZ{B<}#Nt^-_0XY%xJq56e!GZ$Z4r%42?4YxvAxLojjlFq|boN~XTsw`)6w3?4{%U4y*`4kP*QeS*i`7&LM$
zZa;o%ah^XLj`4$huCYkPstoH9LO)8Z+cRDfEF!G!lQ?&#^;F>Cv3}#z_0AKWM6|C*+uCD)w}wlbb#Al
ze-HGZ03cO_Mw`x*yF2Z^bLTFbK`F>%=cgcCzHkvEhmRz%zQi
z+q`l#XRlZ?>JwZ^g{+XZ-b8%EP9njfs;AV=tKELgb_hz#W|J+|-~K>E>zrw%PL%!*
z*ET}DG`Xv8W;~RAgz-oO<7qiwx&|i3?<s<5r{^U|vu-ZRAhT
z&lGFx)#Jr#IVo1VU8}MR%aoWiZm&)9*12J?YTrF*0G-^DcLU~bhl
zEotL^oa=XjqtCugOthdcF#9f?Vn*r;V=kEF)rSj(y~1bot@@$49Dmp=7CM*GsQe^!
z@RarEbJ}67Z*PN*P=_vUX7dW7^uQRX<68a7+`n`1(tiZ4wn+iSASi;5O*^c^Wh&o^
zcS}*T*j+*Ih2+T}r6=t0Zua<)oA?v_U|6h1S}X`S(8(zeX9ceW;~l#QlAT}`^Z0}Q
zTQd$K{0x+-&M8RXX|*`qPLJ&aYtZ8kjW(4!VH+|HJ1S$~Pyfi00b!$dhLoLYzsiSe
zCIQdwv>Q8e1t>U37~_SDK_{Bd%=dFRL27YF#sud~z_?1G)_pZUce;ZkB{av-L(caGN&Cub
zI-Ui(EUgbzU|yCi#-fP{&D}7?jd!*vun77Cp{2$eJy;V44l0mco?S@dt(>LgtHA#bFl-1c_KBC`(^IU+G9X6M)a$jQvabC?7~
z=8N^8JeHi|Nw4g171IfHh&&D<++CFTj%(%DTM;(NINVsNErRaI=_aFjuUFDZX28D&
zjo>`WdUD?m(_;*zu9`gCu|i(IqB(vH`k&hP)(?y5d?dI%I5Sd)D4Tt^V!7OfPGLbVMFM6B^JE*FScSnPXJ}fQA
zXALYTl6H(2Kz--$ZRz{WI(8sSHN2JV{Ki6lv^P6|q%_UELWxE_s%-28hy&C*P3QjJ
zRnrJs%gr!F6+zU6SW+H6-CF24)9=v%$^pT&X4p#vgcDBz7K$AkgXn-Zs#q
zOGcpIjkmk13F@%6-Opz(vc!Ac?x)>#=_*EB{cDu7awCkzB8@k?ZE4K;KGq^P9da-&
zjFYn8(OfGQMk?ZUt&s_~Xc*@Qk0IfkEdRlJl^Wa%b)eE~QmcB_loL!(EsQlKk37+w
zVGW&|GGzZmqD3a~_xbZ%WqKI`AEt}l#V5vX1gc_0Bq_{Yh6TU6u5Ptr)AM0_M)8!x&s>{lJf0|aL~4s$-6>tY!?Mv}gg=1+9^N&pB5W^q
zw{1uI)XI%HzEwTM9X^)Tfr
zzb$Kvs~qj5EC`iTDmQPxaOrfz!aT90j5X+d9)HN1%nXasAjqG^TPeH!ffKJAwYb|HoZr5b8)i8cN
z6Z4hSMEId$6))|MZ|HkA_bxS-KzI#PC}A~X?Mv$lKWKe0ioQ8SOP&HSjMa0PPy
z0a@-mbKXiNHFjQ%-l}cK>PLr0c32#q$#(Lzb#>*(P}xAzGBZNLBy61yH#tKN*|Wxy
z?_Mlx*eOYI-7OO7tokODvZB81bk(@mQuu&0{jYE^yGTZ_vs;tJNz&_dQ?@!5Sm(`*
zdAKBp%O5LR(vSbxPRgOy<;fuot)Z|ena0jfG7pnY5;I8o?y#VcaTAnsJ;hqzfn`(P
zrU-YtXhIzJ!7?w{WN%~saRh8g7fJ`_Wb#pL6_iXQ#L@H>Mh^|Gb=XuA|LDL>MHw@~
zph8IvqO(J0SoN+?FkY|MM+)v&{$hsnO`<-@CUEUt*#nxbr*(ZLIVc+_Q5eZ>eGI=)
zYQXE5@lMrtHcZ~8HN3P{=e^D#5?Y(iA8CJYb)uY0=U+i&HBR*xvm*}=Oi0V?M4R8t
zSHUlW)UNfxK&8-jo-{e^7-ReuMyvmD6g(+Ht=v7KnCpGS*7H*=~)AC660@&xlv#nkd*+pdt*OpQs@R+|lYt
zJ%qvb$pa+%xLeIBD`vG5R_VZm*4*0Q;3p8qI{Kwlu#%Zjq-Q6l!_k|3E&|e;MBY{cAB8?p+tDSCayzf;c!pV{TGz?!F)AcxQ0up^P
z!88_@ttR3P9D99SewWx@Sg`p$Ms=xlG~uR>?*4YTNEB$zK$^M^x270CEta=
zE9{qCx9Lt7fqN6Ur2%ce-M;6rt2H#QgOfoo&^FiuY5%zTDutDjwpWDNoK6^k1MiIX
zX$DhN%d;r3`dHd1Af5LeVc_2YsZN_!{QDhmiT+N)<#IRj^_p#zIXyZ<#%f5_QPwOk$InGno6RFo*pL0=gxm6wi=~$39`410Q1b27I+l8?*c!OxmfLDUrzE
zf!InF%_o!>?1hPH-34VJ_v&YuvDHwA^+5xs&Z4H<^%`=#PMgH9zavS{WFytK?;A;l
zF2=~&>c%$_8d-b+Ty!sa)PW0y0&!aqK!UsKTAWaU>;Zz?u$ZbqfQi{KRaHgbb#4v>
z4C*b)VxP2sFa=T^lYYPL$0|e&DqUdAo$b2OOhT)j;r0$s{$kNor`1{wIJCg`Vvj$d
z&1wVk;D>!euBQ?S-wRj9>~2)$6xeAFD6b7YlD9VxRGhxD&(*SdE&)(nne7_|j`uGx
z+S7w1RgC=+&zXlg-0$zb+-k+vX}61P$nPx$T+Cl?HxLF`ZQ}TUA+=Exgs5|6I#7~Z
zzuDjgaycU^*eO6txpX%Bp@J@E*8)oz@eRm@V-9RtEX=9iEDt%dzv&4;+MHfQ)CPV$lp9T-UP=2uM*)u8wkwz~
zTu#r(9lPWBte3S;&4fCAD@>~)%4kZ}&v!cPhZF3-Xq8VJyHN1CTY9{%82$)?MxcCsGz@_VEP-~Ing>9w
zyQ~JDPb*-o)W#_`5-#@2bMSU`1%jWeZ0*S?jNDPvdj0*4qzd~=RK`CtLPiWX9oy`<
zgLlj01afxEvb{(hFW?u
zug41~_IyrUr8v@<155)(VDG~6Z$KQrP;}87?9A0|G8zd4qGtOK{0pVqkusi_B;p21
z)>e)AYGwnY&$j9=mnVY8pj!S03Yhr?SBpIkG0dvzAs4XtJ#2@~RJe;6#<>u7udicc^Pywu@haIE46
zNnvmkGG&44iByW!S_$#QKvpdclh{JT-X;`8+AG@RX16EudcEPo-y8lt(v%c*kQ^?1
zJgGo@JLaSeps+fXlf%QFNk73>o|*4Ywk!vGdt5ArtT_9NhC#zQH<+MRGSFvb^mCZa
z1@1M2uy0ze8IBFdpJqY(3!ti$q;fRRF!%uZk#&Iym2uFNNNWgfkh^9!5R78uss>RF
zXCf~9z2J5}{Klkw|L>zpP9S!dNW(!G1m^r-vo`=}Ss}uXm6{
zn7)~sX=RN!0^JSjqiNh{5!^*6ZARALp~ka$y(l}s2!yS@F{L)sUb0u5+%_zBc|1`7
ziFOl%N2N~egR^9FZvIaxt{s~6SG&PHE$PmFGCS+}s_lSv|R_p4!<*x55`y6PvBm9Ap$j(?;rT5)ioML8GTfmVW=bz2E=kj4T)SbMYoKe#ykcHFU9ChBk6
zbB3IS;9G*c{Z262PDK-gVcFNhpPo3?swm+utYhS;J
z$ipwf%RgY2GH9mo<_6Yblur+@N?Wtot(h|B^<%%kkdBAr#k9IiP{-%AV)O!$zP8C<
z{|3;&6+%@>(E8%Veb}mG3#y==R)%
z3M$h`6s~=<&mJ59`QXKVD8}wUVF+|uKJ>z}GUoJX>?^%iztxX|J?FvAaCplmk2{;w
zbBkQ0B*n$symxAA&Ay_dsDN$eiZl1O-k->y8bAOxt5FoxP9&o)m+LEcZmBul%U9xK
z2-xTG6M7z>|G2WRj|Wp9#(OPCLgt
zsjML+nkK{0{x_eBrcO}IGTIIXUuX=F#V6l_xuCLNxU)fDMMu~eMulc8+3yTYxRurN
zPB0g>+xs7@WCDShX#=Oadk4*mP$Hxp*2qb%sI!cqg+gK2OeRPEd~y*lrIh#fOi`n;
z<6aA@t)`=?Wi2TV?db3ryVK>P0bUPEx=4^@J&5tL)x{rDhs`LV8>wE*8!*YQ9Y@pPIX&@X#!_CUhyK9Ksag
zrgI*&%n%LFY11uaJ42=Lz`W9AJUVb%e&Q5I!wOdYNMM>(8`>gwk6&utl(^f#tEyr@!
zHa(B<5XpFA(ny(4n6S|E?gc$(yxI~yC1KmD`Z-h4VbYC-3yn8BUpQ8ZSc_Jo*l>KJ
zMZ|bb4(?l_g8qnr!Q*X_FsCKtxvP9vCDh5-Dyyi6h70!
zZ1$K^pHuU+qHXJvbvI7>hL!Q0G}%4~hP=tz?f=ADv7{)f(=yDn+*3I(H5;u?pc$G|
ztJC5Ig81#!peSrX&6?+^r2*OpC0;
zkLSOPS-j?OaQ>j`8L0dW`JvUeo!TGd1czQUJMX6?^=+Ue9Ygb1Cr)M$gl4VFZ;t_G
zRN&O_^JCBHxyscDxLl`m!|VOEEEXS7X)61Q#9Q)&1DmhrtK@2TL!X4YtZqlVeGE^|
zyIOFL4pctB?xSy}el>Y*(OrM$g@qE^X7Q{CEEovq2fjX+H0mC%I1$wrixa&1NRwdi7}(~a7FCBfB;
zUd1%tf+&;4&xdMWOm=!IB>W2s-1))|uRNMptP#ezbq&
zunw1AIty~-yF>6s?HbG!ojYHmriP1MV~$n4fca(LFj?Gp?+?@avh1qKwP(h+%WwRw
zL6O&!Hu=%3nX7Qt-?HfuGU9T&3(p+hd;K)nhBFm#yZUdc9Nd+g+ah01nyE+ojJh^Q^V
z*_avEI~$onzoMQJ86|^Z0$IW}x47AeCfTnua)z@glZR+mpnhMu!^88UKVIweG@aYc
z4;Rk6v#yZP3u~4imGuC(ebX5R3}9pnv>c1&J_S%t5@DlZUz}3P+52Om$^1r@AxA9fcS}kU1-bxV=lDySSuUh^
z&L;*r)tgkL;NDg+M@f{)Mh2r6w<{%FODqf(U2^I#kd;b>2_V8TDHjk;5`6kH8wmmS
zLs`*)Y{-RxzX|iCQelWN0b{i}*0r_CVM`Tn29(?Ps)ts{U6GddVy;^y%}iiuxB0u-
z=?tpO%)6v9~>Ka*o5T)}LS)G1=cu`moW1iAr7j|z)Vd-*)kFigJ)1%bYppX=fg=0co$t_mfvJ(h;4aF4ZXU2<7Bo51&R_SE4GSv`kD9y4D
z{@rNRMb_)7qyDlw#3`!kn|)8Zq@}j^SQjJ_C@+n~dM%5Ag7V3cRzkkI%A3t(wl~Z7
zp~g*xerqvrnLSpeyI`YW$Pd4Rm<4@b(Rl|jwq|LkA}yBYsW98X?5{iQMwQJGV8Ae=
zWNEBvHY=(&`&@C@?R%qy8weOnjmZDi2n0KY3aUDNn{T8~+e1aKJUK15C4i7nkx+Is
zxsZ*!+kox;btk2f