From 0031fb023b1ad22cb6927e851420734ca30e727f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 19 Jun 2018 15:38:23 -0700 Subject: [PATCH 01/34] added new SMB v2 policy --- ...nt-digitally-sign-communications-always.md | 52 ++++---- ...nt-digitally-sign-communications-always.md | 113 ++++++++++++++++++ 2 files changed, 134 insertions(+), 31 deletions(-) create mode 100644 windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 0dccc80a87..257be8d173 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -1,5 +1,5 @@ --- -title: Microsoft network client Digitally sign communications (always) (Windows 10) +title: SMB v1 Microsoft network client Digitally sign communications (always) (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.prod: w10 
@@ -10,47 +10,43 @@ author: brianlic-msft ms.date: 04/19/2017 --- -# Microsoft network client: Digitally sign communications (always) +# SMB v1 Microsoft network client: Digitally sign communications (always) **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMB v3 and SMB v2. ## Reference The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +With SMB v2 clients and servers, signing can be either required or not required. 
If this policy setting is enabled, SMBv2 clients will digitally sign all packets. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. +Performance is improved with SMB v2 signing compared with SMB v1. If you are using SMB2 plus signing with a 1GbE network and a modern CPU, there is limited degradation in performance. If you are using a faster network (like 10GbE), the performance impact of signing will be greater. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. - -There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: +There is another policy setting that relates to packet-signing requirements for SMB v3 and SMB v2 communications: - [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. +Here’s a summary of the effective behavior for SMB v3 and v2: + +| | Server – Required | Server – Not Required | +| Client – Required | Signed | Signed | +| Client – Not Required | Signed * | Not Signed** | +* Default for domain controller SMB traffic +** Default for all other SMB traffic ### Possible values - Enabled - Disabled -- Not defined ### Best practices -1. Configure the following security policy settings as follows: - - - Disable **Microsoft network client: Digitally sign communications (always)**. 
- - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). - -2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. +Enable **Microsoft network client: Digitally sign communications (always)**. ### Location @@ -62,8 +58,8 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| +| Default Domain Policy| Disabled| +| Default Domain Controller Policy | Disabled| | Stand-Alone Server Default Settings | Disabled| | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| 
@@ -91,20 +87,14 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Configure the settings as follows: -- Disable **Microsoft network client: Digitally sign communications (always)**. -- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). -- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +- Enable **Microsoft network client: Digitally sign communications (always)**. -In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. - ->**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +>[!NOTE]   +>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. 
SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md new file mode 100644 index 0000000000..77b50470ff --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md 
@@ -0,0 +1,113 @@ +--- +title: SMB v1 Microsoft network client Digitally sign communications (always) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. +ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +ms.date: 04/19/2017 +--- + +# SMB v1 Microsoft network client: Digitally sign communications (always) + +**Applies to** +- Windows 10 + +This topic is about the Server Message Block (SMB) v1 protocol. SMNB v1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, SMB v1 is not installed by default. + +The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMB v1. The same policy setting can be applied to computers that run SMB v2. Fore more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + +## Reference + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." 
But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: +- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +### Possible values + +- Enabled +- Disabled +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable **Microsoft network client: Digitally sign communications (always)**. + - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). 
+ - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| +  +## Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. 
Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable **Microsoft network client: Digitally sign communications (always)**. +- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +  +### Potential impact + +Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. 
SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + +## Related topics + +- [Security Options](security-options.md) From 43be5f90177d0aedc2b16e07ce7baf98a9b61a33 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Tue, 19 Jun 2018 16:42:52 -0700 Subject: [PATCH 02/34] added smbv2 topics --- windows/security/threat-protection/TOC.md | 6 +- ...nt-digitally-sign-communications-always.md | 24 ++-- ...er-digitally-sign-communications-always.md | 58 ++++----- ...nt-digitally-sign-communications-always.md | 12 +- ...y-sign-communications-if-server-agrees.md} | 12 +- ...er-digitally-sign-communications-always.md | 116 ++++++++++++++++++ ...y-sign-communications-if-client-agrees.md} | 12 +- 7 files changed, 172 insertions(+), 68 deletions(-) rename windows/security/threat-protection/security-policy-settings/{microsoft-network-client-digitally-sign-communications-if-server-agrees.md => smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md} (85%) create mode 100644 windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md rename windows/security/threat-protection/security-policy-settings/{microsoft-network-server-digitally-sign-communications-if-client-agrees.md => smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md} (85%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a5d9a290c7..199c2b4b21 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -761,12 +761,14 @@ ##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md) ##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md) ##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md) -##### [Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md) +##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) ##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) ##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) ##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) ##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md) -##### [Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +##### [SMBv1 Microsoft network server: Digitally sign communications 
(always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md) +##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) ##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) ##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md) ##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 257be8d173..62b3f5875e 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md 
@@ -1,21 +1,21 @@ --- -title: SMB v1 Microsoft network client Digitally sign communications (always) (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. +title: Microsoft network client Digitally sign communications (always) (Windows 10) +description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/19/2018 --- -# SMB v1 Microsoft network client: Digitally sign communications (always) +# Microsoft network client: Digitally sign communications (always) **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMB v3 and SMB v2. +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. ## Reference 
@@ -23,15 +23,13 @@ The Server Message Block (SMB) protocol provides the basis for file and print sh Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -With SMB v2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. +Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. -Performance is improved with SMB v2 signing compared with SMB v1. If you are using SMB2 plus signing with a 1GbE network and a modern CPU, there is limited degradation in performance. If you are using a faster network (like 10GbE), the performance impact of signing will be greater. +Performance of SMB signing is improved in SMBv2. If you are using a 1 Gb Ethernet network and a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing will be greater. -There is another policy setting that relates to packet-signing requirements for SMB v3 and SMB v2 communications: -- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) +Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
-Here’s a summary of the effective behavior for SMB v3 and v2: +There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2: | | Server – Required | Server – Not Required | | Client – Required | Signed | Signed | @@ -79,13 +77,13 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. ### Countermeasure -Configure the settings as follows: +Configure this setting as follows: - Enable **Microsoft network client: Digitally sign communications (always)**. 
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index 0cb1a1d201..e6edf596be 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -1,13 +1,13 @@ --- title: Microsoft network server Digitally sign communications (always) (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. +description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/19/2016 --- # Microsoft network server: Digitally sign communications (always) 
@@ -15,45 +15,36 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting. +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. ## Reference The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. -Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. 
By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +Performance of SMB signing is improved in SMBv2. If you are using a 1 Gb Ethernet network and a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing will be greater. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. +Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
The following table has the effective behavior for SMBv3 and SMBv2: -There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - -- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +| | Server – Required | Server – Not Required | +| Client – Required | Signed | Signed | +| Client – Not Required | Signed * | Not Signed** | +* Default for domain controller SMB traffic +** Default for all other SMB traffic ### Possible values - Enabled - Disabled -- Not defined ### Best practices -1. Configure the following security policy settings as follows: - - - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - - Disable **Microsoft network server: Digitally sign communications (always)**. - - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). - -2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. +Enable **Microsoft network server: Digitally sign communications (always)**. ### Location 
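Review bot: The replacement paragraph in the `## Reference` hunk of microsoft-network-server-digitally-sign-communications-always.md describes the wrong side of the connection. This is the server policy page, yet the added sentence reads `If this policy setting is enabled, SMBv2 clients will digitally sign all packets.`; it should say that the SMB server requires signing on every session, and the cross-reference sentence that follows should say `client communications`, not `server communications`, since it links to the client page. The new effective-behavior table also lacks the `| - | - | - |` separator row that the other tables in this file use, so it will not render as a table, and the footnote lines beginning with `*` and `**` will be parsed as a bullet item and as unclosed bold; escape them as `\*` or write them as a sentence under the table. Finally, `Not defined` is dropped from `### Possible values` although it remains the state of any Group Policy setting that a GPO does not configure.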
@@ -65,11 +56,11 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| +| Default Domain Policy| Disabled| | Default Domain Controller Policy | Enabled| -| Stand-Alone Server Default Settings | Not defined| +| Stand-Alone Server Default Settings | Disabled| | DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Not defined| +| Member Server Effective Default Settings| Disabled| | Client Computer Effective Default Settings | Disabled|   ## Policy management 
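Review bot: The `### Default values` hunk changes the Default Domain Policy, Stand-Alone Server and Member Server rows from `Not defined` to `Disabled` with no rationale in the commit message. The Default Domain Policy GPO does not configure this setting, so `Not defined` is the accurate GPO value; `Disabled` is the effective behavior on member servers and clients, which the table already expresses in its `Effective Default Settings` rows. Unless the intent is to document effective behavior only, keep `Not defined` for the GPO rows, and keep it listed under `### Possible values`, so the two sections agree.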
@@ -92,22 +83,15 @@ SMB is the resource-sharing protocol that is supported by many Windows operating ### Countermeasure -Configure the settings as follows: +Configure this setting as follows: -- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -- Disable **Microsoft network server: Digitally sign communications (always)**. -- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). -- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +- Enable **Microsoft network server: Digitally sign communications (always)**. -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. - ->**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +>[!NOTE]   +>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. 
SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. - -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 77b50470ff..a8d2c9ece7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md 
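Review bot: The `### Countermeasure` / `### Potential impact` hunk of microsoft-network-server-digitally-sign-communications-always.md leaves `### Potential impact` with no body: both paragraphs under it are removed and the next line is `## Related topics`. Either drop the heading or keep a short impact statement, for example that a server requiring signing rejects sessions from clients that cannot sign, and that signing costs server CPU, which the rewritten Reference section now quantifies for 1 Gb versus 10 Gb networks. Also, `>[!NOTE]` is followed by trailing non-breaking spaces; use the DocFX form `> [!NOTE]` with the text on the following `> ` line.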
@@ -1,23 +1,23 @@ --- -title: SMB v1 Microsoft network client Digitally sign communications (always) (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. +title: SMBv1 Microsoft network client Digitally sign communications (always) (Windows 10) +description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/19/2018 --- -# SMB v1 Microsoft network client: Digitally sign communications (always) +# SMBv1 Microsoft network client: Digitally sign communications (always) **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMNB v1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, SMB v1 is not installed by default. +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). -The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMB v1. The same policy setting can be applied to computers that run SMB v2. 
Fore more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). +The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). ## Reference diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md similarity index 85% rename from windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md rename to windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index e796441281..9f63ec7ead 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
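Review bot: In the smbv1-microsoft-network-client-digitally-sign-communications-always.md hunk, the new description says `For SMBv1 only` while the body states that the same policy setting can be applied to computers that run SMBv2; since it is one setting whose behavior depends on the dialect, phrase it as describing the SMBv1 behavior of the setting and defer to the SMBv2 page for the rest. The `**Applies to** - Windows 10` block is also kept unchanged although the page itself says SMBv1 is not installed by default from version 1709; state that the page applies only where the SMBv1 feature has been installed.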
@@ -1,6 +1,6 @@ --- -title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. +title: SMBv1 Microsoft network client Digitally sign communications (if server agrees) (Windows 10) +description: For SMBv1 only, describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd ms.prod: w10 ms.mktglfcycl: deploy 
@@ -8,14 +8,16 @@ ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/19/2018 --- -# Microsoft network client: Digitally sign communications (if server agrees) +# SMBv1 Microsoft network client: Digitally sign communications (if server agrees) **Applies to** - Windows 10 -Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). + +The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). ## Reference diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md new file mode 100644 index 0000000000..7cca91e960 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md 
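Review bot: The added paragraph in the renamed smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md links `For more information` to `microsoft-network-client-digitally-sign-communications-if-server-agrees.md`, which the `rename from` line above shows is the old path of this same file, so the link is broken as soon as the rename lands. There is also no SMBv2 counterpart to point to: the SMBv2/SMBv3 pages in this patch describe signing as only required or not required, so the `if server agrees` negotiation has no SMBv2 equivalent. Link instead to `microsoft-network-client-digitally-sign-communications-always.md` and say explicitly that on SMBv2 only the `(always)` setting applies.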
@@ -0,0 +1,116 @@ +--- +title: SMB v1 Microsoft network server Digitally sign communications (always) (Windows 10) +description: For SMB v1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. +ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +ms.date: 06/19/201 +--- + +# SMB v1 Microsoft network server: Digitally sign communications (always) + +**Applies to** +- Windows 10 + +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). + +The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. Fore more information, see [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + +## Reference + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. 
+ +Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. 
+ +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + +- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +### Possible values + +- Enabled +- Disabled +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + - Disable **Microsoft network server: Digitally sign communications (always)**. + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not defined| +| Client Computer Effective Default Settings | Disabled| +  +## Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). +- Disable **Microsoft network server: Digitally sign communications (always)**. 
+- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +  +### Potential impact + +Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + +## Related topics + +- [Security Options](security-options.md) 
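Review bot: In the new smbv1-microsoft-network-server-digitally-sign-communications-always.md, `ms.date: 06/19/201` is missing the last digit of the year; the other files in this patch use `06/19/2018`. The title, H1 and the `[SMB v1 is not installed by default]` link text use `SMB v1` while the sibling pages changed in the same patch were moved to `SMBv1`, and `Fore more information` repeats the typo that the client page fixes. The links to `microsoft-network-client-digitally-sign-communications-if-server-agrees.md` and `microsoft-network-server-digitally-sign-communications-if-client-agrees.md` in the Reference, Best practices and Countermeasure sections target paths that this same patch renames to `smbv1-...`, so they are dead on arrival; this hunk should carry the renamed paths itself rather than rely on a later links fix. Lastly, `It is the basis of NetBIOS and many other protocols.` inverts the layering: SMB is carried over NetBIOS (or directly over TCP 445); it is not the basis of NetBIOS.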
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md similarity index 85% rename from windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md rename to windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 2eafb89626..3e76b64678 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
@@ -1,21 +1,23 @@ --- -title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. +title: SMBv1 Microsoft network server Digitally sign communications (if client agrees) (Windows 10) +description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/19/2018 --- -# Microsoft network server: Digitally sign communications (if client agrees) +# SMBv1 Microsoft network server: Digitally sign communications (if client agrees) **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). + +The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. 
For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). ## Reference From 5a863756fa75333a7aa8ec10277ce62aacf7f46f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 20 Jun 2018 09:46:31 -0700 Subject: [PATCH 03/34] fixed links --- .../security-options.md | 8 ++++---- ...nt-digitally-sign-communications-always.md | 18 ++++++++--------- ...ly-sign-communications-if-server-agrees.md | 18 ++++++++--------- ...er-digitally-sign-communications-always.md | 20 +++++++++---------- ...ly-sign-communications-if-client-agrees.md | 18 ++++++++--------- 5 files changed, 41 insertions(+), 41 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 502b856b25..c33e590f5c 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md 
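Review bot: The smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md hunk of PATCH 01/34 has the same self-referencing link as the client `if server agrees` page: `For more information` points at `microsoft-network-server-digitally-sign-communications-if-client-agrees.md`, the pre-rename path of this very file. As there is no SMBv2 `if client agrees` setting (the SMBv2 server page in this patch only distinguishes required and not required), link to `microsoft-network-server-digitally-sign-communications-always.md` instead and say that the `if client agrees` behavior is SMBv1-only.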
@@ -66,13 +66,13 @@ For info about setting security policies, see [Configure security policy setting | [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. | | [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| | [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| -| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | -| [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. 
| +| [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | +| [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. | | [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. 
| -| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| -| [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | +| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| +| [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. 
| | [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. | | [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index a8d2c9ece7..c8cb5783ba 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md 
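Review bot: The security-options.md hunk repoints all four `Digitally sign communications` rows to the `smbv1-*` pages but leaves the link text and descriptions unchanged, so the index no longer shows that these rows are the SMBv1 variants, and the SMBv2/SMBv3 pages `microsoft-network-client-digitally-sign-communications-always.md` and `microsoft-network-server-digitally-sign-communications-always.md`, which PATCH 01/34 keeps and rewrites, are no longer reachable from the index at all. Add `SMBv1` to the link text of the repointed rows and add rows for the two SMBv2 pages.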
@@ -33,9 +33,9 @@ If server-side SMB signing is enabled, SMB packet signing will be negotiated wit Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: -- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) ### Possible values 
@@ -48,9 +48,9 @@ There are three other policy settings that relate to packet-signing requirements 1. Configure the following security policy settings as follows: - Disable **Microsoft network client: Digitally sign communications (always)**. - - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
@@ -94,9 +94,9 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Configure the settings as follows: - Disable **Microsoft network client: Digitally sign communications (always)**. -- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). -- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 9f63ec7ead..191104c296 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -33,9 +33,9 @@ Using SMB packet signing can impose up to a 15 percent performance degradation o There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: -- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) -- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) +- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) ### Possible values 
@@ -47,10 +47,10 @@ There are three other policy settings that relate to packet-signing requirements 1. Configure the following security policy settings as follows: - - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). + - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**. - - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
@@ -94,10 +94,10 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Configure the settings as follows: -- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). +- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft network client: Digitally sign communications (if server agrees)**. -- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 7cca91e960..cff5d35423 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md 
@@ -26,7 +26,7 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 
If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. @@ -36,9 +36,9 @@ Using SMB packet signing can impose up to a 15 percent performance degradation o There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: -- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) ### Possible values 
@@ -50,10 +50,10 @@ There are three other policy settings that relate to packet-signing requirements 1. Configure the following security policy settings as follows: - - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. - - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
@@ -96,10 +96,10 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Configure the settings as follows: -- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). +- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). - Disable **Microsoft network server: Digitally sign communications (always)**. -- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). -- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 3e76b64678..a07b4d029e 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -34,9 +34,9 @@ Using SMB packet signing can impose up to a 15 percent performance degradation o There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: -- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) -- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) +- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) +- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) ### Possible values 
@@ -48,9 +48,9 @@ There are three other policy settings that relate to packet-signing requirements 1. Configure the following security policy settings as follows: - - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). - - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). - - Enable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). + - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). + - Enable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). - Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**. 2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
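Review bot: In the `@@ -48,9 +48,9 @@` hunk of smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md, the numbered list both disables and enables the same setting: the second item is `Disable [Microsoft network server: Digitally sign communications (always)]` and the third is `Enable [Microsoft network server: Digitally sign communications (always)]`. The patch only retargets the links, so it carries a pre-existing contradiction forward. The Countermeasure list later in the same file (the `@@ -94,9 +94,9 @@` hunk) has `Enable [Microsoft network client: Digitally sign communications (if server agrees)]` in that position, so the third item here should presumably become that link too, pointed at smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md.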
@@ -94,9 +94,9 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Configure the settings as follows: -- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md). +- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md). +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable **Microsoft network server: Digitally sign communications (if client agrees)**. In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. From 542c891ed119fa048051c2f6cf8875f267e91f3e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 20 Jun 2018 13:13:42 -0700 Subject: [PATCH 04/34] fixed links --- ...ork-client-digitally-sign-communications-if-server-agrees.md | 2 +- ...ork-server-digitally-sign-communications-if-client-agrees.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 191104c296..707cdf82c8 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -17,7 +17,7 @@ ms.date: 06/19/2018 This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). -The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). +The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md). ## Reference 
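Review bot: In this "fixed links" hunk the link text and its target no longer agree: the sentence still reads `see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md)`, so the reader is told they are going to an "(if server agrees)" topic but lands on the SMBv2 "(always)" topic. If the SMBv2 "(if server agrees)" page has been folded into the "(always)" page (the new SMBv2 text in this series says signing is simply required or not required), change the link text to "Microsoft network client: Digitally sign communications (always)" and reword "The same policy setting can be applied to computers that run SMBv2" so it does not imply an SMBv2 "(if server agrees)" setting exists.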
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index a07b4d029e..637fa2d2a5 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -17,7 +17,7 @@ ms.date: 06/19/2018 This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). -The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md). ## Reference 
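Review bot: Same mismatch as in the client file: `see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md)` keeps the "(if client agrees)" label on a link that now points at the "(always)" page. Update the link text to "Microsoft network server: Digitally sign communications (always)" and adjust the preceding sentence so it does not suggest an SMBv2 "(if client agrees)" setting is available.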
From db506fb96c0d5b2cdec73ae9ad1661910d90ed85 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 10:06:38 -0700 Subject: [PATCH 05/34] added feedback from Ned --- ...client-digitally-sign-communications-always.md | 15 ++++++++------- ...server-digitally-sign-communications-always.md | 13 +++++++------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 62b3f5875e..94a9e4f4c7 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md 
@@ -21,22 +21,25 @@ Describes the best practices, location, values, policy management and security c The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause failure to access data. Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. -Performance of SMB signing is improved in SMBv2. If you are using a 1 Gb Ethernet network and a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing will be greater. +Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
The following table has the effective behavior for SMBv3 and SMBv2: | | Server – Required | Server – Not Required | +|---|-------------------|-----------------------| | Client – Required | Signed | Signed | | Client – Not Required | Signed * | Not Signed** | + * Default for domain controller SMB traffic ** Default for all other SMB traffic + ### Possible values - Enabled 
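Review bot: In the `@@ -21,22 +21,25 @@` hunk of microsoft-network-client-digitally-sign-communications-always.md, the added separator row fixes the table, but the footnote lines `* Default for domain controller SMB traffic` and `** Default for all other SMB traffic` start with `*` at column 0, which Markdown renders as a list bullet (and `**` opens bold). Either escape them (`\*`) or use a marker that is not Markdown syntax, and keep the same marker in the cells (`Signed *`, `Not Signed**`, the latter missing a space) and in the notes.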
@@ -79,20 +82,18 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. ### Countermeasure -Configure this setting as follows: - -- Enable **Microsoft network client: Digitally sign communications (always)**. +Enable **Microsoft network client: Digitally sign communications (always)**. >[!NOTE]   >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact - +Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. 
If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index e6edf596be..b2c7639a38 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md 
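Review bot: In the `@@ -79,20 +82,18 @@` hunk of the client page, the new Potential impact sentence `which causes more CPU usage of signing` is awkward; suggest "which in turn raises the CPU cost of signing". Also, this hunk keeps `SMB signatures authenticate users and the servers that host the data.` while the corresponding hunk on the server page in this same commit deletes it; the two pages should agree on whether that sentence stays.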
@@ -21,19 +21,21 @@ Describes the best practices, location, values, policy management and security c The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause failure to access data. Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. -Performance of SMB signing is improved in SMBv2. If you are using a 1 Gb Ethernet network and a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing will be greater. +Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
The following table has the effective behavior for SMBv3 and SMBv2: | | Server – Required | Server – Not Required | +|---|-------------------|-----------------------| | Client – Required | Signed | Signed | | Client – Not Required | Signed * | Not Signed** | + * Default for domain controller SMB traffic ** Default for all other SMB traffic 
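Review bot: The `@@ -21,19 +21,21 @@` hunk in microsoft-network-server-digitally-sign-communications-always.md reads as copied from the client page: `If this policy setting is enabled, SMBv2 clients will digitally sign all packets.` should describe the server side on a server-setting page (for example "SMBv2 servers will require signing of all packets"), and `Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)]` should say "client communications", since the linked setting is the client one.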
@@ -79,19 +81,18 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission does not take place. ### Countermeasure -Configure this setting as follows: - -- Enable **Microsoft network server: Digitally sign communications (always)**. +Enable **Microsoft network server: Digitally sign communications (always)**. >[!NOTE]   >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.   ### Potential impact +Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. 
If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. ## Related topics From f3a84dbd8cc24b8495cff8df7a1ef57fe2430631 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 10:39:30 -0700 Subject: [PATCH 06/34] added feedback from Ned --- ...oft-network-client-digitally-sign-communications-always.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 94a9e4f4c7..8de0bc6f6d 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -35,8 +35,8 @@ There is a negotiation done between the SMB client and the SMB server to decide |---|-------------------|-----------------------| | Client – Required | Signed | Signed | | Client – Not Required | Signed * | Not Signed** | - -* Default for domain controller SMB traffic +
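Review bot: In hunk @@ -79,19 +81,18, the rewritten SMB paragraph drops the sentence that said what signatures authenticate ('SMB signatures authenticate users and the servers that host the data'), so the kept sentence 'If either side fails the authentication process, data transmission does not take place' now has no antecedent; either keep a sentence stating what signing authenticates or remove the dangling one. In the same hunk, the added Potential impact line 'A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing' would read better as 'which increases the CPU cost of signing'.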
+* Default for domain controller SMB traffic
** Default for all other SMB traffic From 3af5baae1df77a086538ae10264f7f72bcc17552 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 10:44:00 -0700 Subject: [PATCH 07/34] fixing table --- ...t-network-client-digitally-sign-communications-always.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 8de0bc6f6d..f1e9f17d86 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -34,10 +34,10 @@ There is a negotiation done between the SMB client and the SMB server to decide | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| | Client – Required | Signed | Signed | -| Client – Not Required | Signed * | Not Signed** | +| Client – Not Required | Signed 1 | Not Signed2 |
-* Default for domain controller SMB traffic
-** Default for all other SMB traffic +1 Default for domain controller SMB traffic
+2 Default for all other SMB traffic ### Possible values From e5c321261c7980ac7f099862f596dd27f15c982a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 11:10:11 -0700 Subject: [PATCH 08/34] fixed table --- ...network-server-digitally-sign-communications-always.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index b2c7639a38..d45548a3d2 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -34,10 +34,10 @@ There is a negotiation done between the SMB client and the SMB server to decide | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| | Client – Required | Signed | Signed | -| Client – Not Required | Signed * | Not Signed** | - -* Default for domain controller SMB traffic -** Default for all other SMB traffic +| Client – Not Required | Signed 1 | Not Signed2 | +
+1 Default for domain controller SMB traffic
+2 Default for all other SMB traffic ### Possible values From 5ea24a2e044c1eadf8b1d156846c36112f7605b5 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 11:23:26 -0700 Subject: [PATCH 09/34] fixed table --- ...osoft-network-client-digitally-sign-communications-always.md | 2 +- ...osoft-network-server-digitally-sign-communications-always.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index f1e9f17d86..e81a6f0afa 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -29,7 +29,7 @@ Performance of SMB signing is improved in SMBv2. For more details, see [Potentia Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2: +There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| 
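Review bot: In the @@ -34,10 +34,10 hunks of PATCH 07/34 and PATCH 08/34, `Not Signed2` has no space before its marker while `Signed 1` does, and the footnotes `+1 Default for domain controller SMB traffic` and `+2 Default for all other SMB traffic` are consecutive lines with no blank line or trailing break between them, so Markdown joins them into a single paragraph. Suggest `Signed <sup>1</sup>` and `Not Signed <sup>2</sup>` in the cells and a `<br>` or blank line between the two footnotes, applied identically to the client and server pages.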
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index d45548a3d2..f7639192e5 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -29,7 +29,7 @@ Performance of SMB signing is improved in SMBv2. For more details, see [Potentia Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2: +There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| From 6128b80826243071cc1cdbb45b2027c7d0090e3e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 13:32:22 -0700 Subject: [PATCH 10/34] revised intro --- ...k-client-digitally-sign-communications-always.md | 12 +++++------- ...k-server-digitally-sign-communications-always.md | 13 ++++++------- 2 files changed, 11 insertions(+), 14 deletions(-) 
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index e81a6f0afa..32fdb5eb85 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -7,13 +7,14 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 06/21/2018 --- # Microsoft network client: Digitally sign communications (always) **Applies to** - Windows 10 +- Windows Server Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. 
@@ -21,13 +22,9 @@ Describes the best practices, location, values, policy management and security c The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause failure to access data. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure. -Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. - -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). - -Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
The following table has the effective behavior for SMBv3 and SMBv2. @@ -39,6 +36,7 @@ There is a negotiation done between the SMB client and the SMB server to decide 1 Default for domain controller SMB traffic
2 Default for all other SMB traffic +Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). ### Possible values diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index f7639192e5..fe1f6c5200 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -7,13 +7,14 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/19/2016 +ms.date: 06/21/2018 --- # Microsoft network server: Digitally sign communications (always) **Applies to** - Windows 10 +- Windows Server Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. 
@@ -21,13 +22,9 @@ Describes the best practices, location, values, policy management and security c The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause failure to access data. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings can cause data access failure. -Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. - -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). - -Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). +Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. 
The following table has the effective behavior for SMBv3 and SMBv2. @@ -39,6 +36,8 @@ There is a negotiation done between the SMB client and the SMB server to decide 1 Default for domain controller SMB traffic
2 Default for all other SMB traffic +Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). + ### Possible values - Enabled From 26e15628b496d32775e82ff392968042fd3f5b5e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Jun 2018 13:56:42 -0700 Subject: [PATCH 11/34] revised intro --- ...oft-network-client-digitally-sign-communications-always.md | 4 ++-- ...oft-network-server-digitally-sign-communications-always.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 32fdb5eb85..8792852d43 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -30,8 +30,8 @@ There is a negotiation done between the SMB client and the SMB server to decide | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| -| Client – Required | Signed | Signed | -| Client – Not Required | Signed 1 | Not Signed2 | +| **Client – Required** | Signed | Signed | +| **Client – Not Required** | Signed 1 | Not Signed2 |
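Review bot: In the server page's hunk @@ -21,13 +22,9 (microsoft-network-server-digitally-sign-communications-always.md), the merged paragraph keeps two client-page sentences, 'If this policy setting is enabled, SMBv2 clients will digitally sign all packets' and 'Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications', even though the link that follows is the client setting; on the server page these should say 'SMBv2 servers' and 'client communications'. The relocated 'Performance of SMB signing is improved in SMBv2' line is also added with different spacing in the two files (the client hunk @@ -39,6 +36,7 adds one line, the server hunk @@ -39,6 +36,8 adds the sentence plus a blank line); make both files match and ensure a blank line precedes the sentence so it is not rendered as part of the footnote line above it.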
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index fe1f6c5200..740aad436d 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -30,8 +30,8 @@ There is a negotiation done between the SMB client and the SMB server to decide | | Server – Required | Server – Not Required | |---|-------------------|-----------------------| -| Client – Required | Signed | Signed | -| Client – Not Required | Signed 1 | Not Signed2 | +| **Client – Required** | Signed | Signed | +| **Client – Not Required** | Signed 1 | Not Signed2 |
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic From e0c6d39e7f96548fab13dd7fac86f8e97c964334 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 10:37:34 -0700 Subject: [PATCH 12/34] added default info --- ...-platform-module-services-group-policy-settings.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index fe5000ea4f..142bab2ed6 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -52,7 +52,6 @@ This policy setting allows you to enforce or ignore the computer's local list of The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) - If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. 
@@ -65,9 +64,9 @@ This policy setting configures how much of the TPM owner authorization informati There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. -- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. +- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. 
This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -88,8 +87,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -A value of 5 means discard the **Full** TPM owner authorization for TPM 1.2 but keep it for TPM 2.0. -  +Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. +For TPM 2.0, a value of 5 means keep the lockout authorization. +For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. + If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not From 7e7674e48ce3e020a7e99fcf5993a53be6d94afc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 15:57:14 -0700 Subject: [PATCH 13/34] revised description for owner authorization --- ...m-module-services-group-policy-settings.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
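Review bot: In hunk @@ -65,9 +64,9, the added 'Owner authorization has a different meaning for TPM 2.0' tells the reader there is a difference without saying what it is; give the TPM 2.0 meaning (or a cross-reference) in the same bullet. The version in 'This is the default setting in Windows prior to version 1803' also needs confirming, since the same file's hunk @@ -88,8 +87,10 ties the new default to 1803 while PATCH 13/34 below changes both to 1703.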
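Review bot: In hunk @@ -88,8 +87,10, the new default value 5 is explained only in prose while the registry-value table immediately above still lists just `| 2 | Delegated |` and `| 4 | Full |`; add a row for 5 (or state how 5 relates to those values) so the table and the text agree. The three added lines ('Beginning with Windows 10 version 1803...', 'For TPM 2.0...', 'For TPM 1.2...') are consecutive single lines with no blank line between them, so Markdown renders them as one run-on paragraph; separate them or deliberately join them into one paragraph.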
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 142bab2ed6..7936b618c3 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 08/16/2017 +ms.date: 06/22/2018 --- # TPM Group Policy settings 
@@ -58,15 +58,22 @@ If you disable or do not configure this policy setting, Windows will block the T ## Configure the level of TPM owner authorization information available to the operating system -Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. +>[!IMPORTANT] +>Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. +This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. + +|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? 
| +|--------------|---------------|---------|-----------------|-----------------|------------------| +| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | +| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | +| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No | There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. - **None**   This setting provides compatibility with previous operating systems and applications. 
You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -87,13 +94,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. -For TPM 2.0, a value of 5 means keep the lockout authorization. -For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. ## Standard User Lockout Duration From 603ac930e2edabf805d8ce41a9ecf682ee26ff10 Mon Sep 17 00:00:00 2001 
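Review bot: In hunk @@ -58,15 +58,22, 'This policy setting configured which TPM authorization values are stored' should read 'configures'. The new table row `| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No |` says the full owner (lockout) authorization is not kept even at level 4, but the **Full** bullet directly below still says that setting 'stores the full TPM owner authorization ... in the local registry'; one of the two is wrong. The IMPORTANT note also leaves a gap: the setting is 'no longer used' from version 1607, yet the default changes 'Beginning with Windows 10 version 1703' and the Delegated bullet says 'default ... prior to version 1703' (PATCH 12/34 said 1803); settle on one version and say which value applies between 1607 and it. Finally, the 'Kept at level 0/2/4?' column headings should say that 0, 2 and 4 are the None/Delegated/Full registry values from the table further down.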
From: Mattias Fors <11193779+DeployWindowsCom@users.noreply.github.com> Date: Wed, 27 Jun 2018 20:39:14 +0200 Subject: [PATCH 14/34] update autopilot pdf url to https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf --- windows/deployment/windows-10-architecture-posters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-architecture-posters.md b/windows/deployment/windows-10-architecture-posters.md index c959b13af5..ec1efe188a 100644 --- a/windows/deployment/windows-10-architecture-posters.md +++ b/windows/deployment/windows-10-architecture-posters.md @@ -17,7 +17,7 @@ You can download the following posters for architectural information about deplo Learn about the options and steps for a new installation of Windows 10. - [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf) Learn about the steps to upgrade from a previous version of Windows. -- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutopilot.pdf) +- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf) Learn how you can set up and pre-configure Windows 10 devices. - [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf) Learn how to keep Windows up to date. From 84fbda6dbf54104aabdb5e7c81783c4ddaf7fdc9 Mon Sep 17 00:00:00 2001 
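Review bot: In hunk @@ -17,7 +17,7, the Autopilot link switches from `/raw/master/` to `/blob/master/` while the three sibling poster links in the same list keep `/raw/master/`, so the changed link will open GitHub's file viewer instead of serving the PDF. If the actual fix is the filename case (Deploy-WindowsAutopilot.pdf to Deploy-WindowsAutoPilot.pdf, which matters because GitHub paths are case-sensitive), keep `/raw/master/` with the corrected name so all four links behave the same.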
From: Skatterbrainz Date: Wed, 27 Jun 2018 15:39:36 -0400 Subject: [PATCH 15/34] vNext changed to Current Branch References to vNext and that it will be coming in the future have been replaced with Current Branch references. --- ...ndows-10-with-system-center-configuraton-manager.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index d2a54d8df5..dba4b1b866 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -107,13 +107,13 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ After the task sequence finishes, the computer will be fully upgraded to Windows 10. -## Upgrade to Windows 10 with the next version of System Center Configuration Manager +## Upgrade to Windows 10 with System Center Configuration Manager Current Branch -With the next release of System Center Configuration Manager (currently planned for Q4 of 2015), new built-in functionality will be provided to make it even easier to upgrade existing Windows 7, Windows 8, and Windows 8.1 PCs to Windows 10. +With System Center Configuration Manager Current Branch, new built-in functionality is provided to make it even easier to upgrade existing Windows 7, Windows 8, Windows 8.1 PCs and Windows 10 computers to the latest version of Windows 10. **Note**   -For more details about the next version of Configuration Manager, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. +For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.   @@ -139,7 +139,7 @@ To create an upgrade task sequence, perform the following steps: ![figure 3](../images/upgradecfg-fig3-upgrade.png) -Figure 3. The Configuration Manager vNext upgrade task sequence. +Figure 3. The Configuration Manager upgrade task sequence. ### Create a device collection 
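Review bot: In hunk @@ -107,13 +107,13, the Note's final sentence is left unchanged: 'The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.' That now contradicts the Current Branch wording added to the same paragraph; remove it or replace it with the Current Branch version the steps were validated against. The 'evaluation version is currently available' link in the same Note dates from the preview period and should be re-checked as well.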
@@ -190,7 +190,7 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Upda In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). 1. On PC0003, start the **Software Center**. -2. Select the **Windows vNext Upgrade** task sequence, and then click **Install.** +2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. From 2f30fcbe48b3c6704e12fad6ccd35a83d07ad2d9 Mon Sep 17 00:00:00 2001 From: William Teder Date: Wed, 27 Jun 2018 14:14:09 -0700 Subject: [PATCH 16/34] fix typo in install precedence listing --- .../provisioning-packages/provisioning-how-it-works.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index f2a10c563d..a94b851110 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -43,7 +43,7 @@ When multiple provisioning packages are available for device provisioning, the c 1. Microsoft -2. Silicon Vender +2. Silicon Vendor 3. OEM From ac9e4b7ad14379d5d474d59313a8e8084e5595d4 Mon Sep 17 00:00:00 2001 From: Arjun S Date: Thu, 28 Jun 2018 15:58:02 +0530 Subject: [PATCH 17/34] Update event-4624.md --- windows/security/threat-protection/auditing/event-4624.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 5fb9a858c9..bb4d0dfde8 100644 
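Review bot: the new task sequence name in step 2, "Windows 10 Enterprise x64 Upgrade", needs to be checked against the name the reader gave the task sequence earlier in the walkthrough. The hunk's own header context reads "you create a deployment for the Windows 10 Enterprise x64 Upda…", which looks like "Update" rather than "Upgrade", and the sentence just above the list still calls it "the Windows 10 Upgrade task sequence". Use one name throughout so the Software Center step matches what the reader actually sees on PC0003.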
--- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -214,7 +214,7 @@ This event generates when a logon session is created (on destination machine). I **Process Information:** -- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): Task manager illustration @@ -222,7 +222,7 @@ This event generates when a logon session is created (on destination machine). I You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. -- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. +- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. **Network Information:** From 12d85d3b3134b6842143485904932318fd66a2a6 Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Thu, 28 Jun 2018 06:10:31 -0700 Subject: [PATCH 18/34] Update upgrade-to-windows-10-with-system-center-configuraton-manager.md --- ...ade-to-windows-10-with-system-center-configuraton-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
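Review bot: dropping "Caller" from both field headings is consistent with the "Process Information:" block the hunks sit under, but the description "hexadecimal Process ID of the process that attempted the logon" is still ambiguous about which machine it refers to. Since the hunk header context states the event is generated "on destination machine", suggest "… of the process on the destination machine that requested the logon session", so nobody reads it as a PID on the source host when correlating with 4688 as the following paragraph recommends. Also check the rest of the page (the example event text and any field table outside these two hunks) for remaining "Caller Process" occurrences, since only the two headings are changed here.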
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index dba4b1b866..8bc47524c0 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -110,7 +110,7 @@ After the task sequence finishes, the computer will be fully upgraded to Windows ## Upgrade to Windows 10 with System Center Configuration Manager Current Branch -With System Center Configuration Manager Current Branch, new built-in functionality is provided to make it even easier to upgrade existing Windows 7, Windows 8, Windows 8.1 PCs and Windows 10 computers to the latest version of Windows 10. +With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. **Note**   For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. From bf330524698ed802cc435ae524edfbd89d6072b9 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 28 Jun 2018 17:09:22 +0000 Subject: [PATCH 19/34] Merged PR 9432: Change update behaviors for Surface Hub --- .../surface-hub/manage-windows-updates-for-surface-hub.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index a01bbdbab3..6dcce110f5 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
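Review bot: this hunk shortens the intro to "new built-in functionality makes it easier to upgrade to Windows 10" but leaves the trailing Note untouched, so the section still tells readers the instructions "are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released", which contradicts the "Current Branch" heading two lines above. Either remove that sentence in the same change or state the Current Branch version the steps were tested against. The shortened sentence also drops the list of source versions (Windows 7, Windows 8, Windows 8.1); readers used that to scope the procedure, so consider keeping it in a shorter form.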
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
@@ -111,9 +111,10 @@ Once the Windows 10 Team Anniversary Update is installed, you can remove these a To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed. Surface Hub follows these guidelines to apply updates: -- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window. -- If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used. -- If a pending update is past the update’s prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window. +- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window. +- If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used. 
+- If the next maintenance window is **not** past the update's grace period, the Surface Hub will continue to postpone the update. +- If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window. > [!NOTE] > Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed. From 498e2267c3445c01fb5fbb2c5d0c654bc50c3ff2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 10:40:20 -0700 Subject: [PATCH 20/34] added exce rule --- .../create-wip-policy-using-intune-azure.md | 35 +++++++++++++++++- .../create-wip-policy-using-intune.md | 35 +----------------- .../images/path-condition.png | Bin 29098 -> 36046 bytes ...nd-windows-defender-application-control.md | 4 +- 4 files changed, 37 insertions(+), 37 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index a9c46de01c..e7659f76d0 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
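Review bot: the new third bullet, "If the next maintenance window is **not** past the update's grace period, the Surface Hub will continue to postpone the update", reads as a contradiction of the first bullet, which says the update is installed during the next maintenance window. If the intent is that an already postponed update keeps waiting for a free maintenance window until the grace period expires, and only then falls back to the business-hours slot described in the second bullet, say so explicitly, e.g. "If an update has already been postponed and the next maintenance window is still within the grace period, …". The first two bullets are emitted as removed and re-added with identical text, so the hunk probably carries a whitespace or line-ending change; confirm that was intended. Finally, the removed sentence "If a pending update is past the update's prescribed grace period, the update will be immediately installed" is dropped without replacement; if that behaviour no longer applies, the commit message should say so.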
@@ -198,7 +198,7 @@ Path Publisher Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. ### Import a list of apps -For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create a list of protected apps using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). 
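Review bot: the added sentence announces "The first example shows how to create a Packaged App rule" and "The second example shows how to create an Executable rule", but the procedure title directly below is still "To create a list of protected apps using the AppLocker tool", so the first example is not identifiable by its heading. Suggest retitling that procedure to name the Packaged App rule, mirroring the "To create an Executable rule and xml file for unsigned apps" title used for the second.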
@@ -273,6 +273,39 @@ For this example, we’re going to add an AppLocker XML file to the **Protected 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. +**To create an Executable rule and xml file for unsigned apps** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**. + +3. Right-click **Executable Rules** > **Create New Rule**. + + ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png) + +4. On the **Before You Begin** page, click **Next**. + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + +6. On the **Conditions** page, click **Path** and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png) + +7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". + + ![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png) + +8. On the **Exceptions** page, add any exceptions and then click **Next**. + +9. On the **Name** page, type a name and description for the rule and then click **Create**. + +10. In the left pane, right-click **AppLocker** > **Export policy**. + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + +12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + **To import a list of protected apps using Microsoft Intune** 1. In **Protected apps**, click **Import apps**. 
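Review bot: three problems in the added procedure. First, the image alt texts under steps 6 and 7 are copied from the Packaged App procedure ("Create Packaged app Rules wizard, showing the Publisher" and "… showing the Select applications page") while the screenshots are path-condition.png and select-path.png for an Executable path rule; fix the alt text. Second, the procedure ends at step 11 with "you'll see a message that says 1 rule was exported" and never shows the resulting XML, unlike the Packaged App procedure, whose closing code fence before its step 12 is visible in the create-wip-policy-using-intune.md hunk of this same commit; include the exported rule so readers can check what they produced before importing it. Third, on the security side, step 7 tells readers to allow Everyone on "C:\Program Files" as a whole: a path rule treats every executable under that folder as a protected enterprise app, so add a caveat that the chosen folder must not be writable by standard users, otherwise an unsigned app dropped there by a user inherits WIP-protected access. Step 7 is also missing the "click Next" that the neighbouring steps have.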
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 2200e5ac5c..a2d2b485a4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -193,7 +193,7 @@ In this example, you'd get the following info: Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. ### Add an AppLocker policy file -Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview). +Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview). **To create a Packaged App rule rule and xml file** 1. Open the Local Security Policy snap-in (SecPol.msc). 
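Review bot: removing the sentence about the two examples is right, given the Executable-rule procedure is moved to the Azure page in this commit, but the procedure title in the trailing context still reads "To create a Packaged App rule rule and xml file" (doubled "rule"); fix that typo while touching this paragraph.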
@@ -260,39 +260,6 @@ Now we’re going to add an AppLocker XML file to the **App Rules** list. You’ ``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To create an Executable rule and xml file for unsigned apps** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**. - -3. Right-click **Executable Rules** > **Create New Rule**. - - ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png) - -4. On the **Before You Begin** page, click **Next**. - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - -6. On the **Conditions** page, click **Path** and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png) - -7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". - - ![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png) - -8. On the **Exceptions** page, add any exceptions and then click **Next**. - -9. On the **Name** page, type a name and description for the rule and then click **Create**. - -10. In the left pane, right-click **AppLocker** > **Export policy**. - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. - **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. 
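Review bot: the removed block is the same text added to create-wip-policy-using-intune-azure.md earlier in this commit, so this is a move rather than a deletion; the commit message "added exce rule" should say that the procedure was moved out of this page. After the removal this page no longer references images/path-condition.png or select-path.png, while the same commit replaces path-condition.png; confirm the new screenshot matches the Azure page's wizard, and that select-path.png, which is not in the commit's file list, already exists for the Azure page to use.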
diff --git a/windows/security/information-protection/windows-information-protection/images/path-condition.png b/windows/security/information-protection/windows-information-protection/images/path-condition.png index a70854e0071e70a245e647ac8451b01ab4f7eb68..6aaf295bcc4f5860eebd50f5218611b765d627c3 100644 GIT binary patch literal 36046
z+{7P$qVYt&Ou(%bHt5WCl=#x(XuTb~{QQ~-<&mg<%v)pR$~z`~(- zaTcgo5n4vqf<&!-ay0&TL4-uZI2y{vnvx33+F&{0&L%Mt!M4 z|JPBNx@E7DmWl{XQ~`}FAFy##R>XRDMd$Ozvjzge)7>6r&lZRaV`iEuZ1V7g*)G^h zKj|2iE}WH5Z9dZ#ExI&w72!Ebtz4>0am=$1yF0KftxsL~4kmakK5!O!nhoST<12Ik zx5{MC6ISxMqu2KNI0xZHx`BZ?h;x;f`6T-?6JvF|e&Kt(RmH4eQT+JCu>~W*c&4;G zhFor*m1=+IMAyF;X}68O#I3{CeZGQV@TWMitFS2pJi#uhs?Aq#!rvO;+qPP$xl3hc z_dcIK-`wPNyY7yZ9uFRoEj|h66Nl79o)To%aKkd!4!8oTFi+GrTz@OqHWRA2wgQGs zz$f_s-YBsD=Vp`r_ZRx_+vLBW6|Vov@qqtdK7vKNn0JiL4YS$@{c`VqLW~_?*HwvE zEkIgW$Tv3gyjIkug7Mi7*f=t)v&A4Ka=qY&tz~~yzH9{@$e;Xe1ISD z0oFpRjOW6B`8W2sT&^58==YdYRU%&Vsj6#eBW|5>=HHu>eLVel!T2nwOFa-A@-zbI zy62rpqZ5a4oB~t6$6t{kz$-mTAx zkmOYN^dfaVN0MNw!(wK2oo2}^LA{YZ_+}=&L`ZinqZGP^0Yd}uw3hB*$$YZiMw4pC z?!F@2-XL%qUkFD{LjLUs{7!2T|J+?8tZXK?j$MA!c9@4M>9LD(ZU8((-X9f7;!q&x zT|>HM%VZt;*DY_e0+ivyN+AXZ*@ zmFq-17>Rk-$;CKapoXff^LwcXb)LW)t0-b41C&_YN;2l@CPZ!T!QLzg!NaFNBQ|fW zoG;%AqSUJ)I9-FxsAJ~fd+;|Qfv*^adtiOB#_QfLP+4;A)Dm{Nx+42xOPe#xMV?5H zUmExM80F|o#-xT(2j;vWHoXt6d*R&+8$lqz;c5!X_<*6=?5g+UgUA-vyO9-xm_5y= z*67HDk^*lR#0BMz@uV+U0Y-7h`mz-`R!^10j-PA)Jp2V;To{eHfp*C^R@cTdIfN`9 z<~F_#r5&YvY8k2GcJX6!A`}b0y9pd~^;|_5n8&TlW6BjcOwx&}tst$>{!$puL!5z^ zmrlq+kB09SU`Aa+fL8Ie6*^$i(gJGYF|A6miQ^g6wEInu zC8OmX55rerArSh+Uf5*iei()0Xp~xU&=mtr!GJsm?zECQe$})+^MMaLnYGmM{mjXy z&t&SaCBDPg!}76tC-|!4(e;8C$}+v$XVTO$xV{w)PWerdq=YsiG{mtlv31QvUK`vZ zsSV!4tz{+Voo$l1PT_6(n#K!>F)H&LMTd)q)5b6`t&!0dtWdtUmVnp_1_<_ymM@KX zb@n(Fc3pDg%h8E-;DQcqW*8H)G1B)#K@6jF@3hHPb)`VhD2IUMq6A*%%bl59tKJX} z+25TsP$4NLjn5`5Hmc^TwuZ9XE9@uMi%ir-8%tDLXg&d8rw*AEsrI2yuWn-23?!T) zQB_}grA=ZhO;*x$OQ)at%i;^f?1Wy(PKIgwP}RJ8f^}^QxJ^T%Mx_Yu3qAD&T3V<- zxbuAA*CSVn@tCDz#`=O+e~s!u?Ij5E=(H5DAQS-DPzm6mfbVfqZH z$;wNu9Z3gd&@e4ngi^OnxNUr0b6B@k-_ZW@I}zsV+4z`W?GBkY&8k0Uxo?Qn^e>Qp3Hc_9i%oCac`<%qjWfa-DyZ? 
z;s8)@|HAbjv!MgO@<*EKfAVks3yISo2&ik*idR#A0rZ5^hss@mgjR1r$?N7@nj(gz zZUjeN{^h?A5#oC40w6Xwe>*tyYw=Mzhc{PGuwwc%*D}Ep8tAd5^}uDr->^L;&izUe zWxU7Szn-8)DBy_^HXz+9gA`T&-F*kn0se)VEDXlzl*Y^MRLe(KR)C51Q{C2)&@NRL zhYn=A3aye4Wze?LH>5(=G&&L#q{Ugqfs2zPld>uph^&p6>5W~~bb!-kS3ua|`(^cR z6&#BHz+TSrE#=msd)6IZOCic{pFzY)xK1c9Pk1H6#RSV`>H!IgOCn;f(QiwY#Q${Q zS)rh}K027E^VP>^a^2pDT=ll{%CTXI#KVpYt;8x+wQwC2jZD6MZl?bth~wFhCPQZ< zTC*c5BuBOn-H;v?|Ey2me*S?+ACDWM(}4eM0(^~j{i6zIBi6bq3J4YmnW~M&zK5Y| zazpIuVKh2FG8MG-={9`FH{;mJL5WZJQ$28z26;iu{RCT;qsC?iJ&YE}qtQ{}!*dD& z>6OcZ%P4|S_O|_=mScPT7ecH2s{G#5Cl{ItE;nl@6-;Qn9zHSM~-?h z`)ZtD(;fsaJ)}QG{_3&MeBOGwcFYDMQyF*j=IaRux6U3VDhExQ5LGkU_#Q)#++%}z zgx=$7FxTylwYm|!&K%VHygjtRV)TLTT&FQ2^Mo3p07>&HE2#vk^`*)g$9wZs+AZ9M zU`0u!MW-%rrpk+Y&N~4YU3b%gkCl|rJIT$$cC(($xyKmgDvNT57kE^q(V%7fE3A$x z6vll2@FJF|lQq?G!eE&S1gc?_$a9I?JjcK3nZkyi2=qFeaLEO{KhNnk#?s}sWPv2k z$|0tu181>H`Ieky)uKe|QfpRlXZfO2BVE3Pr__6v&m*t9de*_wDp9rXZGzqE=>C`5 zj!SdggRO5zZr+*n_spue5K*o-6^#zIf9SAVo9gy0Su?CaeuD6eT~AJqHDTDpxfJC5 z%)jkA&=#0v=v&rA`fE$oti1@3t-KrL?e`37>Q@!uF?q=!Tg#K~q&vsmdwbp*yViJ4 zh>sCindwuZ0bVV(C<@F?No=k5Xxoov!W#eGj2?1k+!5hx5`&(5dA%S zy@*Nhz9EH@@fJzWQ6K<`ScuxK4^}SuW^!EP0`%R&EPT8XGRi{<)+hJU-w12)T@qrA zROD8!uuR)$P)Fgu=#oyA+S_Bgv!v*Gx!m~PJjJlX)B#x86glcZr4>WM)T>2W^vI&~ zz3Wk*^b(d|n85oSggl2@g<D0F|6x z>Z(1B`#5c;+AQQi)MYudk?W*#RAb1p!R+l&RTpC1tfMIb9C+`y=AfliHQD2@y^DzB zj>d^2&B?|neCOHP3dpUb+P9|(gCeyI81_L#it$A9dwvwQiA@dX>BTuP-1aAUkjHN! z%z7foUZw=v2JOSO^hkGLnNOt_nk~tiDH7EY*SmsuLB%Z_kjbD&h4sw^t@)fqAwx`r zi{dr0m$?^hemzs2V<9NeMPY`9P+kq!$*n!*v@N<^J0vV;G`Q9xt}?by?~%U5;M<%W zobA3Sw}k*TYmKvJ#ZHY@@qU{df z$z}}Hq1l9SaCxBYH%3@OczEyO!OZ&vM6Q4D9qAL~2;eWYvFKP;VN zIjqI|QJV8L27KKjhX|UHx8)09W(l}Wo)A!7+sbx{rk`B>1)@53ce$AVRvM0CR;17| z7ZDHjolgPZAg){ArnU-Bv^M$lktS3%eJ=qE>g7m!X@YU-a7*GH&*hH-O6h4}uS6*? 
zGMPm|`atVS1qfQg5(EopT>n^<;KN9)WDjUNl-m^y zWUJz*gn+V8ZrDEe9?Ne1_Z$PwEmyt-PAX6>iKU?;lOIymeD1lR_vC7(q{X{v5#k13~DPD%7&t6)GF-Ej7GelIf;KmB=t zqR>o}2G1QA>Tt0Pnx2dE;uH58H=N==?cAPMJn9v<{VK=W^HVAZX{Z}-EpCSHsVzW| z(-oz9tZ91eq2GVEV>Qpm3+P(w)cmd}j=1O~70{RbtOrkY!a7)xD`>$K)=wRLO53zifcw1Oh;9Db}ej4 zSP|LQyWh@jVciIs;<;@XpHts@q6_uX#CYX;uE2b;d@p#GY@=I1;wWu-KHN8CnwN`? zd)V{x*-|DE(p~plLT;=w-p9I^!5qA!Tkc|}l4CM)+LILw`nBdBCV9GWqHib7INN6B zmXA$8Y6)=#d*`*I$nv8v%)SXy_~1uUY9Ue;jW^QG+Ny38OUPeK}0Dw(q^AfnurQK z=pZ-#b_bB{Ty(Rd%0YUlQuALT{2xR7DWqjQsT|-Gnv-9omiTE~V zQw_51G>)1Sk8E81bF39LR(&1g#4}AbqM4@g@xEYL920W>Xy0|#^m^tjnvKnkE)&Pp5~6;cuVwX zV8pH%XxQi2^JcGs82!z#{O{uo9}gk(^E(0O)y$HxGuU^VnO5q1rz`hkZ2&i6qG|I% z!gd|zqr2)s2Tq#`j5*ml`p%fg zEUpvm6Kf%Qy#-K<0EP_>O;DY=Q>)rd7q!Y1E?PwG-_u8hYSQKm^1}gUF?LT(s|WH|^HCO$%OTLgzl^NVBpITDuG| zQHa}taA=XmD}`A}dK*RiJHR3X{QGk@!egQSx|W>X`c8jzun1q<%i zO!E!-hObhD(Tj-AI{huvd5H$lsqKKgu+{4x-Fn;Br&|I6KNe2NE6HVuH!$Fd@2kLt z0J}NvK1E&j-|FLOeqnd+vh{0@iS>t{5+Z)(FWLY8(tuJd?NM64Qfz*I<%SJu({ec- z`X~bE+;IK!%Rg>!9(#B=ETjNG=kgJq;_SLR=I{iGb={cZ$#p|r=UTzldr$udHkiES literal 29098 zcmd422Q-{(`!77%(gk}HBm_ycL>JLpn&_kB=!_r;qLL{a+G0f<5o{@Lweb0CPXMO8@=d5oXYhjpq?sDB%{awF1=!upx%|(`rAP|T~Rprq$ z5a^Es;2UxN58yvGjUgkzuTyT%lplcdd#)`5f1I|uuX!H?Dhj7QG&uwOeZg5p-wgz! 
zZK8aiYIFK(4g$F-sy@2^0&cWE=?%TM5Rdcb%m#ndKS(09DI9nZr?6}2aWYc=K5Q(0 z%+5lv_(2cXz2d0Xg45>l5vSX^5+gd_T_1}vKOZsQmDFKw>Dq9`=Py->8}HuP{Vh6L zY(>=|aivM)eEFA+7>BNwktC9DN>nY9q?i~O<&oX1_Zhexx0Ek?-U61CB%{~RU8C*4ek5JS$YYb}yOFUHs~wkDy-0a#W+6G>{ZfT6$}_r{@37<5#`oQt z!v{FOJq_rYGD1kNQO>HU!qLxVX+xb0B~yxf9?&NGkiUlLDiWrEAqSD3i}8r9`eUca zpJte_+X_e919+~>{lIWc#Wq=$xVE-wKP+T5qq_dc`F;M6>@7H%Ail$fQY^@o@qC9c*7diM6@3*fxIdX3_WZ zgD9s;F|k?cgm)I4++=8&2KjLRJvY@YHl)qc@Ii^wQP3(+g)^2WGvO2&vu}@O6Hby;zE~T*&IST~VhBL0lRL=IG$%wUM-`;Ev9VDjw%q(q+D{TXjmMyINpfbiE7Z)> zsd^s6hj^5+Xm@WCbR=Uf8c9Ofk+T^rALJj8^6Ok!rz%H(>)`gQ{%E~JKWzvnr(!;J_A z7KGGhp3>}7MX)hy->SS4snjtnytHfCfv?l>wx||V73N7gG}k0Fwod&O%Y*5x+sdOz zd;T43(AKa{5;0_>OC1VlL)Fg=!-?DErS5M<=xYMcx?daDq>H&t_PPhu=Q~&VI33{D zx+IS9lNJSmr$DbOHm8!;(WuUayxR}MDJt&bL6(#)nT?#7V;j`u%Q4Qt-s1W?Iw0hm zZ~FH2#Q3u!-^dikKQeV;syKhgOLz;13@(3-zoazswl)oOR!Zd0w%DHaA#SU~1oq8p zKP`}$v|@4VYs(D8FlTSo&|CvR7ESd!(tez7(i8*wBtIAFuoc#Pu8zQV;8a%QzdshZ zzakcL^!zfNaqM!1TY;y&6V-~VUJGBj@K(v&-4-hc8PCrJdtwr>mRR?A4I#}lMs>Mj zQldK{t0nG`z9@~3CcBqhFg9i<$VH}X$M2TfJK`M+g~3#}1`>nhc@TmL1Be4U&^^9p zvW0GRsxqLt21{KXFyk7tr%@C7=)uz6MDO(lZsB`zO!c+t)kXTOan4ZN0tKTQFCFiZ zWa5k;UgEyfIY-ERqu=pU?|MP>CM$Ls<&d3m&&W98k(r&iM$ zN8&T@9>6tm!RlNCa4MB6NPQ<|+zLrD(bmi|+VDQVqnSOG`dPyXx^m-0&mJzC&pu9y z2v%bcTs9CAnQ_X=^mgDF0S;E?xEXIPV zXvcT`HLl#-n`&&$fKY*6KU$2i*$P$Ij7y8pp!;Y&{Feb0;2N3#zq`hJRsUBEV(@BY z3F-b2_KmH^x6TiF+)X4+dE?f`N@T7Bj{PddNi$t}S#Q$oM0a?kUeMFmn^k|9x9V64 z){T^MIP1K-Im^JSwe%Wr`j(F~wqq$_~rRWjAdh(DYk!`mv*628pnN)w=ST};4J{TtmvmK@^ zVo?RhM{9mvYN~P|&}ZF~5gVJIOL^2d&*vG=E{!(NCz|a|v;8<~Vx22EnwzC6u-h2( zo`DJ1ZiUzT?r|Whr@y2i;4Uc_?v?D{zyktdISDh@DKDXv=)iQIp%+{40qf}1+u?P^ zYSJJSV4afxF&`J+hjcD++Lu&InvxZrOku6}!73UT&8FmCJ7(sWJPgrcJ+{EDlXGxH zgzqF9d2s-Ch}K3B$cJ6Yf-`d+%ZhjcXgUPhB|IyuG`_L-&`kePj}M=odbaeKLXCM z>|PvP3n^#wpcfk7>~<7e7k}s$a_p1YMWK2(#BFTinhB1DGtl_xk8oh3Jc{{H$9=~y5$nktbP|C<*h$#5*p0`2KO$pV z1sHnGdJnbf=|G^b7f!T|LCSB3H4#4LPJU@u<#@Q2j5|%e(vg}RtwpPOl^^B*P{Pb?b)M1a*0IWV(j7(a7UkR}Q~ 
zMay)TVe9#u(#vjf@V9dGIiCISg^i8zsVX*>ri#{F2!lx-`MM9JeC>Y`gqKXri zZYRG4R`kTqYmnK1x|yN3bT_wD0sEsRh@xz6i)J&x`iewLGwPoH~ zJ9Zhd*dQ#Om3B%YKad73p3Q;=-{~=6oUFKBYnZ{!dF!wFOUZd+%!7Hy@yh~L_9Buu@JZ6XH+lCR^|6vGPk4B1l|5M7co^q^Z>T`Cs zAoMgJ$uw}T=qua}TnW$A*xO=4OOZyH_->V+q*9n^bz8s%h2uP+6fx|YC=&f#c25qk z5t0JWba!q4>WjJ18xVJWCizHeGnu>}AK07JC-)+@Qp@TLIW1>Btaj0*B`Ni4M*e|N zZLYFYB&`8p+sQCBf{Opxhh`7U=i2bw0@oNoAZF=U=pQGF`QBTn^AU1@_bq|LYpl(- zYjCX4d2yQ@;n^VY9OeB8=awHQ*0Wao@S$2d_-;-5ORzG%wzF@yIE>dsZNpGOmJoTG z9F|-01RW4d?=)~0G-GNO9&#h^3?>NsM_rD^7=dHfx8+nVXXbWrgoP7G;RfnhS3^!h z-Lp3TisvzrmULYjA1BT@G8Y_)$Q7T9JUzg-)w_8LR1vq__taYOPi?sYS3k(m#if)3 z{;gyAD8s)l!o}XcfBS5^Xgaq;JHxF^5698M3_OoNE5;fmdA<`z2YMZnbm9f&@P_Ra zkN3Sr{luRk;X<2~Om60822dvbYjC3>AlxzEpg5p6EIjP_wm^32`GxZSlP2KQxYz+Z zet6L3JpcxuODJgfxZM#()aI_(EW^3 zjsiR~#)mS`e!eSgm#RuBbObVz7@SWkUT!E|= z(YE!mLilW2>X?1g`|#iE>nP9v>a;xVx3oDrIvVyStaa+nDf2G{w@c=cl60X9R#A)> zWzUV5@cZkmjs2YLBilRfv*}7Naz*Xoi}3mm|J_g;Ue@6HPVRsX!Om55XHrwq4YSFf z9DgP0sJ#QPVu)*)#TS&zSgn{Ehfdhlj^E;p=~AcT%q>>;KW|!a+#a2-1KtAb8IO+^ ze$KzaYB~YF$L}L3Gv|@NYhEnDbJxOa<7$+h2B&X#GL`F?^+52( zEMzVax9-CHaY9K@OcL$Zo9Izq`;`mTGU_*e7AXyt()(Meu9{0jV-W|Qs<5^8RZcYQ z;~N1-*r;VHiJM9APcjh?*Iwym=DX*ubFFo|7u!cA*JkrZL9VJ=-hTX#7L=JUe&?8C zD5(Q)tW1gxK4pF!ykBLJNO&*UGHQZd8M_LL<|}CoID_u}?zUmB-iYDWPb;kCP3#t! 
zT+-_Pw4UdR$u{k(J|}CiBXI-mBD(aBK~M&L>1&Ii;I)C&$cOc&cp%Jvx{Idu}WhJBT=zveCtlZG}Q2Ugpf|YmtGZg>#ZEseHuypHX zWnGKa@rg6pPu$HUqGwE_*QI82bbqRLK=&j6QF_66>Ctn{{>AG@Xu3`d= z=Gq1oG2gbbk}b5`BOhWeS8(*{?k$MiNA9#xv)W3;05_Weu9En1xL@koLL8w|b6gc$ zbkQ=%iQQ@)f3X| zAI)*?Y6+ODJ}bN8wb2`|!H_@B;jftN_uI6q{|?=jkSM*>b=-R)gX*_1gk)Okd!w@J ziO7cxcsEUE-ro)Y0?n)__2|3#&no^;TKRwNJOsy7rZcuQFFhWau@<1mu6BB1wegnH8ChHIc{!6$OW+NlP5obm5b06cI2g?0okD?R1rbnWdzjfQN zC$(87!n+RK=ZZs}#y`oGn;rcu@921^r-66Zd4HSk%D_su)VXsXBkMA|K6+2d-IYlG z>31XJ@Kp+P+uHh&zC-&Z7pDaG@^ZU{n_^Ox^54YQdcQ=U<$yI!$EXNL22KgHWn=uc-q%-m8SR1C{Bpuw(m>B zGJQySn~$M{o5v;S-5+~Ks2Gbxd+{~taVksG@}R83F*%OD5a~Vv10M)?%ZvKb448>o z)7z?mZyaWtQ#&Dx3nS%zB>`)goG7Zo`n8!?q{gW{qXG#tCj#fei(2Ux{W}E}!Tm=w zx__>ZF{vvEj=HL<4_K|4`8&)O^si=B=jKY6KW(|sWv>c7%nSt!><6Wd7TY-=6<5uS z4CKGETOKIQs~BF9MRk44PSGD|U+w$WY5Ya%=ey)5jv_5#>K-wkH3qVH%XlqaC;qq& zTW@uEnYXOSeC?bP^WEt8-Nj)TwGi;?uuc^Ned}V#w&}=~n)7BU@(`SnaSR{gjv}y4meZ1S`6zJU6>i z+J~(Ep}hg@361eQuwVJ)-DdA9Uh8nD;3oK1>!?a!t(t!X+v!z!FW!Q%xbq2e_1b{0 zMeLL;5+$7X8HMS#TksOY1j$MM^(}2XP1m%ye96}!V)9wBk}3!5nx&Mbhn|h%+}s6L zZYq(R)gv!3b986_+V=ePK3V1=xsphS@NWjAu;5Xx zTas6<=FDn?7xR>4uj&u=^$*WZfr*!3W#|DII%h*LNoC?qD%?B%3R}!-Gf{qMTVx^E zAfcs=DY*V@S8yY6P~+y?kui!lvF}oU2S+ zVQg-<({bAS?u`NU)a_LH%?e8ocL|*iTx7NoiteLV81xqPs|3qr_$89YD9V8Jh)da= z^r^*aoqfgjmi*(`n&1bK%&$3$A%~hTZARaq>^nsB$kME-wNs7nAgQS0AUT(=A|%9v zq#)S-%t*aj2_H^Fyf>!+vsz&;Jq>_?Op{+@x_#Quaso>;JY=|c@YLHcm9c!bAi@e)%z zKdA56-`BKzGfs`%_VlA#Faj-j3vHp9J!qj&y6`Ys7;Fh#r#MoVjP84}Z2Gzh|&U^k&ViC&-;|x;0`Vt@}hmrZ7bB(WCT)mUijISD=+GXph zOIj-IT}%7J0SnKr=||_;@z?gx?=NlGm%v04mcyd?V^K6~rIVWJs8{d~S&_?*?-l#* zYhgwZvK{9_PO z_C#XvpgS{(mIsJ32Zn!oE(wDTAuY&s`ByxE2rhzkC8}riYj$!UJPPaOn{Sg8bh7^# zTrHztNO~ao*fC@~BxlH=0KqvgiK$HFPD;B zzM5S}`1zvOzOkIQ?g2*jhKmR>CtRVZ(>uTROBqx|XzOmp_qj~jJL`Aklc)G_-=B;M z$VB#5vd*mu23r;<=#@Dzv4U?Mvz#BX9$n|tSIXa_4X5is48PvXIw?aaVOutHQA^lU z_wV*T{l|B!R_6Mztuoe5WiII}$=t<}rm|igY}9XzHMz#rRT%C~)#$4>-BMeVcG(P4 zLdd*afD1{o8#nV!-b%5_hF*I9VLFkPiLDpwZ|aiYQ=04*@?zTadSwa*>VrN~QhNk@ 
z(D(}IxM3=HUrpS+-nXQJ>JBTsGj0V4Tu_ibxX+aqq z=3Hgv#_LKYU)50nKB^>rUL^g)T> z0h3?%Bo@Cu5uoY4>KG)RyMiUrAw6;V)!mo_mij7TGuaDwBI3aUTVg4SzjEBcr$uH+ z5-@jn37x~_$aeH+*Uq}G*rv*XqYL!f85b1^hrcSP$83zUi;Reku3G5gXjXj!^lE4F zLD5L1R`OAYuj_DIa-rw;l5GAlCjH#bizh#~T9n=BlB0b%vpoFBb5T~>cCK;DqPQWabf4-_%a`Yb?308zH5JRy{+!GaqgUBc=MBNZ%W#7YZ`gSFG5!lLJ zQ#LaKk$u}y!DD5+Z%R1vOo$+};{H^232t&7IK^?B{gp(zWKSG=dJOdw`S4;d>BZz; zt+IB_Zf2g3yRpZj6>|6X-hVeE4*;8$kDrb0-%qZrweojUM6FeCv?$71YZr~SZ>>93 zN8L3(t_`{aOZZ}H5QZi1@|Rmo#yZqRYA^(_;&OCFAih`_mY9Oq;=w-;`Hv$l*mdh{ zsBYzU{xqyfFXR19Smi;j@Zqc#$?jHAEAxP>z(}4|P~%yAP`^^n+Qj5q&2ArTTA@QH zFX8AHGVoNnCCu|!d-2$e_o&)@Bk9UiDQcs$o;((R{lcU)K5c3>>WZ2lxn#f!v0_ku zv^CkTlQ-XN#*|&`CfQgejPoYX;nuykU&#k$G5yDJ8+G)?E?BbEhVM>3tRz*dzW^YC z@u|O~ibA6vs(O@kYh*5{hhy1kHwUVquxkdPN+dztBNlc8O_J=YF2FzZ8y z8suM9b4ZzqKS>#?5&~zTrC$8cn61k{KmOj#f#Sn>rrs z+xC7dkmQsx@_%gd(6H-27Rav1OrU`L5iBh3FV^DPdRzWe2k~yA|C2}mGOJXj7@7Ul z$pKU1-T!|1B`(qrTW(zB=@XYSh#T}eV;QN`q*K-`{or>o&oWw-R+oV|NNqARlRZ0L zGWpQrDf{7I1{;Fi#)EzN}_{2MN^y)OOZa)Eo^_(x&; z)#}nBllzc|y6lcc-4b+y2G)r$Jh?Bq1^=$+#GhzLdrLsA4E9qx(TC64L!}b|aOGio z>C1zHbeJ-0k zldOVKO=_+AWmc3dgN92f#(`f486p4v{U6m3>{*(DTGHthd|;I!>r*zk@u~l)<8g_KtCV%5L7leV5*V7HVd0-zW#nGXO@U^zY6} zm1xVMQBKBXw$T?P`*oUuj+vLYccZ&`{eYw6HkdRQGP(+OP3}5w=lyYouVLk#3kdoWo~6JhoU{VP4 z_rpp@Q*eP_Zld2nBI*UcdS7`zLH6AI!Hh)S68jV+Zo)L7j3!REVWjC4NJ!%ZHdTHQ zq!1TL=QBf9X{fcYdRJ7`1z0u!@Z$@n>D)djI`F)8nuIZb*L|1e473}n>cj^|AvF?< zf{cE8WMpcX48-PnW}V}hC24_IkV?n_7})wh1{U_2rKVFnbbfyTXZM`{YanwgxwEBU zS~&9>VqAE<%hX>@4qt(j^7L@-Yg}B!=;W#BRi8tz#w-P0hvZFP0y&==I5{?YHQ)da z_ebhCR##=+S3W@*T^76I#qEaW_U5CaafZYX`A!Zmg(L?*eETt6mRClj(HTJN9o%}F zVhdIm4B|w9418*i{Hmng-wQQs+9rfPOaVrlt<+=K` z>p`gMT|mjiB_u2#^d^YgvHR`L;_>(>UTrN64Y{p$&JhSKIY>5;j$_#4sYRWlalHe= zULcm5Wi+NT$wwFgKP6x&7k8d{kjKQoe|d)bSP=cw=`5(?HAUfaPes8MV7Sh<@F9he zE=cd+IjR`Zt-ZtN+Vbv%Zb@U87Dm9jkADU#Y_|ye;e&XQBB@GXpl#4b$=rtSamB(% zQi8G8_D}PDmMw(Ag>(f~Y8UgD=UAOw9UMzT6kQJ5@~gJA6&?&$v~f8`Kt;lyrB`($v({$7kYjM1yy-nhNyY@PtK1#e?^m 
z&&jnfbjD{y^d8yn<~S*MZsXAf>|R{3?RA*Z*!Eto({2M{k8{?dfY+&hKY&AR7LO*| z6Zn;RIK+|-JqK#*yBESYs!6T63W(|B2aXs$9(4zw<@Tr5T@3g0?{pef9!DnC2AAWe z67!EsG`+iL2g7E6(1b5+y*CS|Lu~($Map@ZZ*|b<(Wq6A8`-I60SzAzXfgKWJVk6c zYr>V&lx~o7XTyEF=0gwrU|}3+)N*ThK6$7QHBF0a7=z(xcs^G|KzDRFjs{YB!#Tu) zuqBG)2g7JwjXSh>b7@8y2mi4>mm+^Llay#NqDUN;b&5azyuV+_aoEFrt8a&+a`sp+ zjLml$*=uBz7De+Yj{e_%{d+I>o3=oO{mAf3ipvjrrb1H=+BX?mYB-}CjM=35BxS4P zE+ZR7OB}AV6jO6?BYnAR<8!}zc6*>d)T%hb8;|Urgp*G>!By`4JJuJPC~eG%I!^5FwkGE9Pmqk|wt9+U z{ov`<-I-4cVMN1)$w!9m^_%IeZ!IQjJBc~NKLZlil3Vp4l^c<7tMBQ+p-0M^oG@&$ z&2{NkL4InZy-E%_V|b^Lvbvg__QbIZY;G%>148QTm^+r{Y5onD=bgQ{7j*c=Fh#~= zO^`v5hp-jvHZlEEdgC}it0;8pkv*32re2xEhWxWQfy%y@%q8LB^Sl?^=5hGTvA*hF zFdF~L*==)Z^4HhDlL&0cNA;&tq~Af*qwYGsOYAq4oh%H@c+J@QZup`g{=*XNRfis! zyY{q3h*HzBq+gHPGbe8e0iz1*ua>#zyE4HD{V^p7_q5ka_WE(Qz{`;jk`7@W;+anf z%&P8eTKIm=JCk}U>&8#H>URFHOrLTxL=NJOXNL1nD-G~u(QwCsmz!5 zjeId+f>DR@4fwtvJZ5B^E?wTJm7XMgjX5d!;!~PS94s;|Cbc{zY=>|U>6%x1hh6x zfAGUUgFYXfi0XLU>xmv1bWK&yck^_*+NU4cA2annl!khRrTCcp4#Bfi*s-YAf!$!9 z>7p*1ACLOWH+(%8tSU3gcOee^kXX+vK7;(I-B$&l%y^G2RKQJwTP!b1l!6Y_;uq8d z>8Jm+VH6JNeSb;2Dl|X4lx(ohfUbhs6>`t+ce<|1W{(6~5GrLrHB-30jvO6+N zv!vg&@vBeEm}5Rf{RA;LI=FRbU}s~8k@eoUT869rP-Cv+i1K``(UfQee<%h7b#JjW zkwpj|zby`S^$!_rBDP3F{1>I8(h^w_N-YOMLe+ly5U%u!P{A?pa`(pEryO0Dz3G@7KeYVN>s-&13%416cgz~<@G2x6N!-nnh?5w&L zCfC`$G?l&@PjPdZVFk08F>}nY8ftuI-5cx#kIWl=W1*Y8UfI??Ci=7Q7KsK9S-)c4 z>p>T~$dk5uQQ6264*=$6QXeA(z-vFN?>y;dY9U1n*~cv;1Gszs9oA>5x4@UR9wFbt z$z|ibCp}4i|I%W<>g_3fjr2G->}IaWp-rc`{kplijU~w&I@F;SL56QOnW3ViL$fXr91yLt;1BrQ=+k239Y*)!&zT#?g`Wv4AXjE3S z+34!#hGyYd08;)Tn>)=_0=~U{a6}OOjpJh%>l2^hjnw?JxV+Yj)5ku3eHy53MKP0U zzV5z)I^SBvhij1O1e-Nl#lZJ#Ik8icvpCqcmNIkcC}Ms} z!GrFx)tK7+WFw;Bg3{D$%s|6Cb>m)IA%oF1jNYjFa3ds%M6U0*LpmHk`Rc+wCC7Ez{`vmN0eb!;QHl8 z4cIrs${L4PS?l>fB6(@PnU{8?Uwq-$*P2rCBRyyHQS1jXo2qdO1`_tJtm+i+vB3lG zmUqUF+j7rgUw8Ap4S5V4f3AUv(?VNPjeWbo6*A=ST9%NHx+~gx<2GNfo{%cU6oH1A zg+<9kT`Z+dbi;cE6;Y!1gB8+Oz0+G~(QL)IHJ2D8DWTfpJHtQfoyy9IqS|jMl;rdg 
zyU0_%ET3k1msLGqc2oy;SEAYzXhXLV%B^E;m-UB-?0tJ=h84>*Go-?ro6J|bcQPqVE3b*<(@>0R(Md~O!zx2>w-Wb`+%d6byh(+Ea1{*oGEWdhy zzM9d=+M*K}f+iKX_p--4ADI24V^!_tL?ZZ(V56E(j75&_n4sE(-px2sWM`=QTr-WT z08f}&n`wn5{@9->vQNu9<)!6IZmb5q4F2(_PHw0v^M&AJXk&X+Tl!?|+EBkK=4)^x zUeyhVBgJ=Q6>?lxb40ihj8o7t3-!P+Z1EDa$4P#?K%^-ueRDB*RxJwkBcf_VRm9F` zCA&@g{Bu&|RBJ%YDev3PT6kNz zdP;?%PTc*etZ)#|nt!+$rTq3o6Uiv!T9DPgiX66|{otGi3wkG|7W8z35hHZjVx=J3 zZr&|GZ|=-J%H($voi;qzlqDxh_o6ws!jv(p()7LCd)QoI>mXLwI)`M#vnp-0ZH7{@ z%)xMRBM>D*a=YzWl8clB^Q)GRk2daVi{j-x584!nMY*B5+r_cfGdnFHDGxR6xw2=QK-}{V!>;5i>}NgHW>?J2ZP=Tu(URN3Jq?*wbyE;A z%3z=4F{2B&|$jO+H2D0UZ(qxbAl#JXUvF5CSOsKjcLcI2?yreEQx zg4!P`@K8l@Nm;7zo+qkvN3lYK$>?r8uT(l=cT-uh#D$D@Vmm2_0)9H2c3$=<`uXslAKRWEuki7(`(9DToO%!~BdV~p|;KAh2FUT9#Mc1Pv>(p6UnFhtp z6RXai^JZQtjYnm`W>;o%Lqd4{x-hvY#tBnD;r>jR4$RH1!1o&1;k$d8g>_^itKnn9 zzOYvHTCsHholAF3O4<|XV}o%4{e4wDpw}xW>aE+ZeL1X_&;$Mmw_og7xY#yT&M4`* zJz9hc<52Wy{xo&xP3CAt7qswCy|NxKCBk^^sMGJHM1^gOTX}D|oH>wOW~Kr1tX7Gg zLDaUB;$2HJQ;rr#597sSJ!VvCha_%|k||~RU)(?ULUPA^f&YWXptUtCyj93%q+j}# zOc6m3N{1ufdG8Rj{L*eb{#2<|wZBCZgV-!|A*P|Zy#1_~y2Hwax(;3iq~MhGDbT<# z&fOv}9spCi?|Lw6y8}FcGllFFB11to}#-(O!f;&3>d?|Ce+}RJQR? 
zdY{x+Aw9)*Htpu?R~g0Xx4pkPh#lpcKEDLCIbPi?eslbcr+5g3cH-5z60R!OK$-Jb zCk&XgqJC~?Z3bwJcN1NEHX1yHU&lcUClt<`y&HUML+Wn%ANsMUk@BoetJ%>2q_fWb zSF?ciNbw`>n$uXLKaQ*H>0Q!QuiXRo`N*7#p<3-qIDjRIIQ;h3X3ySS;34{Gnh>_U zr1edm9F}|9_mE#c&BT;MW>pXPQkNgmuKlac$@{oGudBVb$2*{!Wqf#yIQ2FP++`pW zf`#~G>OTyW$D5vg6%&2x7XX#cLTQ&$Yq7L|1MKi^%MPDw4H?lf@9?`J2e7|RfpSi6 z(m4bBT`J4Uv~TJUB^tXiyAp}XmU_0hX$2%I^sotG;-<}m{wldU-aat%M|g-LTf9fS z!n0B7pGb$hwNN3jSG)kYKS)2M3pH)1_}1TOsX+(k>O$53dg&BNMjq`3Uj2))KTYTKy7`^!+M zoJ9h#z4VjDCa}FEm{jT?Ae+zs;#*RX_kN1=rnCsI3Een#kLCXkF6V#E^7>z5o@NCE zSsf79Q4_A6fr^K-Eg{Sld`xoMhcKY6C@(FYU2+N(XLh1{Sv*0!DZK??l;h6I5S_yA z49<^KJ=Ydqk8fqAliz+~Y&<<)X2;9JQwnf!-BeHH1wiE!9%zTArY0PKd&i4e^&sW# zWbTs12Y9uTDvpR~C*c0(9V@TL`$CY>39hQM%G5eZw0A-TSn_kYK{IK;j>IwrUhXtq zXFJ5l;HaS(uCTu(K4Mq`$78g8SDx1&E(mLGNV~7RaB^~r?*xPOPFxNYZg1aq&%50F ztHwwC^DzA{4o5FN0qWc4osnP;N$Md_%|A1IY-YTv}W_=pf==>dQJFE<8?i17~tHKn5KBX3A@zUW=K;Nb{ab{M z%ypZaO>`*$mdsqgtE8?T62OK9IwE&>l-WI-OS65jTcdIEZ_EHHafQoRtE8q&+daE# zYMIF9C@J7dZqT`fZUy|mk?}!5LD;>PQgaLHs`B#Ib8_?VxL^UocV>lUcLHyUPcZ<% zE1`8Q4Tjh6mQfg{4y%;hCg-HhkTk~2&S0^BaDb~JXfZf`0KjCVluILkxl)$*A5gby zWJaOeXLF02TAsB{|AqX7=`7?~oLj{&2HtZf=feL*su0 zrvccaqFR4UGM)paSJ~R?R_T(QOS*%mHU_9NAygnCqkl}NtsP6ymfsod25hT^QBT0A zX7?e-{!c(`Exbth&Dc&G;QI0+1x6SDo~?rs<>BSktc#C}yTZXC37Cs2X#+s0^-c~G zXjK6hga{N;;s1Wq@;?dZ@gvP8R!x}q)QO4T@*DaH+tkGr!@MiEFr&d=!i`1ij-kz~^U#pjr3*QR?`_Jx?54yMO&>1yT*HOlF6Vby7r*vw zROeaB?5HJSe;aW>N2iIVIq8?O6Jp?N-kJkjp-${FYjt9)V-2$oV!I68*qO1W+8V$(4a4pfd9HTw`ql1V?rEsj z7S9!N0F+BEW%_iMY-2OAY!dyP_O^?A8Qa5lT=@^3ILnXlu4W(kgMo3@0b6^GN=Oi! 
z7EF-w9i-(z;~JPok8PGD2eZ5Ha1tMq_EhC4fj4GK@-M_lVM>OVp1Y(Z$x*b8-kaSz zwR)xOhXS-@p@{!?7gr*V!;XUwB65eCSw2amjABBx3n=C}@73jeu=au#Edyj`qha&Q~={&^B(Pl%JBIb)DI z_qY5LZlXH7Z0=EL_gm#!LWdd^Or^IGgYE$J~&vcuOYoi~-AAbcUF_MbVDK4v+R9CnsTx;0Y23=W*tA}3moA-yMt zs@SO5LS18D*T16_dGzuJ+1$#F|R8sde6PkrfCLtF0-Xl+|WRCFvLBip0E6SElw z4X(nCZp71!EsyDm9AjdUMJ+Fs@(l`(y>%06c9CP}}p zuUJjdYd39up$hVpw7ClJVUwW{TgA=0uzZ{Vw^hR_-kF0+4CuvARNL+b=w$lds(RH9 zPM-$5$i#geM3`S`SmyVh>HJoRUM^^P?)V~o6)YAy*+Q4#fj_q5S@U)uwepdx4yUP{GCOXL9Y<5faQ@02H%nG z>2-d(sjlQbhWXnEUz(LS^h~=kxl?8N+su6P!ss+~#O4=eU1o1jE_-{Zrj*rhWVi!j z2NvUR95_~*k_}N+a#wGZOed0tYVSH+4XHJ2&-a(y{AmtTv~F51zwxani4DWyD98{ zG4Wc8PL&L=O_I*B?F;srcv%APttZQ>LBdNXI}AI1P^s{(S!Z`3ZDQh;jER}3(?45d zCp{HGFV!BbjTJT=g9UMu=B}Mv`x;r~B75|Y4-XB8t>l114gD1}pFmD%NN;`=-W`1Fd#k0(GYZ{f-A4LLO?Sj^;eh7b=UydBrl(5u& z-)xo=O3bHFGq=Az-jd*{n^(JReD-~}g`{+yBwy_nIbg$GvkaHNZhvWJ-sUf|ypUU7 zV|*)*O91@rQZzuujMe8{eE*NjHB+F%c3D-1wJuu1cq+2plI01;TaM4#$5@3~%HCX1 zu1wyqa2xCI{GxwSK-`j~UQAzaLU9m0WdX%DPG1zM-rYjl3EQ~u6yCR&YjI3#8eacV zPI8Jxge^**e{m%mIpy?2LSWKbSR<|l>=olKo@k`Gj1-mLV`tUAp;%|*X%_Wj0@Sp# zPjx=4`^NSDsU8n{bRYwxhtg1@@w0C=FK(bzQ(}AEkJPtYM|ZEhRhRP^i&*9=U!^D3 zkRNOvTxk1q`t zyT|i^YfZ5(@JOvj-+l|F*fx3AoECbuCV1bRa#`rBC@!tHnaFZ>vT=+mjap*qGE=ziy>p3{1@}a{9K4 zlo!Buh1h9b(KhdJu000b9LO>E|A_W(DW>SOu%NEd4~>-?pFL5od~TPKGwM9`5r=+_ z%W!Pw&7&5p+a-?DSJUXr`ve7pg)8q#@k==K-x*vI;H;`qpp|i>_fY!2I-zo#CkBchb-=oT1;9}>&Vn(kLui|`&xnlC~5|_30 z()Y`H{pS4+mW5<95@6>+7QfQfJrz0NCZ2?Zz*oEWvwH9e#l>hvJ(k0=XE>3oUF$4{ z^%~@)-1@%-OnRSf=dUp zxT{ufmasU9b@4TJUt5E`bc|}!I_!@rtnCR$(eZItE43&)f=L0!=8NleJxY6zH{YNK#sD8Hj4bSpXjEAx_NIz3)Bd_O7hu zk<(zpD#(sz7>}8SBvYX$NyL*V4zBaeahL&WkPrkmeFov{uAb_ zgKMZt?nDOw;dvnY>Pzo(Fzz5I-vG>N*_8CJ$p6Sij8LQ*1~o0d_dF|p{aC^||H*`s zqd#UH#l0T$#An{~Kps>qsR83g;3bNMoW?Ze8%DTwMs3jwql9CHOIb}pYSpwLTYyXp zWXN607}1)C=|>M%XXpyYovwZq7P!O`SDCjTXt&-~_;MtoW8CeGX1o_Eqlc%VbV*Ml z;PFW3$XQ45kf^g00-U8PP^~%R(v4{|b5i;7!eBeR{XLcX%QDnE5HZ4fjfHkjd;@@`JJ$8*oMfg{m$jTT zZ8@d|H{L|u-RfxUc@wrV+t)X{5oRqRAlBnt)u^joX|IzEy7y1ksx3#k<!G9 
z=32*V{c7>7o-Pn3eCC*zFFA=89hy0`Dj^orjxN&@i{@M&&}H`j zG|_g6dqV>guXw}#O{UPn;<2M0mo^E;+8R%u+*!UpLb_r4$TBM&5P(Z|$9V zR8v{I=BctQyF{Q0M3m7InS}r{2@yU;8DtWXNrs3(kQo`n5Ks{)h=_oOnW!izQ~oRkc9Lh@Kt~J-gWOe$c6r$4Qxl5@L3|A5E;E_h-Q(1mH^T52`Jeu7ucfPp4e+RHX zq)dFhTBsKByL{8^_2l=K1>8anO`kmjlS^Q26i=pFT)EY_iyE#Rm-1a&?7Fo-u*#|-dSN? z1(zc{&>f|k`>ic8Lzt)ahD#AY-@dv_5S}bV#52uwQWv(;Uh^D(!QFxQlc|*B_{_KW ze)`{K*Z<=5^G_)BFUV?bKD1)s%yp*#?BoZj?PW?E0{xbfk{8&tIa7iv%+LQi%)`^I z#(ke`GFvlysrU+~x~R3;15z=|5jZA^_Pu=+_B}O8GU_E79k@WK5fTz2@blcp?(SPY z8L)u*h1&7)@twXi-GFY}t#rK4S90Qg0z`%nQJ0&$IhhGr1RRTV|INB<*rBUpK6@uCA_ovZ6w1)@iFwN*4@G zrOKt5PqmXcr1ILedPQo6523ZkPl2bITUinvGf@GUx|J6o_)Lib`&B-{bagCVAXm#% z&_&}`898vC;0GWmQv}3~09V?T9IdodsD{Hl$M>;i}TRiWM?eumBucg~4FV zDS(RZqD%Y!2cPbEE7$4hyh*5j77eQtxjaIV@I|Se22}qlC7H3q!HXwy6g=zamCq5Q z#IpQj2Era<3{6}Q@;v;Jy9xcLjAt7Yc30<0E^H?)+W$(P>-WpD8lm)>4^1A-i=HLo zyEaA7a<%=cZ>y@i@FzIS1_}&Vf)#g)a7ovd1c37#Pm-z(lIoRC1K%KAjgYcBMVpuO z0|HzdA$5+W3B{^RUx zwx6j(XUz{h&eOY}II%OlvYo38#%Lt9Kz76=@F~WtmmG$7sUw9u^~)$rOX|G8q+|VQ z2W`>nZ2a_sp~6HQ7)U4}yxWPUojvo&9bB{4b{FIMi+K&6vAerfi<7z2@j0SmVyB;a z0T&2huFD%68$c@sK)(fG*Yvr{`p>NeACd%o>tCL??^hs9uA$uQodhvar4L8$hHLfKMAjSQHTyjFRlEQlboW zQrZ)g|4TgbXB|y*paD`hh&w(0^yL2qnm3SH_x=$}vYn`}0vESE8*fGbT9Evl43O## zL4B8d?0(C(sN1fpLcGhs83~7!zsnlk+!o*Or1l-}(GzQ2N<<}3O*5+V3Fv?$#0N9G zj4x0G>yEy(<6@T71#4+>eax)}pTQOAP4gHl8p5=3cxkM3kl_Sl|P z^e;n^8*LDq#RY6Q|2Ny7uBDjR2Nzxo4@6shn{IPn(Xic|%U|vO+_&U?rpCD-`=$x=TeJ?K&RiZtViUa`x5Q=q zs&L4lmW`Jqm%5rxc2;kM3LbX2?yxlj&7CDm94@?=X|(jiklkRzq#1!tf(VEM31tz^m`t|H_kD9$EVX#<-_wV?g4Vtq0F93x;oce%bUjA8{GKfZayq%@-C0TU~gI ze5M#4{8~^B3-3^ReO|5V46OhX$w=fylA6_}L5rv-s14BdN!z5mYLD1wEyRstnmxCq zl0)-ecl7dyd(K|N&lZ|H+fQ7qQucPt=iSX93I)^L(8&6TXHc=IJ^jiHw4-17VPfSq z0)=RfTnTF2wO;+bwgL*GF`&!_7I1BikZyD!WJyW@fQA64wweA@-S9!PrMw`|JZ*KQ zd14;k*0c}89WH}BOdG}IyqiI6(w&Uzeop>O(Y)e~_%{O&h8_OJ`74eM&uc!toKHke z36-;*b9YL<4Y+pWJPj>eHdqngsY+8Ep8?3TR#X7SX58pcMOSrJesroy%4cVT$+q@2ugHNA0EHbX@ zrX4DpzwOR8uID3UOJ1w7C*DzU2yjVfyli>yc}rzaBsK$o_Shc2^Q}9jVzX~;A;a zRnu$9`;zr9T@>d% 
z&HrC`w257B@Gg%wqx?@EZMfpt8Jv_!jFo9rpkj`SV`sxs4#Nf8Su|2gGB%994hUYx zMwqLHNii3~P}%V}$~jetc7RP(qB$ZFN;|p4OiuiSZMHxKU)KwrDn%!}T~ySEwLa4D zx4?I*|IAms>v@;t>xhH3D!TVO-RZ#H1Jv0T#VTUbx{WKkYyxCr{oS910pKr_UBkWg ziS=Z3^Fa{61N_^2uK*SoMFm+_p=`J-`!oec`q?YXLZHP~iFl4yYPa(4(rA%jmV^TN z_j_mlEHWRiE%&RXR^{b#%~c*&VL&B)D&ENcQ6A?#6Gp)t+@x7_iRC?~=p%*a8^5Hs z)&DGkJGu_Nx8w*|u+P*47-QZ{+{3wq8M|Zh@MIhu9EgCvLKb?u^c4Fg863$Udw?z* zq0rLr-Ebd>x~?9_#m&T_6vg?-P?8(h2&~zkmJ0qeKO)+gR2Av%*o*b=2Ss%@7Fdbe zeiC;+VTHmWhXx7|X^QVE`?HKypWoYCKH5^1iE*ZKHv0HGJ`uskv2d2KL*-G&i+)t9 z(h_;NAzO&4b{F|e9&)4qAR&vpXi#ovZsC=D-RfKg@>Uc2u$6JiWVmy<%L`Bj>uT4H z%0CMyQ+z9k(&{R9n6%SF|BgvhFUv|R zQ*;v!@J{cNS#{^~WAcklFT zCVo&@R6(B`-tOYlJB8G`OtaqXp&(j`z{@X$a0^VgmB*iQ19|i65uJik_*P47gALkd zI)TJ(A*|3^z22Ofyw7shfKY)q{F6^RBN9;TkcCe@UD$h|hvliZTh99omMP>VG{jye za+9?`TH6$9!a8VBSGCxTzu(PcuSLd!$h%R-$-JSbv_}H- z>#sb1g|n+{`p(*o?o7Y~+K`gs$%ZptZRr~aCsIs%+R#_WfBYxX@c&|Gs=pwz`(OQx z{dXvK(#ulf`xZ7<(+2$Iu%q{l-*_JGnR8Cj z${px2T@~pcmc<%T*w`aT;{C$BAl6(s?f)d7lU+-i$|v$W2@cPDid!6zL)A2D=RX~ z@dkxFk}4%F-|0)(KH8Z&dxu?RO`}De4N@HnOm^o_x(cVhvHqdCZMOwQw+<~^dX*jb z#`lHflt4HsY8m@ptV>fS`@{0hUZKn+S=sjWCIZbHyX}c24AzEqALgxXq3;7(NPf0> zaJB}`Y$s!%NgE&B>`=4mWmmR4snS#9d*6}?=z$wKwm+%KWEZNk%Ojgc%axX*>}BGU zL6c#&ZZEYQLIW@b**{SI8s`(ewpUWMEoiUcIddnqgq`%6&Ga07tmsQ6WeJQy#;opW z6OIOo^HS1Pjgynhpv38U3#Dr?W1mROgv9Oe14i30U?X0E%?hb z*lm@fKOwWUmom~3acwrN{6Ypbl6V4L(r{XW5+=w?5hIi!e~eeEhjdWub9@+I<1IJ6?T&_^3=?Wm3d2S(!a^{n`7= zX6@H)4HO4fzQxyvb_`uY2$4r-^&+(O44BQlyl86ak=qFFX(P=!wv;o$CpmNQRN(y@ z)^%+d|0sED)S=1f^FM}u8h{t%=PWu4?b}12^NYreRX+F) zKU84%rcnlcBZiHSP|l*P!-xCLF1{#RK?rA+s$Lb^Xlg2hK^~}0CNfE`+KTv}7{CMs zn!Hp2-B_>%`s$9^BX25J7lV0B^mfY)U9BM=!G2?NOs!$VK-05cfg0)2ehX~*#cq=h z+K|RgoMqs9Wo*e%C~WSfskKGjg3}hYpR6)O&jM-Go4J^wzC_z(*trQg*ln@8C~>We0?h=EW)jgblcf)1~jQHkG(pf`zUINY(B9X z4qdVvd2XBi?CQsrwzf69>HeAvKMO%hhn}!5^9`6oXPSX;#5s9uxtch(Evh51#~A!Kx8(glwg;sH{_TGp1g2=zlYQcm$xTq;TSEPnl9PZY*n7hmA1Y0A{$c_KGV{F(tK@UB zWa?cb%I`GuohAx95BE3;;9N8W1(Lnqad#|$AfM4fxPMGTD*FZa9QGfDQEGBlSFXl+ 
zg|r{as(2Zm-0nY>u_SfsLElx~fV_CM-sX{$g`?mYj=)#80LKVHM}JFhZ`#P65C#w6 z10yj}=?`J51}0#WI!E!-u|fW9Dfpxaa~;Q80pSQ4{-{2+?`!b~T=i8&s4hNPuzBcq z7Q-`(b-Wu~96XGdLPLG2V6j1c+S_V+bCKTQfB|RIUDr!jl1UTrMLqV(f%y@<8>Y~V z1#J-Id!JJv)6Kv4h%M)Y=|3nftmDA_m4czHn~qd}DTP{lE-7OS?K610M5P8&B1>`7 z%#Ni+_~a9PE%aDCdd4I5AuQ;J6TlZ0>qFm`>EdISCinFj-sKcZS`sm$W?9wRn#wi! zJ1KZRWDI94vo1^v#Mk?1dL~V3{hrsk2E?J3izhkaraCVDuhx&)5L@YM?fk5s5>aB9 zJUOvl>oTZsxTUsE)01ndlHLbrkKMsJ5yY`qvWx=Z$noNB~B#3SkN5xHsm{XAhN;O;aZ|zCiNG+_~ zaQ(V)^lwJICncS4?>wwa?S~?Ta8uFD^`$t?aiJjES@x^#^=>KnnsuJ6`J3@7G&>mO zLNV^jb;3=lL^rY;eJz}ImbFp;1H{k1>AfyA8a+8S=O$NtYdtfr#$F|(M(a}WvVd62 zsz9`;!I}$xaq_wKD^a<^c8K1_ETgio`+FKTbRT4M&R5jpCG(usfaWOB^g;;~x0D$? z4$}RCchy9&NEyTJg#@|637gYtXP4uF*oa;dK{%~1`{mQb=Yll-C-}+{Y32}V10dp~ zO>*UGQR%rdg>r%Zk)tRBWc4UX$Q||B3Mxa+roQ`~{%UD~1ay^AcZ_`34KlKsv!6`P z5^k^|wK@_>bmrQpxt>SXms?G!<-cjj;9D*uVW;)a%svG}7XU;hOa! zK`8Icu!R9_jp13`OJ?^Z%MGY)p@}-ZR>}6P}RP_}57)aNcgZc0$m%_P)&~~5w zg#B0zj_CpKs+bC+TK+ctRt0hN7xYhp0xJIimL;bI_e5p`bGkyJ$D+gQ#7Ijs=Sf-H zSSnfEes(*rFtty1>i8%jmMCO3@{L^jM*e1?7;#@hdD~U=8-WJ$d*nKldg+5;$U~UN zhAf@6P%`^o%~*j`Y_Sg#<{HQ99nHel!jz(#!OE$qt;)u{%`6BUf{3PMxZZhzwpAK` ze0lK|`rzKf$(zj{UrA`>5#neYCoj#o($X}W^7Vc?!g|dq$LYx;i-u38eZW#O2Sc2>4*W@|jd81&~Yj)i=*Sl{9MnPB| z;m_6MvPc+Z!K*YpLWPL=W7r6!W-vI)`GALTS~9w&uw^dmr#^eOoGDyBb_i0YrTUl^ zy?)RBJjDj0EGRH_09c0YNNV3}?1lJyfxC*O)z~i>I0Zh^JGYi-DHf^DC%Zfy>=sRY zThm8k<}}Wi;b3j-)1qh9huhGb6YZc#l>eq-BUXdBoQ#Wo;RnsmYn9HS!o#vm)>Hh( zw43@0{omOCK*Ao6mdj`ad!fS~<=(BBpE6EkU*n36w$YQDl)SKvt|QS;uhQNR_2oirjD`5 znk`j}*i_tCY-s}TuRB`{-Q6hokfL(uu@g`21D#*NWZHcpe)DVBrx5m#L8RLY%Gwix zOyM;2o!iHDzr>I);D^U*=LN#;>?;*>;#=LP*W|2Ebv&AczMOUsyfeMeSn;%VSF8I* zZ-GAQ+)Q&B+DCB>#r{;i0>O78pMmncf2UoKeF%FPfYF8Kw*&jjXWx)a*k>DH<)o_Z zjk6I2`y?F($kIE81^#pI(qSq$Pf7~*hW;}y>tDEG22O>T z4yFyC5KPmbR5-u4-*iXM?enhoC)T#MW&$2virV<`$CPAa)KX|NF3Q)0Tfg18qJ-6c z Date: Thu, 28 Jun 2018 19:08:42 +0000 Subject: [PATCH 21/34] Merged PR 9446: Removed three TextInput policies that are not shipping --- ...ew-in-windows-mdm-enrollment-management.md | 
4 +- .../policy-configuration-service-provider.md | 9 - .../mdm/policy-csp-textinput.md | 165 ------------------ 3 files changed, 3 insertions(+), 175 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index bcc6be8e18..15342170ff 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1652,9 +1652,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy CSP](policy-configuration-service-provider.md)

Recent changes:

    -
  • System/AllowFontProviders is not supported in Windows Holographic for Business
  • +
  • System/AllowFontProviders is not supported in Windows Holographic for Business.
  • Security/RequireDeviceEncryption is suported in the Home SKU.
  • Removed LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers. This policy is not supported.
  • +
  • Start/StartLayout - added a table of SKU support information.
  • +
  • Start/ImportEdgeAssets - added a table of SKU support information.
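Review bot: the added line `Security/RequireDeviceEncryption is suported in the Home SKU.` carries a typo, `suported` should read `supported`. The Recent changes list in this hunk also never records what this PR itself does: it notes the removal of LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers but says nothing about the three TextInput/Configure*IMEVersion placeholder policies deleted in the other two files of this change; add a matching `Removed TextInput/ConfigureJapaneseIMEVersion, TextInput/ConfigureSimplifiedChineseIMEVersion and TextInput/ConfigureTraditionalChineseIMEVersion. These policies are not supported.` line so the changelog reflects the removal.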
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 467a33fee4..c3adcaa9ae 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3097,15 +3097,6 @@ The following diagram shows the Policy configuration service provider in tree fo
TextInput/AllowLinguisticDataCollection
-
- TextInput/ConfigureJapaneseIMEVersion -
-
- TextInput/ConfigureSimplifiedChineseIMEVersion -
-
- TextInput/ConfigureTraditionalChineseIMEVersion -
TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
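Review bot: dropping `TextInput/ConfigureJapaneseIMEVersion`, `TextInput/ConfigureSimplifiedChineseIMEVersion` and `TextInput/ConfigureTraditionalChineseIMEVersion` from the tree also removes their anchor targets, so any page that links to those names by anchor will break silently; the redirection file touched later in this series only adds entries for other paths, so a repo-wide search for the three identifiers before merge would confirm nothing else references them.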
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 52aedcfba8..2b295a2044 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -57,15 +57,6 @@ ms.date: 06/05/2018
TextInput/AllowLinguisticDataCollection
-
- TextInput/ConfigureJapaneseIMEVersion -
-
- TextInput/ConfigureSimplifiedChineseIMEVersion -
-
- TextInput/ConfigureTraditionalChineseIMEVersion -
TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
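Review bot: the hunk header's context shows this file's front matter still at `ms.date: 06/05/2018`, and the PR does not bump it even though it deletes three documented policies; patch 22 in this same series updates `ms.date` when it edits autopilot-reset.md, so do the same here so the published page's last-modified date reflects the removal.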
@@ -688,162 +679,6 @@ This setting supports a range of values between 0 and 1.
- -**TextInput/ConfigureJapaneseIMEVersion** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, next major version. This is only a placeholder. Do not use in production code. - - - - - - - - - - - - - -
- - -**TextInput/ConfigureSimplifiedChineseIMEVersion** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, next major version. This is only a placeholder. Do not use in production code. - - - - - - - - - - - - - -
- - -**TextInput/ConfigureTraditionalChineseIMEVersion** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, next major version. This is only a placeholder. Do not use in production code. - - - - - - - - - - - - - -
- **TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode** From d40a50beca3f1b0a680d3f8113465a6c23929696 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 28 Jun 2018 20:18:42 +0000 Subject: [PATCH 22/34] Merged PR 9454: Update downgrade path doc, add redirects also for Autopilot Several updates to the downgrade document, and I minor changes to Autopilot reset and a redirect --- .openpublishing.redirection.json | 11 +++- education/windows/autopilot-reset.md | 6 +-- windows/deployment/TOC.md | 8 +-- ...hs.md => windows-10-edition-downgrades.md} | 52 +++++++++++++------ .../upgrade/windows-10-edition-upgrades.md | 5 +- 5 files changed, 52 insertions(+), 30 deletions(-) rename windows/deployment/upgrade/{windows-10-downgrade-paths.md => windows-10-edition-downgrades.md} (50%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ae1b99510e..4b17493739 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -13680,6 +13680,15 @@ "redirect_url": "/windows/privacy/windows-diagnostic-data", "redirect_document_id": true }, - +{ +"source_path": "windows/deployment/upgrade/windows-10-downgrade-paths.md", +"redirect_url": "/windows/deployment/upgrade/windows-10-edition-downgrades", +"redirect_document_id": true +}, +{ +"source_path": "education/windows/windows-automatic-redeployment.md", +"redirect_url": "/education/windows/autopilot-reset", +"redirect_document_id": true +}, ] } diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 906a44a391..8a5441c5cc 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: CelesteDG +author: greg-lindsay ms.author: celested -ms.date: 03/08/2018 +ms.date: 06/27/2018 --- # Reset devices with Autopilot Reset 
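Review bot: the .openpublishing.redirection.json hunk in PATCH 22/34 appends the two new entries between the last existing object and the closing `]`, so the array still ends with `+},` followed by `]`, a trailing comma. The comma was already there before this change (the removed `-` line was only a blank), but since this hunk rewrites the tail of the array it is the right moment to drop it so the file parses as strict JSON rather than relying on a lenient parser.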
@@ -102,7 +102,7 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsof reagentc /enable ``` -If Windows Automatic Reployment fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. ## Related topics diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 2c3572608c..a22ca17807 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -22,8 +22,8 @@ ### [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) ### [Windows 10 in S mode](windows-10-pro-in-s-mode.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) +### [Windows 10 edition downgrade](upgrade/windows-10-edition-downgrades.md) ### [Windows 10 volume license media](windows-10-media.md) ### [Windows 10 deployment test lab](windows-10-poc.md) 
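Review bot: in the autopilot-reset.md front-matter hunk, `author` is changed from CelesteDG to greg-lindsay while `ms.author: celested` is left unchanged, so the two author fields now disagree; update `ms.author` to match, or state in the commit message that celested is deliberately kept as the metadata contact.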
@@ -223,12 +223,6 @@ #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) ### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) -#### [Onboard to Windows Update for Business](update/wufb-onboard.md) -##### [Windows Update for Business basics](update/wufb-basics.md) -##### [Setting up automatic update](update/wufb-autoupdate.md) -##### [Managing feature and quality updates](update/wufb-manageupdate.md) -##### [Enforcing compliance deadlines](update/wufb-compliancedeadlines.md) -##### [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](update/wufb-managedrivers.md) #### [Configure Windows Update for Business](update/waas-configure-wufb.md) #### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md) #### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-edition-downgrades.md similarity index 50% rename from windows/deployment/upgrade/windows-10-downgrade-paths.md rename to windows/deployment/upgrade/windows-10-edition-downgrades.md index 8f56af65a7..d09ca77718 100644 --- a/windows/deployment/upgrade/windows-10-downgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-edition-downgrades.md 
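Review bot: the second TOC.md hunk removes the six Windows Update for Business entries (update/wufb-onboard.md through update/wufb-managedrivers.md) from navigation, but this commit's file list touches only five files and none of them is under update/, so those pages are neither deleted nor redirected and become orphaned. Either delete them, add redirects for them, or say in the commit message that they are intentionally left unlinked.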
@@ -1,39 +1,54 @@ --- -title: Windows 10 downgrade paths (Windows 10) +title: Windows 10 edition downgrade (Windows 10) description: You can downgrade Windows 10 if the downgrade path is supported. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 06/15/2018 +ms.date: 06/28/2018 --- -# Windows 10 downgrade paths +# Windows 10 edition downgrade **Applies to** - Windows 10 -## Downgrading Windows 10 +This topic provides a summary of supported Windows 10 in-place edition downgrade paths. A valid product key for the destination edition is required to perform the downgrade. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. -This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). For example, you might downgrade an Enterprise edition by manually entering a valid Pro license key. +To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). If the downgrade path is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required. -If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required. +Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this path is through the rollback of a previous upgrade. 
You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. +### Firmware-embedded activation keys ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +As of October 2017, computers that are supplied by an OEM include a firmware embedded product key that can affect the available downgrade paths. If this key exists, you can display it and the pre-installed OS edition by typing the following commands at an elevated Windows PowerShell prompt: ->**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below. +``` +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKeyDescription +``` + +### Scenario example + +Downgrading from Enterprise + - Original edition with firmware-embedded key: **Professional OEM** + - Upgrade edition: **Enterprise** + - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** + +You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supercede the firmware-embedded Pro key. 
In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). ### Supported Windows 10 downgrade paths >[!NOTE] ->Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here.
->Switching between different editions of Pro is also not strictly considered an edition downgrade, but is included here for clarity. +>Edition changes that are considered upgrades (Ex: Pro to Enterprise, Pro to Pro for Workstations) are not shown here. +>For more information see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+ +Switching between different editions of Pro might not be possible if the source OS is associated with a [firmware-embedded activation key](#firmware-embedded-activation-keys). An exception is that you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key, and then later downgrade this computer back to Pro. ✔ = Supported downgrade path
+ N  = Not supported from OEM pre-installed

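Review bot: the PowerShell snippet in the windows-10-edition-downgrades.md hunk uses curly quotes (‘select * from SoftwareLicensingService’) inside an untagged code fence; use straight quotes so the lines paste cleanly into any console, tag the fence as powershell, and consider the non-deprecated form `(Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey`, since Get-WmiObject is no longer the recommended cmdlet. Two smaller points in the same hunk: "supercede" should be "supersede", and "Pro to Pro for Workstation" should read "Pro for Workstations" to match the edition name used everywhere else on the page.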
@@ -68,8 +83,8 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a - - + + @@ -77,7 +92,7 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a - + @@ -87,8 +102,8 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a - - + + @@ -126,6 +141,9 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
Pro
Pro for Workstations N
Pro Education NN
+>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. + +>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. ## Related Topics diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 73052174b6..bfc4a64f74 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 04/30/2018 +ms.date: 06/28/2018 --- # Windows 10 edition upgrade @@ -20,6 +20,8 @@ ms.date: 04/30/2018 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). +Edition changes that are considered downgrades are not shown here. For more information, see [Windows 10 edition downgrade](windows-10-edition-downgrades.md). + The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. ![not supported](../images/x_blk.png) (X) = not supported
@@ -56,7 +58,6 @@ X = unsupported
| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | | **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | > [!NOTE] From a73d9ddc43d02dae66944ced3c3346afecf06f09 Mon Sep 17 00:00:00 2001 From: DawnWood Date: Thu, 28 Jun 2018 13:19:21 -0700 Subject: [PATCH 23/34] adding redirects to new WIP topics --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ae1b99510e..f36f37a5b1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "windows/deployment/update/waas-windows-insider-for-business.md", +"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set", "redirect_document_id": true From c0b56f49f95a1010dee24e1664a93b82acff4034 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 14:20:13 -0700 Subject: [PATCH 24/34] added redirects --- .openpublishing.redirection.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8dada868e0..a599d1c187 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
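Review bot: the windows-10-edition-upgrades.md hunk removes the `Pro for Workstations > Pro Education` row, presumably because that change is now classed as a downgrade, but the downgrade page in the same commit only says that switching between Pro editions "might not be possible" with a firmware-embedded key rather than listing that path explicitly; confirm the path is shown in the downgrade table so it is not documented on neither page.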
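Review bot: PATCH 23/34 and PATCH 22/34 both modify .openpublishing.redirection.json starting from the same blob (index ae1b99510e), while PATCH 24/34 starts from 8dada868e0, so this series will not apply in order with git am; rebase PATCH 23 onto the result of PATCH 22 (the two insertions are at opposite ends of the array, so the merge is mechanical). Also, the redirect_url added here is an absolute https://docs.microsoft.com/en-us/... URL whereas every other entry uses a site-relative path; confirm the absolute form is intended for this cross-docset redirect.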
@@ -11,6 +11,16 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md", +"redirect_url": "/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agress.md", +"redirect_url": "/windows/security/threat-protectionsecurity-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-application-control.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control", "redirect_document_id": true From 6f918f68b76e43fbdbc783741e9d8930e01434bc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 16:31:14 -0700 Subject: [PATCH 25/34] edits to parent topic --- ...-client-digitally-sign-communications-always.md | 4 ++-- .../security-policy-settings/security-options.md | 14 ++++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 8792852d43..779be1af43 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md 
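Review bot: the second new entry in the PATCH 24/34 hunk has a redirect_url with a missing slash: `/windows/security/threat-protectionsecurity-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees` should begin `/windows/security/threat-protection/security-policy-settings/`, otherwise the redirect lands on a path that does not exist. Also confirm that the source_path spelling `...-if-client-agress.md` matches the actual existing filename (the new target is spelled "agrees"), since a redirect from a path that never existed is a silent no-op.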
@@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 06/21/2018 +author: justinha +ms.date: 06/28/2018 --- # Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index c33e590f5c..58d123a11a 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 08/01/2017 +author: justinha +ms.date: 06/28/2018 --- # Security Options 
@@ -66,13 +66,15 @@ For info about setting security policies, see [Configure security policy setting | [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. | | [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| | [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| -| [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. | -| [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. 
| +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. | +| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. | +| [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. | | [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. 
| | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | -| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.| -| [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. 
| +| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| +| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| +| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | | [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. 
| | [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| From b6563bde0cdfc0eacdccc0dcfcf18a234b2c5964 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 28 Jun 2018 16:35:03 -0700 Subject: [PATCH 26/34] edits to parent topic --- .../security-policy-settings/security-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 58d123a11a..b4d90dc74c 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md 
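Review bot: in the security-options.md hunk, the row `Microsoft network server: Digitally sign communications (always)` is described as covering SMBv3 and SMBv2 but still links to smbv1-microsoft-network-server-digitally-sign-communications-always.md, the same file as the SMBv1-only row directly below it; point it at microsoft-network-server-digitally-sign-communications-always.md, mirroring how the client row above links to the non-SMBv1 topic.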
@@ -72,7 +72,7 @@ For info about setting security policies, see [Configure security policy setting | [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. 
| -| [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| | [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| | [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | From 03695484d5ef3ca456d861ac6475a471b1811da1 Mon Sep 17 00:00:00 2001 
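Review bot: this hunk corrects the link left wrong by PATCH 25/34, but the new target microsoft-network-server-digitally-sign-communications-always.md is not created or touched by any of the visible patches (PATCH 25 and 26 change only security-options.md and the client topic), so confirm the file already exists in the repo or this row becomes a broken link. Since the hunk fixes the previous commit's own error, consider squashing it into PATCH 25.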
From: Dani Halfin Date: Fri, 29 Jun 2018 00:06:27 +0000 Subject: [PATCH 27/34] Merged PR 9471: Consumer endpoints added and security statement tweaked --- windows/privacy/TOC.md | 2 + ...ws-diagnostic-data-in-your-organization.md | 2 +- windows/privacy/manage-windows-endpoints.md | 254 +--------------- ...-endpoints-1709-non-enterprise-editions.md | 273 ++++++++++++++++++ ...-endpoints-1803-non-enterprise-editions.md | 148 ++++++++++ 5 files changed, 431 insertions(+), 248 deletions(-) create mode 100644 windows/privacy/windows-endpoints-1709-non-enterprise-editions.md create mode 100644 windows/privacy/windows-endpoints-1803-non-enterprise-editions.md diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index e3d3190996..05709993b8 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -14,4 +14,6 @@ ### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) ## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 3fda54cb26..17d45d542b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -25,7 +25,7 @@ To frame a discussion about diagnostic data, it is important to understand Micro - **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. - **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. - **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. - **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. - **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index c9bc42d287..c5fb0c11f5 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md @@ -5,10 +5,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.localizationpriority: medium -author: brianlic-msft -ms.author: brianlic -ms.date: 11/21/2017 +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 --- # Manage Windows 10 connection endpoints 
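Review bot: the configure-windows-diagnostic-data-in-your-organization.md hunk replaces "protect that data at our secure data centers" with the TLS 1.2 and certificate-pinning statement, so the Security bullet now says nothing about protection at rest; keep the at-rest clause alongside the new in-transit detail rather than swapping one for the other. Naming the TLS version also ties the doc to a detail that will age, so consider wording it so a protocol bump does not make the sentence wrong.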
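Review bot: in the manage-windows-endpoints.md front-matter hunk, `ms.date: 6/26/2018` drops the zero-padded month used by every other ms.date in this series (06/27/2018, 06/28/2018); use 06/26/2018 for consistency.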
@@ -482,250 +482,10 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa |----------------|----------|------------|----------------------------------| |Various|HTTPS|go.microsoft.com| 1709 | -## Endpoints for other Windows editions +## Other Windows 10 editions -In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. 
| -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. 
| -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. 
| -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. 
| -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. 
| -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. 
| -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. 
| -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. 
| -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. 
| -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. 
| -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. 
| -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ## Related links diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md new file mode 100644 index 0000000000..601a236c61 --- /dev/null +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md 
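Review bot: the new "Other Windows 10 editions" section links only the 1709 non-Enterprise page, yet this same patch creates windows-endpoints-1803-non-enterprise-editions.md and adds it to TOC.md; add a second bullet, `- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)`, so readers of this page can reach it without going through the TOC. Separately, several rows being moved out of this file carry defects that should be fixed rather than copied verbatim into the new files: `arc.msn.com.nsatc.net | TLSv1.3` in the Pro table (every other TLS entry in these tables is TLSv1.2, so this is almost certainly a typo), the `store-images.s-microsoft.com` row that appears twice in the Pro table, the stray trailing `. .` in the `gpla1.wac.v2cdn.net` rows, and the Home-table entry `.g.akamaiedge.net` that lacks the `*` wildcard prefix the other Akamai entries use.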
@@ -0,0 +1,273 @@ +--- +title: Windows 10, version 1709, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1709, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1709 +- Windows 10 Professional, version 1709 +- Windows 10 Education, version 1709 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Home + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. 
| +| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. 
| +| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| +| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | +| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. 
| +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | +| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.*.akamai.net | HTTP | Used to download content. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. 
| +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. 
| +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. 
| +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| fs.microsoft.com | HTTPS | Used to download fonts on demand | +| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | +| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. 
| +| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. 
| +| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspw65.akamai.net | HTTP | Used to download content. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamai.net | HTTP | Used to download content. | +| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. 
| +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com/* | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | +| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. 
| +| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md new file mode 100644 index 0000000000..0e3da94eee --- /dev/null +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md 
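Review bot: the Windows 10 Pro table in this hunk lists the row `| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |` twice in succession; drop the duplicate. The `gpla1.wac.v2cdn.net` rows in both the Pro and the Education table end with a stray second period (`traffic. .`), and the `fs.microsoft.com` (Pro, "Used to download fonts on demand") and `*.wac.phicdn.net` (Education, "perform Windows updates") descriptions have no terminating period, unlike every other row in these tables.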
@@ -0,0 +1,148 @@ +--- +title: Windows 10, version 1803, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1803, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1803 +- Windows 10 Professional, version 1803 +- Windows 10 Education, version 1803 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| +| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ HTTP Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | +| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. 
| +| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | + + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. 
| +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. 
| +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. 
| +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | From 90ca7c0b5e6ff153f7716e3da2fa8f9eb7126443 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 09:09:44 -0700 Subject: [PATCH 28/34] Added new beta rule. --- .../attack-surface-reduction-exploit-guard.md | 15 +++++++++++++-- .../customize-attack-surface-reduction.md | 4 +++- .../enable-attack-surface-reduction.md | 3 ++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 3cc13b3320..8077146f92 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/13/2018 +ms.date: 06/29/2018 --- @@ -82,6 +82,10 @@ Windows 10, version 1803 has five new Attack surface reduction rules: - Block process creations originating from PSExec and WMI commands - Block untrusted and unsigned processes that run from USB +In addition, the following rule is available for beta testing: + +- Block Office communication applications from creating child processes + The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: Rule name | GUID 
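Review bot: in the new file, the Windows 10 Family row `| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ HTTP Enables connections to Windows Update. |` is missing its cell separators and will not render as a table row; it should read `| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |`. Several naming inconsistencies in the same hunk look like typos rather than real differences between editions: the Family table has `ip5.afdorigin-prod-am02.afdogw.com` where the Pro table has `vip5.afdorigin-prod-am02.afdogw.com` for the same description; the Family and Pro tables use `geo-prod.dodsp.mp.microsoft.com.nsatc.net` while the Education table and the existing tables above use the `geo-prod.do.dsp.mp.microsoft.com` spelling; the heading `## Windows 10 Family` does not match the `Windows 10 Home, version 1803` edition named under **Applies to**, and `## Windows 10 Pro` does not match `Windows 10 Professional, version 1803`. Since readers use these tables to build allow lists, a mistyped host silently breaks the corresponding service, so each differing name should be checked against the capture. Minor: the last rows of each table (`ip5...`/`watson...`, `vip5...`, `bing.com/*`) break the otherwise alphabetical order, "office 365" should be "Office 365", the `dm3p.wns.notify...` and `vip5...am02` (Pro) and `maps.windows.com` (Education) descriptions lack a period, and `ms.date: 6/26/2018` should use the zero-padded `06/26/2018` form used in the other front matter in this series.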
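Review bot: the `-82,6 +82,10` hunk introduces the rule as "available for beta testing" but gives no indication of what that means for a reader: which builds or Insider rings carry it, whether it must be opted into, and whether it can be set to audit mode like the released rules; a sentence or a link to that information belongs next to the new bullet.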
@@ -98,6 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. @@ -123,7 +128,7 @@ This rule blocks the following file types from being run or launched from an ema ### Rule: Block Office applications from creating child processes -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access. +Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
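Review bot: the new GUID table row `Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869` in the `-98,6 +102,7` hunk lacks the "(available for beta testing)" qualifier that the bullet list above it and the rows added to customize-attack-surface-reduction.md and enable-attack-surface-reduction.md in this same patch carry; add it so the table is consistent with the other two files. Pre-existing context line in the same hunk: "a list of supported Office version" should be "versions".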
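Review bot: the `-123,7 +128,7` hunk removes Outlook from the scope of "Block Office applications from creating child processes" without saying where it went; a reader of that section alone will conclude Outlook is no longer covered. Add a sentence stating that Outlook is now handled by the new "Block Office communication applications from creating child processes" rule, and, since that rule is still in beta, whether existing deployments of the Office rule keep blocking Outlook child processes in the meantime.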
@@ -203,6 +208,12 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +### Rule: Block Office communication applications from creating child processes + +Office communication apps will not be allowed to create child processes. This includes Outlook. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 7260ed4758..345e29bb18 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/15/2018 +ms.date: 06/29/2018 --- # Customize Attack surface reduction 
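Review bot: the new "Rule: Block Office communication applications from creating child processes" section in the `-203,6 +208,12` hunk does not mention that the rule is in beta, while the rule list and the GUID table do; repeat the qualifier in the heading or first sentence. The second paragraph is also copied verbatim from the Office rule ("macro-based attacks that attempt to use Office apps to launch or download malicious executables"); since this rule's stated scope is Outlook, describe the behavior it targets in terms of the mail client so the two sections are distinguishable.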
@@ -76,6 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-no.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 + See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 8541457872..de3f852b51 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 06/29/2018 --- 
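Review bot: the `-76,6 +76,8` hunk adds a second `+` blank line after the new table row, leaving two empty lines before "See the [Attack surface reduction] ... topic"; drop the stray blank line so the spacing matches the rest of the file.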
@@ -64,6 +64,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From eddcec4aeb6316ea54a5545d38131a13f2c68425 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 09:34:32 -0700 Subject: [PATCH 29/34] Add beta note --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 8077146f92..1e25be6fc4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -102,7 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. From 751985fc28b382e0bf701ef0d9959e10adc1093d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 29 Jun 2018 11:03:15 -0700 Subject: [PATCH 30/34] dates --- .../trusted-platform-module-services-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 7936b618c3..41d6404f4b 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/22/2018 +ms.date: 06/29/2018 --- # TPM Group Policy settings From f3ab131595dfeee8ca29fc620d6d6ab63804b8a5 Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 11:03:34 -0700 Subject: [PATCH 31/34] Added notes, incorporated review comments. --- .../attack-surface-reduction-exploit-guard.md | 6 ++++++ .../customize-attack-surface-reduction.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 1e25be6fc4..a977673685 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -179,10 +179,16 @@ This rule attempts to block Office files that contain macro code that is capable This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) + +>[NOTE!] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. + +>[NOTE!] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 345e29bb18..0732ac1826 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -76,7 +76,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-no.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 73509af7ca3385b865da6e842351d5a15697edfc Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 11:22:44 -0700 Subject: [PATCH 32/34] Fixed note formatting. --- .../attack-surface-reduction-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index a977673685..8cecfe7be5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -180,14 +180,14 @@ This rule blocks the following file types from being run or launched unless they - Executable files (such as .exe, .dll, or .scr) ->[NOTE!] +>[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. ->[NOTE!] +>[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) From 16253f9f1697a27e87472dd1db23b7e57cf04fd4 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 29 Jun 2018 21:44:03 +0000 Subject: [PATCH 33/34] Merged PR 9484: More updates to this page to resolve licensing conflicts Removing some sections --- .../upgrade/windows-10-edition-downgrades.md | 39 +++++++------------ 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-downgrades.md b/windows/deployment/upgrade/windows-10-edition-downgrades.md index d09ca77718..42e55a7327 100644 --- a/windows/deployment/upgrade/windows-10-edition-downgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-downgrades.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 06/28/2018 +ms.date: 06/29/2018 --- # Windows 10 edition downgrade 
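Review bot: In the attack-surface-reduction-exploit-guard.md hunk @@ -179,10 +179,16 @@ (PATCH 31), both added alerts use `>[NOTE!]`, which is not the docs alert syntax and renders as literal text; it must be `>[!NOTE]`, which PATCH 32 then corrects. Squash PATCH 32 into PATCH 31 so no commit in the series leaves the page with broken notes. While editing those lines, consider a relative link such as `../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md` instead of the absolute `https://docs.microsoft.com/en-us/...` URL, which hard-codes the locale into the page.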
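Review bot: In the customize-attack-surface-reduction.md hunk @@ -76,7 +76,7 @@ (PATCH 31), the changed row now reads `[!include[Check mark no](images/svg/check-yes.svg)]`, so the accessible label says "no" while the image shows "yes"; if the rule supports exclusions the include should be `[!include[Check mark yes](images/svg/check-yes.svg)]`, matching the neighbouring rows, and if it does not, the original check-no.svg was correct. The commit message "incorporated review comments" does not say which is intended, so please state it.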
@@ -21,21 +21,12 @@ To perform a downgrade, you can use the same methods as when performing an [edit Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this path is through the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -### Firmware-embedded activation keys - -As of October 2017, computers that are supplied by an OEM include a firmware embedded product key that can affect the available downgrade paths. If this key exists, you can display it and the pre-installed OS edition by typing the following commands at an elevated Windows PowerShell prompt: - -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKeyDescription -``` - ### Scenario example Downgrading from Enterprise - - Original edition with firmware-embedded key: **Professional OEM** - - Upgrade edition: **Enterprise** - - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** +- Original edition: **Professional OEM** +- Upgrade edition: **Enterprise** +- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supercede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). 
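Review bot: In the windows-10-edition-downgrades.md hunk @@ -21,21 +21,12 @@, removing the "Firmware-embedded activation keys" section deletes the only explanation of what a firmware-embedded key is and how to display it, yet the unchanged scenario paragraph still says downgrading "requires an additional activation key to supercede the firmware-embedded Pro key", and the scenario bullet loses "with firmware-embedded key", which makes that reference harder to follow. Keep at least a one-sentence definition of the firmware-embedded key next to the scenario (or link to where the topic now lives), and fix "supercede" to "supersede" while touching that paragraph.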
@@ -45,10 +36,9 @@ You can move directly from Enterprise to any valid destination edition. In this >Edition changes that are considered upgrades (Ex: Pro to Enterprise, Pro to Pro for Workstations) are not shown here. >For more information see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
-Switching between different editions of Pro might not be possible if the source OS is associated with a [firmware-embedded activation key](#firmware-embedded-activation-keys). An exception is that you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key, and then later downgrade this computer back to Pro. - ✔ = Supported downgrade path
- N  = Not supported from OEM pre-installed
+ S  = Supported; Not considered a downgrade or an upgrade
+[blank] = Not supported or not a downgrade

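Review bot: In the hunk @@ -45,10 +36,9 @@, the legend drops `N  = Not supported from OEM pre-installed` and adds `S` and `[blank]`, but the table still contains `N` cells (the context of the PATCH 34 hunk shows `Pro Education NN S` and `Pro for Workstations N`), so readers now meet a symbol the legend no longer explains. Either keep the `N` entry or change those cells to blanks so they match `[blank] = Not supported or not a downgrade`. Minor: `S  = Supported; Not considered a downgrade or an upgrade` should use a lowercase "not" after the semicolon.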
@@ -102,8 +92,8 @@ Switching between different editions of Pro might not be possible if the source - - + + @@ -117,7 +107,7 @@ Switching between different editions of Pro might not be possible if the source - + @@ -135,7 +125,7 @@ Switching between different editions of Pro might not be possible if the source - + @@ -145,14 +135,11 @@ Switching between different editions of Pro might not be possible if the source >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. +Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. + ## Related Topics [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md) - - - - - +[Windows 10 upgrade paths](windows-10-upgrade-paths.md) \ No newline at end of file From 06eba234ab769adbc4357f5ba84456e291709cb2 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Sun, 1 Jul 2018 19:02:33 +0000 Subject: [PATCH 34/34] Merged PR 9514: Remove one cell from table Remove one cell from table --- windows/deployment/upgrade/windows-10-edition-downgrades.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-downgrades.md b/windows/deployment/upgrade/windows-10-edition-downgrades.md index 42e55a7327..6e86af6b87 100644 --- a/windows/deployment/upgrade/windows-10-edition-downgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-downgrades.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 06/29/2018 +ms.date: 06/30/2018 --- # Windows 10 edition downgrade @@ -82,7 +82,7 @@ You can move directly from Enterprise to any valid destination edition. In this - +
Pro Education NN S
Enterprise LTSC S
Pro for Workstations N
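Review bot: In the windows-10-edition-downgrades.md hunk @@ -145,14 +135,11 @@, the added paragraph writes "Pro for Workstation" twice, whereas the scenario bullets and the table use "Pro for Workstations"; use the latter consistently. The closing sentence "The downgrade is allowed but only because the pre-installed OS is Pro." should name the rule it illustrates, for example `The downgrade is allowed only because the firmware-embedded key is for Pro, the pre-installed edition.`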
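Review bot: In the Related Topics hunk of windows-10-edition-downgrades.md (the one ending `\ No newline at end of file`), the rewrite of `[Windows 10 upgrade paths](windows-10-upgrade-paths.md)` removes the stray blank lines but also drops the file's final newline, which is why an otherwise unchanged link line shows as modified; restore the trailing newline so the file ends cleanly.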