From 2e384f69c95a2bcf262d36c9361c8a699623f3a0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 22 Mar 2017 14:10:56 -0700 Subject: [PATCH 01/33] add new event IDs 9-69 --- ...g-windows-defender-advanced-threat-protection.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e95197be01..d071f08968 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -151,8 +151,21 @@ Event ID | Message | Resolution steps 5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). 7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. 15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. +
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. From cc72c58bd4da00923d056236d5dfdfbdab963407 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 22 Mar 2017 14:53:09 -0700 Subject: [PATCH 02/33] fix product name --- ...ot-onboarding-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index d071f08968..d674dbcf62 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -158,7 +158,7 @@ Event ID | Message | Resolution steps 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. 27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. 29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again. -30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender. Failure code: %1 | Contact support. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. 32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. 55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. 63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. From d23d16f86ca5b1ddb0b325d457ef7941cf351a7a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 23 Mar 2017 13:47:50 -0700 Subject: [PATCH 03/33] update event 10 --- ...ot-onboarding-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 7f6b2fda10..1569534348 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -152,7 +152,7 @@ Event ID | Message | Resolution steps 6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). 7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. 9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. -10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. 15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. From d2f42e3f4398b483bb7c9d96e2188dd923241a78 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 29 Mar 2017 13:55:39 -0700 Subject: [PATCH 04/33] new troubleshoot topic - get secret --- ...ows-defender-advanced-threat-protection.md | 1 + ...ows-defender-advanced-threat-protection.md | 1 + ...ows-defender-advanced-threat-protection.md | 1 + ...ows-defender-advanced-threat-protection.md | 1 + ...ows-defender-advanced-threat-protection.md | 1 + ...ows-defender-advanced-threat-protection.md | 52 +++++++++++++++++++ 6 files changed, 57 insertions(+) create mode 100644 windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index d551629b2e..b3c77c715f 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -78,3 +78,4 @@ Portal label | SIEM field name | Description - [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 21b8b172ec..24a44e8c0a 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -183,3 +183,4 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a - [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index f40c7d579d..976071237b 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -138,3 +138,4 @@ Use the solution explorer to view alerts in Splunk. - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md index a645f8ccad..d58165e02a 100644 --- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -53,3 +53,4 @@ You can now proceed with configuring your SIEM solution or connecting to the ale - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 670143cd10..785b003629 100644 --- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -193,3 +193,4 @@ HTTP error code | Description - [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a032c56479 --- /dev/null +++ b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -0,0 +1,52 @@ +--- +title: Troubleshoot SIEM tool integration issues in Windows Defender ATP +description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP. +keywords: troubleshoot, siem, client secret, secret +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Troubleshoot SIEM tool integration issues + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +You might need to troubleshoot issues while pulling alerts in your SIEM tools. + +This page provides detailed steps to troubleshoot issues you might encounter. + + +## Learn how to get a new client secret +If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret. + +1. Login to the [Azure management portal](https://ms.portal.azure.com). + +2. Select **Active Directory**. + +3. Select your tenant. + +4. Click **Application**, then select your custom threat intelligence application. The application name is **GET FROM SME**. + +5. Select **Keys** section, then provide a key description and specify the key validity duration. + +6. Click **Save**. The key value is displayed. + +7. Copy the value and save it in a safe place. + + +## Related topics +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) From 04a732cc64812b33c9ee2f9ddd7613e8e0d762f9 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 31 Mar 2017 14:11:51 -0700 Subject: [PATCH 05/33] waas-configure-wufb fixing tables --- windows/update/waas-configure-wufb.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md index 0bfbe6c026..81026e6493 100644 --- a/windows/update/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md @@ -239,9 +239,14 @@ Enabling allows user to set deferral periods for upgrades and updates. It also - +
MDM keys
Version 1511 MDM keysVersion 1607 MDM keys
**RequireDeferUpgade**: *bool*
   Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
   Enabling will pause both upgrades and updates for a max of 35 days		**BranchReadinessLevel**
   Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
**RequireDeferUpgade**: *bool*
   Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
   Enabling will pause both upgrades and updates for a max of 35 days		**BranchReadinessLevel**
   Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable*
+MDM keys +| Version 1511 MDM keys | Version 1607 MDM keys | +| --- | --- | +| **RequireDeferUpgade**: *bool*
Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel**
Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable* | + ### Comparing the version 1607 keys to the version 1703 keys | Version 1607 key | Version 1703 key | From b01f05cee502e8d2dd9e431336ada4bcc49411b6 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 31 Mar 2017 14:38:26 -0700 Subject: [PATCH 06/33] waas-configure-wufb more table fixes --- windows/update/waas-configure-wufb.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md index 81026e6493..06b0e20910 100644 --- a/windows/update/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md @@ -234,18 +234,18 @@ When a client running a newer version sees an update available on Windows Update In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other. - +
Group Policy keys
Version 1511 GPO keysVersion 1607 GPO keys
**DeferUpgrade**: *enable/disable*
    -Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**Pause**: *enable/disable*
   Enabling will pause both upgrades and updates for a max of 35 days		**DeferFeatureUpdates**: *enable/disable*

**BranchReadinessLevel**
   Set device on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdates**: *Enable/disable*

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
   Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDrivers**: *enable/disable*
**DeferUpgrade**: *enable/disable*
Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**Pause**: *enable/disable*
Enabling will pause both upgrades and updates for a max of 35 days
**DeferFeatureUpdates**: *enable/disable*

**BranchReadinessLevel**
Set device on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdates**: *Enable/disable*

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDrivers**: *enable/disable*
- +
MDM keys
Version 1511 MDM keysVersion 1607 MDM keys
**RequireDeferUpgade**: *bool*
   Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
   Enabling will pause both upgrades and updates for a max of 35 days		**BranchReadinessLevel**
   Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable*
**RequireDeferUpgade**: *bool*
Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel**
Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable*
+ ### Comparing the version 1607 keys to the version 1703 keys From 82bf49deac55d5247669088a110a61e703d4b606 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 31 Mar 2017 14:50:03 -0700 Subject: [PATCH 07/33] more table fixes :camel: --- windows/update/waas-configure-wufb.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md index 06b0e20910..e3b47b2f2f 100644 --- a/windows/update/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md @@ -241,12 +241,6 @@ In the Windows Update for Business policies in version 1511, all the deferral ru **RequireDeferUpgade**: *bool*
Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel**
Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

**PauseQualityUpdates**: *enable/disable*
Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable*
- - ### Comparing the version 1607 keys to the version 1703 keys | Version 1607 key | Version 1703 key | From ab0bc46782b5c2e3275fbe24baf30ffc2116282f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 3 Apr 2017 10:32:51 -0700 Subject: [PATCH 08/33] updates --- ...el-windows-diagnostic-events-and-fields.md | 168 ++++-------------- 1 file changed, 30 insertions(+), 138 deletions(-) diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md index b4ab6e6bbb..3fd905b836 100644 --- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md @@ -177,7 +177,6 @@ These fields are added whenever Ms.Device.DeviceInventoryChange is included in t The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -- **objectInstanceId** Object identity used within the device scope. This is commonly going to be ProgramId, FileId or DeviceInstancePathId but is typically something unique to the objectType and in some cases is artificially created. - **objectType** Indicates the object type that the event applies to. - **Action** The change that was invoked on a device inventory object. - **inventoryId** Device ID used for Compatibility testing @@ -307,27 +306,14 @@ This event sends compatibility information about a file to help keep Windows up- The following fields are available: -- **objectInstanceId** A hash of the full file path including the file name. - **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If it is an anti-virus app, this is the the display name for the app. Example: System Center Endpoint Protection +- **AvDisplayName** If it is an anti-virus app, this is its display name. - **CompatModelIndex** The compatibility prediction for this file. - **HasCitData** Is the file present in CIT data? - **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? - **IsAv** Is the file an anti-virus reporting EXE? - **ResolveAttempted** This will always be an empty string when sending telemetry. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. -- **SdbEntries_item_MigShimCommand** The command line to be passed to the MigShim if one is applicable. -- **SdbEntries_item_MigShimName** Example: DevenvDotnetCacheRebuildShim -- **SdbEntries_item_MigXmlName** Example: MicrosoftForefrontEndpointProtection__4_6__PART -- **SdbEntries_item_MigXmlType** Example: MIG_XML_TYPE_REMOVED -- **SdbEntries_item_ReinstallUpgradeMessage** Example: Resource: 10022 -- **SdbEntries_item_SdbAppGuid** Example: {551f8360-14dd-4ea5-bd29-74b0c21abfde} -- **SdbEntries_item_SdbAppName** Example: Visual Studio -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgradeInfo -- **SdbEntries_item_SdbEntryGuid** Example: {84e92468-a463-4c02-93a6-20171694b8a8} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_MIG_FIXED ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove @@ -354,7 +340,6 @@ This event sends compatibility data for a PNP device, to help keep Windows up-to The following fields are available: -- **objectInstanceId** The Device Instance ID of the device (uniquely identifies a device in the system). Example: pci\ven_8086&dev_0085&subsys_13118086&rev_34\4&2dded11c&0&00e1 - **AppraiserVersion** The version of the appraiser file generating the events. - **ActiveNetworkConnection** Is the device an active network device? - **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. @@ -363,13 +348,6 @@ The following fields are available: - **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. - **IsBootCritical** Is the device boot critical? - **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -- **SdbEntries_item_SdbAppGuid** Example: {0ba2f09d-5288-45fa-be32-001857cc020f} -- **SdbEntries_item_SdbAppName** Example: Virtual Machine Manager Self-Service Client -- **SdbEntries_item_SdbAppVendor** Example: Microsoft Corporation -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgrade -- **SdbEntries_item_SdbEntryGuid** Example: {2a1cc617-9ee0-4dff-b3c0-a09cfc13543a} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_REINSTALL_BLOCK - **UplevelInboxDriver** Is there a driver uplevel for this device? - **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? - **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver. @@ -400,16 +378,8 @@ This event sends compatibility database data about driver packages to help keep The following fields are available: -- **objectInstanceId** DriverPackageId that is used for uniquely identifying a driver package on a system. - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. -- **SdbEntries_item_SdbAppGuid** Example: {5f29791d-ad69-40a4-9783-6edbdf66bd4b} -- **SdbEntries_item_SdbAppName** Example: Microsoft PDF/XPS Printer -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: BlockDriver -- **SdbEntries_item_SdbEntryGuid** Example: {380213ca-97c8-4fdc-b194-b4f714006796} -- **SdbEntries_item_SdbUpgradeMode** Example: Service -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_NO_BLOCK ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove @@ -436,16 +406,8 @@ This event sends blocking data about any compatibility blocking entries hit on t The following fields are available: -- **objectInstanceId** This will always be BlockingMatchingInfo. - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_SdbAppGuid** Example: {4cca1f6c-74f8-4bfd-9fb4-3d4b65f23f98} -- **SdbEntries_item_SdbAppName** Example: Intel(R)DynamicPowerPerformanceManagement -- **SdbEntries_item_SdbAppVendor** Example: Intel -- **SdbEntries_item_SdbBlockType** Example: BlockUpgradeUntilUpdate -- **SdbEntries_item_SdbEntryGuid** Example: {4be49993-88ec-4003-b9a6-9f8812e94c50} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_UPGRADE_UNTIL_UPDATE_BLOCK ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove @@ -472,20 +434,8 @@ This event sends compatibility database information about non-blocking compatibi The following fields are available: -- **objectInstanceId** This will always be PassiveMatchingInfo. - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_MigShimCommand** The command line to be passed to the MigShim if one is applicable. -- **SdbEntries_item_MigShimName** Example: MigrateVCRuntimeShim -- **SdbEntries_item_MigXmlName** Example: Intel_Rapid_Storage_Technolgy_Enterprise_Filter_Driver__3__PART -- **SdbEntries_item_MigXmlType** Example: MIG_XML_TYPE_FIXED -- **SdbEntries_item_SdbAppGuid** Example: {03760bce-35d7-47a3-b83b-de673fdb6ab4} -- **SdbEntries_item_SdbAppName** Example: VC Runtime -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: BlockUpgradeUntilUpdate -- **SdbEntries_item_SdbEntryGuid** Example: {00b0c9b2-3f04-4795-a8ac-5b7bd5ea2ea8} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_MIG_FIXED ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove @@ -512,17 +462,8 @@ This event sends compatibility database information about entries requiring rein The following fields are available: -- **objectInstanceId** This will always be PostUpgradeMatchingInfo. - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_ReinstallUpgradeMessage** Example: Resource: 10022 -- **SdbEntries_item_SdbAppGuid** Example: {0ba2f09d-5288-45fa-be32-001857cc020f} -- **SdbEntries_item_SdbAppName** Example: Virtual Machine Manager Self-Service Client -- **SdbEntries_item_SdbAppVendor** Example: Microsoft Corporation -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgrade -- **SdbEntries_item_SdbEntryGuid** Example: {2a1cc617-9ee0-4dff-b3c0-a09cfc13543a} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_REINSTALL_BLOCK ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove @@ -549,12 +490,8 @@ This event sends compatibility database information about the BIOS to help keep The following fields are available: -- **objectInstanceId** This will always be BIOS. - **AppraiserVersion** The version of the Appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. -- **SdbEntries_item_SdbBlockType** Example: BiosBlock -- **SdbEntries_item_SdbEntryGuid** Example: {b77118fd-0d87-4f63-a836-d5c6bd8eed4c} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove @@ -581,9 +518,8 @@ This event sends compatibility decision data about a file to help keep Windows u The following fields are available: -- **objectInstanceId** A hash of the full file path, including the file name. - **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. Example: FALSE +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. @@ -627,7 +563,6 @@ This event sends compatibility decision data about a PNP device to help keep Win The following fields are available: -- **objectInstanceId** This uniquely identifies a device in the system. - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? @@ -639,7 +574,7 @@ The following fields are available: - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **NeedsDismissAction** Will the user would need to dismiss something during Setup for this device? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? @@ -669,7 +604,6 @@ This event sends decision data about driver package compatibility to help keep W The following fields are available: -- **objectInstanceId** Used for uniquely identifying a driver package on a system. - **AppraiserVersion** The version of the appraiser file generating the events. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? @@ -702,7 +636,6 @@ This event sends compatibility decision data about blocking entries on the syste The following fields are available: -- **objectInstanceId** This will always be BlockingMatchingInfo. - **AppraiserVersion** The version of the appraiser file generating the events. - **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? - **DisplayGenericMessage** Will a generic message be shown for this block? @@ -736,7 +669,6 @@ This event sends compatibility decision data about non-blocking entries on the s The following fields are available: -- **objectInstanceId** This will always be PassiveMatchingInfo. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -766,7 +698,6 @@ This event sends compatibility decision data about entries that require reinstal The following fields are available: -- **objectInstanceId** This will always be PostUpgradeMatchingInfo. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? - **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? @@ -798,12 +729,11 @@ This event sends decision data about the presence of Windows Media Center, to he The following fields are available: -- **objectInstanceId** This will always be MediaCenter. - **AppraiserVersion** The version of the Appraiser file generating the events. - **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? - **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? - **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterIndicators** Are any of the signals indicating that Windows Media Center is being used, such as default launcher, watched folders, extender accounts, etc...? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? - **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? @@ -832,7 +762,6 @@ This event sends compatibility decision data about the BIOS to help keep Windows The following fields are available: -- **objectInstanceId** This will always be Bios. - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? - **HasBiosBlock** Does the device have a BIOS block? @@ -856,25 +785,12 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorAdd - -This event sends defunct data. It always reads false. - -The following fields are available: - -- **objectInstanceId** Will always be Processor. -- **AppraiserVersion** The version of the appraiser binary generating the events. Example: 10014361 -- **Blocking** Will always be FALSE -- **ProcessorRequirementViolated** Will always be FALSE - - ### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. The following fields are available: -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. - **Time** The client time of the event. - **PCFP** An ID for the system calculated by hashing hardware identifiers. @@ -899,7 +815,6 @@ This event represents the basic metadata about a file on the system. The file m The following fields are available: -- **objectInstanceId** A hash of the full file path including the file name. - **AppraiserVersion** The version of the Appraiser file generating the events. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -941,7 +856,6 @@ This event sends data about the number of language packs installed on the system The following fields are available: -- **objectInstanceId** This will always be LanguagePack. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **HasLanguagePack** Does this device have 2 or more language packs? - **LanguagePackCount** How many language packs are installed? @@ -971,7 +885,6 @@ This event sends true/false data about decision points used to understand whethe The following fields are available: -- **objectInstanceId** This will always be MediaCenter. - **AppraiserVersion** The version of the Appraiser file generating the events. - **EverLaunched** Has Windows Media Center ever been launched? - **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? @@ -1006,7 +919,6 @@ This event sends basic metadata about the BIOS to determine whether it has a com The following fields are available: -- **objectInstanceId** This will always be Bios. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BiosDate** The release date of the BIOS in UTC format. - **BiosName** The name field from Win32_BIOS. @@ -1082,7 +994,6 @@ The following fields are available: - **Time** The client time of the event. - **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. - **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. ### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource @@ -1095,7 +1006,6 @@ The following fields are available: - **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. - **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? - **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried. -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. ### Microsoft.Windows.Appraiser.General.RunContext @@ -1132,7 +1042,6 @@ This event sends data on the amount of memory on the system and whether it meets The following fields are available: -- **objectInstanceId** This will always be Memory. - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device from upgrade due to memory restrictions? - **MemoryRequirementViolated** Was a memory requirement violated? @@ -1167,7 +1076,6 @@ This event sends data indicating whether the system supports the CompareExchange The following fields are available: -- **objectInstanceId** This will always be CompareExchange128. - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **CompareExchange128Support** Does the CPU support CompareExchange128? @@ -1197,7 +1105,6 @@ This event sends data indicating whether the system supports the LahfSahf CPU re The following fields are available: -- **objectInstanceId** This will always be LahfSahf. - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **LahfSahfSupport** Does the CPU support LAHF/SAHF? @@ -1227,7 +1134,6 @@ This event sends data indicating whether the system supports the NX CPU requirem The following fields are available: -- **objectInstanceId** This will always be NX. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. @@ -1258,7 +1164,6 @@ This event sends data indicating whether the system supports the PrefetchW CPU r The following fields are available: -- **objectInstanceId** This will always be PrefetchW. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **PrefetchWSupport** Does the processor support PrefetchW? @@ -1288,7 +1193,6 @@ This event sends data indicating whether the system supports the SSE2 CPU requir The following fields are available: -- **objectInstanceId** This will always be SSE2. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **SSE2ProcessorSupport** Does the processor support SSE2? @@ -1318,7 +1222,6 @@ This event sends data indicating whether the system supports touch, to help keep The following fields are available: -- **objectInstanceId** This will always be Touch. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? - **MaximumTouches** The maximum number of touch points supported by the device hardware. @@ -1348,7 +1251,6 @@ This event sends data indicating whether the operating system is running from a The following fields are available: -- **objectInstanceId** This will always be Wim. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **IsWimBoot** Is the current operating system running from a compressed WIM file? - **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. @@ -1378,7 +1280,6 @@ This event sends data indicating whether the current operating system is activat The following fields are available: -- **objectInstanceId** This will always be WindowsActivationStatus. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. - **WindowsNotActivatedDecision** Is the current operating system activated? @@ -1408,7 +1309,6 @@ This event sends data indicating whether the system has WLAN, and if so, whether The following fields are available: -- **objectInstanceId** This will always be Wlan. - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked because of an emulated WLAN driver? - **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? @@ -2084,7 +1984,6 @@ This event sends inventory component versions for the Device Inventory data. The following fields are available: -- **aeinv.dll** The version of the App inventory component. - **devinv.dll** The file version of the Device inventory component. - **aeinv** The version of the App inventory component. - **devinv** The file version of the Device inventory component. @@ -2113,8 +2012,7 @@ The following fields are available: - **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. Example: 4/8/2015 01:06:11 - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). Example: 00000144865763f3de24c2ae5a289fde6db300000904 +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **PackageFullName** The package full name for a Store application. Example: Microsoft.Hexic_1.2.0.36_x86__8wekyb3d8bbwe - **InventoryVersion** The version of the inventory file generating the events. - **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp. @@ -2126,7 +2024,7 @@ This event indicates that a new set of InventoryDevicePnpAdd events will be sent The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2136,7 +2034,7 @@ This event indicates that a new set of InventoryApplicationAdd events will be se The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2160,8 +2058,7 @@ The following fields are available: - **DiscoveryMethod** The discovery method for the device container. - **ModelNumber** The model number for the device container. - **Manufacturer** The manufacturer name for the device container. -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** ContainerId. Example: {552dd320-0dae-2794-2b41-df42fee22488} +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2171,7 +2068,7 @@ This event indicates that the InventoryDeviceContainer object is no longer prese The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2181,7 +2078,7 @@ This event indicates that a new set of InventoryDeviceContainerAdd events will b The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2229,8 +2126,7 @@ The following fields are available: - **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 - **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** Device Instance ID of the PNP device. Example: hdaudio/func_01&ven_10ec&dev_0262&subsys_103c1309&rev_1002/4&12f2dd06&0&0001 +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. - **Audio_CaptureDriver** The Audio device capture driver endpoint. - **Audio_RenderDriver** The Audio device render driver endpoint. @@ -2238,11 +2134,11 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove -This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2252,7 +2148,7 @@ This event indicates that a new set of InventoryDeviceMediaClassSAdd events will The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2286,8 +2182,7 @@ The following fields are available: - **LowerFilters** Lower filter drivers IDs installed for the device. - **UpperClassFilters** Upper filter class drivers IDs installed for the device. - **UpperFilters** Upper filter drivers IDs installed for the device. -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** The Device Instance ID of the device (uniquely identifies a device in the system). Example: pci\ven_8086&dev_0085&subsys_13118086&rev_34\4&2dded11c&0&00e1 +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **DriverId** A unique identifier for the installed device. - **DriverName** The name of the driver image file. - **InventoryVersion** The version of the inventory file generating the events. @@ -2300,7 +2195,7 @@ This event indicates that the InventoryDevicePnpRemove object is no longer prese The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2310,7 +2205,7 @@ This event indicates that a new set of InventoryDevicePnpAdd events will be sent The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2336,8 +2231,7 @@ The following fields are available: - **ProductVersion** The product version that is included in the driver file. - **WdfVersion** The Windows Driver Framework version. - **Service** The name of the service that is installed for the device. -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** Can be used to join with InventoryDevicePnp (on driverId, upperFilters, etc.). Example: 000038dbe54a022b6c73edbdb8bf5cba32a882d2df2a +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2347,7 +2241,7 @@ This event indicates that the InventoryDriverBinary object is no longer present. The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2357,7 +2251,7 @@ This event indicates that a new set of InventoryDriverBinaryAdd events will be s The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2375,17 +2269,17 @@ The following fields are available: - **Version** The version of the driver package. - **Provider** The provider for the driver package. - **SubmissionId** The HLK submission ID for the driver package. -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove -This event indicates that the InventoryDriverPackage object represented by the objectInstanceId is no longer present. No object attributes are transmitted other than the objectInstanceId +This event indicates that the InventoryDriverPackageRemove object is no longer present. The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2395,29 +2289,27 @@ This event indicates that a new set of InventoryDriverPackageAdd events will be The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Indicators.Checksum -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The following fields are available: -- **CensusId** A unique hardware identifier. - **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Microsoft.Windows.Inventory.Indicators +- **PCFP** Equivalent to the InventoryId field that is found in other core events. ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date. The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **IndicatorValue** The indicator value @@ -2427,7 +2319,7 @@ This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync @@ -2436,7 +2328,7 @@ This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd eve The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. +- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. ## OneDrive events From 1d6ee80aff835e1fd4ef301543d45aea7cd47c0f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 3 Apr 2017 10:36:02 -0700 Subject: [PATCH 09/33] more updates --- ...el-windows-diagnostic-events-and-fields.md | 346 ------------------ 1 file changed, 346 deletions(-) diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md index f1d4d44605..3fd905b836 100644 --- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md @@ -177,10 +177,6 @@ These fields are added whenever Ms.Device.DeviceInventoryChange is included in t The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -<<<<<<< HEAD -======= -- **objectInstanceId** Object identity used within the device scope. This is commonly going to be ProgramId, FileId or DeviceInstancePathId but is typically something unique to the objectType and in some cases is artificially created. ->>>>>>> master - **objectType** Indicates the object type that the event applies to. - **Action** The change that was invoked on a device inventory object. - **inventoryId** Device ID used for Compatibility testing @@ -310,35 +306,14 @@ This event sends compatibility information about a file to help keep Windows up- The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file that is generating the events. - **AvDisplayName** If it is an anti-virus app, this is its display name. -======= -- **objectInstanceId** A hash of the full file path including the file name. -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If it is an anti-virus app, this is the the display name for the app. Example: System Center Endpoint Protection ->>>>>>> master - **CompatModelIndex** The compatibility prediction for this file. - **HasCitData** Is the file present in CIT data? - **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? - **IsAv** Is the file an anti-virus reporting EXE? - **ResolveAttempted** This will always be an empty string when sending telemetry. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. -<<<<<<< HEAD -======= -- **SdbEntries_item_MigShimCommand** The command line to be passed to the MigShim if one is applicable. -- **SdbEntries_item_MigShimName** Example: DevenvDotnetCacheRebuildShim -- **SdbEntries_item_MigXmlName** Example: MicrosoftForefrontEndpointProtection__4_6__PART -- **SdbEntries_item_MigXmlType** Example: MIG_XML_TYPE_REMOVED -- **SdbEntries_item_ReinstallUpgradeMessage** Example: Resource: 10022 -- **SdbEntries_item_SdbAppGuid** Example: {551f8360-14dd-4ea5-bd29-74b0c21abfde} -- **SdbEntries_item_SdbAppName** Example: Visual Studio -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgradeInfo -- **SdbEntries_item_SdbEntryGuid** Example: {84e92468-a463-4c02-93a6-20171694b8a8} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_MIG_FIXED ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove @@ -365,10 +340,6 @@ This event sends compatibility data for a PNP device, to help keep Windows up-to The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** The Device Instance ID of the device (uniquely identifies a device in the system). Example: pci\ven_8086&dev_0085&subsys_13118086&rev_34\4&2dded11c&0&00e1 ->>>>>>> master - **AppraiserVersion** The version of the appraiser file generating the events. - **ActiveNetworkConnection** Is the device an active network device? - **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. @@ -377,16 +348,6 @@ The following fields are available: - **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. - **IsBootCritical** Is the device boot critical? - **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -<<<<<<< HEAD -======= -- **SdbEntries_item_SdbAppGuid** Example: {0ba2f09d-5288-45fa-be32-001857cc020f} -- **SdbEntries_item_SdbAppName** Example: Virtual Machine Manager Self-Service Client -- **SdbEntries_item_SdbAppVendor** Example: Microsoft Corporation -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgrade -- **SdbEntries_item_SdbEntryGuid** Example: {2a1cc617-9ee0-4dff-b3c0-a09cfc13543a} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_REINSTALL_BLOCK ->>>>>>> master - **UplevelInboxDriver** Is there a driver uplevel for this device? - **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? - **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver. @@ -417,21 +378,8 @@ This event sends compatibility database data about driver packages to help keep The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. -======= -- **objectInstanceId** DriverPackageId that is used for uniquely identifying a driver package on a system. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. -- **SdbEntries_item_SdbAppGuid** Example: {5f29791d-ad69-40a4-9783-6edbdf66bd4b} -- **SdbEntries_item_SdbAppName** Example: Microsoft PDF/XPS Printer -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: BlockDriver -- **SdbEntries_item_SdbEntryGuid** Example: {380213ca-97c8-4fdc-b194-b4f714006796} -- **SdbEntries_item_SdbUpgradeMode** Example: Service -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_NO_BLOCK ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove @@ -458,21 +406,8 @@ This event sends blocking data about any compatibility blocking entries hit on t The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -======= -- **objectInstanceId** This will always be BlockingMatchingInfo. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_SdbAppGuid** Example: {4cca1f6c-74f8-4bfd-9fb4-3d4b65f23f98} -- **SdbEntries_item_SdbAppName** Example: Intel(R)DynamicPowerPerformanceManagement -- **SdbEntries_item_SdbAppVendor** Example: Intel -- **SdbEntries_item_SdbBlockType** Example: BlockUpgradeUntilUpdate -- **SdbEntries_item_SdbEntryGuid** Example: {4be49993-88ec-4003-b9a6-9f8812e94c50} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_UPGRADE_UNTIL_UPDATE_BLOCK ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove @@ -499,25 +434,8 @@ This event sends compatibility database information about non-blocking compatibi The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -======= -- **objectInstanceId** This will always be PassiveMatchingInfo. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_MigShimCommand** The command line to be passed to the MigShim if one is applicable. -- **SdbEntries_item_MigShimName** Example: MigrateVCRuntimeShim -- **SdbEntries_item_MigXmlName** Example: Intel_Rapid_Storage_Technolgy_Enterprise_Filter_Driver__3__PART -- **SdbEntries_item_MigXmlType** Example: MIG_XML_TYPE_FIXED -- **SdbEntries_item_SdbAppGuid** Example: {03760bce-35d7-47a3-b83b-de673fdb6ab4} -- **SdbEntries_item_SdbAppName** Example: VC Runtime -- **SdbEntries_item_SdbAppVendor** Example: Microsoft -- **SdbEntries_item_SdbBlockType** Example: BlockUpgradeUntilUpdate -- **SdbEntries_item_SdbEntryGuid** Example: {00b0c9b2-3f04-4795-a8ac-5b7bd5ea2ea8} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_MIG_FIXED ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove @@ -544,22 +462,8 @@ This event sends compatibility database information about entries requiring rein The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -======= -- **objectInstanceId** This will always be PostUpgradeMatchingInfo. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. -- **SdbEntries_item_ReinstallUpgradeMessage** Example: Resource: 10022 -- **SdbEntries_item_SdbAppGuid** Example: {0ba2f09d-5288-45fa-be32-001857cc020f} -- **SdbEntries_item_SdbAppName** Example: Virtual Machine Manager Self-Service Client -- **SdbEntries_item_SdbAppVendor** Example: Microsoft Corporation -- **SdbEntries_item_SdbBlockType** Example: ReinstallAfterUpgrade -- **SdbEntries_item_SdbEntryGuid** Example: {2a1cc617-9ee0-4dff-b3c0-a09cfc13543a} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap -- **SdbEntries_item_SdbUxBlocktypeOverride** Example: SDB_UX_BLOCKTYPE_OVERRIDE_REINSTALL_BLOCK ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove @@ -586,17 +490,8 @@ This event sends compatibility database information about the BIOS to help keep The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the Appraiser file generating the events. - **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. -======= -- **objectInstanceId** This will always be BIOS. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. -- **SdbEntries_item_SdbBlockType** Example: BiosBlock -- **SdbEntries_item_SdbEntryGuid** Example: {b77118fd-0d87-4f63-a836-d5c6bd8eed4c} -- **SdbEntries_item_SdbUpgradeMode** Example: Swap ->>>>>>> master ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove @@ -623,14 +518,8 @@ This event sends compatibility decision data about a file to help keep Windows u The following fields are available: -<<<<<<< HEAD - **AppraiserVersion** The version of the appraiser file generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -======= -- **objectInstanceId** A hash of the full file path, including the file name. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. Example: FALSE ->>>>>>> master - **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. @@ -674,10 +563,6 @@ This event sends compatibility decision data about a PNP device to help keep Win The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This uniquely identifies a device in the system. ->>>>>>> master - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? @@ -689,11 +574,7 @@ The following fields are available: - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -<<<<<<< HEAD - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -======= -- **NeedsDismissAction** Will the user would need to dismiss something during Setup for this device? ->>>>>>> master - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? @@ -723,10 +604,6 @@ This event sends decision data about driver package compatibility to help keep W The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** Used for uniquely identifying a driver package on a system. ->>>>>>> master - **AppraiserVersion** The version of the appraiser file generating the events. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? @@ -759,10 +636,6 @@ This event sends compatibility decision data about blocking entries on the syste The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be BlockingMatchingInfo. ->>>>>>> master - **AppraiserVersion** The version of the appraiser file generating the events. - **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? - **DisplayGenericMessage** Will a generic message be shown for this block? @@ -796,10 +669,6 @@ This event sends compatibility decision data about non-blocking entries on the s The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be PassiveMatchingInfo. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -829,10 +698,6 @@ This event sends compatibility decision data about entries that require reinstal The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be PostUpgradeMatchingInfo. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? - **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? @@ -864,19 +729,11 @@ This event sends decision data about the presence of Windows Media Center, to he The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be MediaCenter. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? - **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? - **MediaCenterInUse** Is Windows Media Center actively being used? -<<<<<<< HEAD - **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -======= -- **MediaCenterIndicators** Are any of the signals indicating that Windows Media Center is being used, such as default launcher, watched folders, extender accounts, etc...? ->>>>>>> master - **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? @@ -905,10 +762,6 @@ This event sends compatibility decision data about the BIOS to help keep Windows The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Bios. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? - **HasBiosBlock** Does the device have a BIOS block? @@ -932,31 +785,12 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -<<<<<<< HEAD -======= -### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorAdd - -This event sends defunct data. It always reads false. - -The following fields are available: - -- **objectInstanceId** Will always be Processor. -- **AppraiserVersion** The version of the appraiser binary generating the events. Example: 10014361 -- **Blocking** Will always be FALSE -- **ProcessorRequirementViolated** Will always be FALSE - - ->>>>>>> master ### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. The following fields are available: -<<<<<<< HEAD -======= -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. ->>>>>>> master - **Time** The client time of the event. - **PCFP** An ID for the system calculated by hashing hardware identifiers. @@ -981,10 +815,6 @@ This event represents the basic metadata about a file on the system. The file m The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** A hash of the full file path including the file name. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -1026,10 +856,6 @@ This event sends data about the number of language packs installed on the system The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be LanguagePack. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **HasLanguagePack** Does this device have 2 or more language packs? - **LanguagePackCount** How many language packs are installed? @@ -1059,10 +885,6 @@ This event sends true/false data about decision points used to understand whethe The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be MediaCenter. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **EverLaunched** Has Windows Media Center ever been launched? - **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? @@ -1097,10 +919,6 @@ This event sends basic metadata about the BIOS to determine whether it has a com The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Bios. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BiosDate** The release date of the BIOS in UTC format. - **BiosName** The name field from Win32_BIOS. @@ -1176,10 +994,6 @@ The following fields are available: - **Time** The client time of the event. - **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. - **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? -<<<<<<< HEAD -======= -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. ->>>>>>> master ### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource @@ -1192,10 +1006,6 @@ The following fields are available: - **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. - **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? - **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried. -<<<<<<< HEAD -======= -- **CensusId** An ID for the system calculated from the CEIP, WER, and RAC IDs. ->>>>>>> master ### Microsoft.Windows.Appraiser.General.RunContext @@ -1232,10 +1042,6 @@ This event sends data on the amount of memory on the system and whether it meets The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Memory. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device from upgrade due to memory restrictions? - **MemoryRequirementViolated** Was a memory requirement violated? @@ -1270,10 +1076,6 @@ This event sends data indicating whether the system supports the CompareExchange The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be CompareExchange128. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **CompareExchange128Support** Does the CPU support CompareExchange128? @@ -1303,10 +1105,6 @@ This event sends data indicating whether the system supports the LahfSahf CPU re The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be LahfSahf. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **LahfSahfSupport** Does the CPU support LAHF/SAHF? @@ -1336,10 +1134,6 @@ This event sends data indicating whether the system supports the NX CPU requirem The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be NX. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. @@ -1370,10 +1164,6 @@ This event sends data indicating whether the system supports the PrefetchW CPU r The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be PrefetchW. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **PrefetchWSupport** Does the processor support PrefetchW? @@ -1403,10 +1193,6 @@ This event sends data indicating whether the system supports the SSE2 CPU requir The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be SSE2. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **SSE2ProcessorSupport** Does the processor support SSE2? @@ -1436,10 +1222,6 @@ This event sends data indicating whether the system supports touch, to help keep The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Touch. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? - **MaximumTouches** The maximum number of touch points supported by the device hardware. @@ -1469,10 +1251,6 @@ This event sends data indicating whether the operating system is running from a The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Wim. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **IsWimBoot** Is the current operating system running from a compressed WIM file? - **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. @@ -1502,10 +1280,6 @@ This event sends data indicating whether the current operating system is activat The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be WindowsActivationStatus. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. - **WindowsNotActivatedDecision** Is the current operating system activated? @@ -1535,10 +1309,6 @@ This event sends data indicating whether the system has WLAN, and if so, whether The following fields are available: -<<<<<<< HEAD -======= -- **objectInstanceId** This will always be Wlan. ->>>>>>> master - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Is the upgrade blocked because of an emulated WLAN driver? - **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? @@ -2214,10 +1984,6 @@ This event sends inventory component versions for the Device Inventory data. The following fields are available: -<<<<<<< HEAD -======= -- **aeinv.dll** The version of the App inventory component. ->>>>>>> master - **devinv.dll** The file version of the Device inventory component. - **aeinv** The version of the App inventory component. - **devinv** The file version of the Device inventory component. @@ -2246,12 +2012,7 @@ The following fields are available: - **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. Example: 4/8/2015 01:06:11 - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). Example: 00000144865763f3de24c2ae5a289fde6db300000904 ->>>>>>> master - **PackageFullName** The package full name for a Store application. Example: Microsoft.Hexic_1.2.0.36_x86__8wekyb3d8bbwe - **InventoryVersion** The version of the inventory file generating the events. - **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp. @@ -2263,11 +2024,7 @@ This event indicates that a new set of InventoryDevicePnpAdd events will be sent The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2277,11 +2034,7 @@ This event indicates that a new set of InventoryApplicationAdd events will be se The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2305,12 +2058,7 @@ The following fields are available: - **DiscoveryMethod** The discovery method for the device container. - **ModelNumber** The model number for the device container. - **Manufacturer** The manufacturer name for the device container. -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** ContainerId. Example: {552dd320-0dae-2794-2b41-df42fee22488} ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2320,11 +2068,7 @@ This event indicates that the InventoryDeviceContainer object is no longer prese The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2334,11 +2078,7 @@ This event indicates that a new set of InventoryDeviceContainerAdd events will b The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2386,12 +2126,7 @@ The following fields are available: - **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 - **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** Device Instance ID of the PNP device. Example: hdaudio/func_01&ven_10ec&dev_0262&subsys_103c1309&rev_1002/4&12f2dd06&0&0001 ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. - **Audio_CaptureDriver** The Audio device capture driver endpoint. - **Audio_RenderDriver** The Audio device render driver endpoint. @@ -2399,19 +2134,11 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove -<<<<<<< HEAD This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. The following fields are available: - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. - -The following fields are available: - -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2421,11 +2148,7 @@ This event indicates that a new set of InventoryDeviceMediaClassSAdd events will The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2459,12 +2182,7 @@ The following fields are available: - **LowerFilters** Lower filter drivers IDs installed for the device. - **UpperClassFilters** Upper filter class drivers IDs installed for the device. - **UpperFilters** Upper filter drivers IDs installed for the device. -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** The Device Instance ID of the device (uniquely identifies a device in the system). Example: pci\ven_8086&dev_0085&subsys_13118086&rev_34\4&2dded11c&0&00e1 ->>>>>>> master - **DriverId** A unique identifier for the installed device. - **DriverName** The name of the driver image file. - **InventoryVersion** The version of the inventory file generating the events. @@ -2477,11 +2195,7 @@ This event indicates that the InventoryDevicePnpRemove object is no longer prese The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2491,11 +2205,7 @@ This event indicates that a new set of InventoryDevicePnpAdd events will be sent The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2521,12 +2231,7 @@ The following fields are available: - **ProductVersion** The product version that is included in the driver file. - **WdfVersion** The Windows Driver Framework version. - **Service** The name of the service that is installed for the device. -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **objectInstanceId** Can be used to join with InventoryDevicePnp (on driverId, upperFilters, etc.). Example: 000038dbe54a022b6c73edbdb8bf5cba32a882d2df2a ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2536,11 +2241,7 @@ This event indicates that the InventoryDriverBinary object is no longer present. The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2550,11 +2251,7 @@ This event indicates that a new set of InventoryDriverBinaryAdd events will be s The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2572,29 +2269,17 @@ The following fields are available: - **Version** The version of the driver package. - **Provider** The provider for the driver package. - **SubmissionId** The HLK submission ID for the driver package. -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove -<<<<<<< HEAD This event indicates that the InventoryDriverPackageRemove object is no longer present. The following fields are available: - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -This event indicates that the InventoryDriverPackage object represented by the objectInstanceId is no longer present. No object attributes are transmitted other than the objectInstanceId - -The following fields are available: - -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. @@ -2604,50 +2289,27 @@ This event indicates that a new set of InventoryDriverPackageAdd events will be The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Indicators.Checksum -<<<<<<< HEAD This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The following fields are available: - **ChecksumDictionary** A count of each operating system indicator. - **PCFP** Equivalent to the InventoryId field that is found in other core events. -======= -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Microsoft.Windows.Inventory.Indicators ->>>>>>> master ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -<<<<<<< HEAD These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date. The following fields are available: - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. ->>>>>>> master - **IndicatorValue** The indicator value @@ -2657,11 +2319,7 @@ This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync @@ -2670,11 +2328,7 @@ This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd eve The following fields are available: -<<<<<<< HEAD - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -======= -- **PartB_Ms.Device.DeviceInventoryChange** This field is replaced with the following fields: syncId, objectInstanceId, objectType, Action, and InventoryId. ->>>>>>> master ## OneDrive events From c64c842f0f34333b2113e883fde47fff279b1ac9 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Mon, 3 Apr 2017 13:56:39 -0700 Subject: [PATCH 10/33] Update waas-quick-start.md Changed Windows Upgrade Analytics to Windows Analytics Upgrade Readiness. --- windows/manage/waas-quick-start.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-quick-start.md b/windows/manage/waas-quick-start.md index eef6aed2a3..7bc29a379b 100644 --- a/windows/manage/waas-quick-start.md +++ b/windows/manage/waas-quick-start.md @@ -42,7 +42,7 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin. From 2b9ea88bd462f4cc997ea87b827560805f76c69e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 3 Apr 2017 13:57:59 -0700 Subject: [PATCH 11/33] feedback --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 86503c42e8..9ea87f1c09 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -420,6 +420,7 @@ You can also use registry entries to set these Group Policies. | Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0| | Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
DWORD:0 | +To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings** ### 8.1 ActiveX control blocking @@ -445,6 +446,8 @@ To turn off Live Tiles: - Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). +You must also unpin all tiles that are pinned to Start. + ### 10. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: @@ -495,7 +498,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled | | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled | -| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | +| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **about:blank** | The Windows 10, version 1511 Microsoft Edge Group Policy names are: From ac66a703eeb8f4bc6782ef25b354980f615e276d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:09:37 -0700 Subject: [PATCH 12/33] update insider build label --- .../preview-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md index 0306678e79..fb768346fe 100644 --- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md @@ -49,4 +49,4 @@ The following features are included in the preview release: - [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization. >[!NOTE] -> All response actions require machines to be on the latest Windows 10 Insider Preview build. +> All response actions require machines to be on the latest Windows 10, version 1703. From bb43e5b5f8c4dd8270bb2c939f5a34f2dca5ab10 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:13:02 -0700 Subject: [PATCH 13/33] add link to trial link on min reqs --- ...equirements-windows-defender-advanced-threat-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 5498802fbb..9a231875f8 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -23,6 +23,8 @@ localizationpriority: high There are some minimum requirements for onboarding your network and endpoints. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) + ## Minimum requirements You must be on Windows 10, version 1607 at a minimum. For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). @@ -114,3 +116,5 @@ When Windows Defender is not the active antimalware in your organization and you If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) From 6e186ba63d96df28e4457a6f1d81d9b5dd75a8f6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:14:41 -0700 Subject: [PATCH 14/33] update insider preview name --- ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index e9d223c9d6..e3a74e76dd 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -34,7 +34,7 @@ You can contain an attack in your organization by stopping the malicious process The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days. +The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: From 65c17538d14facd7b78abf85b1e3e5f6089c72c2 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 3 Apr 2017 14:33:50 -0700 Subject: [PATCH 15/33] Janani feedback --- windows/whats-new/whats-new-windows-10-version-1703.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 73a74e3409..772fb8f1ba 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -36,9 +36,9 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof [Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) -### Bulk enrollment in Azure Active Directory +### Azure Active Directory join in bulk -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards. +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. ![get bulk token action in wizard](images/bulk-token.png) @@ -209,7 +209,7 @@ Some of the other new CSPs are: - The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. -- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for fixed drives and removable drives. +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. @@ -217,6 +217,7 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) From 956783552a54d0477ecb0725300466a5123a2481 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:43:31 -0700 Subject: [PATCH 16/33] fix spacing on list --- ...ows-defender-advanced-threat-protection.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index e3a74e76dd..dd8664c459 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -39,7 +39,7 @@ The action takes effect on machines with the latest Windows 10, version 1703 whe ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
– **Search box** - select File from the drop–down menu and enter the file name 2. Open the **Actions menu** and select **Stop & Quarantine File**. @@ -50,11 +50,11 @@ The action takes effect on machines with the latest Windows 10, version 1703 whe The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - – **Submission time** - Shows when the action was submitted. - – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. - – **Success** - Shows the number of machines where the file has been stopped and quarantined. - – **Failed** - Shows the number of machines where the action failed and details about the failure. + – **Submission time** - Shows when the action was submitted.
+ – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
+ – **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ – **Failed** - Shows the number of machines where the action failed and details about the failure.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -108,8 +108,8 @@ The Action center shows the submission information: ![Image of block file](images/atp-blockfile.png) - – **Submission time** - Shows when the action was submitted. - – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. + – **Submission time** - Shows when the action was submitted.
+ – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
– **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
@@ -129,8 +129,8 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - – **Alerts** - Click the file links from the Description or Details in the Alert timeline - – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section + – **Alerts** - Click the file links from the Description or Details in the Alert timeline
+ – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
– **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -173,10 +173,10 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure **Submit files for deep analysis:** -1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: - – Alerts - click the file links from the **Description** or **Details** in the Alert timeline - – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section - – Search box - select **File** from the drop–down menu and enter the file name +1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
+ – Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ – Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**. ![You can only submit PE files in the file details section](images/submit-file.png) From dbadb4abd23d93bb42398ce26dd4241a51b82d74 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:47:09 -0700 Subject: [PATCH 17/33] fix dash --- ...ows-defender-advanced-threat-protection.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md index dd8664c459..c768906d08 100644 --- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -39,8 +39,8 @@ The action takes effect on machines with the latest Windows 10, version 1703 whe ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
- – **Search box** - select File from the drop–down menu and enter the file name + - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline + - **Search box** - select File from the drop–down menu and enter the file name 2. Open the **Actions menu** and select **Stop & Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) @@ -50,11 +50,11 @@ The action takes effect on machines with the latest Windows 10, version 1703 whe The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - – **Submission time** - Shows when the action was submitted.
- – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- – **Success** - Shows the number of machines where the file has been stopped and quarantined.
- – **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
+ - **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ - **Failed** - Shows the number of machines where the action failed and details about the failure.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -108,9 +108,9 @@ The Action center shows the submission information: ![Image of block file](images/atp-blockfile.png) - – **Submission time** - Shows when the action was submitted.
- – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- – **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
@@ -129,9 +129,9 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - – **Alerts** - Click the file links from the Description or Details in the Alert timeline
- – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
- – **Search box** - Select File from the drop–down menu and enter the file name + - **Alerts** - Click the file links from the Description or Details in the Alert timeline
+ - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
+ - **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**. @@ -174,9 +174,9 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure **Submit files for deep analysis:** 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- – Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- – Search box - select **File** from the drop–down menu and enter the file name
+ - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ - Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**. ![You can only submit PE files in the file details section](images/submit-file.png) From dcda1d762adbe0224da58c767e3633eda3be98e9 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:50:01 -0700 Subject: [PATCH 18/33] update SIEM section to remove product name in TOC --- windows/keep-secure/TOC.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index bc1d1edae3..e249568df7 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -781,11 +781,11 @@ ######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) #### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) ##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) From 628d96ee6119b47389ae59d7fd8c92b75e27dcb4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 3 Apr 2017 14:51:18 -0700 Subject: [PATCH 19/33] update link title in table --- ...figure-siem-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 011897e94c..31ea81e97e 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. -[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. From b244e17f42227771b8fc3c41d2cd0fdb89d90fb6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 3 Apr 2017 15:05:15 -0700 Subject: [PATCH 20/33] updates --- .../basic-level-windows-diagnostic-events-and-fields.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md index 3fd905b836..822204598d 100644 --- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md @@ -1984,7 +1984,6 @@ This event sends inventory component versions for the Device Inventory data. The following fields are available: -- **devinv.dll** The file version of the Device inventory component. - **aeinv** The version of the App inventory component. - **devinv** The file version of the Device inventory component. From d4a68599a690585f70f503efba9bb07052027e54 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 3 Apr 2017 17:06:25 -0700 Subject: [PATCH 21/33] fixes (#531) --- ...asic-level-windows-diagnostic-events-and-fields.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md index 822204598d..f62ad1e526 100644 --- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md @@ -342,13 +342,8 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **ActiveNetworkConnection** Is the device an active network device? -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicate how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. - **IsBootCritical** Is the device boot critical? - **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -- **UplevelInboxDriver** Is there a driver uplevel for this device? - **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? - **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver. - **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update. @@ -2005,13 +2000,13 @@ The following fields are available: - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. Example: {1BCC5142-D98C-430B-B74A-484A0328A7CE} - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. Example: TRUE - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. Example: -- **PackageFamilyName** The package family name for a Windows Store app. - **RootDirPath** The path to the root directory where the program was installed. Example:  %ProgramFiles% (x86)\Neudesic\Azure Storage Explorer 6 - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics) Example: 4/12/2015 01:27:52 - **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. Example: 4/8/2015 01:06:11 - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. +- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). Example: 00000144865763f3de24c2ae5a289fde6db300000904 - **PackageFullName** The package full name for a Store application. Example: Microsoft.Hexic_1.2.0.36_x86__8wekyb3d8bbwe - **InventoryVersion** The version of the inventory file generating the events. - **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp. @@ -2047,7 +2042,6 @@ The following fields are available: - **ModelId** A model GUID. - **PrimaryCategory** The primary category for the device container. - **Categories** A comma separated list of functional categories in which the container belongs. -- **Icon** The path or index to the icon file. - **IsConnected** For physically a attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. - **IsActive** Is the device connected, or has it been seen in the last 14 days? - **IsPaired** Does the device container require pairing? @@ -2058,6 +2052,7 @@ The following fields are available: - **ModelNumber** The model number for the device container. - **Manufacturer** The manufacturer name for the device container. - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. +- **objectInstanceId** ContainerId. Example: {552dd320-0dae-2794-2b41-df42fee22488} - **InventoryVersion** The version of the inventory file generating the events. @@ -2123,8 +2118,6 @@ This event sends additional metadata about a PNP device that is specific to a pa The following fields are available: -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 - **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. - **Audio_CaptureDriver** The Audio device capture driver endpoint. From 67c8fdd740b29c83ac30850b54e70331fbd04df6 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Mon, 3 Apr 2017 17:52:26 -0700 Subject: [PATCH 22/33] Fixed a bunch of typos and added to what's new --- windows/update/waas-optimize-windows-10-updates.md | 2 +- windows/update/waas-windows-insider-for-business.md | 4 ++-- windows/whats-new/whats-new-windows-10-version-1703.md | 5 ++++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/update/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md index dba3ee72bb..0c618399e9 100644 --- a/windows/update/waas-optimize-windows-10-updates.md +++ b/windows/update/waas-optimize-windows-10-updates.md @@ -49,7 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager. +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md index b25fa5f18b..bf612c952c 100644 --- a/windows/update/waas-windows-insider-for-business.md +++ b/windows/update/waas-windows-insider-for-business.md @@ -22,7 +22,7 @@ For many IT pros, gaining visibility into feature updates early—before they’ The Windows Insider Program for Business gives you the opportunity to: * Get early access to Windows Insider Preview Builds * Provide feedback to Microsoft in real-time via the Feedback Hub app. -* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. @@ -126,7 +126,7 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch ### Make sure Windows is activated Go to **Settings > Updates & Security > Activation** to verify Windows is activated. -### Make sure your coporate account in AAD is connected to your device +### Make sure your corporate account in AAD is connected to your device Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account. ### Make sure you have selected a flight ring diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 772fb8f1ba..354c4d0d13 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -180,7 +180,10 @@ We recently added the option to download Windows 10 Insider Preview builds using ### Optimize update delivery -[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10, version 1703, [Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. From b8332348e77f4b05df7ad6e50735dd5849d515eb Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 4 Apr 2017 07:09:54 -0700 Subject: [PATCH 23/33] add MDM diagnostics (Deen) --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 354c4d0d13..2549666eae 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -230,7 +230,9 @@ The Windows version of mobile application management (MAM) is a lightweight solu For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). +### MDM diagnostics +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. From 18eea7f2d284acd1b1d16f152cc641e7463c1775 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 4 Apr 2017 08:59:30 -0700 Subject: [PATCH 24/33] added links to what's new * links to diagnostic data content * fixing links --- .../change-history-for-configure-windows-10.md | 4 +++- .../whats-new/whats-new-windows-10-version-1703.md | 11 +++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md index aa5be0aab7..7f36bcbec3 100644 --- a/windows/configure/change-history-for-configure-windows-10.md +++ b/windows/configure/change-history-for-configure-windows-10.md @@ -21,4 +21,6 @@ The topics in this library have been updated for Windows 10, version 1703 (also - [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md) - [Add image for secondary tiles](start-secondary-tiles.md) -- [Provision PCs with apps](provision-pcs-with-apps.md) \ No newline at end of file +- [Provision PCs with apps](provision-pcs-with-apps.md) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) +- [Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md) \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 2549666eae..495d1090f2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -230,10 +230,6 @@ The Windows version of mobile application management (MAM) is a lightweight solu For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). -### MDM diagnostics - -In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. @@ -243,6 +239,13 @@ For more info, see the following topics: - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](../configure/basic-level-windows-diagnostic-events-and-fields.md) +- [Windows 10, version 1703 Diagnostic Data](../configure/windows-diagnostic-data.md) + ## Windows 10 Mobile enhancements ### Lockdown Designer From 7772b61ec1b8f209aa822268ee926a76401ffec5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 4 Apr 2017 09:15:36 -0700 Subject: [PATCH 25/33] added MDM section back in (#536) --- windows/whats-new/whats-new-windows-10-version-1703.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 495d1090f2..73e50ea512 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -230,6 +230,10 @@ The Windows version of mobile application management (MAM) is a lightweight solu For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). +### MDM diagnostics + +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. From 5f80ed4072d891472219beb603478f8a5eecf294 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 4 Apr 2017 09:42:22 -0700 Subject: [PATCH 26/33] added diagnostic data links (#537) --- windows/configure/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configure/index.md b/windows/configure/index.md index bbe9b61e15..41f72b3b92 100644 --- a/windows/configure/index.md +++ b/windows/configure/index.md @@ -19,6 +19,8 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. | +| [Basic level Windows diagnostic data](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. | +| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | | [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | From 811d6a560733a03fc2bbad8aaf2a85c893f85a10 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 11:23:32 -0700 Subject: [PATCH 27/33] replace code blocks!? --- ...ows-defender-advanced-threat-protection.md | 66 +++++++++- ...ows-defender-advanced-threat-protection.md | 114 +++++++++++++++++- ...ows-defender-advanced-threat-protection.md | 114 +++++++++++++++++- 3 files changed, 281 insertions(+), 13 deletions(-) diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md index b7f9bce85f..df1301d438 100644 --- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -45,7 +45,71 @@ This step will guide you in creating an alert definition and an IOC for a malici NOTE:
Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application. - [!code[ExampleScript](./code/example-script.ps1#L1-L60)] + ``` + $authUrl = 'Your Authorization URL' + $clientId = 'Your Client ID' + $clientSecret = 'Your Client Secret' + + + Try + { + $tokenPayload = @{ + "resource" = 'https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + + "Fetching an access token" + $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload + $token = $response.access_token + "Token fetched successfully" + + $headers = @{ + "Content-Type" = "application/json" + "Accept" = "application/json" + "Authorization" = "Bearer {0}" -f $token } + + $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + + $alertDefinitionPayload = @{ + "Name" = "Test Alert" + "Severity" = "Medium" + "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" + "Title" = "Test alert." + "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." + "RecommendedAction" = "No recommended action for this test alert." + "Category" = "SuspiciousNetworkTraffic" + "Enabled" = "true"} + + "Creating an Alert Definition" + $alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + + "Alert Definition created successfully" + $alertDefinitionId = $alertDefinition.Id + + $iocPayload = @{ + "Type"="IpAddress" + "Value"="52.184.197.12" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + "Creating an Indicator of Compromise" + $ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) + "Indicator of Compromise created successfully" + + "All done!" + } + Catch + { + 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message + } + + ``` 3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines. diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md index b41b8bdaae..9bf4342870 100644 --- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -36,19 +36,43 @@ The following example demonstrates how to obtain an Azure AD access token that y Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal: -[!code[CustomTIAPI](./code/example.ps1#L1-L14)] +```powershell +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' + +$tokenPayload = @{ + "resource"='https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + +$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload +$token = $response.access_token + +``` ## Step 2: Create headers used for the requests with the API Use the following code to create the headers used for the requests with the API: -[!code[CustomTIAPI](./code/example.ps1#L16-L19)] +```powershell +$headers = @{ + "Content-Type"="application/json" + "Accept"="application/json" + "Authorization"="Bearer {0}" -f $token } + +$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" +``` ## Step 3: Create calls to the custom threat intelligence API After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: -[!code[CustomTIAPI](./code/example.ps1#L21-L24)] +```powershell +$alertDefinitions = + (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value +``` The response is empty on initial use of the API. @@ -56,18 +80,96 @@ The response is empty on initial use of the API. ## Step 4: Create a new alert definition The following example demonstrates how you to create a new alert definition. -[!code[CustomTIAPI](./code/example.ps1#L26-L39)] +```powershell +$alertDefinitionPayload = @{ + "Name"= "The alert's name" + "Severity"= "Low" + "InternalDescription"= "An internal description of the Alert" + "Title"= "The Title" + "UxDescription"= "Description of the alerts" + "RecommendedAction"= "The alert's recommended action" + "Category"= "Trojan" + "Enabled"= "true"} + +$alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) +``` ## Step 5: Create a new indicator of compromise You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. -[!code[CustomTIAPI](./code/example.ps1#L43-L53)] +```powershell +$iocPayload = @{ + "Type"="Sha1" + "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + +$ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) +``` ## Complete code You can use the complete code to create calls to the API. -[!code[CustomTIAPI](./code/example.ps1#L1-L53)] +```powershell +$authUrl = 'Your Authorization URL' +$clientId = 'Your Client ID' +$clientSecret = 'Your Client Secret' + +$tokenPayload = @{ + "resource"='https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + +$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload +$token = $response.access_token + +$headers = @{ + "Content-Type"="application/json" + "Accept"="application/json" + "Authorization"="Bearer {0}" -f $token } + +$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + +$alertDefinitions = + (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value + +$alertDefinitionPayload = @{ + "Name"= "The alert's name" + "Severity"= "Low" + "InternalDescription"= "An internal description of the Alert" + "Title"= "The Title" + "UxDescription"= "Description of the alerts" + "RecommendedAction"= "The alert's recommended action" + "Category"= "Trojan" + "Enabled"= "true"} + +$alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + +$alertDefinitionId = $alertDefinition.Id + +$iocPayload = @{ + "Type"="Sha1" + "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + +$ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) + +``` ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index a67b250923..dc44b7cbea 100644 --- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -38,20 +38,45 @@ The following example demonstrates how to obtain an Azure AD access token that y Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: -[!code[CustomTIAPI](./code/example.py#L1-L17)] +``` +import json +import requests +from pprint import pprint + +auth_url="Your Authorization URL" +client_id="Your Client ID" +client_secret="Your Client Secret" + +payload = {"resource": "https://graph.windows.net", + "client_id": client_id, + "client_secret": client_secret, + "grant_type": "client_credentials"} + +response = requests.post(auth_url, payload) +token = json.loads(response.text)["access_token"] +``` ## Step 2: Create request session object Add HTTP headers to the session object, including the Authorization header with the token that was obtained. -[!code[CustomTIAPI](./code/example.py#L19-L23)] +``` +with requests.Session() as session: + session.headers = { + 'Authorization': 'Bearer {}'.format(token), + 'Content-Type': 'application/json', + 'Accept': 'application/json'} +``` ## Step 3: Create calls to the custom threat intelligence API After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: -[!code[CustomTIAPI](./code/example.py#L25-L26)] +``` + response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") + pprint(json.loads(response.text)) +``` The response is empty on initial use of the API. @@ -59,18 +84,95 @@ The response is empty on initial use of the API. ## Step 4: Create a new alert definition The following example demonstrates how you to create a new alert definition. -[!code[CustomTIAPI](./code/example.py#L28-L39)] +``` + alert_definition = {"Name": "The alert's name", + "Severity": "Low", + "InternalDescription": "An internal description of the alert", + "Title": "The Title", + "UxDescription": "Description of the alerts", + "RecommendedAction": "The alert's recommended action", + "Category": "Trojan", + "Enabled": True} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", + json=alert_definition) +``` ## Step 5: Create a new indicator of compromise You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. -[!code[CustomTIAPI](./code/example.py#L41-L51)] +``` + alert_definition_id = json.loads(response.text)["Id"] + + ioc = {'Type': "Sha1", + 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", + 'DetectionFunction': "Equals", + 'Enabled': True, + "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", + json=ioc) +``` ## Complete code You can use the complete code to create calls to the API. -[!code[CustomTIAPI](./code/example.py#L1-L53)] +```syntax +import json +import requests +from pprint import pprint + +auth_url="Your Authorization URL" +client_id="Your Client ID" +client_secret="Your Client Secret" + +payload = {"resource": "https://graph.windows.net", + "client_id": client_id, + "client_secret": client_secret, + "grant_type": "client_credentials"} + +response = requests.post(auth_url, payload) +token = json.loads(response.text)["access_token"] + +with requests.Session() as session: + session.headers = { + 'Authorization': 'Bearer {}'.format(token), + 'Content-Type': 'application/json', + 'Accept': 'application/json'} + + response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") + pprint(json.loads(response.text)) + + alert_definition = {"Name": "The alert's name", + "Severity": "Low", + "InternalDescription": "An internal description of the alert", + "Title": "The Title", + "UxDescription": "Description of the alerts", + "RecommendedAction": "The alert's recommended action", + "Category": "Trojan", + "Enabled": True} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", + json=alert_definition) + + alert_definition_id = json.loads(response.text)["Id"] + + ioc = {'Type': "Sha1", + 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", + 'DetectionFunction': "Equals", + 'Enabled': True, + "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} + + response = session.post( + "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", + json=ioc) + + pprint(json.loads(response.text)) +``` ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From 8106da2644d2e195b731d6ae73081df6aee4c1d4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 11:34:54 -0700 Subject: [PATCH 28/33] add luba events --- ...g-windows-defender-advanced-threat-protection.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index f05e878db5..a02feda9ea 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -151,8 +151,21 @@ Event ID | Message | Resolution steps 5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). 7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. 15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. +
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. From 82bf9dd09f8daa6e2f2ffbbf76b462c2a8abd882 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 11:35:59 -0700 Subject: [PATCH 29/33] remove code folder --- windows/keep-secure/code/example-script.ps1 | 60 --------------------- windows/keep-secure/code/example.ps1 | 50 ----------------- windows/keep-secure/code/example.py | 51 ------------------ 3 files changed, 161 deletions(-) delete mode 100644 windows/keep-secure/code/example-script.ps1 delete mode 100644 windows/keep-secure/code/example.ps1 delete mode 100644 windows/keep-secure/code/example.py diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1 deleted file mode 100644 index e6563c2378..0000000000 --- a/windows/keep-secure/code/example-script.ps1 +++ /dev/null @@ -1,60 +0,0 @@ -$authUrl = 'Your Authorization URL' -$clientId = 'Your Client ID' -$clientSecret = 'Your Client Secret' - - -Try -{ - $tokenPayload = @{ - "resource" = 'https://graph.windows.net' - "client_id" = $clientId - "client_secret" = $clientSecret - "grant_type"='client_credentials'} - - "Fetching an access token" - $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload - $token = $response.access_token - "Token fetched successfully" - - $headers = @{ - "Content-Type" = "application/json" - "Accept" = "application/json" - "Authorization" = "Bearer {0}" -f $token } - - $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" - - $alertDefinitionPayload = @{ - "Name" = "Test Alert" - "Severity" = "Medium" - "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" - "Title" = "Test alert." - "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." - "RecommendedAction" = "No recommended action for this test alert." - "Category" = "SuspiciousNetworkTraffic" - "Enabled" = "true"} - "Creating an Alert Definition" - $alertDefinition = - Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) - "Alert Definition created successfully" - $alertDefinitionId = $alertDefinition.Id - - $iocPayload = @{ - "Type"="IpAddress" - "Value"="52.184.197.12" - "DetectionFunction"="Equals" - "Enabled"="true" - "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } - - "Creating an Indicator of Compromise" - $ioc = - Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) - "Indicator of Compromise created successfully" - - "All done!" -} -Catch -{ - 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message -} diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 deleted file mode 100644 index 6941c80627..0000000000 --- a/windows/keep-secure/code/example.ps1 +++ /dev/null @@ -1,50 +0,0 @@ -$authUrl = 'Your Authorization URL' -$clientId = 'Your Client ID' -$clientSecret = 'Your Client Secret' - -$tokenPayload = @{ - "resource"='https://graph.windows.net' - "client_id" = $clientId - "client_secret" = $clientSecret - "grant_type"='client_credentials'} - -$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload -$token = $response.access_token - -$headers = @{ - "Content-Type"="application/json" - "Accept"="application/json" - "Authorization"="Bearer {0}" -f $token } - -$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" - -$alertDefinitions = - (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value - -$alertDefinitionPayload = @{ - "Name"= "The alert's name" - "Severity"= "Low" - "InternalDescription"= "An internal description of the Alert" - "Title"= "The Title" - "UxDescription"= "Description of the alerts" - "RecommendedAction"= "The alert's recommended action" - "Category"= "Trojan" - "Enabled"= "true"} - -$alertDefinition = - Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) - -$alertDefinitionId = $alertDefinition.Id - -$iocPayload = @{ - "Type"="Sha1" - "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff" - "DetectionFunction"="Equals" - "Enabled"="true" - "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } - - -$ioc = - Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` - -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py deleted file mode 100644 index 6203b5230b..0000000000 --- a/windows/keep-secure/code/example.py +++ /dev/null @@ -1,51 +0,0 @@ -import json -import requests -from pprint import pprint - -auth_url="Your Authorization URL" -client_id="Your Client ID" -client_secret="Your Client Secret" - -payload = {"resource": "https://graph.windows.net", - "client_id": client_id, - "client_secret": client_secret, - "grant_type": "client_credentials"} - -response = requests.post(auth_url, payload) -token = json.loads(response.text)["access_token"] - -with requests.Session() as session: - session.headers = { - 'Authorization': 'Bearer {}'.format(token), - 'Content-Type': 'application/json', - 'Accept': 'application/json'} - - response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") - pprint(json.loads(response.text)) - - alert_definition = {"Name": "The alert's name", - "Severity": "Low", - "InternalDescription": "An internal description of the alert", - "Title": "The Title", - "UxDescription": "Description of the alerts", - "RecommendedAction": "The alert's recommended action", - "Category": "Trojan", - "Enabled": True} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", - json=alert_definition) - - alert_definition_id = json.loads(response.text)["Id"] - - ioc = {'Type': "Sha1", - 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", - 'DetectionFunction': "Equals", - 'Enabled': True, - "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", - json=ioc) - - pprint(json.loads(response.text)) From 5bdb8c63b6932eef60b63892a04321235080e4e0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 11:45:05 -0700 Subject: [PATCH 30/33] add example email notif --- ...ndows-defender-advanced-threat-protection.md | 4 ++++ .../images/atp-example-email-notification.png | Bin 0 -> 77772 bytes 2 files changed, 4 insertions(+) create mode 100644 windows/keep-secure/images/atp-example-email-notification.png diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index c4a85d0274..1853b3421a 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -46,6 +46,10 @@ The email notifications feature is turned off by default. Turn it on to start re Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. +Here's an example email notification: + +![Image of example email notification]() + ## Remove email recipients 1. Select the trash bin icon beside the email address you’d like to remove. diff --git a/windows/keep-secure/images/atp-example-email-notification.png b/windows/keep-secure/images/atp-example-email-notification.png new file mode 100644 index 0000000000000000000000000000000000000000..e11de0cba9083882a757065dbe25e36fc4c0c15f GIT binary patch literal 77772 zcmb@tRZv__*fpBq5}e@f1a}|Y2^t)NI|TOuf(3W?;32rXy9al77~K8e@AsYm?p&OU z(^XSbGgZB7@0sqW*Rv!{Sy37Vi2&)thYu*SG7_pEK0pP3`0()p0SfrWKq0^uc>CzA zDlPV*VuI)h_yA)e`c?G9hw2#Q7b95UGopixw)2M%sJ;KaJ`URdG5zr2y--#{^qa?b zNER#@djV?@&7B@+b#1Mj7u((4J-ksy-jNAAg`yvGb&WUxR`w@4QG6_n`?KHu{^EBQ ze>ge0E#b~dbhnKOZ~N>wbGQ35Mtf|eV6j|f@DDsNWNWKhI#-zv8>#=GYbsyb4m>to zs#(eF;R0C<>?8m;W8)^i`+v z7h4;G9v4@8qaxs!i><3vHe4OX2=#COGsIL4SInmJJDdI9iNP=9JR^hu&qO9T(!tPN za9Q4e|8~KYcS_KA!|JhGt$ld8ci|Mtc~Gu}#340&u%C1v+?#PsZ{d5> zP}|cEa@`AQ_>x1&O$?5H?w9w2E5GhR+r$Z@-U|5~U(H~ojO)E;zZISh%1_Kfwd86= zS$iW>d_yfRN15UwZpz43-H}n+wW z4-I*exFJY;4!7d{TDe9&W%3!xP>tAhzZt&my{o;^lV;?q$6A*$tRCF+P89|4_GdbY zj1=F-Roi)%Y2jLo{kD1wLG!CXzYv%75^q@$J*3dNoNO!)&J{a-Ium%Ols?4oK5h5r zF&(~QamQe4Iff{l@@Q0k&!QUc6c%Aej6+NJxDnpw^5#zN1Yeo@Jl*8Dt-o0WYp{e7 zJwmFCIA1PrPaK?M)l|0EHW6MYxm}E|Op)50uc(mkawbnFnd^FT((m@VD)g3alOB$@^`ifvP7Kt9`-Nj^X0bw(+*m?oA*YCpI_@cLM~6TL?qqX zGw$PAYnIvQ4+d4!ui@BrCpmS&ZG^R^mn)4iKRkU8q9+^dcp2{3*4)+09$2oC)?(=soSPg_H8-duF(|+rO$Of>^JNQlulAF&H!=n8w|}=u&9}1AnT@dKyd$ecTV2P2 z6=ZbxOOEGC&ELm61mN~7yt4w9^fCSu>H~&h6 zon`S|@88}S!Wi@U#2`Bzj&w37hMZ@Kt+4sMQ!o=N${?)*IA;G|i@>Id{tCT>LR46^vA`QbO8vq^=0)tBoyXUG?5 zF~SSosDefsaa$;cS`PoziidP~J>AS*AG9*4i*>&pcanX=X?P?Rr1P0zTvPqsCDuyo zNJm!VVIbt)05TbP@7XRS6b6B$8gN*;d_G%!+?{8_gavk;Rx;hxpbC4$uEbnB&e?2QCG^TM_L8mjW5V&k@f?MMevaMB;=|C@>_W)^a2Wg!5PGLl?vs^U!vRZLC4nGNT4M3}9p)NyrNWOaFSn}%15Z0V2yO~m>;pk$mk zHQP-jSTyvr54NC@{4sc6t?UHx`mG<%^Vn}f(>+o?g-bd;9pun|49ViUo^resPMI7U zoWP)5U#<)LTgj|*b8%&c>OiDVA<1rWq1cXjEVP0CRs;oGRCF%W}>l@P2x8A`dY z-sjP4vae9_#`B1W+=$CCAlKbA&7BQ|5#i2FW9<_Qm7I-UW zwa_{3Dy^tO63O6+P8TojPhV)o^l80r<6G`DDt{Q@iu+YLnz%WcI-jk+zqS09NprMDyT~_jQDA5}S{i6QD@#fH@$<&hsy^7psUebP}ZWnXcdKK&o?9b7Z zmv--`n|K6_v0-V8a)nrtrcA^y?SWnVwPk*iDC8>1%!AmYAB!n&erx}3=lvrp$a$p? zRzOTNsf<}nVMLP*O52Iiufn`VhvW4`%D*F7#pfVxwd3%pM>aiSzt zDVs>c!Jz+xmI7Cjh(cv#4)W^2Q$nc!>_o9|D{Wv=5S2d zXcduvyR#jOWQ1aQ?Wh#$@=<#A3ut8!vUthuot5W1jE~Nnwa&CNkx-H!J<&*K$Wf)j zsfz;ilJ3&OLQ|u73n=6Jb1A%Yr(+IG@;g|K?lelS2=*2#mr}I~jbVJMX{=Pew)PTe zB?c0Qi#lsC%;>U|SkpQU8Au}i3mOucnt1HFYJf$;<_ z=R$#uDB2EDlSHUU^`h0uK=|jz-BIbNJ9A3xi2MOE)s#PWOy5HLBIYeZP{Cs#=YNbP z+W|;x+TQz%dLB|y8K=Z7s|kP==oq6g`dDn;KC#Y0A>WRyXh{srdRupW zc)GqlSwL-P5@SkiSbF*uYUH^$G8VE|Z9*vjbZZkBQ{G70h{HUl4wsJV_$Pgfo8Wu> zmo++}-k{=?RBtVtMZNkj&Pw}ZIiBLdIvF%5Ym%)pgAx6LDn%>R(q6-5!6vF2eNi@y z{&GpmJ1nE&*xp~G)3#<6$@i(cAE@If(smfca1I={8gS?gSJUd;AoF>WR*!t{a{DA?anXQzMyM z6;++W?VAMsrGK2CFE8lyc!;GQqjql9!WRa;+S_={{k=)Wo-lw(ag;uqW`DJ0fgU8V zm>TxLN1|7&37=F-y|_A38@bP9mxL5pB{E9p+TMI$Z*v*Vww^Oxr4K2wysHXj6Yu$D zMw>WC%T+@^MT>0=mZ`CxlXu>iX>xTtR4zeA#+S=avzj5WX>-~Gkeuus#jNqz)^>lC zae4m0#}i}qo}fR&7vw}$?aoQzyoH?BJU8Xf988kk-%uI#df>Kpt^o*Tvm+H)u-?YE z_-BgZqzBs*m()3OY2Zw=B)$yQ+G0tyXbA_uhPY6U4=jNdSe;;0^ZudW+hDXP4ts}< zLEZ(hDPf+I`y=VkvNzV-A-t-W+f_zrvz1EQy%D%aAajzzf4|yxe~CE#czud{7@Lf_ zrI9RGjNk3J&+nLohK>qI-|7jOmNXR z2tU%cr9BS-?tsUh z`RQOFiX(*x3)OGCBnItB6PJZ1)gcTMwwP=4P(=l2mCrYm+K6C>te`U_2E*$Y-)^f7 zE|QXu&;3F zpQF4S-#bnNK6~5@wz%pN&_<8xTkj^im{=VB^OrN5Mkev{B(_?ar#4q`{ux=AD#$m> za887*_$1MLWoJtzgn}Gg+(i&c5!?(@Msr*U7>c zT+Af*AhZ=fKQ_Ym*@sRi$(Le^!gsc7ap8=eLB^tGFFmyYjg(>KeS9vtdV0J@PM}%S zYdo8az`bBwpPDAb5n>>WB)hKLYy!Cf!)uEsUjCwmnJPfK(E!{&MOwIlg7GLt(c{y z!HvR@z1rckpJD*XiE-+>^C^>08C~1e=l1 zsNIbE0*}ury1rdLPtqi!cmv`t+?D7+%I8#)fF=L)i)l7Yn2+o6Z}9_0i}~Ag79N_f ztm=yIFV|O%YZPwG5rp?z2NUjVtG03)4?QUAr4wkR*=hFjPYf59^2I5hDET?*#c z`04d&90qSYXdzL-kDi|0P;I@E_6L|n-}PG(QP8@d(nTRYsOdX3Ue00DZz$I zT(SL7>uB09R)c;#bdCDLCo=-E_9nk1y=2qWmhlZijf<#f`kty{IhI<}TO*cw$p{_2 z^jv_eY$!Rbfp>AYgTiU0o+ptRKVNW#oXR#nkWx30p(aM|p8_qHU=?pp-JUE?u3igxDCeP+EhkbAiZQtN zxB*z&>+%o-B?V=Bs@}$h9i?vH_j-4}9EJ5zH_yz1EhIy+qr(_>B3!|WKj%W8zi(9u zA8OKShFKxwS5ZOL`KZOWNT}Xl{d@6{NOq}ptyT>JI%K4f&6z7U4pBiwZWM(U3m-aY z%YN09jQ0VFa9kx42W7H`?vDztg5-j%I)h!+7{eA=OfOu@QSx5gLAOCV#JpJM3_GgWG!1&DhO|K+055Sg#Cef z&*tjK`BIAzV*rux566Q_S**U~qQ*@K%G&CgErG;BDhl+po0MNPA${uo?Y`8tQ9el)v-C@NMxc_Dp55UwkvsH8QoqCnsv`<35FBgixaafci)S(+ z$A*h6bTn~byxH(?#uL~OrF3yY@u(tku=9BOJy`SO*Uk6~HeGlSb!)OMd-2o#L88t- z#IZrD3fVN(JAO#<93#pkK1Wp)wnLjP&p{}LO1{WaR_JPwJ4QIy9Vdffwb=%k@^zS? zdqZTpwWu{QDaadm9lB0HClE@i}Y$uZpUm&SB8F;$3Y8X%JCBO_fNrx zqm|`be5EBlUnCE+L?VUO>8b0|G>fiKjN6`uEZLW-`B&-kr(gno`^23h#Y-d52Ad1( zqm`!%Bwke0oztnyk<8*kF`#_nQP{(>qwr{&88ZuFyBbguw}a(ghU} z@vr_N5q=#cW%Knt{HK7c7={-b8_J@MhgU^ox12%99Xm0-tXW%>YgIi~rKNaxB%b$r zZDOsBPBV6t<4ZyO#3$_gQp4+55PQ2+Bg>2W5xx5#Gy<5>2jOrf(T=cK`q8gIA`E)!d^;2x2P|nrrOs{0k=f-lMFPJe5U9P)7qRCWHxB)fo@g?;OU2I?=3PEUPFM645N;IhZuUWM*K2})! z&8>~Cx%#vzs%h0(Q!}yE(lno~7SfV_d&}ysz+wU7GoEYpe4l2%@af5RB{V4^B?+jl ztxsH%vE7bZ&X858ORVc1-5>;!9`unLffU+}iPtqNY2Q7O$;R7$|It~4`ZM268^WAQ zXjF{fdlp|+&#>$dBzB_)En#udIaDxXvxAZm4#Y@%D`r}9QK@fiMDj5#1`S7*1zDP# znfv4A^DwGzntQxq$lN@dQv8pBnG1w6xxBz`iqxB!2Ru=q7RX4qg~X@~r0FE_veE111v*6UCI~xFamQxy zA^F9M;dKWj=5Aw-G=;z@>0yGTESH1n)nv#!_-4z}#_)Q%Yl4vaUy`#>7vkkdclrhF zZyE4EHJg3iYVCZE#@Xm#EhH=S%v}w^%6=NqR*24@2_@?ojj=P5Ct1L% z?vSCSV>yjR1gTIFKO;>AEAU;}eO+uL7l*sP#h=Fgg~|jOU2ox*M3Ni$B%4bPPrywj z&>yZW8QY^}QjWe`&8*+IB{^>~!FccF0A;9l?qr&bc5pM;l1)`m@nl*Oq~gtvkANH#!OEni;AD0`W$LogUz4>wgX4n*!#=`wExr@ znxJmLOS5ueA5C@9O7jRve72ZKUH_1NSnJvnLv%z0dYK-I^C`PN?r3e5f4EQ}{5yb& zs+{o9`@ku2_^-??08w%2`J%Ld2uUK%D8AD5dH0en0v9Ub;N&niZg}#nn|ktSMpi-r z^vh%7ACvf7axYTi1D$!TYQe116HK7d@0$3SV{g3BG_4O)8QUH zcI!;Rw8%e~?%vhLHCv0qnO-Ts4X-Ze3gz83DpAv#dw$yo7PtQRu_Bk$1J}2^Qw##_ z#`|}%1{GD$Qz3uE?~j*xr28#Z_aVh0?6!l#&6e4S);pkSh&Q?@OX^)B%*pZi+jN@Y zL-#-05rn#t*`z4kPE&w%OH@$kp%=Kz-5;NdlcSFsk5XCGXks-_@XfPO+S(CP|GRjP zm_qcBs*(?F=Jsg2Hlm>v62UH6E|&~xsE7X!0?TZf(yBb*5z>Ww$|H?n_ursjt!uZ` zQNiIX%SY9~dcM91)JCuyk#5nq2?=VdLS0vjuAB|%i_a637cnU3tHK3*m~7&^f4ZG; z+QZQy_Q@zdJfJ1SK=z+7+LF&<9gozVH|kZLNH-ncJ%eIw5cG06n(PvLqTMu^J=4)g z-Igp;F+0B>6|BYc}BcHxn!*m62@N;Z{V91O*BwQ ze!`9KGP^Pz_~j5nJ${5`fBrnr8XfHxhL80%HHHm(%qm_spbQImwB)3&jV^GcdWddAqU9%P zU*{6lyWq^jHC;V1%P@#3+nJ_rhE(ez&J6cHTQ|RJ~Wrw>lz0nfnnb|qu+9Jj_Jl4SfR zd!?5A_A({p>o##OQik(BCu8*lsi)3xPvEzLe01h1q(>a&7q~4G%%zMV59aY~CQ?tT z%k*0#JpJ}BqEItp;Q^wEfek5)RyKygNLM8=Gep6P9FD)~CexY9_JvwV zM{Z6R`}u-jcrz-k`0%y=vX?IXwxTq?VneZju4f5nHtWDA+&)=gT(>hDNyYNeU8<25 zaQ8K@@3xsB!k7NC{c}$tsB7di7fu936PHF2o9oS&lT_eme?O=zbdWZ&Xd4cz~69@?*LCjn-^w|96F$bK?5I#)-Os!drs!}W_@RsSv!OVylfIw z$OMpj206cG6NJ*J*Uk+^AvI8@gktpL!RI>c59ff11h|Wv)~@tEa8y}~rm{Bl+YAo6 zq$_aWV^EI0#nIPQDiYrjF~`|x&;G$4dZV{9jiG?_VR}xW5RM3-Fp_TlOYnK_@O{hd z$jc9SDPqOo6#huc5=C%Zk=tq*3b zv}`B+CQWY2_L$l=>np0-R6K`ofxNEWAs9Joo9z82E#MN{qClSidJq$}K9Qvhr+KCd zgXl)L#E8DN!!R+Skn8SR(#|U#PL<;`cw*emFazDS21<<%&&{|K#`H^lB(FmhobFfI&52Y6D zo_Ms9NdfInqxCj9sh7`76!-+p`tN2)|Mr4hIWnQVb{c3-b{itmxJFpKCt7sv ztHbQ6%{Ll5l4}1<41*aSEXXHwA6kcQ6QSTE`u*Xg&G_C#BSURMl#b&8tPtK-(^a#cR zy=JFId(V##G8x=?^do?YqT1wJ_lJD?36`l(NJZ?Lftx#Rp43P|F~t0#awwn%?r!f< zoJ5u1FpsvMD)5m#Q`@(w(9bQb=ZRLh5Fy$8DlEc;03k)q>v+H^Byu1@p^3?cC5IF#9IEFAtXx z0Y-SJf0A20#OAmj7e8fd0Ifnr#DRv)!$#enBvW9pfXmB!iG7JPaM$D-r=@ON2?TPF zMwCjk_=Unzv|XxszHL&&k+9d!YJPRQHyQ}h)nM>6`qA8d=zg);IXLL|3PNXp8y*}@ zHWCJ^?G^%(IUmA~+3IhoN`sm9^YpGV+U-@lCWq)V|H@3g*cWR;9nRSSgKr zpTCFLZ*tr^Nd7%B216&hs4t?i!PY3>$hYfv>lclJV1(dJXZ*^>cHi+oLkXHs*k5b% z$%0?7KvFXo8f6(xfES`5bwr9%`_wH**qqyTBuO4>zH~I1?;o@#kLd*C6l*?(T8LgG z=^cmF1S+ZTZ&Bz9OrbKxlxSCq>t5$47d_!#7SG44u~_muXH*m3J(k^FKF=C0RBA~1 z_q9yxJ26*awNXp}evFaz(^i{>7TYDQO!%;vauA4<@AMRBlgym&e0#@4za7v>8v|K=P>cl8l6e(_m> zXxk=N*@MUpEy@qNDdhrj^qP8lra0{$4-Of(Cj@lL>%RiK`UL4imYYpiHyUbb{tG@H)ik4K@;0oPr`hMXr^^R|z66yR- z>p+&=LdUBF4!D8M+wGae+>$Q5Q*|HyvifE5<4%ulqdiSPz@?S!2?`-tqk1>tn(gRi zO}nFQ^=zQsJg~45^0?>`X~q>u&3M9AB@;y_5Q5|iAnUC){k;+WMqdvY&0og|V+A-A zCOi4~_vbSz-d{9*frSTi4f;r$A6O)4-Gi_cdfwbRO8rKFH99Q2{>RvOxEASMJfv!j z6E(|kXi!4l7~00_WJU9QsAsWKF@4qz`StYL#0`GcNcAim)c(cQI2o4|BzG_Roi> zA1peFYBRQ|5IYfG6cFi5I5oh5>ESs%u+B{TLrO*gaWsrLpM`HSuDVj>vj1|mk$kq`eHq$Y1(QJsyEZ$ddqR9X zeV8FRM7K`F08)@VSE9DF77w8K^;jAirg#iW`qd?!nl>0z6^zju5eY2f{V!P!15f3m znd}^P1-cDo+PHqr*bk3vC~>;+dODUq(e(9%@EDZK$%_fJsOQc;Iv|`CJPjOdK_uB~ zpDl$9pv*D^8vvB(`V||pguhyliR=~&c_G+_P&eE(2udqeFNw{JCAj!P?Cs8+D$jrkbE{6>>m2_A~aYkJqWD>-t!C#46xZn%X8 zJK2vCR5q%G#^Jx4>m7`)-T&;qS|_GR#P|Yqy)2dTVk`%3e+?cWZP0*IUY9-O^SoS- zKC(?dkilR-yzqVh%#_r~Iow~C)G&HQld1D`hm|RxFSTa=TElurshDzVgMry#(3=)(}CLRA8&WM0k-trfLh=>Z@@U9_~o|dhc#r4Gi@B9-N1#a97IG0fgn+0G;H)ut2*TydzStPMrr20QMX6 zacyH%I5@?hLeq3KJ5sI=`yLZ9XSQAbv;&+}WFPYA2B5~(=ULvD^-D0J?H2KAA|KW9 z9^h@aZ-nb@Co=ADSUQIe!B>+4ui~KnFDExGT&mr&{9J}z$BkI2on^#_{(K6Ebqkv& zHVmnJ5oH^kBHPm*mx^cv5(lwo=%f)jUe2dF<}8IZI4C)A~ofXbm)}TF;a1 z(yl8E%>h6VCF}Yjgy@y36}dcb!Cz8d_Gr?4mD`9X!2~m=0Avcq#yiUZ2h&#&x0Cky z*i?wLPQ6YNBfiwMRt<;$(#YbgmV~98N+`G|KtHil8QSLSF+a}_BB3sc_^sA`)f_J6lXsiYM$ezLEc{8Lzon+evyF?Z0jQ}wSItU zW**okslXyK+jE(A7N{a>4*s;25Sh z6(@f{;T$xXrNhT{%(O2vU;&T)teA`sCZWWrqS>OdUDR!4*4;I+N$qiopUQP0BxTWW zIbJisAPZn0#WTZ;j#^(g$4HaWT=yN0X6wrpuT+SanCHG&t37ZSP4)=6N`q>kH5ZUy z-Zh~&m7V=_HAOGl6^6CHqNV4G`dRKw+<4$9$8TM|di!i7X>Y;&Q=2cb1o&mU|M_uI z85Q@;^7*c2^j~4h{)CWn<@)e?``$c$Ei61j{ahHcs1|8KNxKO3OgoQ z0$3$8L~iic$V8UB$UzOGy^>o)N<)KJV?A5_U=W_3g++NKeAZXDKYXNwn@2#REo&C zK^-o`aWN+gDTJSa|3yoic?tPC#3gMv#eDKR22aIJj9y+{Lc3Sk0@R^;LJWp^L@a~a z-c$Hzyy0D=dlP|pGs_N%0Cwc1hk2P&P5A89CjSUBNeuWA5ZaJToArB14jC+^FbZk@ zKsbBIKaV?&Ke3!j*sK`hX4kN2f=ZvWlJOVA#Zo zTqWz}H_e_1bQzMY1tZ#QIYT|(D`?N>p@WwrLuSvuEv)FMe`Hpndc$53{b z*boKJOc&74oigP*cya^;H=eYf7dY@Ih$gbovWvR2<%V7H4cJ~&3Yi*-VU=VkW(%EV z^VL3{(y~1;od0HrVK~KOs50ydr;^=e$RVSBPN{_i?_=?g##X~}*jo_@)PtqENP-w~ zi!Z42p69-#^FtXeB+A1nN$5BKQm6xlX*Bt4Yq68rrL6+d z>FUzADqNbe?q4X92l|r*5|K=2r}t)J@0k0`$a~_ADY(p>JW5zi^d5PH&U-a1IZ~n| zcUvFvFYo9EfA4PhFJ1P%z9N6`G+!|5m-SQKjCR^HG!BVEzN20=JTJtVJv`>MAj{(CwuFkhY_s8$QVg+(&lv0R@v&3=>WIPR4IP5MKvLT{f=jfIjS z7k0I?=V^}LY4|%`kjrK2QfPALt8$>{=b~8J)SnNoKEFPx!loS3y`Ul95nc2=eXSln zJ@cgm{PkS-bQ{D18d}1-W^_SFW={$br@PL(2WIkx;w_W>;H_R#>t$?QLL=5b4K-0~ z3VrO0Wr&}z3ihJf#3%e7buo3-COPPfJz0Nmt>mJPTq0W3XVer2+wqoNL%^7)kUo07 z?>GmLnY<=eiF6*SdA1D*U!yPM)}HQZQ+K}fka+!oXc@DVNCGUJ*+Uq&#I?iq{#|Vl zisH26C(XsRezB0MU*i!pn_eq_@r1LPST2@1f}xI3=93bwkUWKGl|TaE2hxFMNtB1mis2Iyc%?ki<^d2M!;ONOVOqp3ZFkq9+~SGL~}pO;2BSUFE* z9?&XEc>1liF#G?|h=^_CSE0Dy>QxaCFb;ay#G|~o>c{j7JZk*nxE%$!a#GoY|GDiM z2z!Z=e`1S68KGm0z!~5AQtTqY&~w<;ACX4bBn<=#=Ih1bqm|w+pzU%Qv}gcleBPEr z;A^9`8k7(jGLpf}8wmmRd8zh{$rv6pd7>Y1*t*VFF5nQu5Yyl#EM-1MA_ThrH4ttP zwq}#x@eogDRN%7}iF(|euO#i2`14hhwUP+ODOQZ!w3*cklbYy!3Cri1k*HP}6YMrfRRD##Z&d(M|#0fH|cnF}@a zfUHM;%=v__>YKJ6e7QUFgH5thyUP{e92$dKQUH`Pg%-L+4wrt@}$yoP8onvl5It+e~=#O48% zOQ+Kgbj7tRk_k!jLkt2ROrkd0R-VEud~%ct92+3E-<=QGnQh}!`_{!M#KugH8A75T?JJl2I8GCg9hTY4U5{e=8k$ z3k(=MoMM1}J%lApuYMlSj)Lkr&R5lu4pB?gPX8A4n%4lpk);&$16CtEGFgjCkN0^h zF_oNOF_MSMQW%I%8b&BbdFZ<^T%RG8@pRfmjBH8J3;mmEpUK(BR22=)!s|70h@aDp zSj-DU#j*a(j-ACWfKp0KCaT;KoB#BHQt16MgodQZQGMvR;T3Ta70Jy@p;O2PI!jg6 z3QDQj92()55EGC7fv2`AeT-v`xsP8*_G2#>IEQn^d1+wd)Zj-ko|EA^!eN+W8K-fg zzjD=Pb_L70d7EJ%Int%I5V?$TFU!ZK`=3&=Pz<7uoMTQ&ug_gik9EPqO~{1bOt*$( zIJ{j(7Q(g=?3Illuo7_fOng@_%CzLpnlD4-Kpd)Y<$Y z8el7L_?6M+58F`7E<8RpwL`U@6CL-^a-kM8->jw1Z6oosFV{>@m->+U@DHS7R3WSI zk|X7mB@R&y3@yv$;@$rZf_+YkLI3|d6ZZchWQI3tn0-rI?$Q9{&A`k+*zD0SMG|Ke z2;$r=l)5*mmwxtpUE=yLsOI+-h^KWp89~WIB48dzZRh|;io9={pKct5AB^h5eLv^o z_uY_{_1hgsgUn4h*@%7kmV&&icX}Y-W>8yoR0-HmMP8qzm+M4%Q3Z2k`TjLs&a5=1 zJpyXj3j_=y;=g(0ckSC0E_6MCMj?Qd=y`svG1Yn~tdtuF_OUQHU4A~9TLIXwUiHsO z?@IsOYI^YEiN|ENf|dVsD29B#q;u*t94U|O!|VcXF#5Jhn0p}BvT-CJ8&AHx_8Y>t zd0cD)zzMJfxQ5|f<}fN$9~fK+QXv#EhmfVtplH{$`QC<0>8A-B@Zf*`92EQ;Ty`~w zgzYicA58yxyu{)5F1=7;HXPRU!l?gbfBHyk4AVW8 zPinimSZ}vtCmFtI5D>$&H$*;uxzv%R;U}T{?OO-?e-CUOT+&MI_x4OeQfbi9R_}S8 zpxYSPtl!K|W!L$fkK+Vp{4CU<;qzm)2_R$I{6rn+c1_MtSF*%|pVkNrDimT34c1yL zetq&hJ{Y9daj8)vMS52z$bSJWju7KP}E**4p-BM>|And28uZhD{(}=^N zK`rCp+Y^MGKuc;py-P^|CknN)SZT8hCZzC#tlHbg@oHCH{Nc@E#Fw6`p zm0kXsoX8sNe1DSxCh9bP#}V?14HB&uy{h(1`a7wVDFcoSIH<|q#3$3R*H!RbB>`7c8yaPJOk7B!{4R@{ z#S_c3CB!m{k-1V{la@};cYuVws@@^UU%(Q9f9J+xrTTKggI6?<|pPexn4@&t<0G$acr{#x!orrg=b=}6ZausN`k{@Pm z9u2c1yzA}H+se6g)<7Q{qT5)+)PQX7=)Bef!~zlOBeD<@JqO3fi;VgK+W??@@JmOv z0D%i#RkE%dm#e2p{Jop$)#hoKH~tWm)>_*o8~KzG{U2Blq(Ds3mPuo*z*KHgrG_d6 zNGsOX>NOMEEQA+rW{1F+%cZb1OmL^;GO{=AXiFroj}OLZ9Y11RI^xZf4(9e zzL6^)WJyEJ-V1$QEtJ(8eJ~i~PRM&P_AeLmR`6dDV#QX)rMP^0yD?zZ~@@6Xo4!=q|NNqEZbk##ZuWP#^kJc3}Gh#vFDxV%ji3n{3r z!}_zzv)u_Q)P*LHA@O#DEXrT+w}W3&vGw4;h)tjpk2w4rKAA2Al4V_m5gZnBJXh|{ z*@9@y-|LbuX@F!v3?f#Q#uL#dwJp7>1b+}FLVzsz@*+2K4RGfR`aX{X;$i7oMhGs; z4;GEF-1~3e-bQ;|)Pb6~95n8uz1q~#>duii`EoTntyP^m0NDg^Q9P8r9fRubE4YnQ z>eKMsztI!JK)8Rkf^Vxp!VFVjozE8xoG?AXJ%dzGe*+)rjl>5c(TfF{enmC8xb-27 zJT@H+-XY0TNHo=Zav&+M$$ZWGTj_G@Xsh=!6kLWJbMZzY_Dm}zQD?i_$eI4lup2!tXfLa@QURUOV zvmgdP2lM9MAB0BCuxIS z04u`g+eUf1Zs#kG#=yc>{QdqoFV0Qi@Ze^DApEC~a5F7Q!wG~V8Xk&iVs6jtYATN` z$jG8V!M4HTc3*Hi4V5$K^r)s+BH{fhVScrKJQpk(N|quO!|a^Vi3@g8vIA@H>t--f1kE66o|FL-^vHlVR0DZ!YN{E9>rhixN#@krPAz zk6J9~ghAu?#nn{)o)Buy1V~X%({An6AcL$r+^S3zax77 zhYT&|JieI}j^Hs#Zsyf%0%Q)y+qs!yi;z!Se}@MX{i=+_9T5t4fdIc;$WHx#HA=Kc zOc~fje}hiF^&4zI4#sdKoM(Z2j*D~jT3z_elPI(JABlNI_^Y!XMNQ2;3_%^{K9cfh zaUIARPWyESI~KmaCs6H$)CE_FkEv=vZ$PCL6b?jihpm2=G8CVG`IwmRv-ge45M^9lo#W|A)4> zjH)~NwncH*4Z+MkG%U z>}_}KzKHb?n>}}~c4STjjNY*^4D1nT18KKP-uw4eohElz&KIY9m7p=nnUc%c?C#34 zo9m^>#pNU6RXW@|dgVLNkc)qqC)mj9<+5F6bd)W`jO3x5LlRPN0{wn}Riw)CsVymP zy)VhVB-g_`FOUC(Bea!mTPltsIpDJgOkRB4yWUt|&sB+{i_254W8fN0eB3axKf3?B zmv!U6x~`P<1f8k={kG<8e4h$tKu1|q965SIdUuHrX}^Z3==GuEKMQQU8I~4D*%QH2 z*4P675eEaJC~`r>X9rB)M+T~TzSy8s?86r%EFZIb{&;{I*l}r^LeRJEG1I82qtmwA zvEcGD=i@&Rt#-82oadiyvMsWm#L`A4k_kN{*R;h>V7i7#embXtk$E^E> zCfGS%A-h8_*&LSuF}(F7@SV9fYls&_nDXm8d!v~u+e0iLMfS#a-%aWh&{?9!shz4o zCaDmCg8^7=+szJ;2q2U|wWH8t5|tI%;s{gQjkWKn_l;tvGBml^Pe!7|Bk1tFzu7F3 z@wWK^`esI_240sc>Cp78m^{~CTxgn{y~!{ctYNi&6Xe&dymsZ#`;D2cP#m& z&)@UijILn0WD;iNQQ^0xU`|7>1_W49+N*r8<3#yWz5_)7Ydp?sE(|1mSlC1Sp&i+S zAHxirZLZJLj%|Ng3`?WF`39 zgPa%4x^9Ld?~_V%^RX2l``1NSDR;pA~UA<~S51VfH=4n6o!f~UI&(Xd% zK3puhZVDBw_RGxyBfrYjV2A$zcEXPP2W!pUR5--gI$JBhb?9t?WKK^QF9ympYd}Yh zmm38CJsx`2Q#DgP7$nvvsE{Ty_5Cj(<#T#Mi=@xxl09;erWEIFX7G6b6iyVlC$lo= z4&6I%Uuc##fLxfVDDZr(uV^~9&Z@RlPk@Q6W+9$_xYS~NqWAACVD}RT64Z1v_)kFk zH`I=ZZ`|c01+uM>?i2%U~W#|0%s%QLcaKAU)hU9^h^y-Ni_`Q0w2K;&t~Hw|bnT zlmd2ft;L&<9j*;waqep7#+NF>xiqWv53#^Ai-D0_c=&rEC_Qs&nFAlnbpZ=%S zapQh1+oLZ<8kVRgFPq=AvvQ?=IjtW0O^wqzshpGExw0Qmt+2$M8l3NDx4^F^_^V{P z`*`*8X9e3Nh3;LRpvPBLWZk+Z=d}>aIe2cj+tu(-%RZ87Z>X2kuEAuD>l({invhbI zP4vD@DhHPde52+r=y*A$FIF@NJIi_<50=natfNr1zC-5 zvRp0S&f9L^YuM6x?@N}aL}kn>_Ef4#rkA!1r7`jcGiuVy_uN0F&v}@%pm=_&4w0Lrz$DVexOi@q`XQuvdUQ<`gXK@Lt{W2sD|f z@;K-GS$@>|U2&Xxg;_WVTLVr}El>}O$?R;-56msV3q9DLvJ=vr8>PKCPQ2;1uX%yc* zt&HKN>Ci7ke89%+zh0khF%Br*)vJjPmYsic+yX^r>KLduC7+s z371W6?B!-A5?f2a8%)|n=hP4W`vw4Yp@uO%ed22r$!jfoA~4?R=`S(B!!wLHtp?+) zLO8){22l?|pFXks|Lz~i4xF7tJ$v3CP3(Ly$2;G=Hkvh@#sQjd#~&UZ8qWL!ZZD6p zDMjuE5@;(8IvVJGMaYCa947L`+uPe4oS#z&du^<(al8I`Gw*qfgM-8Ad*fnZVKIL# z+H<(rqT6VhksQodf#-6>ZiT8HJXJA zp$qs9cgA&FbS|03u79}DY@&ckF(X2BQt&jE=kHJ|K89j8KbP0}&f(!9_?7JMThm4T zA2fkOm6=we+L%Z=5@VuVw=t8~Mp}M*EC-v6Uu>w&`|{@EAWPWWE&M(wY$Tn_z{>RyMmGPM0~xvLr_oFp^vNKlshk4k(stvd%|D-91o;dNUgJ+T%kH@FK!~VQ*BXookQzI=I$3wjH)H3@xTnn{TXmftGi6*&rljU{g==Ce=bFi=L@J<@)xavjSS zh@%j;7Q~k097lh~(%Ud*hyL~Vg5HA$m5*F1YergH+QA*=3izrS+-8}4_PM@1+WV^d zryGObfB(D|{ZXck*8nEJlpHu6!`QqM5SUdC3J1)BIx~C1!9rBZ^LL+B@*WnNoyl%* zZyT+qLAzlcx7f4inq-`YFg}q`)goz3b+GX?YfJ~9zpKb^^?!W8Am%R9K1*As>_KFG z`|VA$)28iqS10%eXB&f(goDgTFYFeyVhP#xBBrG&hjuNxmfF0H#9ImGuMJ>T7?ra< zW~z+9;=#AYY*)MNs?U3J2DtNs)EJSsZaZ58nxf>UPP~amN3-~btqfNtdZV7%fQRQa z)bzq?N-Fjl);}i;AuCSMWe28>UM|tJHv;!*)#e)QRgAyADcKs!dCpAs1Dpe^>CdXX z8nO6S{O*SfRaZ0BCcn#dWzeW`p`?6vbz2@ho~Nc-Nx`%-v8w2^fba9}7Ezy(i!?_u zW{MZfjxJVZezpHiL`38l+=JBLKRA%|3v>H&}6RRgF>>3+KdWQ57%n@@p3RS_6o$Q-fmIn zDkUKCmzq7JHuzBtKq|Z`}G#7v+CX5-DjmN2J^d%d3&wbR$Kg2 zF)#9{sS^CmpMUW=t>KmVNKpR1&Fj3ivXUcPJWj1By-VwS?{{3GESLQq7}z19a^7)& zp&L7!s2YLC7~9+@ImJnX#4ji)>UAE0@5K-JB1n>_mlxQmxvLF-NDMX44;Qm4f(v)( zlP8I}O$UnQlB!IHl9_kJ?8%%{Qk~?_FBaXGCrPhQH%-bSx2xh&YD}Q9SuZ~nBJ5gs zI;_`Epe8dgGbrc0dd<_^+o|8?m4d$j*Da&|)n@XkC$2J`FDjMCKh+gMbiMudN z(&Q!D$}iPS{$7MGm$Z;>utyEso12?g$+_99xUHkHrX$4}6WppZEwK!13JlrCkr))a zf)K$n53Nio3YE*JuuLj|>2zHf3*u+hp{1pzWj3}TjHS{&bo?6u!}P%xR0s3-tbcw( zJ*nyjvkJ%j68P-jyIHH7kLT()g85oj9=N%w*I>q5rm1e3e#^@@(6PP;S)pF8Hwg?% znP3WHt!FiQm0Uv3L85A8dA6^>`&JJo$-sTAea+WV_yssFGrXK~mbzjg2`{YFZL4xR z5J{O<@mroX4~$)ii%GxwU}OP(Gga~lEa#7IF7}QIQg6NUoyl21x*g@x%3!^85p%9F zAJqXzcfQeH14Wn9N3kLrwAE!Tw|NtC_dI~$)gxJ~0q4^9r|4&K5BvS?rA3wrEglcT z1ZkENh~tr#yT}snwPGR&Y}Wf@6vib7t7siD!U{$-2O2(d-(v)JSu;>d+S=y7q5i_a zgsI7}*2|(3XhR>}*KS*_#k38j^el%6litT3cvA|oFOK(wOm_1PXHzk^|p zQZCY$fT=Yfby``s`CY+fL}zOpT%l9X@*!D49PTuq=45gBCkR0hQOY=tllke@tCw5!ISR?B|I7I$Wru`(0!PV?8Dt34}+c8VEtftI4c_<&)6F!R&Qya@s^o=}sUDo7H%*$1s=~vgZ9u2aFBu?cnQn*pE@OLyEVer4(3r$Q@m;Iec-!ZVqER_z+#f-C3o)fUsjfCaxdY4;TfmEMO&EMKB^f917AQbNn?bSC$c;!Yh?rp^!Me(3u%e`kbp2UwM9y;Z!#8 ztHCgn7Ckt!+K#H_*|BA~tU>xq_yT19tb^d3LXd{jsVhr6M{VWy-N|Y%tCPB|r7|3X z7g&l1je5f9^|sPSNstnu=3D(rCbPpc_X6fn(?>`UD-cLX2^=v3$!{lXEyiW(UWQ6- zR+I&7%9)Jf>nIJ*z!(Aatw~136lfQCN=<=ZT>7p;Pp-}X?j(E=%Cw?e_3qU|7(HAM z=Y^&~sHGJm@(h`Plj((TEUMNno)CPj5eLz4)%u%P=WP80%;bH_Y}m{*mNO9? zc+Qqg`^6B%LyShL&a0d<{H?4XV=RWzvKCl8_balRIHrmQT$^RhF;K}e^mAe}qJ-*r zmpQDB^!I&4p9!AhlBW_yN*(i4j-XBAiiP7)BV)YsVP!|8Rpv{~>DKt7%%)`iea)1} zv&>!aSmTquI~b7@q2R2@xi=7jP4~s4tqBFPv+gia{UYhDip-!AqNXK?TO(t49YLqn z@|+uzS45&|_p!XJmr1Lf1fu9Eyv#lrgG!k%P;a{4GNyy}=Wgi!ilT&D%wmf>9)C?` z^|%uT53bR0j&3uuf{$1r0C*PuMve5*w2M_MqofzyFA>v`$c@q62qf^D5ws2*%I}p~ zI-gKi7T?g!7)tsK4K>?-a(SLqREnUj6wkf^nFbXd+rETeceSmj7MLQGP^-TtY^YM9 z*F4i|y1d#1a%+wD^eeH0fXy2*`b{nrl}7A;B(@bj4JlOLF=NcF%;NC%uR*x_lX9$ za7C{sNx|kwE~Ay=ejJ8$;u-s{7E=hiv6}Qp10=u6@-bH8_}y1T@~hnFGV)&xcv@kk zqA&&%4}QFcD?6Uwc7BzUDp4&!2lEk5cx7TpQW%s-?uc$+v$U&RXm^jfdZ-nmFVriq zG2RDYM=3D!ASbiDje5qy0Tq8dJ~^0goPDlUi$VNz(zQ%GHE!q8;Gg^lB8_4^tU?UA zAc0KNhxrDaKLDy@QHm&Lv-pgh60jK0;%Unl9-jcPsQtCfjX>14tD!mCL}9@V zrmb3A%!ICHa}c?DL*(1;+_acHfk-N{{r=SiTlq>lX4)?>Fn7mxXkTzfvU*<-vNDBA z#C%IzZwT|Lnz9;O-Y~>{trL1osr#~p6Bk2QXz~n{J`N-+Cea0ZGtWytSxy$>1KKDV z`?=upNfM*VvB${7uaMrREe){-zg9FP{EAN*6GV}{Ll^|>a9v`LA<>1=SY;EX?>GeX zYt1qB*#s;3jikcKkYnR^>A&h+r5_gZ&D3uu!gIoiBzdziPzlKQb5!T(=83FW%c`PR zg%BIJx7T@`tO1RR8y@w6Q{>7AV=>Cf5EKxV4y)ZBu604_DYzD=@yf{D>If}A`Vh=b zGmfLVnH9}_@Ub>x(G9J{K7op8Qq>QP}+|kWg^?25Va)qb(TDA?O%^x3UJ05OIn<0;tIEg;l zg(dWICJND+saJo=IZAxApVEM}fvV#cT}<(*&B=iGM5^&>%aYvjHxYUH`k7 zl~YG%4wp`y<&+j|vZN3rU(#+izvJ43ci?sUhfLwj4+#W=7K*baY7DP0RAEo_LQrt& zzJd-$+Y^LKBC!`7k;Gc}6P}F18V`Y?m+ilH>Bn&dU>}+lV&|$6Uz|z~p z)z({AX3!x51=kWck;*8-`rL_LDf11`mJcTce5A*-d@!mOS`9t~aixf5 zn9#h*7P#Gp!cfL4o8)q0rdKG+Zeb^bF&bA|snnRDHv7bzRPD0_&=#Sv$>XnQ zU4tEA1GDYgU*m~Mky~1AgAkDSHEeZl`BGjefY!%`>+AD7;_59-4ltCpMP2o_d&K}dG}tefQ69>lSG;NvJmJnUM(4Hb3QYl$9I(d(wY*ZAK&UK^qgotHHc0N8n`JPYf z$ySoDQsW~!P@Fa3o(D~uR=`Ok&}L*ewJH+%!~#Z#rwwpaBlz9!)Phtr7G=yyauOLt zgURL(1J9Q)It_X~x;0{vvB(Cv%s;xL$nnseHghi^raFI;Pf1@=WH~#7UQG{zsb!bl z2=L(?-RgaD#XQA&U_alX{LJNf?;U&c(gyF5T!ov4md6Mxvnak`LS~*SiEWYk?;8v?NqR?KS{Jy>i>vxJA+N@v}t z!bkMPx$A=6|I)1s^FT{rp};RMv`YIBK1U8|L(DO1jnYN|$69Mi<4LGIqQr+#edwPuHM`C#CPiu}veACX{o# zFkXNY2wSv5e>-jE!FEMgv zB{N0eYVxqcv+AmSc8>~@BxZ7TxN?#7*_h}Bj}cSg6sOkGfke1;iNBwI#N!mrz~yYZc5oY zWGp<95FfNVz)6y2+2Og2iG8#g{sclbw{W`Oi1X*Vru4c5E2`N8acm8a^@tKyCTqf2 zi*L>>JlTcE@V$m;X?!mqmY?=lv12mE2QO^b2hY22cos2g#N3Wbj|mF8e{*umeI8SN z%?Zmz_|oCuoaV)%JZ;qa1LGj*cZNB8LP7hX^Vb6&Z!sOASOn5#0iTl%0-ex$P^qyA9J z#l!c$;~5T{v#vs+G{F}n=BNv=>pwrg?(TI^w(bmJin3!8wG_%Haana7!1KA^ni)l7 zeCQur*xB=cgs!r$n}2BEb#8PEA4H7|w!@rLnBAEAB zQz5A#m_qDJIvw|>Uz10p39HD5-d$ry{TDGWLQHwP>^WmHu;$S$DA^yb;uWeg4Uum+ zIf1!q+P+7Q(_ds~GjR9lQEp7*Fd%>B#|4Ibr_uZum49{a<8$1!U4TbOe#QT`I`_ey zqHMvZY4_R`2-o zG7nI!`(mQopEy?!4i-E7{cn$6s`;?{@KZ9{Kp4!! z=(pAEbBroFyAX-trH)IIE%oZYO0L=l`w3T_UrzTiQxHDu2{WC_Rra><796=W+kAt$ zznikhR~~Ph(Q6kjnLLgy*{ntZOE0BWN@0WyN` z-Bop5oXXKso0&9PKk&E#1jq=82_R+cOcb!`)WzFVz<@H1T)?T=XBlOd^o6Brxejks zVIincv57bXOfW0~)nBet&wn^mO{+T&sDA=>y{kVzOO>)-{ymug&59XK!W+e%C+hD9 zKE)4=;++gs7?529W#cFZBdW;C4**7cfFZlzt4@t3_x))^t+EZxI5~+N@ds2v@#TYJaq($3PZ4u+yG->ON%$q z8bn>F@Tmi_w@nf}{zh|L;=JS)Nn4nKoE==g>6zfNCV@0ooO~y+E*`c>>nJg6p);tk zO8tCFnYMCr0un2=EKL=_l_{V^Gnv6hvzo2h~E+^w)bQ$3m&2oK(}P_gL|Q0+vD{otd9 z8y!(kx5rgzE(RKr{h6$Pl|^=47}$_0c0vIOuAIV>a__F=i*T$Dp_9eA(uGK(V7LIS zVQl7}qyj!77t~vJf~XV@HgokhP{k*uWru4EhSm-&VHbcU z*01rbnE>akXOI4&mXIfZQcn(AZLqA^88L-^|W4E#n;O)>Q zE!t2jo5G5Mkh~U5hBzZW{qm{|-RKGP9ySR9o6e8BIa6<(Oi9#>ojk`qE;vc)S`$^luA5C<>(gG3Oxapy*S1o@Z%EGrXsq@+i^&vKqbs36yt5AB6_R@ zo>9b@T<<&CWG37tq*W43pNsvBj8d<^e@sH_L8Ko(hm}IsawN- z?BZOnVu}NV%3KV9-08uD;ltfEI6m~%GI115go!99myscWb(UBqlD29<|8;~RlP7hS z76+?oL>jr(sHV>0_Y9Y12n-~5zY>QNa|H|g*=?UXI@r!E0^EP0NWBq6uCJ$Oi5o5P zh$oiBZ`_OG0v`W#lcNdqZ1f`>92}80WVaL){_Cq;AC6OH6DqYYE-s|=G)^-qrGWn< ziq06RKV1}b-tZ+@MZ#SSyes1&I|pNu?@`;WoW^s74>~S!MGco)J@t&Y9OP$4BL?1? zbHfuGmnh^Ss`5W9L-s0_7FyinU{jW(mRj67njH|-Qt@HwCkW8&r;1T8W|s90nj8u+ z2r8(*lqDq6D@aE|=$*Gl^jqBe{`MMPAG)9&feLxV!n|8W^j-=LTE@y1hm}yt-{!ja z3+S3emft@C%>jeva9?$AJj&4d_TpglXyDD=@IQhQ$aCHv9>pqoxjEf#cK6THKxsDX zPt6uc;>d!(dF(p0Pq@Dl($H|mXV0QpHXs5=S!+>^TkA;3td1ZN%DZ`qpd?~WnZSBs zD5#J~7wIEj9YAzxf1Mr*<6a}UJ(vW&%Ulb?ByD)oqzWX!E^unHU-<57lN}76XLV)u z<)FJZ-eh+^5vp&^Ulky00-f+hfkB6#6ExQ@@W?9Rt`iBP*Sh$tYyyoMRtryoXlv-_ zW5;MPcQjtP$Q!7^Dl1qelB77#M&ujCgy$Z<#69)aYJgW zlls@%L8QP{4i$bM}__FMG5O(pGjrPmt+!Hu1{6J#D(l@OgM|0}RK}5qB z3!Ib#VI17ou|cRxWVuVGV>E2IX(EkgW46D891FC-k6+#vNFas<7aA&!nEzPek*)&e zpQSOjMr^^VmLF57vWd&cQ6&-(`HElTN5F?G$RH107II!z#V}xy@yGuSk_5pL@g|U< ztMZ44^OhohZX^JQ z_OFnm$)^Lb(k#TH{3(H#qAT9NA9{@GNIlQDF~soNHc%Pp^s@%GB=)eBwTbq3ivfphvLRk%>f@v_9)Y5(}LIgrW z$QG6XKO(Ng`2KI3@{X@@9T1N9LJ{%N=086YuoX)GF&mC0V9WGe@1iiJuEEcR0ku^( zV?Z%#5NbCa?nUSuA0Hng-tX@qvt>pavYCI3`=gmv@-L5;<4Us1J09q$2u!P1NCoIq zKgH}nxS){Hb~MQ8QXws%#1_zBzcv-)glZ{-i+#o6X>&i{Q43S?-bJQR= z-(*vUO(4w7$c{!RNEQRn{Pg@hWN^o`^gAZlzEI91y4DP{7))hl> zoeP!cdiwf~SsTCUkTHl{%kQPHTuQEsIF$}kOgd>bI6zHas%!ZN!9|RuO<3xA- zx7eT;0sJTW4s(XS<|Mun#ltJy>?2~6MpK{=OQohlu<(`hh#6&y$2GeXV$!s;U%6LZ zUx&t7A=-s6WEyK~pqoHn3}^5#1~#=0iN#7I%l93&;*7*a^@F5p@Q)S~ z7>hs($Ra|NX^m;s>^8dnFe3JVFyM!H9ki?S%Zv<#;*p(QbanM2&}b5 zlU4g&H-Zww8XXS4FUgv^HU z*>MAB*|nC*X^laL&A)SexP6~tN{gnqx~MhdsJb-HH~qN z_UhL7heUfGH(po$T3lS*Fj>I&NG@Da@Ji%QAM3sC3dS`XihTC`SH5`gMAxlRKC?fF zvErU`S48<3jg#JFJn$Le>6p!H zoZ@wbJitc+RJU|K9RwG+AE6?%8J`qWK>9=b9RzOoo60+;nTFpoiI6k>Hl1`jJ?0=( zXD!->IHHmoE!0KNVIqGQ^Ssk`HJzeor9|TkMB0R{yk|ZhItUXBrTc6Kz=Z$9wFO3g zb@q_1H_$s@{6_pB4t$!p$6R(e8v0YKCaDnVnuufgToGTE-G76$%KaS?jV_)$!`}b3Sv?oolXM7~)R6Dn#nc;vR5i zN8h~Rea1Ywpj#)@X&UreYW`4YVpStah=QjC$vR^tPSg4B{&E?w*eSZ}n5%^}@&~Wm zzE+d`;U=1Rg+T|!P4exy?Q9j+D@(WCDSCdN=uOU1P*FrOZ>9>)b7eF7uu@@t1Vc!D z8=x3+U>1;-$KSX?1p zkRFgILKZ(Okv7wHns@v9pvPv2y6~H+pDu%8p^v~mGKlW~kt6iE80n@+FCeFk|9RBqT1<+>qmfdA|8C;tHoxH%>?w z0*o>}!Bg}jCD6^KgP>LA;L76CDdh^yrk;&v0smRerLfOcJR1i9lIvv62s`~eA9#J|RFWBtT3l*o)>5@qY4U&UW?es5hI6LF+tXrM8vDBz;3VVoF1G&if-JB@1 zP$&ok^>C!Y$=G!`-<38eVGr5}axcMpL_#AR2e&{b*5Mb{lUTyvOK-2Y=f?ws6A%r$ z-bZtE(VwZhL`-IoUR;*KViNN^bs^gDoeo@Z(n#0~_+y4KSV%@iOzkaSG}zSaVmM`vV7GFIJu z11=FAjF_hNzdhfTyZ}a-waxTgrdKY4Sd_82^gPecp~a$v|9C1Xf!GXgzpErrhE(~2 zBWuBPh@IVizZS`bv+^p6u8z^FD7M+CbQj}mM(=r>A#rbdIIK%dbad2Rx`g}86*;(kASoA^EO9Ra){$X0iOf(p z`-K%Gv`n`Vi*}QlV>GaoDSJS&TeI6houB^nGjf$)rpo&>_%}1s)FEG-Sj32(XqHl3 zVo%Rh&V6;0t)cbrM=*BbQRQqmY))VX_LmL8&>mUAU|Hgg&$`-_yJl% z6AGJ%FPo_vr+3Oid@rUz|GU-m%(N_nqRFlp2MzC00AV6P!XaHXfL4tvG^#2)k`B#< zTr+{`3qv|lFVu-oODv`?0wjP8o&fg5i?t9gi{esh2_!X|ciyUS!py$iL`K2aM4|A+ zN&%I$kym6yDvbj|7EWvHL*KeaH;E8S3t@HmK-#M@$ql*1AVZg-IEVQTN4uE}myvWq zd9Hq!^>1MX2)*YHRNvhWbjq~2lH8v~si6F8n>F%X<^&gBV%di?t^20f z5bU4Rtp7#-T&xsrTtb5gjfv5LSQS4sZ!T}HgM$kc zH9vqB097qfa3$J_eCn9kZ=}({Z*R&Oh^?EF{f8KlehF*$(#-|n3YQSrJzB>&X!bqQt zp8QX|)Gj#wb@Xk7Aj2`M7eD!aL443@u$={H7Z{pnE11ER!tbK6S52Nrrdsp=`J?n$ z&BIr}!@D;T`B5}hkAxlQJ!^o+_G-w_fLGhnLgR{PXzwd&ceD-Z(But~YL+J$r1+xT z>ry`Sf+VM7jw3a_o;&pcwsh_?%OX-AsuNUiN^959KY>a@^o8Xy=*f}l`p2|dD?2;; zrR|KNg4dZj_@aQMpdpW{2j3I~m(g6|+qJ%rpsH^J{24qlmXO!^fSVH7L+$E-fMB#D z6ZtTlpz(Vd%LB$nr@bVn-E>(m#Sbl|$?@t3+h?{J$CdQ$hoan$(OEd{{^3Q>zRxDS zb4nrKip*_q&#qFEwm#I-S>p>x?!DEGrQ|=9^H{V=M<*lWc(*<1Z@bOHby*W5GyH-= z*lz1{J8i1w2Z4uVXg#33J@wn#tcR;9WjJ!U{ad<*PWBj?kM9@EZoRPGtNTW=+`joZ zp}wSa2TUt?9Dp?d{@?(%-O(&SK5m0vaKOa^DkdR$Fo}_n1>BtnWF6oyeG37$+8f!hnve0;VuRnjpeYAZXF zMS%O&E!AX;1%6u!92`Tor*q#9aWx3)p`&-Tl8B0wD=U+-09_L+P?bZISWek z6Mba1)=lq5pQ6b@G}rBw>$9{m8|=4V`GN+n8XoU+kcHK^_U3?o09DBy)oa~r@#@)g z%RJpVncfmM2M;O*C_ZVG?=f?m<|2ku;vNyfV)euVmggHl6`^R)l=DQChQN)spa`D> z)&wDNgGf{HNVWhEFi-`vXepKV(=a(?EyqznDF+Pka(ZwL?`17NA@5I@S+fGkV>nj8T z%pi9MjmyeeFUt+Pf&h&}{|TgM92Quv6X4LY1?1j`(wi*6#TR()PJP0qm45R6?YIHz z8Em!ibOCnV2HRjH%=A>z$2;e02T2fv8Nd3R*(JHTunv>rM{bqkMqdsZ%a zb${iuTYU4{d-jUoPJeC18=Hc3JPz+gM0WM4y>sKCYg;^(!EX(U-xxR8k&P{HgOagV z*WnP+JUl<)@au+}$rhq`+$hr9EK{ei*yPXGPF;P_XKAeM&DI50iUwe7pm823VBw z9KrDJ*;)&50Gl0FC1M{_<08Mw#FEJsc69isvT6e|s^`hE#e4x&l+AyR5Q+~KP;{(Y zUvIuyhO~XAmn)i8xXeB~Rn~94yjEDsa?h*y>8D<=xjy`oBB$ka9JEcXZS8M3p8Sdp zKKwGSpVwkrNpBPk_tU@G`ADr}a=5hdq1?Lku7JH?|p>uJaC5U*Id6rwYC9#dcn?Q$cRJ6a zQ2Z?wB_+B;4GbWC|IU|h|1K$x!{AJ}adBmR#LN$zfXM*I=Nl=uFQ~5=Rq|SLzvFXw z%d~0VAIVi+KN;kt+H!Mqfpxm7&zP9Y7$M2}$ycjhdF6fwpDeM=#o%0k;LA7@Ln->eppqs@R zgVJIk-Ux(lGSI%%M;Hh;TCq|$y}f!#UnT4%1-Zzs>;8F4mWVsrPa=qj+`9c4W)n8xL;6p+7e+EcT&(n=&=WX_P6=bv2_E+g*%^>Sq-dtVb z1mQ_LM{{R(Pyc66z#qM1v{FpgtGk%6{=o3&gK*bXvcug?|D^@Jb#mj-c<~#XGt#uv zx8(RNuX$cbezDaoT#CqkhD<^{nA?Ply!?wa5DTsz?^Igxca&32$`Qw=4mcC_b2@Brfm-pE=+tA4CXQiN3_rYkrVi`@yTOu7$V$ ztDc_b!eF6`Ic;RWxYsW$2fisAe~5aCw|1b!xB5=$2dDC{3!WVJJeLjvj_{?j2X}zV zo|@mH;v^@0$ari7*W1{3jyq^i{(NGa+-`V;Uzg)KXFaJN>Y$zc7MD@-pH8`m{Og&k z8@59Ay)>iycXaRDRGBl)pD&AQ7aU689pKA~({Iq}eM*@ArOO!o4`fCF2pnKKkcig2 zriOnWO!>%a2pwt>Q4E{2ae?t8qYm)g8~eKddh-~0FmYt#O|QYrais`!bZj^2*vRp}FkW{&d`Ihuvh#E*cU}%S>NNjdN$_aBC0_K}H7^nuG8!qc< z_5buKN`O8^gElYU{d2SRG&~irlCMNg=iTM=?&beaqvA|v1z3Bu(6wbr9G|G|M@gIBCfeyl3V(k=YW=@+i`8WHua(bb##cE$hH zF!v&9eoJzj9EExA>Q8_0f3Lp!9~ESj!_fZmwU-TYH4L%ulvW{`SdlCS+5gpM2?`Uf z0j=01#~VBOhTm_loiH42CZt4X1?#gNjMs z_?QbwNr37{&Rbkv2liDkp5p$gz@Y<~s&5Vc8f2=k#Ph5=zQ?IYixBXPIp!;^_f9N? z?frD^LsH^M!{v?M29x0NMkiK}j`X$o-XF>+{?3g40?1Z?7b=$PDuy*mEvv`RTK$PJk~0 z$aY;ix>H$v0KwL1v4SK_@6tez2oEAtrTV8RQ!CJ58iqlv3ED4ujNIq^Ku}VH_n&9S z_q*OCWMpK#)q}fjCCmCk2FzBB;z0;=u^l-;ox4UpOAVl%&>V1D2v) zg^QSs0;Tw)1kWquG%_EJ{yhB#qjaG4k7Q=t)P@!wn)o37Pox= zPQa>F1=@Vl9d{qvm`*{q= zC0q{x5|M$HP9!tK{&orq3edUQtI_px3hX-1qa|TmT2o+U5sH;~+Qe;b%*_C53pi~s zsTZT5nU-l)7vh7ITM8g_(o?6i5APL@i1HM_&z~*PXuUrN-W-mBcB#F;kb8~|_UF{5 z8Z-Ib_b%=&oPGI@TejBk;3yjQc?6wj{n%}=7tfnDzHY^1gnoyPFPi1;g%*8b-)1>8 ziD|&IM;7`z?dTMwm(zG8*s}cB=lZjW@^^zapG6MeRSMKIms!^xvXPv|k+^z6<%^D6 zhlOZNu9~{Mwq8z`ZP-h_<%^O9>%04Kl?Sc%aY(KC=P6O71@Agg&#YH8ojS?_n^Afv z)*qUI+MJHiv^2tA_&qUKP#J(emXg|9o?Y;pV{oV?z(bMac>4{17d)+1euH+OV@%Vn zt*um`<^dy1OHCEJ#LT0qPw2_5UVp7oNbP9>3aW#P6?NMu`T{ubUReU>eBGUK;2F6G zB{(ph_5BXSUSCJq)rrY#yUzYy9>Qu_L-Fy| z={h1F=c3S&utO>9oH9Di%1n4^+Q#56DIURj~LjXc<127;sjf4cRX1@F|q!{eGngUK` z(o(rD-+($wVm?k{@O(Z!zZD?A>AK}WL!A@GE@+B%>x+6u=I!MrU)*Fm2uVlH+yJqA zs5cpS00Jd|aPNJ9dAB!bo__Y8w~S*pJBQ@rbMP zA->S5bQ029Ayu|Z2vGrn3^O@V#5ti(DN!V;*n*wa34(=At4J|(e=N{udr0qc#y^e@nI72c~Kl`{%Ui9L~5GFM0*M!rCGi@OE z+RLZOT?@PbibKB%E^$QLcTgV)DDCA*hn{;`Fg)^s5e2Oac2@A_CrC2Y!M^l|u2tmS zp4fCp)I+c+vS<|1Y01!(V5xNM&O&aT0fOX^z2iW1OM(XmMh0m?)TfZDDxp^5-<%FE z(2~Fs{`kf>eR0bre45r99J*_S%4GC%H|oLa+ZObXW*Mx9G+`t%dUxuHBEhkDuc77T z-vIaGH|^pskLm>zK0_WV*=&uDH9b4i878s+dRC@q=M*I9&Axoss(W9BCv+#?`j1VD z?^BttKc2_0-RE6L&M$a8mi9q2x))r#?wNEn)X}OrJzJ3ZT79O!U3;0aP6$tE?~+#f z7;U&?Ur8+`RAul$77K-knDpFgnw@#XlUy5m_V3HiwkNm6Wg6)Wb-Lxf)>dT6MA2rS&<-Vk{&q_1&T z$OK-+Zvq)Z&!4B7O}ec+S?k^SUB70Fv*owMTS_lF+3>bT7Y>6ae;Djs+}zCn zb5r6#GT??Jejj&b|0o3O2N|#aN6F*LM>>uL9*dbAODnmpjTxrH>oGn`Ng_!_dT!-B zk4E?77FRv%T*jyM3Hz0_zKupvT&OHq^Qn(zQb}nT49Kb#g+igvD|h3?+%tRMaQDV^ zGphgzmZ=+s9Uo(RC{x0 ze-yZozi|W9O!Xc~*bG7BoHO9L?UuaG!AY=zZ^T0>5rsj*(U8!9FQ z7#O;vAH~_&`{CZ7GMzT$>P`@fku1kAqGOvQ{|QS9B$oC7G=j5Iw?Gdqz`O1$L&Yy} z0aOXlg-j^%cn71|P@hmv)_Ect*q*1LN2N&EOadwaT2A$c@`n*>MZ$nI z&dz`T$VM1an@;|4+(Ce$0SmppoEV??HzBh73nwj5(=MK#o*k{b5AJ{MiQ{9B;cw9h zAY)IwTGU9c7B!8CKe7}i%%huInEAUg)go+ThZ(<>jhcO91br|>ST@YuBufL#h( zG(yZ6VsJ@?CH}LzDK-#9{qKze)+@xC`zc#;f!|^mpoxF$90JBLqmpi>{D3d-3%R>? zl@h%qVAF5>dq?`_n7iaL{^i1W#*C4bG)mZW{)6bOA!~qc-CN7q*hxSw%wsYR1+V5+ zfRs6cvI^*f@V2GK6BEYjsb>Oa`@@0E2fwK`AfZ#npiacOxfNWlUL_Mm2qIR~ zc%xX29G}mGk)O+;^3~mE=VAuwT%rsQ`$cp%x|NN8%qggluE*w9+d7XNE!oUGrJO4< zrsGsh=LIjn{qon%Hq+H&kI^de;=(f2W~X||Z;Wq56o}OD9cnkP`#X`a;`OR!@mAa{u#qfu}V7e&+pq=zhBisr10ZnU_6+Riq(4gfoq$S z7i^31+1EqZwaS0dM+RgiqX-4&)jMwhod%eCcWdjx)=gt47Mg^e`6uP?6+cVj()rji zJz4WpDfF(KBW#^(zSc2EKKuN$-1|SVDc6?6z0Qg0AE^Ra&V!5(4SUlPY(87V(v+E~ z5K$0iC>x+V8I2)rCr@)?xAI0rYNr1uooRo{zfJtCZ8L|?ud>*Vb&jVKJHgU-el|rO zyy8xtvowp8HKo+d#*Qg+Ez>0(->cEAOy2J@Bc2QIV2lA->Pk99p(6uBMFZ%#CvfF- zvo?EGK#Dos-Kt)89B>X@b!EJ6PGfp|{#W?7Ck@rwW$Qx4n@c_gEzWPvZ79S4tAOZJ zPiw3HKCV3|Y4A9)yZNAL{619rl5cLasxU}*<<$2}+;!&mGW5%4NqY5P3hB1SG5LpZ zA|4Ja+n_efb-lp3^KYyy2*&@FLV$F`j@191aQHu}LBjYNnrdWah~j)T^Asdj$vnY# zzS}A?K)oenP@{LXZreFxnVdIV6*3w8J9a!U{%@KD0}1SAmqL=zKkJ)6ehkf}Uw)Ks z>0!B|K4`r0(Gi+`AojvFJafA$cM@?8`@R+`yXzqPx}Xa5)w`pe>Sv4W=vNg{GZC~) zi>(BGWkpR{mS^S3fmnojf8mb)Z&KykvAXDH+74N7j}WMa|9=-eeF~kKZ3<=$n80eq zRl83Yt12pM*t&NpSH$4i-pnbUl8KKBOOgMmP|O_v5%2NZr3#V&!95Cw;nf4yHn8;q>6i_3>hb9*l!zR{_+l6J5yB912729z zoQ6+<0fBi_zL3fP>-tv`h@#wq$2lR(QuY;W=-vhjhWsRtf1$9B~Uh)2? z*fP{)$c+twhqxtlmKL%jP3ZythzHc={$Uesf5HqBRx(%y?fW)V)K?t`4uQtW<~tXd zs9toa z5K;lo``+o%6`wHI76!v9fFf3{a%FNWki&qYq2UC=24*0W))=j83(%$Y6sQV)AB|#T zqpq(cKcTZKU#I4^Kj{IaFf^bcN|s&u+b@vIWzy7F%>JgydZA;!iN4_?0+QN~55TJ1 zWCE4$;o)INqD-tB^H7Zqum*7O;gV)yDKo91bx__UTXLHetZhgj6^MiMuTtM4YA{?g zLrqQOGSG5zCy;|yf6@Y~RlxN$8T%LCpGg@2-T^7jVy6VNvJxV@JjWo6hKmQowkr>z zh~)!e1$&5qhzq!Im(o3KlL-ccD^X&4)zT;y2@7yCAaXUlRG2Oy`z-*2F_)l2H~eMv z^xz_asUuYc;$wlHUU+k}-gjmemuFU;J?9rvWw9N4l#4cNQ_1osv5q|ch^MH_g+HBs zQT6~QIH87?;L%Ak(c{h+rAhgh=fPD<&0WLH1}mh0D4w$yI>KXMS@>8uCPx;~q*Vwqw)F`phJ*n9r4U)C30pBIreT|mQwL^T zr4-L9XD@eH<#XJ926Ho>N7B-3lJzoSEEkBYdt^Ze>@-fEOM_`*^*}em7<==+9Zn&* z>%3*14!1 z(H!EqO%(0)hago$M-b>W2PrN%6mwGSbvTCq7y6C8t*ti5+JI19U0v;qhuD~#b2vM) z?fuYLPE7k0r#g7`Uw%XbOL1s1GrGz4Rz{{ zKngVP*^L_;A}9NYT`fwoEk9x_IzwBPbRm&?XANm|QQEg?jqhdn>mrrx)@A9to-li2 zpDtBRg=<{wy{6dFXiMRH4OB?iN7I`S zKphg*KZw2(>g~p@`!@PM{|F8R_&WbL!7UVcqk(eb48>ZOj~nBj!iL*<)s4hOfB4D8AuGgx+kbg*=2X)}{Wn zvzY%hdp&yxNr{K5S>AqV5*Z3{q!i%((kQplpEeZt)VlI{*r0&t_D4-O_^4kedv-0j z2Q9U6@`zF^fyXplVs!Zj_$y}9Eheh(*69NYPAC2gLZodGjCj+Jr7&evKT}KGQd3hC zzfzHJ`Gp32ltRN^M>tk?|#1g(d@*ioThoZCkHf1bshgO6cFne<>TCd3;+bsV=eF zCX_t$HF3TW<<3Jb^S5JK3DtSWY#N?Tg!wu-l=nm9_eR|2P!_ABs@}< zGPaFgG3w{iBD5O8lt`oT!ag;Q{c}`&#!gSI$6-e2q+;-DX%fG~825{_Tefx%BbA$- z^|NHO&DoogRnSb8p=K#y6`)+<5tGU1zWMjZTTBW?LR2 zKr~_r*e__6yoKIKtnvz|!h^QV@VG)Knu%|~=QM2b-j#p#{uwpnu5a-as3MYn09XLQ zp>6XB7eb7;0t!g42Z6Wii6X>_5Oi=HwNP|F6DJohlkZ6o&Tl#` zpIFjpgK#wmyTNLGBjaK&mYUU3J%9}-XUD1%t5exoTzi9ABR09t*UQiLfY3e!v)Xhw z0Q34*2!@A5SFCTcRka%gXohCZ&MlR{9eBc|a^wQ;i8dkmEYce-xnjp3k6g|}BC2rT zsi(Z8?Vl+B-NnT6VgN`k0u$?@WnT|~l1U<-9}aEmf1mC+iX!Sx&s$iFn^cgv_dXn# z!v+coFE3lm#aCP#KyB2bj^&?vvtTTPTco8{=?|t7hmfrGXek_QND`nRb?4U`?-Bga z>N3Z>Z5@_gQnnWUfLwh~R5VPAhW)rnwVn`xIw71q( zt#J*pIVCjRtV|H_be~l$1N2UWo`iH30iMVhQkA@lq{J(7wslV)+1ZxcZMBlGniXg{yegHTYnI z0@RyEgQ2=%8fSgu3Fg6JFty$hVZ(zn`hp7xS$T6`D>MdAB<5^qOztJezdGkd?hi|Mr3#V&`E=l<4@h{S4!VG|qFSV}^*zyhvg?*)>^kuw&Arq8A3|-f zFEJI_W!!AztE#8;B$!XEuOqFrh@K{901ZT$hAVo*M}6)3Mqzi$((6aI&>p zi;oYtXPmoQeH43hWDjH2tdG>ti4<2000~{0~X`0eVxeA&RRL5W-tj8;F zKKzA%Vh&L7;zitehv7+-O2cU66bdj;cH*w2w+7%sL?2nigZyPq~8pOa` z`r-F9NrUvx73gJ|A&iuuKBIpPyW9^~w_&ORvgQzo=|R#TdN;nKcRs+r4X^X@?27Gw zuI|OPZ$M?c0?h&b4u!EYP{CHH?lRMaxr9a2r2U`}2D#6OfXGsi8C?=CK6FD?Px*aX zKmjw_&1Y=7wZgrkXVOx8n5;4+22|e9Gz)^?M)6)(Qc_x~u$^t`AE?fejncVGgID-$D@pad-97Q?9GN>Y~Ich*9Cr|_>H;LD+e&3tB5ravC@!}J8Uhho$nAB~zX8Cd z+#W|D9rC59``;x}pXWIP+7j&8)319qN>09kH`ql$h<$SIUEkuyck{C3#S-}lXaq;lo@Z84y1 ziw{DK=3LgvKf>^W&{YUEfvKzwk*)7EClOXu&ygMK?=p?i{}`WcrYMo}=B-2!#yqC0Y#LKYuGH}T zRO|EWpUVf|aZ;!RXYG49KETfc3xF%i&K-uQ;#?I<;S37r}>wJcA-Gc3C2dxeq{8*ms)yRDvbh~#>B&<&h) z9b6g4=bwnZnn-?8y&`B$li~R!u9u#njuYXK#Srrmt*PTccZ~!eU(E5v*M9nMg~U=d zFo!{0^4W(u`tdbl^)wv=-frbjjc0`CuU2mrNef)gR~%1{q<%f>&A9sR_o?>8;lXreBmnISY$6Lxg0K$52PO6fyCZWjDrej<~s`)cyHrU4W6FB~Z?k0eo z4`sE>@iVD;rRhmsPcoUS>`)TvlPyk){L67a4>Y`&FD+&~FWXgSV?JJy+XUj^Mzl>i z(@ssZBA}O`0Fr#>-=$^V#acD|&E5~Z7G{6Mj;PNJa(j3wOWh23X|(q#_`kh>e^5E# z>N^fvT1@y4&isEAi~1kg_WrMeS0F3!YY@$roe?r`UoJ}hS4<1h-P->39^J~z$uMc6 z$6SOJZ<3CvWC!UiR!9S|Q3w#F{2b&OZh^;~RW|O7UVEOqgRG$y4Gj&*D_9+3*Uxml zLqkK8k|trMv{;1evi$*`Z^c0#hYsVcg+trj17g|3QBdNx*8%!JBj zz@-2>60{2ITaAW$1w$x93m76GCUS^0{|YGsq6WXgEdEfp=uMqE4|ia`!3E^*Jr6Ts zP$Pt&8hl~W683CAZ4Qb7sET{#D})NnnWu2~+!ZpP-6dnkOWMOqN~dRj`h}vdmVk3N zMy1^&d_yQ-#3H^W*Su*ElcJ@2*fe@~!}7FyA@8i1UY2&2F#7XNPK9ua z@zN$e={Xj}BV7!{;ZiRxxR-!ADM-+S@+NJtrvce9Uh6&@O)RVhF$$oJ!BzH9CA|~4 zdCSaAF_@l#={+_*{?a@Ip$iD;c>K8f6Xcrwc5H8CXeC&?+&-FgUvk=bUDCOZlc(@! zDlX@~Vp5f2%BfErL0>6P8<(u1!Puwoo-!IGCQyd6cXDCRLdSkD`fg7qa&x?jQE<-7uH2iU zo{8DJ*v`V&7obv_Op2@K5vb=dpF+o2I=bRj$P`s=HC_o3nM5#4d%aGP53m&w3uXnq z{0;S6hUV9u6j+jel6ZKb@DtArAkYTvLL~U+fOpmlr5m|1%7hhhqzR-mFi)6>KDI(E z3dx8-j`vxZPQ9&C59R^E54o-mKI%ntxUbgk@0Ip>6*z{Mk{Q!P-^56RW$~m8~bJN#9dAYI*!u6kQy}iqs;|fOvf;4S?I+;IiTV#7% zNWW2w#B;_0%+Ew7`A=m=xwIO5rOfWsIP4$z$RQ!>v`U|C8{)Cb=yH%#BEMTRVVTZJxO@KC)@0@3r&gc1 zn7r}yvoEouKC(j`x=~MF&e=}i3aG+M3ibPWQXp`Z${PdR2Jvek_c;M(!mUKXX&?#r z9KSCE$UHcA-gJF+1gf?n5<+g^&S&!O1yl+bL&6l|4NTCY{@fID90J`Dj6L9G=-u1h zHJ_{%VFrSh4MYiOUy<=v`wBb_G_k_8qMG}fr1BomTgZl9^E7PoFMQie;~FhLjsEqs z0z|5yvr3}yO~7651*jPKvh`;O91_#x@P=^U1@OL#cH3mPQ^0l!cR6l&DAd6}>*HWH z>5ivVZU(sofkc7JPrBpwP=WiY(>?5hEVxO4^oiyLGiMcu4FGZ$)xE6wztpDibbiy6 zX)1u}IXp}bsKyz>#3w)^8a4+?odE6GghK>qHI+{}6^jykBuMl9U1AxUaqNV?lqAm! zpieqqe&~V*OQ6be>qT1U#!D?JqDBH$AVJDD#01J6b?<;?Xk+TCQ#{>VaCq{5w**z5 zRSfTjozSw!W_WM({MhgPDoX^}?xPEXh+_z;)u4 zmmZ?dEhhg|ViCOy+UmNsOZna{IN8T+hE0`UKrt_nCiCt5Hx(BUjWW0@L@vbl5c?{1SpiR z$|QbVUyuWpDOf7W>8hv1KNg>Ku$AILAU%uE&FSY^zR9Mv%|#4_Xl3tTDI>IHl?T9dbZwo@ovnlw{pdOw9RCJ-k6)ohaYgeI&A z&2OO2I-?--+1&Pb!#QRgrsC;YobMi6b*Fj&38JmdzO#%3y>;0^jAm}E+^LI-3pHjP zOH~f8A3aEDCgHG(Gxw*wa%x;@d83uWo8IR7S^~zY)=(k*2}4yP#e6X5L$Kag*ck19 z!szFn+*CzLbY1*|9ge2M=0t)(JLeo)Asj?`&(7x+HAj(HrQKnitNb+ZI^B`X5t2RN zcxS-!P7`Rk@u2$Y?GXkRpJiD{gEDzPi}mj1;ETr+s;q!LGJFmqYEncS7K)*~o$XSiND`w-BKgV!dzrU~cIrh)JDh?g$;3N*Z1B{mf z*tB7!nCgb*f3YJ9n^(K&4JIoarTimkFQ6}9R2P%#%TUT#Ux+Xkv;@!Q4_T}XFv0(l z*xBFr37s}x<};fnXZIrnDOq+=Y+~>_q^9cbL{Hz|-ToPO0Y-6|SLL^J1Rz5T%O@3b zI_iP-KO+jQp7=Tf2BYFF)7Oe$%c6#2rUuxj>IK+0$u&kpLFp~WzGKT^Wr2Fd@>F4Z zRw^6s^~^u;X{`44#lXb3@~hRund(z~=>%aJTVc^Z)yaU}()9CEKKk2Z?k*cMk0h$A z7xVeQp(u+WGKs?-i^A#c;QVlZn@O@^5bvRUf?$+Q1yqCC;Hf>AfHOL|zP1u$JR;at z&3r)*Gz)r>WDnGO&ahbAX|>TyQOnnXe+)a!p1zvDff$T4bVIVe%K5UzSSsiu#US?co&9#F~? zc^}V_-~2*25A}F`PiOwsx}OqSj_z{qDdEdU!|@|Ceb56o@#7a(^dnBTF4v>2WJnQH zT(=4gCmumUX$)ljo)d?0CSs9d-R_ffxpD2E-vkjh348#dp>wmQ*v_D1Nu}jSvw9Ev+A%C8@_?s*7M`sF z=p%2uQsSDW?4N5${>ajZtS29Dp~ooS*Dv(*yG?m3 zK_a{9s@O75EkCh(7`;nO*oIu5cAN9L^=A~0ZpW%(Q)?O#0;uhKxY06#95%!t+nUtk zND+ZXiebqt0G(Fh*k0ZXn1i;oFuMnKHJFtX;Af15Fd%tTUHQqa(jTSS!zmNq}YE3nyqJ^{dz zcI{mi99T1?gp#LISa-lMM7!PCwY7aX>6w3Jv3!c+KuG-Xt_DpLFDYHBd7;HpE9M-f%UzN>QQ)M&GPns}z`EKn-GhWioVUQwX#N)=TqEwC5ph}(Lvm|3 z4awa2oSO6ev7Uvor1&$vilmXcDWxnK_|1Vh2ZKog9Y^(K<8N394;n@ESY7+&?uNxg zjvkKG*xUjt>2TP@V>j+<6OG*!S=83T%Zc>Z7B(2m>3jCrwErZR?9{`iNos#E=k)sR z+1c}+93k_G9cSsewRdOt%bj|Ql(x1D=~q4XyUHvpaT{BuwfD9H2a=rJ*OlB7TozY1 z72_kTel#`X#V~2qH5uK(6<(bJ7X3v~ zz;-@ER_C&sTgGL-^HBRnLCk>^nYQ=e7jaCi&C<4*8$gA-fMvpI#54me``_YW7u$e? zrrtqky4et*4ut#O^LQTp26TIHPy`tDS$io7E~jZ)*F;gC1^*+Gf++A@6OmG9dwU`2 zbXLn4ipfcq=?63nBF14@+RP%L23KNP3NC^?$|!~EwG2fh-*#(4ZgV@6mKvZtDdZr9yWdFS91KI!bjKQ9baj3zD1#-m4^ z#~sPcWGBUgj$Fi-T76;#JkQO+X>&)}$Slsvpfp&xU=|V?1f^Nq-b9N0i}Ch=c|K<2 zh`nBxGu9G6vhNY`dtjTT1_+pkexQS88J@=7eLt#qGB=a5Isx!xxettuAUuw!HyCf@ zo1BoTmv_+~V*>s;n+am4L(52fw*sv(I5xWY6>6|AimbS=WM+iFdL^*(BegT?Hr=hC zCGt|0?{A7c<9~DGz$f%4R1~I*m~>PA{ToOO4|vVr$%m%F!p6X4p&T)= zD*Fi#?b+^|Au!lorR5y%rL&WtrQL{aQ*Y20`1)tJ<6(YDiW98y_@#5cKVa@PXS{Rc z!>^vuM{~1hcr9IL1Z?XcA71{Oypa6&^xT8x>*Z;|isxqM=4Es8fQO^{ekX#k9ieh$ zS*oybC{)LOImPlr`(ylGyNukdFDbvH1!dz&*H_QbWF)jK`FKRTXXu;N6RTog$kAe4+ojy+fYN;eu#I~_y_ z+S-&do+~H>=ltkIoU|b_85KCwx84Vj3@ep#BS)8uhf&o6GIdz%prF*-KfuR8FAWc! z-Ay_;mOU;9EEuEnZW#)Mu@Y~55PN`+qD<;KIZH!P>IUAr{^3_T1~R0_80GN-iHrWf zf9Vwp|5s0l_J|)Dw~hH9-&+4PHG5>y!g$1g^#Sl>226Ue=KlaM1cWcMZ>{E}i1wsxm)A01U~UU1n@?2Kv1*_*HjDWSNM z?gstKIi;D@zxqD~+FOm6iRKxEWn`!B6`hwa`H|b($Lo$t&Q$T699LIji0w!p2@keV z;JQlfl;?Z$q@y+U%7LJ(Mc_ff{q05+Pr0|e&}*L!)3tW z_N$Jw$yg7#DW05$D%dW%ZBv?u0)YB7n^5(+WWZuAS;_NW-{DK$h-d1lv zTt<<*GnSACmnt+sd6Gp5IQcN@kZI6CfpQS`E6%2mh^rfoR1P8UURnIDuy7-9`$6+Eja zzjZHO{MpaHgUbPH@zshyRe=vndNB+=d64Iua?Rd?rj2f3QD9oR+4JGoL4EYrc74>< z!`rGmu~q(?;%w$m)|Z94OXc;U@cq!b6n$S)+^oHz8C5*t(+QP4tFzw{+3U71){FD3 zootUY*s}K=+BIKOsqBQ|7$*OsTf`d(DKD6a{T_EWNf3{}*y^6EVk~2K#kQ?w(kz>G zd1KgPMfQQY20JC4cfb2i4h7aX>K;b3FMhV)==qdCwh|urDl;j$W$&O>^tS57!1O?9 z<@7r*|wQ)#XhCha7(Vgt|#mrcf0U%O8N@Rk~9|r zit{|z%B26vyB$xMd>o_ep|LfS(ZZO7 z;sV!Ye%(do)N#g*c{oW)%GKogpZ(B6P-S*|L@z^xHiqKsrEsaUfh3f^@7VuTCx!!c zv;|42I*2RZ?7778{&oPXKC$p3Eh8grBi*iB^|yZxH@&Yv*6V@bsUl+*I2GC;Vq<%$ zrt2Oh%6wz^m)mAd%q`EoUg>w$3H-Jx(t!|&W4&`DW(HpOA24HYi}%|6b{37q{HJml z@930SB`hxw0Nzt!Y+i~G%nYl33v6J?-&s{&-RWPjmG{ZA=Drw&gB~3cG-7wiX^S;w zutvp!8v9Gy`D`JDgnl1lRw-NeW0CHa-C(kl9pvlSdLzIVQ)6D$EIYvS<^IxwO`i;} zJ|C#Ao1!<{VR+BT9Vc;^Z+v8*%2)Yzj}p4XpGsf3M(+h``)qn~Hr=axKK(?5khcT- zd#S~eqNSpfc~sZJ?D@kDyRrM8U-?ZYW>o8tGq2=}PXm5t^ypOXMD*Yy7i$epqt!4D zThl{`q&a>A8=tkut*TnuCosix)t1cm(S6o za8fIV`J}I`&oq#8<#hbFj>h+a7>e48%K+p}6zbQbI+2r7T#-rL^1X;uHdi`s<0LFU z?X9VY=dGh{PZouhxAw1@$||OZ*B+Oc$FaUXkuCctO{Bi{_B)TqWJC8?EX>Xn%jBZA$>Bxp^215z<-Y4#E7r+cyiDeX5^FzG%7m&y{ zYYr#a)a!$i?pfFD4?=LLHn@2V&nwredb39hD zyvEj<`;@N)uE1QZNg}h$g$c}kw=X7`8doQ3PGuPr=-6m)cw7O(q%WaDo7E~?32?@4 z=8Nwkz~s<|@Hf2HxU!B~f^dr~xb%(Z=zENg_{2ms;E!3f+my&yfb}1Tn zz9$al>xw2Ut(VV+i~>-4VFE^%Fw#1+vGVO+X+*9c-W3<6)vb5t&?`l@T;j9aErds~ zB46OFpA5NcI2-fu2+nCs0+4@9qeLeyD)h$nd^sa&Lf`K`xr$Zfy9;K>ogVy=z`J^f z#Y8u@J1QCR?~_5>s)erv%lq5Y&gOt8D*K_4N%YwYsUPIgBE4u zPP4a$vjeT@i4>!~EvD;7ilXJ%YhGrITXtKH5F(L3{^nmOuh+KfXw)3+HnO{5Y_Gl3 z%8fEdo_fMCAX$ahhAE=dt?6Ab5Td%_*;^3wP*~OCFwRNf-~f-IQ={tQcPhKxk|9P;ph zjH1@Hz;&`yFS1(6=VN!R^;!Qh0>z&(6!LG=b3ufA@ljG_)t0lL8sB>^vMA3NVYx2j ztC3YQ65m_32dBIr-b+*~J#IFNi^=LWp4szB*K$(Xon^OvpXJP-^0Ynhk-K6|I%jF= z35n`!+3Oo_XKtvm(or{i(j4KP89#0mN_k!v;jubRhKxKGe3yjf7XMOnS!?F+NsOwg z`|}FML!nu!z|2iDR*i`1+536pnN90tV`DS#i&uc_-N`$EQvia}y6oX5&jbcpp* zDlbp?wdMz!4BjEfXUCZx5BAkLNjSG4Wu4IgE!uar##0+aa)0RXg(F8MI>tyMH@=KD z+@$SVCs{ZcGQ?ApYsf|?C@$JF9(NEJ?=10liyKts8;YS4-EB3-=z0An@cO|QwgTyC zw}0Bs>wmuoDSYoAWx-;%?;~gC&C+8dT4tCrX`0tH{N4NK+Bac!?NLdzn8bJLJu<2x z+A3e(OmoEv2P`8{TOWSj!XbYk4|m15#(4yN^X*dlK5;r1qxav~#TK#KB2}22gZ zw$*qq3ANLHyqMI}^GGrRo)nt4G}r5^a5!=$;OvpTF&JlwnqMm>9zq+fIW5&WtRNlo zM-=$U-c$Skbe&Q0bD^GRvrlEI?=ua8wbyGAC4)e?tra!}?WxV!D-Qm?*F=RUv{nGk z>-_v$;kDOnz6xH=-BrI@!*LYD2@d(n@6)wC$4cByCRE^iT?PK+C6+Kg+O$vlu=`6> zxz53Y8JEjEU(R%AQcgleiL_g$NyY?gV`11N>5=Y}*kSwQ46&95f)KK>oJ2uz^C*MU zIL@jvK*W;Hapargi5!S!gydxrz#SN*B#QAu1LMQ zlAUk$H!YxX92d1#Z0$3dWcROQAPG5cy2Xx{_hP2#WL0#u05xCf{8XOZNpF5!soK8& z@8d^;IA;U;1KZnKN=OO6*er+qxI^Un21&N)ePNbEvgYgyyU9Q`H8K`x~cyqNisM(M1JJre`fr)?Jn7-M$_qp7#dE?uw?nu0ItCI?vmikMevUnzSm| zS#TXWk%8K_-;7bmxf`XqR+q=>W^$?|I>}+YQ{5i1@JO>TZ}LyO8>Ra4TsA_x+(Ds= zs?mAq*mtq=j^^dC+CNpdbg`+r-zLS!= z!z6EdM53leE!ZZqUxk;xR??@~BXSsDKyNb!WRI1XqO*HxfXCIB6&$)W&8i6a=9!fIP(j}ri4o;Sf%rcsa>o)O9fd&Oh_N zm-{yNH+!9y-s4_{r_a+h_tff6NSvPk#S-35c^^ccK0E$r!VWu7Ysy!^C(^Py~sl6(Gr4ZD^2twZU;P1V~xz$;?ZBf9IDxB!2YR`1AZcu?~X5h zhb*cylmFVRrq`=?bd)RHZuMC4Ds@y7zaRAxjLKbLc}Asjfb_Fo(mp48bVFZ;*yZKD z2r*0aDW1o34{^(&@{oCVs)oW{h=p74#ZzOV>BQtFopUboQAtBn@`B=zw1XNp7Tu;% zbfm6n7U87_KJS^0f4}&_!-uV99{R&;v^Z2-Gvty(4SYg8Yrpq+)L9lz__a=(bILVV zjIjfrTPP$vqc^A4YfUgVs_$0Rb=TcGPsN{5s4a5k35H9He%~#rpLEf&*wzmNj>? zgzL!CSIDs0*&gI&<&HZ$>FDwaww2k33r(kcB?O2%QL9&llaXBCCGro+*iPs07Dd$y zH?U<6Q|uo7nYh32rsqI%KtMLAS#EJBm!*GMY{ZIj%ybziX4B5FaJ(Z?r_%IPXY;ZL zk+o@ecAuAj?&FxjrTzNC);9Ix*kwk5{iLhsyFy(p)sxc2FWcX15yTIjmV~RO3-a)P$(0{fd^ekEYHbLln7{ruRdxMkA$_^% zhAT@t=(8;SSSO*P7v&tuhL zt9YGB$)n9CZ&~FAz`5!1J;EjNbk8H&and5oxz7@~vJ_!)6uwhN)KS5Lt|x1HQOYSg+;TRm)Q z6QJPRA;QBkd%UQEOs;N+3SrY67FRo+l=>j{TK^it3$WJBxU{3_DsPnXNb!UW0I4MHELwl6{ML!Xf+%nVi+J(p*p8bw&s;kz~;>HcU; zS?Ftz3S_CQzdZeLn@TJtg`(k`Xh>@piaR_^F)vk>QbhviS5BqYS`4P2SF;a-`MOP`c2 z4o;n-9p11;P<w4lCym^p95L73R1VB`@eSf09av3#RE_Gl2>Y?2pBh zx9HUy*#26_EVTp!|EXYE>w&iOh>Kx^UWK!Oj@BneGbVyHb{Doq24ZJca~GTiBezab}C-T=id%| znxJ!6K)|_|{Zjdk#!PYps`@a~nby#U7PB=vr|xL>r}N{D@2_4}bbr0HUC=eXf7FP| z89HCdwoY2-DzR8UP)8YbH>9$?(NpQX(%Ec{ zo2a#R$VWDMo=zCUt6sep!K>{@*DX7FI%t@~t7$erG;Vww|`@>nqdGk|n!?(#cq+mzNUa; zr3tbM2&Lb_;6Jt80#v8uk3C%D<{V{Y;2^eZ=QQ0pPdpgR7j%=5o=#>xiq=1#0YLQ` z$Q5El)1$AKu|?|lB2^R#EHwfet{ZXP%#z5)_}c_b%qV#>kze~^Zrs~%99ywWPrbb0mud( z8nVpo*js{c@ENVldFgGqL)N*;c4(_@Y;maWD;($&zNZ4HoK5hfyYWSuDTtWTjJe(y zJT3Z}aS64&xjJs^k6(s;S2A{mDSEA0W3|i{W&IJNr_Y~Zt+Gz#YLIE!pm}gLySCr! zbKoGH%*dA)qvVsPO6{^&|0pNK97?IarQn*jGK{vZPEmH#Bnx3~z+nCTx^PFm5iM6z zm?`JYB>g;vV}5r>9Ldb&goM<+B{Tdu^*h*q0R;wjSJ9NwnZ(09Totvw%Q59dt^ z6=+F^R5CnB-Cc`@$cphJ@(L=g8!u$ zG0SzicQUoPyS@2)9VXJ{;^-Ms)L_9toG$8Ep@vbnDrwKd&WABv{h3p zkdgQik2GqX?7AD05p%}q8=i8;1!$))`M1{G2uv1)7RP*Ecn`AUG9Og^mDbj>-tda5 znWT!L9uct?k1vUmp!BGR2PntGek-jrX7u#s(BYojt%iRLt zW23hU$-}J5DMiQ4D49_~xy(6rKnVC8t7CAphJDtfvq{_RI^!`1G-=V79()ufT6!(7 zY>3+UJNv2_d2`FW=Vx!_=lZV@oFGT!&vPZ zk?9{*B`epgzc4N289YGaImeaPr*JNXiS!k?P@l$gN2^gk=bPnPF(=Yv{&+}$HN$Nhd%8JQBxdkz4wEz z(Yum7u}og=GHdU@Zz)U;t&;DdE|ERu+D%~6NsflXj6aSI>L2?X<{2r=?h;pFw#Oy-ID_Oe zzbt54T0Ho$dVr_VrR0zZZEN}`!fWKGd^kTs=GBIo`0%q3!AT>8EV=d`RQ(N*ft;xi z{!ZX$B8waCyi*H{L%^WlrEl5c7XMfhn?4&Ofy-5lwl=wbDU%`i4UvFRjZw4eC2Q9( z>xuQnLP8;p*Ylt&-}3n=nzk9=xBt62(Wqw4l;LhtXBZfm&M&|*C{yz`bfmtsdCf^X zVo%_4vxFDV=>@2d@zuKCPYhETeAb;c>QY)a^+D2OUd9=^)iw{_H+#BX+POOOBfdM~ zVhVbyaqZr^{0{$)4LrABK6E^)cDOudsk`pKb2kJ*z>AQ>ULVbema5UOzLyJ6qmP94 z3j8$QAALm(OPCA5l@%k_#TE<7)q7hI&2N zH)Z?ww&FgC-KlwxXu;GR@f%$9TaGtvR2noVJbipzB3|m~FA~^o7E-}wv--nan)qb; z3tQ?=oB}Bp%SJ2w8XiiN4fg6G97Pq01JwZ& z#Gf!^A>IV$A|97$Cr1JL#F;=L{3nd+{`gd*PS`u*;r>mCRfELqqb21}*&kz&ey>BC zc2XYeRpVW-AW^W>a2umT{d5u-yBTj*k|`BP;|0Wcq~Tm;nwxAEsk^~Ur#mq(FYp*J8(#gQqMVd+ zKi^)JdCUOq-InyK0+f=p+e;Vejryx|ZW_+y7)a@+RN$eJQW=YrV&cY;fj;G^%iqj44>P%-dE({{0m?eHvRfFT*rMUA+Vhtm*0b3&TOf!tWGl}9cOuZ zT23$nLYCpNR_x)B*L&mGrir7frt4)tw!P7q(xh6A|DSx~u@}MG>*P#7ETL$#0-7O_ z&VkZe(3$gnIkoYQsO>hE=5+$crs+LBKh-(T2SMmK`Y)Jxa%;jEK{I9NA9>(x zTB&0g6|ij3E%O}d-}lEnAr40w4!@cM4%#tT1x)9rUY><(U$|=)(NEZP7fZEYc6^Cc z5ou^+ECr@yw3kY)Uo2_szBrf6`>fvFOsbuPAEkOfon+w&E+La)EtQQ#iml!*Hlqvb zG(JyU5nf}}lMJL>C7NP&^?R;*JvgWM&f5V>AP(i6QbW~pq5mSg>0Iof`;V{_O_mp_ zk*Q@IJ2bkMf|C920@(v;8 zuAdCL=bdr?igqs+$lqjAroe{m{&;#wEh#a*oDkD!(>eYN?e(wOkoBc?x-iREr9@%e zvbd(Ls!OSF!oBB@dT*GvdYkO7uI!xk11n?wb^Y42E%6eN;oV zjsga_ST;C0rj~OdAVQ)9zywXa^x@f7utkzUd4~;Gy|sQMeVNm=opp&v3yEK91&1bl z8e@m^RnIeZB)kn}ybpF4mC|D|`MyDY(|M}*d(6?Q%i+cN;Y<{8>rmEE8B0ks5rU@e z5-?JEv)0i&IA2Twi|W3Su&-q|)spLH$Z;O_#N^S3r%AXhr@2M^AnEi`^TyzqMS8tz znCjSYTI(U1jWF!MmCO0@9!q!RL+1p5LEI_BSMcSbL=uL;ljOIKU~`0Nvd?t-oQD)& z16{xzYZ*fvL8jW3_s)o_Mkd@WAUjTFf$a$?&9j++75Ry4Fe0vxg-Po9GO0cOqM~eP zsy7M#4^xuVqj5*q%s%_;V0UagN5Ml+$!he{s-r(suAR1v=dJ%th7G80h{g{15<5N;$L2EPY(x$wbS)t>A_1^6gFEru=Hq3sw7mF0fwjO62bwt0WSp7CutnpCj!Js#=@RM>d{}S>f$3^PIOOzcOvs z9Nm^q&oKWX{GMqSoGZQ8yJ|x(@L{Jh-QXoF(3LM2sazSx5UC^$}M@!l*eRTod=Xx$%)h?ZoDj8%Y7g0 zB4fTsrSP2%MxF^Q=o2epJdQep?L(K28cJ86DHLo1M+zpt6?pl+Bv+9^kkSq)nTY8MkOtXSDp6ZfRi{2r1`eD=*Z+9;!Uf7iUn z_U(sg46stgOmeuVZsv^p*o9&(`f|gDoWiL)+`(glG&f~HYg-&b`D?kiVxQIno0LY# z=bAugdm@bAgi5QQaJ|3SeS^7zt12QQBKDiXs$h=WA(y*NdlspD^POor5|ZX{gFY1~rDnDrkS>%%^YaR-(hV$f zl0j>noM#3!Ejui7>_m8D)O(OmF{+4|dIpLb3`#>IQ z+-K#yUsd70u{I_&HQ{7{jzjfFmWR?P3rVOec+uF_oZ-@56gOpVDyqw!b^UpyagL+jSh}lXMcv0jdDN6L~TS~BU*%+)ebUjk=SrX}ya;rDN`jzFU z(NL{o{92h@^69)1?9OmqH5XYjg({KSJjm+upDs)Yf{Yy=`bv&f>U!F^cj%-UmvzO6 z7S5gtb@0Qo*C4Q00IXLSlfIgtN%+6nDJ`PS#>tI?mZtfKtn7=TIo5v=ckjXd^0;vw zg22`uKgvWpEmm7>dUkoQiPWp7)x=w=f z=lPEYaO146xnLgNKO5G8vc2UjYg5lE-7mK6TsIg#%lp*_ch?e6c&#h@EK6}b)hAYR zpG|*Wq-4s77RYrjMI;V$K38`5K8^2QRBCLWcwGje*N*`RO+LS_-g&~ink>oRDde7ClST1eCL2bA))gs_@9f#< z*b%-n_W>snLHVK4JWtXQ--+DmmxGQC>nhE8o8`L-o{FeQd#or1IY$W_9KdE>dvMt%>{I84cUJ3#@z?aksIty)#S^3tnk=(rKndc)Q>haZ_izUpx?Jck_p>sp}rxo1?E=u>M zaYS*KssrA^PwQ0QI&K2mamPvjbGa>Ku6=z6jAL*9?>gK5PkyccD?8j4aH{=4e0c<( zP>jcwn_d?tyjN>mFQe@$$raVmt0%7_;~diK-_6IDvmo9@9o5spVOoBI*DuOXYh}6f ze8H;%ZZ+6{HU9?(9Lax1Jcw^OV(0d+o<9hYsQ=t}uux%y|2f!DU@`drv*Zz@P_3YxJ z#0Q;ceTqR%n!o;8Ux0=pTC85#=l2gm*Q7~bxz z9F?Wv{lPyEGagP1rPACZG-=$0_{|G^b<^L@w_ANoW~bL>X$T84t>2QooW>j$Li2JB zG3**%7=sl*V4f5K>llcr6S;54fb`|f$#eZ#fc~wAxyDQWm`2K;h?7pmi)dT2@nclYx*3w+q7U0+YeimT=mY224Q=~^% zbbX(0kO+9p@?z4Ed7=PXxN$Gj(Cfs1mEoPtv25O*JCs?hw|Mz4U*HLE z@dg!kX^K^uU&w)DuneLanUL=eNWaTX;+tp@_}rHfA6JvXypRY}PxO{(9ZivCbqSQo zRx*}khRn2id&0kno3ZlW_X(jzV+QSTLIvCd*1VX z-UEgvV2*$M-F({gYL7M-0G(d!j^HQJ27FDj#!rBIJ712eU+uW!LQ$JD@v}g5s+&2A zW<|>IAN}&#KlV?NqRJa$C&%KM+YBiW_eV5^>5A1RGKi^aKhPh|u~pdco6TZ^LgyqQ zS}DSy_yJXX5qNX}`{ZXFd$~Ip-`AX`WxVz~-w|z#=A{@kiCA-T3`nO&N6#un1)W$z znrHbu(7blMdI7^6DsxJo{F1D$*F`V*C|AdLKbK2HE!vhzK6)7cjz1LR2~^~D2qW{8 zn^$-!b~`nhGjqWa#;N51kEigluT+s#XDP7?e%oTFJLd5E(6>ykVdKL0bVK->|_Y1?Dutbyxpb7 z@RcypdM#sJdpiu>4=K2}X7F%?(>nX<&X~--no(FoW2ExFxY8;fsg}v2Xs0m*id6d& zR6A4(2S(Kh2kcyB`ATW{;u)eEUCdF79yK!3QM-zi*5n6?fJEe*nu&D-t8;HI&6@pn z(R|DI`6?@c9oQ?MfWM7zcd4Ocpoi6Dku~LeT7E`d^q9gxVl8M?Rqf247OIQJ$hMeT z$aR@wHjj0QfpMFGft+&K_63`6g8`6G{MClG(-2%6t5&I9;c<|k*eZRpE;*`mgBx#l4~U${ zFt|#9zX3+O%HRHqvL}4;d1{~K00<|8QGpWZlAk*dla&yIxx-yGHlK5&1P&E47^H{0 z>{@V@H~xTT5h1Q`7d#OM3)NKb&`{kR!ClepeAMS`GMajGw-x2Nlq-g8n^B@ij!S6Y zg9?US|F;g6i42YFU5gs6N0^+zGGRCxXmtkW;2~4`r zz;0lSvhbc?7pzDGhT6?7t0jeblvF}N()QLtH*66DCPS>SDYZAdz_{e_qTDcwNDQM#$HFpQZxE~x zzO?SOaSe#(LnKa zs+nkSrBL0$E9&&Fuv%(8gyOe_-ASd!WPIN|D+Iagj`wQ`DjD#`t&>GC?9?JVI5TR= z&gblvVkzrHRd~=XF$=qM#q~(Vc3~Cir3B5B= zYVBPn#*r|_1_yt#0so7;#&g2Z02P}%@A%&^WT(^R6x=CYsbA+HZi)J?-(Z%)HA77LUY`16*mW3b+jO z{W5tyT^{RBbF?v7O0FT7ldr+;ycl)n?v)_H^hH!h97< zRt<`^wHEt2c4Sn-T@-(6dDhDQ?|wJUiNR+|v|fl^2dTgFXmhn>ngyYC&E3aXtQ1U4 za(!@K2}_Q)#Z^XtDpQ-0+scIi@w;&sH{<;nYZ7@-v5hXB5QjbAgNdg8A?A0?5b(npU)V z4y1v5{sm-v{v!L{1;7J;{Ww-qMpJ|1AVrcE&{oa-e6#Gj;D+Sq2PycDE4sJ+A|?NI zJp^4~zRd^NfPMnkbWCWBq_7`9P`_%~LzB>~xn9@-!T)%xup+0^6;nsG1-M^DyuL~6 zHyxEX7ylgR+6o7jlMGOKpXlP*h#=rHXl_Q<1r^%>{x`}XI4jT^X@Pq<{L^tLRi+w% z`?u}u5O|$;;*X($ySG8j1a2Ni_tI7>ZHLF*8TeooV%rmGRp2|Dm0j{W4`PDJCtZra z{+5jZ>e&gfCv9{-XbZ&zu2oYhAxxjHW_q5wgNGig0#MJSov6blvh|D@G^+{Ha;ovV zkjlT43FkOfBq{H+g>2)nv2;P7|La6AXzB`99ODWC*ZTjX;0UT374k z5asM}0sRJUz<^tsoSYy0IsJpoekgX2Dv4+}rwC$qa%61cF0G5jaKURT&Oh=5gGon= z3f=rl@pm56j0+E6+!+fjqIxC-O~SR3UKLY;o^^qt>E5e^)qc16BQl_?rB|+e;Avoc z)8P&!yUB+5 zP$_1R&IdKR5U8;rm$r@aGkqBKh|y8wZ6`}3gt9@t5#63_CE#BXb0fyTD2( z!YoT)uK@#h?TTb1`6jPAcZ5&j;7JD3njR5!zGZKqvUzDwoO=u+D|B%D2UdaLJWlI{ zXb6)^&Lm(r;T58;A20vI+AXaq12pEj%XB9|3K(Mmq%ggGaZoo{Xn@8+g6-@)&Z3jj5+Y;V5xC zq(rdyc7`UV?=_O1Nu#=V%x$vjmj`zY7~zNS@qblpl`ce=4Qz}buUkwflEJxR*o9J$ z@M}?Y1}n7!UwXI+ZJ{`@47PdI3=ENr2Tpeu?Je*eaMI7y z=IeG!sbWq_o)Q-u78|Wir@3T$ws1Z*Ao2W39$d$%9ni(*GoG63R`PYkhYW9F&r?6ck2TQ3Rp{0ijrCoHg>DahM z@_jB^0bqO!3p&Nj4TZim%TTQmQ_w8)vmbP&3lSkFzp`z!6uXx8Dvf0MVKko^GmV2v zT^{;@-fI5XPyup4Uv7RWHz*{VE1QA9E}T&8Q`>%D7h_t*z}RVHAp3V_rEMZGR#1%E z=Lz?J8abW3XU+bTksP}?^}&M&m##pUl$ljwJDZv^CkWPTSZkml9132%Odjb+9Y3n_`pTMr!c=U^$# zjXyf?P~AZ+|5zFp-JaRm=)vVn3^_iVfT^Af{@Ij0Bwl4An}bCGFQx1$ zLv7KwKBuaH18Q|hG9I#}`-h|7aC;245 z6tM<<=N3cfb}aMU4vk>+N>9MAudYBaF;Wb+9RBWUOqPgcdi~>gBocRpBRH)q5~DMe zZs5fIi)p>>Zs8zUmA#J zI^E-JH<2EF;FfCD$A6==(&vsHZCOdBXwNVv32Y%R`_)ckV!;pC8@Zfhm;K3;KyO~(P)?9mi;1eVa}YwyYwyZF zDGccFDvO8IJ}Cnv>=Q~)N;fPs-OhhJ?*Dh&J${1DA;ni|9VzHN}V4w5NHVUJrMBmh0%}>yv2i=&I-KtG{D>*`u}VvS;QAm6R(#;)V++d@oA|sj5VkcW{R#d2#PQq$^5isvdoWKuMtu! z8gfv@J-LiRfOBdT6&>1M=s0kCYqzI=6GIGjh~|^EN7GB9xEKAUgR#pU7#=75j(X}F zDBsoU!u0l2R$(G)li-sHV#>ET=!@_FsU#zGU{FY93A|5U^UP~clOTFhHn2mIL2u~_ z#eqWngRm9iL8(Z2!9wZ;PsxM(h^AQSU*V5hCRHjgqFiinfkQ$l;_m50k>0js+%mlN zz*4LI1J($hLbj(dI-oWE!_JBwE^EUZk{Su((xd%eNg-;#^Y;Y|84L_FP1~EWWJ^i- z%PJUEMH^iBC^Gm9pdzag@zB|Y6u~eoxqyHdFZO?*`qv8OBl(=f%=Vcjx|`p_95hcO6zY*BQ#0} z^1&X@KzDWDj+=10vLy@S@ha=ZsyYnWQ=dW;>q$hS%R25XW#{lG%Bnby)E_Pv)WuJb z`byH7or5@WRO{li)t{pHj+26;#~}%HAB>?=EM(qUV@}4|Feb^;@xcDL?4T!llz97h zz~Ox_7mQiM7bMxm4b`UNQ=|_vURH@R>ad>`HHrI-j{kuXhrH_D2N|AC*nQvysg-H# znRY9^@bdG*+SQOAP5NcsGVO#?Cn4u$#azb48K>b-xtoJ;n?XZH2x?%o>Mg%J|4>Hd{u$Ixs|fDXIrOnkDzl@yxbD_Su1#2+bYeRE0opI0 z=2yd9hI&^%q9&qW`RFhj+8w#k`otzpjA~E)Rtg~*%@vCHjj$h@*~nT@S#G)I5KH;} z;KN&`yNNSOaX%>5`Vj9w5x<8u;f!z~@xzAA$*zrbH2Y8rszcMZII99aQBK%-^Qb9s zp=97Jv~54yAn=R8zxx?Bb>@ftjgl4eqL-q+JeOU^jCqxrM)?70p$v=bJFNvo%n>&ZlpmI9h&BnBos>Kh;rwbkcgihJR5!}n5{Rp^IKh|YO-9usB{NLJFx9GHY7*%YJyUiGM4<(H5?kLCywjd{HCpeE|k?tj+DZg5BhIq--JT0QG-BO($>i*5M7zMeun*jukaPa_N5>5Yv;9&FhZXQm{5R8{#J=H-_63)<=&hErsHLC& zpy9$acI40L+S;6EIduD=m_Q_(^>ElcJ6hZ1VZD!wbERVg^r8~CeBhw0Mu?y9pVs>w zfh4IbuhFcl6lvS-H%8LyE8RJ1H%Osl=9fL#-IffZ4^+W&C=`3nd_kd>P-X;EE1H60g|2Ib!c*e6 zvJ_UWx54zhH%}vtf#IjyNeQ_&S&FBBvu(?y(`9D7K-Lj<2BjDuB-J{;SZs0PeU2WH z3i)(EkB{g$DIbsOu}qqHJy%qMup<0HIJrW}fT6JST{7%S7+JY7Yw0I?rQ0~j3P?-& z1Xl89?RcjKgUZes6MmuZcwLj>Vvg1e;&`aKuuj*r(n(lhFz9&P?E9Y| z)J$VxL8TjZ2f0(2u`OtzqK9gqOHq$>NFi)%`wwfvHLv&5hT&>ec&M}_2C;0^cZ7m+ z7y-TL>jC70^_Zhe#5$QyOG9mW&w;{q&q^)LI@JbIffM%XkYvfRO)(x&E-8x>X) zXm#rq_&B<(8K#SYmSaIqb_?zTM4U;T)Avm+Am3pCg;<{X%#VtUA)&asjyd0}Le9(; zTuHWP>G}^{%TYl18#p741D`|AkvKp~cId zUfLa(%&ty3Vn`G|DTiXi_4FisBww4J>`y^fKfd?GodZt65z+zG)?^gNxU_;1Gccz| zth{`gwC^R*xS<9Q%0%K`CZml$bUW;7C?IdBmtEuOVFtvFnUiC~Nod*^+mX?vdy|KG z5DxC?7b!*gWI!nrGl-S23$(JbG8F6Q$ez@c`%F~@R6odPb}E@_jLA(SiZ=%sDLTfX zz~_lMu2_()Vs2hn>DjJG2*uW!J7?s@m`A-g<}NP4RC==Z%c4)z?k&mtnb9Owo@3Ua z-wo6KUcBq`lGYYn;roDS+XSz&m*+KJ3I&OX@c!+r+}f$7V+;+r(VSS36Dg|upaq|e z3!c_4&7yS7&lLzSKVb${CAz64C|D7L$osLo0%5FTYA$KHqu#zxs|~OJlq%aTZB(BJ z2S=Wk%;CU#2MTB`!qZ`dlcBF!SP`YB2PIfrNk1bM?@HClK(@%3>Pst*jI(FDPaEQ< zq%-s5>LrR1f0M+@Z&%0Q{F56aZ5jZhx#$Erg<*SeP*(SLu|XzJ)v_w#BAP&2pmIU1 z1TRaQ+FT@?;@a~Xe##^t15NCUF*&&|ws9y? z68t<=#!e6BeuVJTVo`77H<}z!jf47+XNMOhc~c^TFa{n-6pE~|5@NgZaL!a%b744~ zER1HK$KM8U#RDTY>31?^3BL0VNHkIR^zU>8rtAHkHWncOpHy(2pZ&KmpgCUAp>RtU z>)M7$4Ph8Qr0X3M!~P1C4ab^1qxeWnC2pXBrqgU7@`V}iia*8~JfRQ9ZOH95kzjyz zJ#75o;2>%SFmc?FnO5H0H4MpwYJ=ykg2?ByTc}eUP#PooTo}{i2jmy!Vr7Z^kd#=% za}@Vj$*&^f_w1Lti0LPRA9UmcEis&|F#%1kL`P0n7xNmX4(FxZEB!jrm&Qr4OXZyO zJXi1IWL)FFWx{^Rg66}zm-jZpZ4v*b_u)jt4z$3r{3T5YH)bgH#CnMV!Z_BzBHO>* z8YZQP^3i<&yEK`$+Sg*K)Miu8r6S02;~xJwOOl#aK0Jsu%6f*Gu5g|E9G%2{vYqIE z*3jp^aR0wqQU9-{`BG0m0JZ9Z#1(*r*2HDY3EY3#1FKrF)s5-1;(!HxB9jj{M__BJ zJ#lk}oMu48`yfWSBAwg@TBZ8la+*>{S+zwNd?doEN^iC54KtzF{5RPY^`TTZ=AK?V z{y^es_yd#L{wA*W zFF$#2`6@aAsp1b<0%}dvs(ktm>=Q=mAZp5Cv&=& z-esh0isbLTt10S_yAMqN2s}e~3|1=iZSMCwNmMea+hr{KMDNJWB}y-7WuKrd3Vryabrce6!k2H3lu#x7 zZ}+l%%b$SQ0+!GI5b82c{_lx-lLQL#-kS4fPiuCU4nwSJXe?=YP*P00p@qM8jDcej zISZ&Bn6NcU&1{pMfGpaSj-rh9Yc%G3sE++c-6y!89RP~y+{d{0z^XiT!M^&r6jgCD zoynP>L|uuB+oNV$hfip+K-O}Smd*Of1Mw-yJWW>IqnE`7{FvVnx^>V!7(qkqOoQ}K zLJ-A39v)m?nbw2C*1XB7{oidV4Qav44H`_I?XhIGmuXCdkEJ?XcFW7bI+-jci!I}- zCfG=HxlJ60EB_35CRh8V;D>Y*oHmtJIB-Rq#Q&YJIF6ffwi^97z+Bo9_&ZkmY`ABz zv#fpb^rYEg8}QK5b=wF8GWu6j;P$n<1*KV;UY8P4I;ck~V2cNI{Z;Ud zkOlvpgY}#Ur}NPq|GFO}WAkwpNP@_)e-tqX8^vlcU4+Eqewpkk0a&ZSYe33XkHl4@ zZS87SDv&OUK~^CM!sc=MrE=Q#cuCOB-K+el8s|S!9tNC(*Q+@pD0~5>ZbS`^Rl@kS<3qYxR z4aow}3da#J8xe3?{Q(OWF(2UnI0H+Nw~#RMzd^E^y)g4)5ikZ)@;b3&F)`-po-o(dnkPVz6MY`U)am8_26w zkY!-kUu!d4)xVnTe!Dd-Dx30mb3(nJBUPh)T>99}GpU8@arF3h^_cSaxYgg&uy+}$=ZQ|T-Lr4kNde%phY4L6hHi!0^6BiC|||_dJ1)PavW@pLK|C~fbDrGiOKh*c3uat zQ@9TD;$)k^)-EP1`%3+YA>%qJ*Bj_yft{cPvfd^zhfZJpw`P-Pi8dKCGGGqte?lKnuY$$sVHO4Edrp%JBwia}4 z`z%Lg68ZkK_X;=jyx!LbfLp;q7&|x>`z0Vyc>&+^WcoH(5T~Mw*Qw9a!hxdmuf&^% zIaUi{yRkH=_b0Z#mLl+enZW6{GzM&cIg=p8$ZpF6ZzSQ8-Ke5AqL;pB4SJvzS>OZj zu}9Maqf(3k6gWgnqaz3dkKHW#mCeYia9AUgy8jvwJ6S>HyXZmhDYnsd-@(M=14x-A zfD7a$NDrNfBUS6_Qx~2y&<$Fc2iNi5%t-GJ8qxxGz^ftU75%q0fpt+G&^iz&{kr}s z8~8o)+udSa3;;eW7^!+X^?kgvWNm#hQD>8h6H_gv-k4EQS&)O@ty z>3MbVaphy6k(SSSYYIz7&`8ty;DHM7HsO+)#pCDdh~=Bp!Fj&4>Tz!+BN%1=^EMi% zj%BG=Q(ecLLE4>KM=usc>#rwpZP5<%h3(4m-^BBb$SwQ*c`YoNVy5d;Q8yqEp&~hC zv(nF_mHE_90U!*k;8#i#VrcxYutw!rHcNmYgIHwt=R{Og3_3hGW1xB{3IDjkhIpHN zxgLN_iWhH^01QUBOpqPIrWwwvK`;Q91{jXS=;JZB;F|oYSz5q2(_sNh{@h-k{!Wr_ zSbWC(Nvcv*sMf=;7WO$0dH`)npBPO(p5fQa%#W}!@LXk)-84+;2d50Fh73iR`^q5J zq*q_eQO}T%qMCcem3W0c*^@HQ%l){os)Q78a(rM}iG|#4zyCEi;J>ioD_tKiD0Ov) z4`BWTppxtDI5`t9(-{zYUJ}c%ONrCi4!eX)9Q(Brwoy3;U9%56N?f_3^yLsg12vxB9pGThQ-(DPq}x)>kpO+t*Ls9c8Y?$&hX@yDY@PHq|9EO(Wo z^f6)665fly#&R-(+dqpMP>9+;+MnvqF)4rY^s>BOmLzagnLSdaPyQ%)W$f_6;yCc- zms|_?w9p=VmdU@IKq7aq?Ed%U7DL{xm*uu;ypE@0d$q|rP0q4U0&FhjY>nds+-`r1 zeAtM*t#{udOXF}DuLdxUb3I-hh|OhrSalb1=ngHNJ=1&@WFvU1J8#lt@Q`ZiFkv?< z+c+&0Z4c89Gy_e%jX10UG&gxnuoFkb5ljtj9PzG1}VX@d{W!!f`t zHMv(??;`>QWu5r1h*WM6;r+b11(^TY?#i?eWM9cHD$OFf9UL7m%6X83H@+IM5E;0E zXVc)vNj+)1Ud*q*0>JTWk3pwXPMiQT-|6#bY202)>102Gi28EQNRrPmdI1*lPHuM_ z!RV1TPhYm*=S0%06l0M1cqk{+Qk)P}k~pK=b8r2!v0n276OMrm2dRmH!It$Lvol}w zPe!bBrA|pXoFI7K3zo5JU4#u;cbGs>n-&mDAhv1vw7(n~Zo~+lau+OHX08WQB7iN$ zUf3OeNz%(NDOzrtZV!`^otWUhu1tSKY$Sqlo@jI*Y=9e64VT7CAc3q=tNth%s=R3^ z$!fT17_3;L$}pGs>Q@x^&O_iF&?Kje7fUg#x)WAnG-r9rBxEZXOJ93xd#c1dQ6PLVgG;+GBzO<5uV`_q?l&FkLcKuq3k)sy(b zK9T$$hv}#!`a6@+u6Cc+KlJ&x3YDZi~_2GM2faUI8idqPx&oD-fU~p z(}!)D?rggw?YAlEiz}BQtp(1queRPlqE_fcbZ1{IC~N`WN5lduG)`XV_VEy$JhaI5U+|M`1*O_>pUTcn;tF14|f$>`qwJ z1ypgaA1P*aY}68%W`cvo3&K-xfJa&>${?2=l`Y094?N^>bbcZ(1o)JcFxmS8133#8 zR^{h^R3aVjA6J~v>s0HC%Vd7yIS9=TDU~{cQDsT$K^AX=#4!3@b`!7>&YW5)Wke*D z{n}3OH~Y842Wh=EB|03%*V6?4J?@8w*Wnxhf6$ugk zk`Mfv1#BwPM6F(sh z`p|h;vS{*1G@$4${vJ%50x~cR?CC)02sq2S<+FBE5Gs`BFg!Igzt{JoAHabv~@98fpV^$8854~zO;E}mXX zts-LB9)_3VTPZr}n3`B+4-&iz#!>zpq8~$?GYy=U?`z{?K@q2jxKS|^e~wG+V5N5i zpc#>sfzIt=A#o+$DH-=6B=H}TBmS)Y5qSNv`_V-i;^1H%{ZXLKRdj!~wK-_(TxoPj zHPPpG!PHzNRf(An=W}ci()%L?q#BRZL+qwqX}*URM$L11|XdxF+~blT_Yokz5J~KZMy{Ff6+d19i(a zxL90$3Q1CYJ9@`4vXx9mbgTBsL=LxG?tP!EV*GEOGuaMr2SBk(Ai`=EJ2KPiEVu1t z`2AUUnr6%D%*SW;{)!tqtmxZ^tlgQD6xXlwEn*KNS~cgnA_xK=4=3v2@+4P9lW&&N z0iQR!Bah;};eJ`*Jbi<_%kJger>%V%p2B-Zrd)PT@X?#_M*e65dC$eymUEB*X0+`w zzoofpXEZhK{+;nzcviE=f`1a`_0}Fz8rSawJhrsLf1kf5s{d6k z?;k^0DRTHXWa_(5Z@TRJcoUo=^pP&2qE_IPiqJuolC^LvL6Z8pmaD&QnI_wC;d3Z` z0=%}0DZjW>Ykp$!3_#A<-TNavJ5uJ<43ZPE|4M>UqeJY72c$s78&VR_%EU&Pb*YnM zvgl|ZXv<`6HxA1=`h0RBW2LQ|YQMMaB-|YG#Be?y&69^Ng%PuMX~i|biWWqHM@jZ+ z4pvn+L{VOKK3&G?#=N#6qz{V*CpS0puM^EX9f3oV zy}u+=1)y7Bp4BSJub^)jtl8GCZHC{GQ8Jd!asM_5j#zsxB`R?pAmH_0RlITgZzOs~ zzGSgh`6V8|3$3k*By`?%$%t7B{we>io1?i-Eg|I;$tmlYtKTr1>W%DIg`87aGk1bl z>eo;05Ln>VYC_pRzu^Aw>YZ)y{}RpqKbG{ z@uHXVZ=I)Zpkct#EVK&9I-0aU*TU~+Y5r|vIuVdd%!q*YSMOuA(ydceLlL!sf#zwFEOXWoab%$%qM+vK2 zPzqks0+5AEU?iObKLt>50XR`}nug*NZO2u^7JIqior9(yMtXEtTtkLW`4aD}C1ZfYm z9at-KIslSc2RJxi(Z7HgENC`CyvzsgV94^u-BbWb2dYc+>$VouD_y_pBs>XqV7FAN z4zg$={Q$K(O{;^tsRCML0bt%0m{v1DLIAvvC7_{zuRG4<_uRYzy$S5*Q$5M!m*2$f z^DuAXX;mb(Wo1D(0mdmM`0u>-ObO>Uud3M=5!0hOnJ3n(a@&WFk^k&~~Lkd@iw zaPc^xVh8YL8^J(Zaszy@-ai%xl;rsHUwa;*fOq{TD8Rq~B?;{Ougp}4+}AJ^aYgMP z4}rcPpxvYKwCRYkVI2aK_K*imJz(nE1qWU*?_ji&%!Bh6hU`ae4ccOuLNe?@J&tB z@O7XvP6L&(YYJd)bMw@Ty`C`GT!CK<1nFvMbYY0dapx9WQAU+N9YzHJng`=2uEC(Re1m zW=2`DXap>#3fKbxT0Bri92^`h03raCk$}tdy|K-oinrdyd2pZ+*alqUw93Eq-mGS@ z7{aLbJz(rFRPV9$;|D~&N;zqYzo*4w%Gz{WJ)FT~W41X&b+Dwt7iiYiUS6Ptqt13M z6T(D&;0}m%3Q@6OBo^HONgag$!SHhebpgAcM390BR|$pASEZa9D_?&T1aRKn=(sEx zi{lc2!iA!3P^EJNr~oa8#U6V=4c7@Y_axq5u)-PH;Q@nYlig2JJcJ z@{te!1q+uV!IBIb0c#}fBakdtJ;7CLGL{}n9FypwjL8d5=GO5+6`nVTfwRo%vRY>F z=8K0jfbFc?n39%e*#VeX!MKCu6LjRoGn}z%-(|+=ezz!sCc})r{eEAN%wR!_2QM?v z4SerdVWLCzr&p-BE!OGGZzJ6nHx@+AT8sSM+mLzVH(WPcQG%K5=4ce=mq4;n^Z~aZ z?xCkpNKTz{2fcexI%M95!>vlgev9p$ok`jhivMDfW!MLHZ=hJ=uP22ok+*piTP>`RFp zMb@O4G)(he&-DHa@8|ROlTW|Q%=3J|_jTRNb={KMQ_dA+k@)U9pv>YoR!zb`Xc6T) z4Ck=|TDH8T{;SBOC*Pcr?dEyWIjLx5C@ad9@t&pq^XG2&uI4>f9lPU!Rdj^+gX@?{ zCam->NdL4*o{m{gF*yc~QeL^|cI}h7`8`8;Ro~&9C70aR= z^p={bzs&hIXu3G_CGr0&f4*bwk+`zSR;0LI?h>)a;lPNi&|qsbqLNc`Eb7dAU8<`x zzh9w-(o({;E^-|8mVb}Ux@1CSitaL3%$GoScL-nHXDK9xT+ z2QP4erw91}F}$CQxp~Oyw2*aP;c;PcZczZ1!2!3oO7urO1BL}$?AD~TU)yF>3@idDTISS?txRd36Z=a zJERS}*@DicZ)J-i(e(h#0H84T7v-a2MbsLN`(imLS*=!lv3Vc*+ox~30;lOS2s3k) zbxdz;E7CdyZ3>p7^y5(k%ndW~#r2vTxCX4H_>9kN^55N99<|t)9oIPZyr}G4I;npF z4UF#?%O_d~uVDoI{gZ0^$Nqb7MNX%6<{y;^e5wKDd*j>uJ9DvLyj^p8k2Z96UbpY; z9$$#9R@tNXgHH?!A^9@&ht3k`-3NTcg6JuA48voNg`%6*uUw zoEfZ`g+qA|F4o=Iw6rwj+Jo<4vaWyl!9y+;GNN4=JjuM~-vCBZFxKy3ZJ9c@ z!C1&QAc~#<==T;4^du4h^!n|}xZ3r%gHUzE;J8r#9fCGbHUMxo3`Nz-8B4!Txs-v| zk{yv7G!khUY0i&6gS3S}DMljYegOZPhwXy2j;(}U zk^MZ{TvY%FvxCD0OuWGUD>`L+EO+;y9?wA0UwbUk>Q}ccrIW1_W#@=ei7ctarG|m# z(%70LV(3?}?b6WHdtJsvHk62WpJHE9`3@HAMin|&sL{lz&~E)XImQRbwGK}$*wr*9 zWt>=mRv1KNy}_UxR@XHg&|-oR|5DdSw`sAA=NEsC+&D+JNakK4Fr> z*bD(c!;aXM+Q1_Z_UQ{R$|ZHhc?A0nI!hz4LNkaW_knFC-`d1O8bfRdMQ6i!5KuQ7 z+)Ev`X@?G{fc`s7V>c?l-e>8w{m>*S ze0M4Nm^*pQp~eiHLY8-;4J?-GFA+4cUHdh7Q>DXXs`oS5VO25K5Da%j&$upnLVHN5 z=I+B$;hQ9lf%0azG?kIy@#C_!C*RlZF z#R|`9C{mT7uQGE|t=V=csT6qEp|{Th6#Qz2lya~`|_owas^QhiTB8< z^F3ZVNI=7y3TgDh1n!6N?_~bYpB6bR_~g}3Ijbji!;IZuGSpdfhveH?uA)v2Zts(4 z?H=UGXqG>SzfjV~Iy*2m6jHdBC1S&vOYaKfro7LO5ZoTq?yAAbY|QgcAO|syrp7-+ z($liaT<4p|v&zJVTj5?m5aTFWR)QtLIbPvgeqTwd4g zy$%88y5Wt&PA{A7k9+`yIR9Uc1QcOn1-yXj=IEuZr9F*N0@J-TwO~57GzC@ud_4@M zRO}$`H#eCe@(HjJHM9-!!UHC|#$dJgEDTVkJcB@x4)P7GA-Z{z-Ga2Og$ckq+)~iW29G z8sr%}b6oA}FrI<_lHhhhg=vs87{3=^t*39rccR+Jy1(QmP~XjpEF~d*E_h|WnOMz6 z?2dpG5KR8I@@ex571Q4QR-jK^V+io&^UDb#TdLbU7&@ zuuT)fK@dAbljXuU+f+O|FnjU}!D2yJjcCy0!jO?%Xf8&J?Wd!5ydMdYpPyg1V3%p! z0j+QE6F?=7JoX%H1a}`rlszzu%@b;NQ-s+(0Y0ccKKoO+xdRcoxv+{3CEp|bJnsNZ z4p`@UFa+)_^b-|4pXzyoB61KijICk^U_1EB9dEN#v-}zXOFQ zf!U`qWdO*$d+a=_n1r6V>k}Mu(zOEbhi{q9qG9$$MzicQu<_bAq6xg9QiL25&fhi` zQ+5w-=e}3nXtkpPhU0`Acwk^4nrar|8KB)kMLdG_6A0i+UC!1q(Q+O^7!zrE5>iEn z!^)%Cib41Vq$F+|xgdD|}09 z99$PGzYEEj1R6)eSg@J!D1b&YBEHNLjvDi_4NV8`)zC#hAAacRGc!;|b>R!?1Am0l zbVHOV(HbQ{0c8rypxY&$bWeMH6U%oX-f^|2<|fi&rI}A|EtNHkTlM2meMRza8)x;@ zd2OZh6DNOKfz6K8g1oSIF>1GefbHiLF8j7}v5l`-Vk#&hT$ovM-K$W|M&+ z^dtZo=%L8gBQw{0vD(;=(1(KgMr_wDFQRHPkI_+?5Z5@r^SnOIUSYBnLuytEOxR3> z^Pn%Uy?F5&w~*ldzAhtey|Y1}ltSHkOW#0`3;v)~x4uCkrd4{z($}Y&qkjY~W0`rI zmFur)VBVu{jix#`#FRYNbM^dUM(xZx9EpT67+jb4Zl;}tZJp!iO|XBpI}V>Qp{B=+THpD^M~dEI)JG{(I-e%pv6 zw`?n6BZS+~+5I?vmD2L!^yyY;>0S_yHSm>Lc_c&c&I5>9orb&-Ji;b zCZQ4MzkN}x--z@x1Ey6S?6cwF)C*>n7Dd#l1!?@_!2@{-{ z-KaZB08D)z_@{Y&fTscH7nx1)qeXIprxHv{SG(}&#( zN|ZXU>WtyMx|G}k8?_JeE~^d|#aEojQOsL1x?jnVI}&@d2Xtd{9`b=f^+#f<%oE@!Ou z6y7)f4#9kHoi6)H*0--)S-z-qN8v#){smt2K^M*8M@C5PO?{{wX2p#cB@ literal 0 HcmV?d00001 From 4efa259125f1ea25089f47d72bc6996ed0924769 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 11:45:29 -0700 Subject: [PATCH 31/33] image of email notif --- ...notifications-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index 1853b3421a..37f79222e6 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -48,7 +48,7 @@ Check that email recipients are able to receive the email notifications by selec Here's an example email notification: -![Image of example email notification]() +![Image of example email notification](images/atp-example-email-notification.png) ## Remove email recipients From 87be421f483a091733e65f4559d73f651de21a48 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 4 Apr 2017 11:46:25 -0700 Subject: [PATCH 32/33] added links and fixed terms --- windows/keep-secure/bitlocker-frequently-asked-questions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 5761c7318a..3e39f7390e 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -116,7 +116,7 @@ The following table lists what action you need to take before you perform an upg

Decrypt

-

Upgrade to Windows 10

+

[Feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) for Windows 10 (example: Windows 10, version 1703)

Suspend

@@ -129,7 +129,7 @@ The following table lists what action you need to take before you perform an upg

Suspend

-

Software and operating system updates from Windows Update

+

Software and [quality updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) from Windows Update

Nothing

From 7604d2b7209fc09ddc44f721cf725b520e1fbacb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 4 Apr 2017 12:39:24 -0700 Subject: [PATCH 33/33] add siem troubleshooting topic --- windows/keep-secure/TOC.md | 1 + ...e-siem-windows-defender-advanced-threat-protection.md | 9 +++++---- ...t-siem-windows-defender-advanced-threat-protection.md | 8 ++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e249568df7..a6e97434bf 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -786,6 +786,7 @@ ##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) ##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) ##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 31ea81e97e..5bd33553ac 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -34,8 +34,8 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). @@ -51,7 +51,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull Topic | Description :---|:--- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. -[Configure ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. +[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md index a032c56479..c782fef5df 100644 --- a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -27,7 +27,7 @@ This page provides detailed steps to troubleshoot issues you might encounter. ## Learn how to get a new client secret -If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret. +If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret. 1. Login to the [Azure management portal](https://ms.portal.azure.com). @@ -35,7 +35,7 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **Application**, then select your custom threat intelligence application. The application name is **GET FROM SME**. +4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. 5. Select **Keys** section, then provide a key description and specify the key validity duration. @@ -46,7 +46,7 @@ If your client secret expires or if you've misplaced the copy provided when you ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)