From 198ed2f5184bd25cacf7c482ff452871afa134e9 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 14 Oct 2020 10:14:25 +0500 Subject: [PATCH 01/37] Syntax update There was a syntax error in the document while using the? wildcard. Updated the example. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8259 --- ...re-extension-file-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index cad89f1643..0fd5be3320 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -187,7 +187,7 @@ The following table describes how the wildcards can be used and provides some ex |Wildcard |Examples | |---------|---------| |`*` (asterisk)

In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | -|`?` (question mark)

In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|`?` (question mark)

In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`

`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables

The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | From 9d551d5966d5cf44e5c4308c275f36bf078aeea6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 14 Oct 2020 22:32:45 +0200 Subject: [PATCH 02/37] BitLocker recovery guide: format & spacing edits As reported in issue ticket #8460 (Wrong section), there are a couple of sections where the last line of a bullet list has merged with a following paragraph due to missing whitespace or insufficient line breaks. This pull request should mitigate those issues. Thanks to Eddddeee for reporting the document issue(s). Additional changes: - doubled the number of blank lines before each new heading (H2, H3, H4) - squashed double or triple spacing in bullet point list and numbered lists - added an inferred colon at the end of a handful of paragraph/section headings Closes #8460 --- .../bitlocker-recovery-guide-plan.md | 216 ++++++++++-------- 1 file changed, 125 insertions(+), 91 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 799e432faa..9e81cf3812 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -20,9 +20,9 @@ ms.custom: bitlocker # BitLocker recovery guide -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10 This topic for IT professionals describes how to recover BitLocker keys from AD DS. 
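Review bot: in the `?` row of the wildcard table (PATCH 01/37), the corrected example still contradicts the rule stated in the same cell: `?` replaces a single character, so `C:\MyData\my?` would cover `C:\MyData\my1` but not `C:\MyData\my1.zip`. Suggest `C:\MyData\my?.zip` would include `C:\MyData\my1.zip`, which also mirrors the `*` row's `C:\MyData\*.txt` example. While in this row, "wild carded" (it appears in both the `*` and `?` rows) reads better as "wildcarded".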
@@ -32,56 +32,58 @@ This article assumes that you understand how to set up AD DS to back up BitLock This article does not detail how to configure AD DS to store the BitLocker recovery information. + ## What is BitLocker recovery? BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: -- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +- The user can supply the recovery password. 
If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). +- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. +- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. -- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. -- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. -- Failing to boot from a network drive before booting from the hard drive. -- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. -- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. 
-- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. -- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. -- Turning off, disabling, deactivating, or clearing the TPM. -- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change. -- Forgetting the PIN when PIN authentication has been enabled. -- Updating option ROM firmware. -- Upgrading TPM firmware. -- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards. -- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. -- Changes to the master boot record on the disk. -- Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. -- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. 
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. +- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. +- Failing to boot from a network drive before booting from the hard drive. +- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. 
Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. +- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. +- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. +- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. +- Turning off, disabling, deactivating, or clearing the TPM. +- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change. +- Forgetting the PIN when PIN authentication has been enabled. +- Updating option ROM firmware. +- Upgrading TPM firmware. +- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards. +- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. +- Changes to the master boot record on the disk. +- Changes to the boot manager on the disk. +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. 
This can prevent the entry of enhanced PINs. +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. > [!NOTE] > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. - -- Moving the BitLocker-protected drive into a new computer. -- Upgrading the motherboard to a new one with a new TPM. -- Losing the USB flash drive containing the startup key when startup key authentication has been enabled. -- Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. -- Changing the usage authorization for the storage root key of the TPM to a non-zero value. + +- Moving the BitLocker-protected drive into a new computer. +- Upgrading the motherboard to a new one with a new TPM. +- Losing the USB flash drive containing the startup key when startup key authentication has been enabled. +- Failing the TPM self-test. +- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. +- Changing the usage authorization for the storage root key of the TPM to a non-zero value. 
> [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. - -- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). -- Pressing the F8 or F10 key during the boot process. -- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. -- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. + +- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). +- Pressing the F8 or F10 key during the boot process. +- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. +- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. > [!NOTE] > Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. 
@@ -95,26 +97,28 @@ If software maintenance requires the computer be restarted and you are using two Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. + ## Testing recovery Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. -**To force a recovery for the local computer** +**To force a recovery for the local computer:** -1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. +2. At the command prompt, type the following command and then press ENTER: `manage-bde -forcerecovery ` -**To force recovery for a remote computer** +**To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. +2. 
At the command prompt, type the following command and then press ENTER: `manage-bde -ComputerName -forcerecovery ` > [!NOTE] > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). + ## Planning your recovery process When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. 
@@ -125,26 +129,29 @@ After a BitLocker recovery has been initiated, users can use a recovery password When you determine your recovery process, you should: -- Become familiar with how you can retrieve the recovery password. See: +- Become familiar with how you can retrieve the recovery password. See: - - [Self-recovery](#bkmk-selfrecovery) - - [Recovery password retrieval](#bkmk-recoveryretrieval) + - [Self-recovery](#bkmk-selfrecovery) + - [Recovery password retrieval](#bkmk-recoveryretrieval) -- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: +- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: + + - [Post-recovery analysis](#bkmk-planningpostrecovery) - - [Post-recovery analysis](#bkmk-planningpostrecovery) ### Self-recovery In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. + ### Recovery password retrieval If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. 
However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. -- **Choose how BitLocker-protected operating system drives can be recovered** -- **Choose how BitLocker-protected fixed drives can be recovered** -- **Choose how BitLocker-protected removable drives can be recovered** +- **Choose how BitLocker-protected operating system drives can be recovered** +- **Choose how BitLocker-protected fixed drives can be recovered** +- **Choose how BitLocker-protected removable drives can be recovered** + In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. 
@@ -155,24 +162,28 @@ The BitLocker Recovery Password Viewer for Active Directory Users and Computers You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. -- [Record the name of the user's computer](#bkmk-recordcomputername) -- [Verify the user's identity](#bkmk-verifyidentity) -- [Locate the recovery password in AD DS](#bkmk-locatepassword) -- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) -- [Give the user the recovery password](#bkmk-givepassword) +- [Record the name of the user's computer](#bkmk-recordcomputername) +- [Verify the user's identity](#bkmk-verifyidentity) +- [Locate the recovery password in AD DS](#bkmk-locatepassword) +- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) +- [Give the user the recovery password](#bkmk-givepassword) + ### Record the name of the user's computer You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. + ### Verify the user's identity You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. + ### Locate the recovery password in AD DS Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. 
+ ### Multiple recovery passwords If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. @@ -181,10 +192,12 @@ If at any time you are unsure what password to provide, or if you think you migh Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. + ### Gather information to determine why recovery occurred Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). + ### Give the user the recovery password Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. 
@@ -192,6 +205,7 @@ Because the recovery password is 48 digits long the user may need to record the > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. + ### Post-recovery analysis When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption @@ -199,8 +213,9 @@ when data is written to the volume, and on-the-fly decryption when data is read If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: -- [Determine the root cause of the recovery](#bkmk-determinecause) -- [Refresh BitLocker protection](#bkmk-refreshprotection) +- [Determine the root cause of the recovery](#bkmk-determinecause) +- [Refresh BitLocker protection](#bkmk-refreshprotection) + ### Determine the root cause of the recovery 
@@ -210,15 +225,16 @@ While an administrator can remotely investigate the cause of recovery in some ca Review and answer the following questions for your organization: -1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? -2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? -3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? -5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? -6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? +1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? +2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? +3. If TPM mode was in effect, was recovery caused by a boot file change? +4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? +5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? +6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. 
+ ### Resolve the root cause After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. @@ -231,18 +247,21 @@ The details of this reset can vary according to the root cause of the recovery. - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) - [Changes to boot files](#bkmk-changebootknown) - ### Unknown PIN + + +### Unknown PIN If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. **To prevent continued recovery due to an unknown PIN** -1. Unlock the computer using the recovery password. -2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. -3. You will use the new PIN the next time you unlock the drive. +1. Unlock the computer using the recovery password. +2. Reset the PIN: + 1. Right-click the drive and then click **Change PIN** + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. +3. You will use the new PIN the next time you unlock the drive. + ### Lost startup key 
@@ -250,22 +269,26 @@ If you have lost the USB flash drive that contains the startup key, then you mus **To prevent continued recovery due to a lost startup key** -1. Log on as an administrator to the computer that has the lost startup key. -2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. +1. Log on as an administrator to the computer that has the lost startup key. +2. Open Manage BitLocker. +3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. + ### Changes to boot files This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. + ## Windows RE and BitLocker Device Encryption Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. 
If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. + ## BitLocker recovery screen During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. + ### Custom recovery message BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. @@ -281,6 +304,7 @@ Example of customized recovery screen: ![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) + ### BitLocker recovery key hints BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. 
@@ -302,6 +326,7 @@ There are rules governing which hint is shown during the recovery (in order of p 8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed. 9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. + #### Example 1 (single recovery key with single backup) | Custom URL | Yes | @@ -316,6 +341,7 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) + #### Example 2 (single recovery key with single backup) | Custom URL | Yes | @@ -330,6 +356,7 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG) + #### Example 3 (single recovery key with multiple backups) | Custom URL | No | @@ -344,6 +371,7 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG) + #### Example 4 (multiple recovery passwords) | Custom URL | No | @@ -373,6 +401,7 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) + #### Example 5 (multiple recovery passwords) | Custom URL | No | 
@@ -402,10 +431,12 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) + ## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. + ### BitLocker key package If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. 
@@ -415,36 +446,37 @@ If the recovery methods discussed earlier in this document do not unlock the vol The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). + ## Resetting recovery passwords You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. You can reset the recovery password in two ways: -- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. +- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. -**To reset a recovery password using manage-bde** +**To reset a recovery password using manage-bde:** -1. Remove the previous recovery password +1. Remove the previous recovery password ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` -2. Add the new recovery password +2. 
Add the new recovery password ```powershell Manage-bde –protectors –add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. +3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS +4. Backup the new recovery password to AD DS ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} @@ -453,10 +485,10 @@ You can reset the recovery password in two ways: > [!WARNING] > You must include the braces in the ID string. -**To run the sample recovery password script** +**To run the sample recovery password script:** -1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. -2. At the command prompt, type a command similar to the following: +1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. +2. At the command prompt, type a command similar to the following: **cscript ResetPassword.vbs** @@ -466,7 +498,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. -You can use the following sample script to create a VBScript file to reset the recovery passwords. +You can use the following sample script to create a VBScript file to reset the recovery passwords: ```vb ' Target drive letter 
@@ -539,23 +571,24 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re 'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` + ## Retrieving the BitLocker key package You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): -- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. -- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. +- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. +- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. The following sample script exports all previously-saved key packages from AD DS. -**To run the sample key package retrieval script** +**To run the sample key package retrieval script:** 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. 2. At the command prompt, type a command similar to the following: **cscript GetBitLockerKeyPackageADDS.vbs -?** -You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. +You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS: ```vb ' -------------------------------------------------------------------------------- 
@@ -697,7 +730,7 @@ WScript.Quit The following sample script exports a new key package from an unlocked, encrypted volume. -**To run the sample key package retrieval script** +**To run the sample key package retrieval script:** 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs 2. Open an administrator command prompt, type a command similar to the following: @@ -882,6 +915,7 @@ Function BinaryToString(Binary) End Function ``` + ## See also -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](bitlocker-overview.md) From 214e69ca3813b522e0b82e8c2f1fb9f087c6ea00 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 15 Oct 2020 08:12:15 +0530 Subject: [PATCH 03/37] added intelligence to the sentence as per the user report #8463 , so i added the word **Intelligence** and also i arranged the sentences in order as per GPO admx file. --- ...otection-update-schedule-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 9565e809a3..19538d2d93 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md 
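Review bot: the manage-bde commands in the "Resetting recovery passwords" hunk (`@@ -415,36 +446,37 @@`) still use U+2013 en-dashes in `Manage-bde –protectors –delete C: –type RecoveryPassword`, `Manage-bde –protectors –add C: -RecoveryPassword`, `Manage-bde –protectors –get C: -Type RecoveryPassword` and `Manage-bde –protectors –adbackup C: -id {...}`; pasted into a console those are not parsed as switches and the command fails, so while the neighbouring list lines are being retouched for whitespace the dashes should become plain ASCII hyphens (`-protectors -delete ... -type RecoveryPassword`). Two wording defects sit in context lines this patch already touches and could be fixed in the same pass: in the `@@ -199,8 +213,9 @@` hunk "you might want to have an administrator can perform post-recovery analysis" should read "an administrator can perform post-recovery analysis", and in the `@@ -250,22 +269,26 @@` hunk "before making changes the firmware" should read "before making changes to the firmware".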
@@ -61,10 +61,10 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Intelligence Updates** and configure the following settings: - 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. From 836f00270575fd48c914aff89f8d7da6705ee9a9 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Thu, 15 Oct 2020 11:09:03 +0200 Subject: [PATCH 04/37] Update exploit-protection.md Added link --- .../microsoft-defender-atp/exploit-protection.md | 1 + 1 file changed, 1 insertion(+) 
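Review bot: the new tree path in the `@@ -61,10 +61,10 @@` hunk, **Windows components > Microsoft Defender Antivirus > Signature Intelligence Updates**, does not match the three settings listed directly beneath it, which all say "check for security intelligence updates"; "Signature Intelligence" reads like a hybrid of the old "Signature Updates" node name and the newer "Security Intelligence" wording, so the node name should be checked against the shipping ADMX before this merges. The reordering of the day-of-week and interval settings is fine on its own, but it is worth stating in the text that these three settings are evaluated together, since a reader following the numbered steps out of order gets the same result.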
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index e4174dddea..fcd55deef2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -136,3 +136,4 @@ The table in this section indicates the availability and support of native mitig - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) +- [Optimize ASR rule deployment and detections](threat-protection/microsoft-defender-atp/configure-machines-asr.md) From 484399f709fcebddad47ae4c40c7af3f6b2908ae Mon Sep 17 00:00:00 2001 From: icyfire0573 <40814526+icyfire0573@users.noreply.github.com> Date: Thu, 15 Oct 2020 15:33:39 -0400 Subject: [PATCH 05/37] Update hello-hybrid-cert-whfb-settings-pki.md Grammar correction --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index a0855330fb..8bd8f3e995 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
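Review bot: the link target `threat-protection/microsoft-defender-atp/configure-machines-asr.md` added in the `@@ -136,3 +136,4 @@` hunk is inconsistent with the three sibling links above it, which are bare file names relative to the `microsoft-defender-atp` folder that `exploit-protection.md` itself lives in; as written the relative path points into a non-existent nested `threat-protection/` subfolder and will 404. Use `configure-machines-asr.md`, and consider whether an attack surface reduction rules page belongs in the exploit protection related-topics list at all, since ASR rules are a separate feature from the exploit protection mitigations this page describes.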
@@ -39,7 +39,7 @@ Clients need to trust domain controllers and the best way to do this is to ensur Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. +By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template. #### Create a Domain Controller Authentication (Kerberos) Certificate Template From 40cadbb183cae6c7d6fca1bc2070dde9978113b1 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 16 Oct 2020 10:01:13 +0530 Subject: [PATCH 06/37] removed wrong values added correct values as per the user report #8474 , so i removed wrong values, added correct values. i enabled this policy , and i verified on registry --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fb0f2d5519..bf0571809e 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1110,8 +1110,8 @@ ADMX Info: Supported values: -- true - Enable -- false - Disable (Default) +- 0 - Disable +- 1 - Enable From 3629c5cb32112a858b278455c6f8fc736ca1cbec Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 16 Oct 2020 10:57:23 +0500 Subject: [PATCH 07/37] Addition of release version Updated Windows defender release info for Windows 10 v2004 Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8232 --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index d352e882bd..2ddb595a1a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md 
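Review bot: the `@@ -1110,8 +1110,8 @@` hunk drops the "(Default)" marker when replacing `false - Disable (Default)` with `0 - Disable`; unless the default behaviour also changed, keep it as `0 - Disable (Default)` so readers still know which value applies when the policy is not configured. The commit message says the values were verified in the registry; recording the registry path and value name that were checked in the ADMX Info block would let the next editor reproduce that check instead of repeating it.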
@@ -319,6 +319,7 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve |Windows 10 release |Platform version |Engine version |Support phase | |-|-|-|-| +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) | |1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | |1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | |1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | From 3f473741494d0145044067b95368cab4e2bdadd3 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 16 Oct 2020 10:00:24 -0700 Subject: [PATCH 08/37] Initial commit of recommended driver block policy --- .../TOC.md | 1 + ...icrosoft-recommended-driver-block-rules.md | 383 ++++++++++++++++++ 2 files changed, 384 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index a8f8114e8a..79c0d8087a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -14,6 +14,7 @@ #### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +#### [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md) ### Create your initial WDAC policy #### [Example WDAC base policies](example-wdac-base-policies.md) #### [Policy creation for common WDAC usage scenarios](types-of-devices.md) 
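Review bot: the new `2004 (20H1)` row in the `@@ -319,6 +319,7 @@` hunk copies the `Technical upgrade Support (Only)` phase from the 1909 row, so every row in the table now carries the same phase and the column no longer distinguishes anything. Confirm that 2004, which was the current release on the commit date (16 Oct 2020), had actually moved to technical-upgrade-only support; if it had not, the support phase for the new row should differ from the 1909 and 1903 rows or be left blank pending confirmation.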
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md new file mode 100644 index 0000000000..f934ae0258 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -0,0 +1,383 @@ +--- +title: Microsoft recommended driver block rules (Windows 10) +description: View a list of recommended block rules to block vulnerable third party drivers discovered by Mirosoft and the security research community. +keywords: security, malware, kernel mode, driver +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jogeurte +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 10/15/2020 +--- + +# Microsoft recommended driver block rules + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is rolled out to HVCI-enabled systems and Windows 10S mode devices. + +Microsoft has strict requirements for code running in kernel. Malicious actors may exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. Unless your devices explicitly require them, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. As always, it is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. 
+ + + +```xml + + + 10.0.19565.0 + {D2BDA982-CCF6-4344-AC5B-0B44427B6816} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Microsoft Windows Driver Policy + + + + + 10.0.19565.0 + + + + +``` +
+ + +## More information + +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) From a7aeb696990ab838addd6e0feec8410d0a259ce7 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 16 Oct 2020 22:13:18 +0500 Subject: [PATCH 09/37] Added Server 2019 This is already supported in Windows Server 2019 and it was missing in the applied to the section. Added this. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8205 --- .../windows-firewall/windows-firewall-with-advanced-security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 9718aa85cf..dcaa6efae5 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -22,6 +22,7 @@ ms.custom: asr **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. From fb51b44174e9180018dc47b8c6aa03c9a2ffa3b8 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 16 Oct 2020 11:03:31 -0700 Subject: [PATCH 10/37] Updated recommended driver block list to recommend enabling HVCI or 10s where applicable --- .../microsoft-recommended-driver-block-rules.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f934ae0258..f07cf6b43a 100644 
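Review bot: the new file's front matter `description:` and the first body paragraph of the `@@ -0,0 +1,383 @@` hunk both spell "Mirosoft"; fix to "Microsoft" before this lands, since the description is what search results display. "Windows 10S mode devices" should read "Windows 10 in S mode" to match the product name used elsewhere in this docs set. In the policy XML the two GUIDs listed immediately after the `10.0.19565.0` version string differ from each other; if those are the PolicyID and BasePolicyID, the file is a supplemental policy rather than a base policy, which changes how readers must merge it into their own WDAC policy and should be stated in the prose along with how to recognise which revision of the list they have (the version string).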
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -24,9 +24,16 @@ ms.date: 10/15/2020 - Windows 10 - Windows Server 2016 and above -One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is rolled out to HVCI-enabled systems and Windows 10S mode devices. +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: -Microsoft has strict requirements for code running in kernel. Malicious actors may exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. Unless your devices explicitly require them, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. As always, it is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. 
+- Hypervisor-protected code integrity (HVCI) enabled devices +- Windows 10S mode devices + +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or Windows 10S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. + + +> [!Note] +> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. As always, it is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. From d47a92c6d506a96d3c254314b477d2861b7ea6e8 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 16 Oct 2020 11:08:19 -0700 Subject: [PATCH 11/37] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index f07cf6b43a..778697d2d2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
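Review bot: the rewritten intro in the `@@ -24,9 +24,16 @@` hunk keeps the "Mirosoft" misspelling from the previous commit, and "can result in devices or software to malfunction, and in rare cases, blue screen" should read "can cause devices or software to malfunction and, in rare cases, a blue screen". The HVCI link hard-codes `https://docs.microsoft.com/en-us/...`, while the rest of this page uses relative links such as `merge-windows-defender-application-control-policies.md`; use a relative or at least locale-free path so the link follows the reader's language. The Note block also calls this "This application list" although the page is a driver block list; say "driver block list" so it is not confused with the separate "Microsoft recommended block rules" page added alongside it in the TOC.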
@@ -29,11 +29,11 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10S mode devices -Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or Windows 10S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or Windows 10S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. As always, it is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. 
It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. From 3d423fb5480beef976597672b1ced7e55fd6050e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 17 Oct 2020 09:06:41 +0500 Subject: [PATCH 12/37] Update windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../windows-firewall-with-advanced-security.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index dcaa6efae5..8a0b17a719 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -20,9 +20,9 @@ ms.custom: asr # Windows Defender Firewall with Advanced Security **Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows Server 2016 +- Windows Server 2019 This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. @@ -49,4 +49,3 @@ To help address your organizational network security challenges, Windows Defende - **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). - From 9717cc684303beb1569976572301b3e7f58e5df1 Mon Sep 17 00:00:00 2001 
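Review bot: After the @@ -29,11 +29,11 @@ hunk of microsoft-recommended-driver-block-rules.md the audit-mode recommendation is stated twice: the paragraph gains "It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events." while the trimmed note line still ends with "It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode." Keep one of the two, preferably the linked sentence in the paragraph, and drop the other from the note.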
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 17 Oct 2020 16:55:44 +0530 Subject: [PATCH 13/37] Update windows/client-management/mdm/policy-csp-update.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index bf0571809e..78b7cb262a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1110,7 +1110,7 @@ ADMX Info: Supported values: -- 0 - Disable +- 0 - Disable (Default) - 1 - Enable @@ -4525,4 +4525,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - From d0b9c31273ac60e4370df4f5c0234994060d98fc Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 15:40:32 -0700 Subject: [PATCH 14/37] Update windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-recommended-driver-block-rules.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 778697d2d2..7de5633c5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -36,7 +36,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/se > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. - ```xml From ab729bcddda7cc7dc437d068a9def16439b8e9c0 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 16:36:09 -0700 Subject: [PATCH 15/37] Fixed references to Windows 10 in S mode --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 7de5633c5b..11bc4ac368 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -27,9 +27,9 @@ ms.date: 10/15/2020 Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices -- Windows 10S mode devices +- Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or Windows 10S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. 
Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] From 1de678d0cc785d8001a80bc5b6a3c4212175a3b4 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 19 Oct 2020 17:07:48 -0700 Subject: [PATCH 16/37] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 11bc4ac368..5c960685b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1,6 +1,6 @@ --- title: Microsoft recommended driver block rules (Windows 10) -description: View a list of recommended block rules to block vulnerable third party drivers discovered by Mirosoft and the security research community. +description: View a list of recommended block rules to block vulnerable third party drivers discovered by Microsoft and the security research community. keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 
@@ -24,7 +24,7 @@ ms.date: 10/15/2020 - Windows 10 - Windows Server 2016 and above -Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Mirosoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices From 0027320431f4aa6429462242dcd016e912bb86c4 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:02:15 +0200 Subject: [PATCH 17/37] copy edit Overlooked typo/redundant word Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 9e81cf3812..e999c45466 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -211,7 +211,7 @@ Because the recovery password is 48 digits long the user may need to record the When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: +If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) From 415d0b866f83ce670d4882a305a71ed1d99e705c Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:03:00 +0200 Subject: [PATCH 18/37] Copy edit Add missing period dot at end of sentence. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index e999c45466..8ab81b0b1b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -257,7 +257,7 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN** + 1. Right-click the drive and then click **Change PIN**. 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. 3. You will use the new PIN the next time you unlock the drive. From b17923a18bac778b43abd7b15764bf149cca84f4 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:04:19 +0200 Subject: [PATCH 19/37] Copy edit Add missing word in text added by previous author. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 8ab81b0b1b..ef656dee40 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -276,7 +276,7 @@ If you have lost the USB flash drive that contains the startup key, then you mus ### Changes to boot files -This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. ## Windows RE and BitLocker Device Encryption From bb9b6d8c41655437c2c0250df483f54ca120161d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 20 Oct 2020 13:05:07 +0200 Subject: [PATCH 20/37] Copy edit Word partitioning and missing particle/article "the". Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index ef656dee40..f31dcd8374 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -307,7 +307,7 @@ Example of customized recovery screen: ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) From 06c670f2dd54f42d69401a15c58aef23ab5d39ef Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 20 Oct 2020 19:39:06 +0530 Subject: [PATCH 21/37] Update windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...-protection-update-schedule-microsoft-defender-antivirus.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 19538d2d93..9532a74ee2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -64,7 +64,7 @@ You can also randomize the times when each endpoint checks and downloads protect 5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Intelligence Updates** and configure the following settings: 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. - 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. + 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. @@ -107,4 +107,3 @@ See the following for more information and allowed parameters: - From 2d57badd16153e641816282b3ec5dbd656c44c36 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 20 Oct 2020 21:25:30 +0500 Subject: [PATCH 22/37] Note Removed As suggested by the user, if everything is properly configured the note device should come up in mins. So removed this note. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7921 --- .../microsoft-defender-atp/event-error-codes.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 54be37811e..5a912581c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -36,9 +36,6 @@ You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/librar For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps. -> [!NOTE] -> It can take several days for devices to begin reporting to the Microsoft Defender ATP service. - **Open Event Viewer and find the Microsoft Defender ATP service event log:** 1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**. From 16e2f1495cc677a46928c8ae432fd9fd79bd3319 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 20 Oct 2020 23:49:56 +0530 Subject: [PATCH 23/37] Update windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...protection-update-schedule-microsoft-defender-antivirus.md | 4 ---- 1 file changed, 4 deletions(-) 
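Review bot: Deleting the note in the @@ -36,9 +36,6 @@ hunk of event-error-codes.md leaves the troubleshooting steps with no statement of how long an admin should wait before treating a device that is missing from the **Devices list** as a problem; if "several days" was wrong, replace it with the expectation given in the commit message (minutes once onboarding is configured correctly) rather than removing the guidance outright.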
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 9532a74ee2..694c39157f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -103,7 +103,3 @@ See the following for more information and allowed parameters: - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - - - - From 9d7780f0a967297e564fa2c3e64b031af319924f Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Oct 2020 11:32:35 -0700 Subject: [PATCH 24/37] initial import --- .../deployment/update/safeguard-opt-out.md | 33 +++++++++++++++++++ .../deployment/update/safeguart-opt-out.md | 33 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 windows/deployment/update/safeguard-opt-out.md create mode 100644 windows/deployment/update/safeguart-opt-out.md diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md new file mode 100644 index 0000000000..8a19114d16 --- /dev/null +++ b/windows/deployment/update/safeguard-opt-out.md 
@@ -0,0 +1,33 @@ +--- +title: Opt out of safeguard holds +description: Steps to install an update even it if has a safeguard hold applied +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.collection: m365initiative-coredeploy +manager: laurawi +ms.topic: article +--- + +# Opt out of safeguard holds + +Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. + +## How can I opt out of safeguard holds? + +IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. + +> [!CAUTION] +> Opting out of a safeguard hold can put devices at risk from known performance issues. + +We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. + +Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues. + +> [!NOTE] +> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. 
We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. + + + diff --git a/windows/deployment/update/safeguart-opt-out.md b/windows/deployment/update/safeguart-opt-out.md new file mode 100644 index 0000000000..8a19114d16 --- /dev/null +++ b/windows/deployment/update/safeguart-opt-out.md 
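Review bot: The front matter of the new safeguard-opt-out.md has a typo in its description: "even it if has a safeguard hold applied" should read "even if it has a safeguard hold applied". The file also ends with three empty `+` lines after the note; trim them to a single trailing newline.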
@@ -0,0 +1,33 @@ +--- +title: Opt out of safeguard holds +description: Steps to install an update even it if has a safeguard hold applied +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.collection: m365initiative-coredeploy +manager: laurawi +ms.topic: article +--- + +# Opt out of safeguard holds + +Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. + +## How can I opt out of safeguard holds? + +IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. + +> [!CAUTION] +> Opting out of a safeguard hold can put devices at risk from known performance issues. + +We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. + +Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues. + +> [!NOTE] +> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. 
We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. + + + From bdee74fad286a1926e3f62089eda34ea73d267e3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 11:37:24 -0700 Subject: [PATCH 25/37] Update configure-extension-file-exclusions-microsoft-defender-antivirus.md --- ...ure-extension-file-exclusions-microsoft-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 0fd5be3320..32440c3262 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -12,6 +12,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.date: 10/21/2020 --- # Configure and validate exclusions based on file extension and folder location From 27cff86ad437310bb3016e6763761b0c81341b6f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 11:39:02 -0700 Subject: [PATCH 26/37] Update windows-firewall-with-advanced-security.md --- .../windows-firewall/windows-firewall-with-advanced-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 8a0b17a719..00b1374150 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md 
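Review bot: The second file in this patch, safeguart-opt-out.md, is a byte-for-byte duplicate of safeguard-opt-out.md (both hunks show the same blob id 8a19114d16) under a misspelled name. Drop it from the commit so that only one copy of the page exists; otherwise the two will drift apart on the next edit.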
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 10/21/2020 ms.reviewer: ms.custom: asr --- From 8f83290f03714a0103d3f88beb16a763371f4991 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 11:41:49 -0700 Subject: [PATCH 27/37] Update exploit-protection.md --- .../microsoft-defender-atp/exploit-protection.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index fcd55deef2..7ba2b8b2d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 04/02/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -65,7 +65,7 @@ DeviceEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: |Provider/source | Event ID | Description| -|---|---|---| +|:---|:---|:---| |Security-Mitigations | 1 | ACG audit | |Security-Mitigations | 2 | ACG enforce | |Security-Mitigations | 3 | Do not allow child processes audit | @@ -100,7 +100,7 @@ The mitigations available in EMET are included natively in Windows 10 (starting The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. |Mitigation | Available under exploit protection | Available in EMET | -|---|---|---| +|:---|:---|:---| |Arbitrary code guard (ACG) | yes | yes
As "Memory Protection Check" | |Block remote images | yes | yes
As "Load Library Check" | |Block untrusted fonts | yes | yes | @@ -131,9 +131,6 @@ The table in this section indicates the availability and support of native mitig ## See also - [Protect devices from exploits](exploit-protection.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) - [Optimize ASR rule deployment and detections](threat-protection/microsoft-defender-atp/configure-machines-asr.md) From e41ca707ce43195983823bcf849b1d0d090c95f2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 21 Oct 2020 11:43:47 -0700 Subject: [PATCH 28/37] Update manage-updates-baselines-microsoft-defender-antivirus.md --- .../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 2ddb595a1a..2b26a44de5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 10/08/2020 +ms.date: 10/21/2020 --- # Manage Microsoft Defender Antivirus updates and apply baselines From 440930367127cde1c6817ae722447f1b90d305b3 Mon Sep 17 00:00:00 2001 
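Review bot: the remaining "See also" entry links to threat-protection/microsoft-defender-atp/configure-machines-asr.md, but exploit-protection.md already lives in windows/security/threat-protection/microsoft-defender-atp/, so the relative path resolves to a nested directory that does not exist; it should be configure-machines-asr.md. The hunk also drops the links to evaluate-exploit-protection.md, enable-exploit-protection.md and import-export-exploit-protection-emet-xml.md without the commit message saying whether those pages are being retired; if they still exist, removing the cross-links leaves them unreachable from the overview page, so either keep the entries or note the retirement in the message.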
From: Tina Burden Date: Wed, 21 Oct 2020 11:48:01 -0700 Subject: [PATCH 29/37] pencil edits --- ...e-protection-update-schedule-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 694c39157f..77547b633c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -61,7 +61,7 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Intelligence Updates** and configure the following settings: +5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings: 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. From 183607578790577ec823d399b4d7382debe526f2 Mon Sep 17 00:00:00 2001 
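Review bot: the tree path in step 5 names the node **Signature Intelligence Updates**, while both settings listed beneath it are titled "...check for security intelligence updates"; confirm the node name against the current ADMX so the path matches what admins see in the Group Policy editor, since this edit only re-bolds the existing wording.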
From: jaimeo Date: Wed, 21 Oct 2020 13:14:18 -0700 Subject: [PATCH 30/37] safety commit--new article on optout and edit to UC article --- .../deployment/update/safeguart-opt-out.md | 33 ------------------- ...update-compliance-feature-update-status.md | 14 ++------ 2 files changed, 2 insertions(+), 45 deletions(-) delete mode 100644 windows/deployment/update/safeguart-opt-out.md diff --git a/windows/deployment/update/safeguart-opt-out.md b/windows/deployment/update/safeguart-opt-out.md deleted file mode 100644 index 8a19114d16..0000000000 --- a/windows/deployment/update/safeguart-opt-out.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: Opt out of safeguard holds -description: Steps to install an update even it if has a safeguard hold applied -ms.prod: w10 -ms.mktglfcycl: manage -author: jaimeo -ms.localizationpriority: medium -ms.author: jaimeo -ms.collection: m365initiative-coredeploy -manager: laurawi -ms.topic: article ---- - -# Opt out of safeguard holds - -Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. - -## How can I opt out of safeguard holds? - -IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. - -> [!CAUTION] -> Opting out of a safeguard hold can put devices at risk from known performance issues. - -We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. - -Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues. - -> [!NOTE] -> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. 
We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. - - - diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index b58012dcad..4cc53cea88 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -47,16 +47,6 @@ Update Compliance reporting offers two queries to help you retrieve data relat Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards. -### Opting out of safeguard hold - -Microsoft will release a device from a safeguard hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. -To opt out, set the registry key as follows: - -- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion** -- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0** -- Name :: **DataRequireGatedScanForFeatureUpdates** -- Type :: **REG_DWORD** -- Value :: **0** - -Setting this registry key to **0** will force the device to opt out from *all* safeguard holds. Any other value, or deleting the key, will resume compatibility protection on the device. +### Opt out of safeguard hold +You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. 
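Review bot: the replacement text in update-compliance-feature-update-status.md links to safeguard-opt-out.md, but this commit only deletes safeguart-opt-out.md and adds no file under the corrected name, so the build will report a broken relative link until the renamed article lands; add the renamed file in this commit or hold the link change until it exists. The hunk also removes the registry-based opt-out (**DataRequireGatedScanForFeatureUpdates** under the **502505fe-762c-4e80-911e-0c3fa4c63fb0** key) while the new text scopes the Group Policy to Windows Update for Business devices on Windows 10, version 1809 or later with the October 2020 security update; readers on devices that do not meet that bar are left with no documented path, so say explicitly whether the registry method is no longer supported.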
From 1d7e0b17e1e0b680dd577d9eedae2e4dc7fc71e0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 21 Oct 2020 13:41:30 -0700 Subject: [PATCH 31/37] Correcting path in a link This (should) fix the issue created by commit https://github.com/MicrosoftDocs/windows-docs-pr/pull/4048/commits/836f00270575fd48c914aff89f8d7da6705ee9a9 --- .../microsoft-defender-atp/exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index dd69f3115f..f9bb51fa10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -133,4 +133,4 @@ The table in this section indicates the availability and support of native mitig - [Protect devices from exploits](exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -- [Optimize ASR rule deployment and detections](threat-protection/microsoft-defender-atp/configure-machines-asr.md) +- [Optimize ASR rule deployment and detections](configure-machines-asr.md) From df6972939966b42cb211b52d4641c9ce9ac47bd1 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Oct 2020 15:16:59 -0700 Subject: [PATCH 32/37] main import of main article --- .../images/safeguard-hold-notification.png | Bin 0 -> 36715 bytes windows/deployment/update/safeguard-holds.md | 42 ++++++++++++++++++ .../deployment/update/safeguard-opt-out.md | 3 +- 3 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 windows/deployment/update/images/safeguard-hold-notification.png create mode 100644 windows/deployment/update/safeguard-holds.md 
diff --git a/windows/deployment/update/images/safeguard-hold-notification.png b/windows/deployment/update/images/safeguard-hold-notification.png new file mode 100644 index 0000000000000000000000000000000000000000..68714d08dc488c1a9581435fdc382c5a1c2dc9d9 GIT binary patch literal 36715
z8d?|jx=ahsY}KM|7Wbb7fS_PA`?bn@IS?`VZE|-}xPftnNPtRYAEI_Ci%c>Qy zZ^q4xtMoI85Vl2&7N}Kd>I8VbnV>UDD?L?}D~MH;RB}1;6nx**imx#DSE(&8e6MxT z(UQBj>`rI^+5`P?d+Lhi{41~9j~f9)SdT>W=CgpnmI4mugYEe?MnRBAwk`+g4uR_h z^8hz(kot9$c>9HDbnQZ-@Re8C?xi&aD;gKSH|Mh&(gTKe{g|5DJ5aio1j%hTu!lf@ zbN_KKNC0-B$KnMV$P()wH+AI&qRt%6)#gm+JeV1H$o)$jW!_f2ZjgWw`uBc4e(_27 zly7R{F%XM(lvo|bvjsmOX>FVUI_T}RmT+F6PY!Kc@@=V~vQ2MN1)fa}Iy4hEKNZx? z091hW6Thl_adWrdOM}sjsbefRwSCUB%Z_zy-hYYxZWfGiZTfv)^xL-S5D@LQ$m$m zXP%>4tDAZgWOD6bn{UK|Yo737XHD9xS2Py>E^N&~va4oz#ZZ9!MIwIxE@aKI#FHP; zo2)%G7gVT~0?hEXHJjG7#5iZ9E5O32 zt!Mp4;RF+Pg=yc_<)OIT;eYAQKYZPt1-XB^DO9W1dv2!h%0~ET!BwFh?buV8F>i;s z7Ih(d^!pt#S>M1U_Uw}S+ppnt6m*{qih)^3mZ(YwHBO@TABq^m@)rUe`%LlJ4qod)ZQAvWofj>)l{!c2ITy zr$D9Zm!U5|=MP{7>Ar=_Zvs>fIjN>Ux+gV5bQM$$Aqo^@aTJB^F$Zi~?2<)8H0^L$ z6S@g2FLlwXL-FTd25|xL&hM2sWGOZ&9vy+*LPRg9uSTK$K7#X@84@mD_v;NuFgGlJ zoekXU-+1#`iWcenMAX|T4QA5R+kQ`MKQw~9Qz6U~uaz>7L(PSx`+TA1nAznKrPEp= zjI;GZ&`G8NU@wdHH`XsNC5&5O)zd$wD}ZlboM0^H+fgb>tfB*dT+vmSeIC(c&obxp zj6a&u!o>=eWls5o$+^3iA$t84{;N(Ia`&8XgdL*=v`aJJ{jNq~HE4YCG^jl%*oU)lFu17_wXfL~rl zfapn`auO=5m)}P7svM{cUaM40E{!i9^GKmYzx{J&l^4k9@UiL+qrW`MLyhT>l9ZQX z{{RMcTm_NORSm(rlW&dZocS!5^(B_~n$!Qhdlcd(!07ObhA14iIz$!t>2Fn`(LetxEDR63AN(*-X)($LMCE z+Vdc5B)kU>R#RB_E@VF@onf9k^B&`e)Z2}Ye+$?O08$HxVd1UFLbtNmeVA_q$4iI< zwELWq;dpqV00_VtatA$|slh?3VadYd^NY?Mf*?sghq+Nm&fRwoqmTm7T2=8{keZ~A+TlD%}zW(?miehvH26FbDvt2SCwZmfZN&$aM=FY#` ze;=uSlzruenNEd&*vZ*@;;8KPktq@mKQg*t6lo7XHr6tN?Qrb9+hYzhM6TQ3iVt$v z&n*G3cTNL9cU|S9ejl%7WRSiExvN?X0aSf)w$E@iwroi_*XRSkByCe8ju5Xk$i{!y zq9WEjO*nHusMhY09+y7C`%9ah9bcwGtCGvfx1N`GZB*IwbvekBW+`54wU_XRhdtJd z4et2SA7_!b>dSdDC(uQZHA?bf^9`E3`OCZtt&&Ro%1SS>zct4TfJT+F1{ZqwK84PL z5%QI~)dzNtisTgux)&gGD<*n~Tu7kG>cApDb%pk8VoEAji8~K9mDV-Lh)MbBO z=!NEGU&+|Z*?kkBbW!TxEviH4+>K<;28hXVQP}NYDAvb*CixUdT#w^smk7FieThS1 zacc0Tx+?k?v>I6MDpXUF8zYR#1<|X|n@4vjE;7S$@ta>xml)k(g4$uN)UayV)hp{% zpT(JLLT@|Ty|_k%t6Dfa7{k6*%UAQho0hQrBfJal%1+m`Xq$3TTVDC~Z#X4Ob%DVr 
zF=w}4Ra5!=Y&7K>3{t?H*L75|plYimUZH!vCoWI6vgG2H%ewA%#LupdrYq$InZHf|1_AHeO6Q+7<)+B}|(6n5SC z?|BdSDZcoo_$_Ml9HKucVEdzxeAhHg?5VedHb&IX!MNx2CycEDe=L_l*#7Fr+{L2M zwpa&+AfQ477YWq8o#%p0hpwTqpFo(g6**T_->}~q<0VNbR_?Vvohe`)kfFJ8>xD%B zA6XAk3p*)^f);3$;MH@a9G8H~ix~jLo&Q@S7Riy@trPQ*DT^I7*Yt=IbA}Fay<-M} zVPoIJTW%@2_*!~0s@3&wekp&Ne%?O(AL^aN{(1>R0-v^158I;gUqqO)dW4&JfPEdnxsB57-!As}9wYr$Tnc|(^dR^DPuqK-_?m zAqhwWja@+^l#l^iUv6MOC+e0j1pmCp)U^OU81p`BKh;Jv@VU9t7x$8Yf9=kTVzC{~ zH&;Hd;_?El3;%JLgJoO(FXQ~G~DZ;28%qwrlGzZLcl1W61@3`{fjC##1Wmi-Q;zhgi~FW3QiAbC!#!sjUsGnC@$gQxwlHK2l!$92cqjfzI=cdNd)1U8cnxfJ zpHE!W6$hHp{~-+tN)vm7YV1sNYIn9;H_BHhR>~U=wp6vzvm+}5s{s?d_=N@avAb5_ zR`G+ep4`2U_qYVsDTU;Q2IArV(r@?2TpjYpTyd*`1(pVlo|=-c|L^~0tMNZ=TzLts zjK*02sXHXdr>FgxB#s|%6InqR`0)qroca={D39*c7e7EYi7IWM22td-7&cRlAiwXU z-|iQ#u;e9G-|pGdm_Na<@_0S!-0x1$(2q9!U(jJooB_;#RgeiD;;%=)KJThgy8p?^ z%D=tkpfe$Y->hB0+yP5>DOV4bO=Mx(1G{}l&FE#z<;f)4X#VHI-<YURD}rdo|6O5Tr?oagAO(AYU&~LAX-(>x(2HEf9wP5?gLxEnpz)dd}>Gib(RU z`61%G*#BDYjlX9n6D1$?q*mv6n7sECd;EX<3b@(@a9!7#RHPc>6odYLrB3$MH-xDK zP7e8=9<6XE84s;*Mh-k|$;sV55V=#fz_tKc@+0Vky|e(7Ml67+L$W{@EmEM{Dqf)5 zREt+UN=}tue3v@6Vj7ERiK;MHnl)jc>4x6Ui1ah z%-0k5fJkEwCk@_FKQeAM~wh)1oLp2FLh1vTkWV1wWI+<55u`n)~;I0k{)_ud`Z zhhGyiyOQaHXt^ZOQ7%51f}|dlg>4Z4A0YlLXK7$8CwH(uH`m8T^|;hnooH8rW6hhm z%DcDgze~FwV336z0_V7%Jn>{ylwDjNHfPlme@wWT2M`hY^i+>t(E}_)KEJ;oefNho zN0QY=5oZA4al-n)h(+xJ3%|8|4w=`l7`_1qh35w!;#HJ_4JA2OlQBNU(*J9T5Z%KO zWc+|T`~4pC`N+7ExtWWZZi1G$FG$mEPs&+X8hl!&IQ)aJh!%N@kg3_Yd7QRns@r;I zkZ-K6;Hntex|Yj&|4hVH!tCv+U;vasTvOI~f!4A;P;{b@Eurp_M^LDE;X@5=s zOyy-~WU9Qg$;9e^o%v4%aEqWD-LahJ6zkUaA^_EscGIoGUH`5FAVhuAAThjfz(MkU zPp5Y760%k_G6?QzW)Zq!;OgxA(GEn|1U2-9^)Jz0v=W~(@VPxTzwua{2H*(Cb1O(}0r+yR0+1KB$_CT~a3l%yf|_wU|NU5X z3Ak>i@2;1y-fZJRp)oBgXEW8(L7S@__{kv-#XzGNAQI%VYi|*HNhE=2tAVn0h1WN2 zCDAC3@$Kaf#KCj+qSAA$hsFuh5J$-!1N6wYz3+QR5R&CdHKea>+{Mzc&LH6ZweI}tltQWuq^%fX+> zAB=X1U)$T5bf;LX4$D~@zL&d1WX%c6q0T1!Y_!;Z4OzE!r0(&kN|yD_?lRu9=ws5F zKl!-I(_jPqc4_id)T>00t!;sp}X~Klrvt|$4(9^`2aNQ 
zBzMB(>iey^T7#Ruq-D!RC&O~EhFezIl9N4iX)t~OoDPQ_SJJw5J&yMBmRXz@U3Ct6 z&gV$EJZ0SH4jpn45_`cDw7r+P$`fSPxySUJckAJ3(T%6t;#%jOsDXLAW}E}v#DDPE z*Z3#}(yw2MB9S~MJuG3ro>o`qU&)DCZMRrOW9{RE7qS(r5=}-x)gSuu@5hc6j)l~Ocm3@V?i{^^@~$0)U`7kCAzKubG>|;JVRbQa|5++d z>)rLQGMC?z=4dEy4WRUOX0@Nt!|(V^us}g~+$8>7TR0vcysz2j1#IMx9P2lz$dsP( zt3pLLEVX&H*qLh5d0YXmB8g?R*1v!}?xZq1K9F|cTI+pWkIf)%y9D_3$ZofN(>bTE z0)%Ma=VAMKQF3?K^qiC%%#xitE51rsy^eSouUCq-1BZF0K&Nu|j)1$$V*aq={?Ap8 z2EQeZ_GwjqUIj#U-_l9>`w3E7y{wK_Wc?-L?r2VK}zLaTw z#+Es_A2k3M8kHP+D6V3%4)b4V50#Sz(2+;@>G@N6Am*U7i5@yyM**FtX5hNQ1l@r_ z0rDn6zAeeQHN_c86y9}rAEj8B~BA?^LsfyubCHMtej zxLbZVgB5L`0(j^1%B-rJt}2d15Z8PI?=ERH18G8Hdj-5RzK5GKdObA`(EvxPSAY0u zhCHmeMq1?vFeKYI#YGU~;yR}9_k`$jB?NB!Gi;nCu5#2o@Pt;FdeSS(Drsh#bR60Y zAMMYwLibcx5>d&9;y^1`z^Ju{*T?MSoI&@4NevxTfWOD2B1>@-e6#&RVHa(-QeDU` zX0Hs{K6fJP?U$xtm*dZ#C$sdmU4L;tJ=j6_)4H~{^tKdh?I4@8UE{jGHXi+5r}A{Y z>CO6YF919J^}qdD~{V)pUla7Lf3dPm8Uhc6SQ`qXQogtG~+H2jPPW3>ykxnda0C67IQGm~k1v7CU6tEp4Iq z1{zLD8yh&lq~mSo-o@%ZqN_0G-9gFT2?P|dof9`R-`~EnK)6K)xaDO7DfK7&BYG&c z@GQVP!hi=Tb7d0oxHtnQ@4bG73BOFY?=OW?Eqs znwZe{QDAld^;e(2thZj)o!&Y3>~rtlnKeBfHPUx=pV08deDU<@v{&NDJV zsA&D^(lmT9;LC&(AehCy^pBrcfT(UK%-jCu`mE=Tl~4@>RMvw*2Wnxyv_1X_eDLzs zFN^FgB>f+N`Vu!d-KjcfMM*)K{n{po=Aup41>mLu$s58xhalLRE@%1AVwF!hdv6JW z1WG-mvp&@VR0;_4n_^+2CWxb#ArzAIBPSwp%Ig9RV$t488MrOEK3S4U%}r%$cte*= z76pishgs}-I36<^(R};h9gAON#ZvD9mG3~Q!ukS_k*+~${Js>KKGBe)?xwi`ID?}@CB8T7h%Tjd@3b)sash#gj0?eW53 zK>!GLXXs=`@|q!A%^gmUPWoF>;FwMl&zrIo%QS*d2Z(1pNkDy$p4_rXL$3AO&W{l7 zaofpGMTnoXjblnk?PCq2OO7apgBbi^6F!v|0cWp_1th(Oe1Ov>Q%LMn%20k2iFtI~xK~f&G zRGl1eiBy1!Rv}O28d4}#5~xuJCr;~P>J&G$p8??%bD&A1*}v+pUtCS&9E^FCl+en+ z^#aCYNEHAi*u3-Ll4qmc%&+H4!iIJaR#r7Qsh|ECp^1EakSePnZM2=GQ+%U9il~8SBO~y< zSmekynYt5t)+fwfC4Cn@5N8MWf`GW9iOJGhzUzFv;u&+|X6pF`%Zv=gv#{vR#mvP1 zpg#xab+{qtrG^-=0NTW^=R}Ka%#$h7r?(zup;-v}5;{n+{p3pw98U|L`eyW6r*>LD zKazimk0$|A-SQbKqV(Y{;-PFFkd$ywtLzj3?W3EK39~rTU(=}aFh-O@$Yf5l93i4P zHE27HDa|FJNm?k!FfQoqstm%~!AK0bb)ORwVyUJ5fYF zP$bU GYF?+Xd@pu?1popS|9JA0`Hpc|JdK 
[!CAUTION] +> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out. + +With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, protection of safeguard holds is reinstated automatically. diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index 8a19114d16..b290de8acf 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md
@@ -6,14 +6,13 @@ ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.collection: m365initiative-coredeploy manager: laurawi ms.topic: article --- # Opt out of safeguard holds -Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. +Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see LINK ## How can I opt out of safeguard holds? From c3c167b294a0f5f93dd19e2aec5d6824612041b9 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Oct 2020 15:20:13 -0700 Subject: [PATCH 33/37] connected to TOC, some cross-linking --- windows/deployment/TOC.yml | 4 ++++ windows/deployment/update/safeguard-opt-out.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 8778dee89c..fdc36528a1 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -144,6 +144,8 @@ href: update/media-dynamic-update.md - name: Migrating and acquiring optional Windows content href: update/optional-content.md + - name: Safeguard holds + href: update/safeguard-holds.md - name: Manage the Windows 10 update experience items: - name: Manage device restarts after updates 
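Review bot: in the safeguard-holds.md hunk that adds the `[!CAUTION]` callout, the sentence "We recommend opting out only in an IT environment and for validation purposes" is ambiguous, because every managed device is in an IT environment; if the intent is a test or pilot ring, say so ("only on test or pilot devices, for validation purposes"). The callout also warns about "known performance issues" while safeguard-opt-out.md in the same series defines a hold as protecting "a device with a known compatibility issue"; consider "known compatibility or performance issues" so the warning and the definition cover the same scope.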
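Review bot: the added sentence in the safeguard-opt-out.md hunk ends with a literal placeholder, `For more information about safeguard holds, see LINK`, which would ship to readers as written; the later commit c3c167b in this series replaces it with `[Safeguard holds](safeguard-holds.md)`, so squash that fix into this commit rather than landing the placeholder. The same hunk also deletes `ms.collection: m365initiative-coredeploy` from the front matter with no explanation in the visible change; if dropping the page from that collection is intended, say so in the commit message, otherwise restore the line.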
@@ -237,6 +239,8 @@ items: - name: How to troubleshoot Windows Update href: update/windows-update-troubleshooting.md + - name: Opt out of safeguard holds + href: update/safeguard-opt-out.md - name: Determine the source of Windows Updates href: update/windows-update-sources.md - name: Common Windows Update errors diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index b290de8acf..a6ad9a0b05 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md @@ -12,7 +12,7 @@ ms.topic: article # Opt out of safeguard holds -Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see LINK +Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md). ## How can I opt out of safeguard holds? From aa46b2c7a57fe3f3240aa1c4815b0a72464d3bc1 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 21 Oct 2020 15:26:05 -0700 Subject: [PATCH 34/37] fixing image call --- windows/deployment/update/safeguard-holds.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index cb06941c37..558b46cea1 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md 
@@ -28,7 +28,8 @@ Queries identify Safeguard IDs for each affected device, giving IT admins a deta On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message: -:::image type="content" source="images/safeguard-hold-notification.png" alt-text="Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page."::: + +![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page](images/safeguard-hold-notification.png) If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely. From cc6dace3df30a4ce797537c2a65f57238c4e47fc Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 21 Oct 2020 16:15:57 -0700 Subject: [PATCH 35/37] device impact --- .../next-gen-threat-and-vuln-mgt.md | 2 +- .../tvm-assign-device-value.md | 17 +++++++++++++---- .../tvm-dashboard-insights.md | 1 + .../tvm-end-of-support-software.md | 1 - .../microsoft-defender-atp/tvm-exception.md | 1 + .../tvm-exposure-score.md | 1 + .../tvm-hunt-exposed-devices.md | 1 + .../tvm-microsoft-secure-score-devices.md | 2 +- .../microsoft-defender-atp/tvm-prerequisites.md | 1 + .../microsoft-defender-atp/tvm-remediation.md | 1 + 10 files changed, 21 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 2e96df8aa4..54a1538ebe 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual +ms.topic: overview --- # Threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md index 9c96e86336..8dfec3f344 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md @@ -23,10 +23,10 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -54,14 +54,23 @@ Examples of devices that should be assigned a high value: 1. Navigate to any device page, the easiest place is from the device inventory. 2. Select **Device value** from three dots next to the actions bar at the top of the page. - ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) -

+ ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) 3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. ![Example of the device value flyout.](images/tvm-device-value-flyout.png) +## How device value impacts your exposure score + +The exposure score is a weighted average across all devices. If you have device groups, you can also filter the score by device group. + +- Normal devices have a weight of 1 +- Low value devices have a weight of 0.75 +- High value devices have a weight of NumberOfAssets / 10. + - If you have 100 devices, each high value device will have a weight of 10 (100/10) + ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) +- [Exposure Score](tvm-exposure-score.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index debae585fc..004ad94602 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -25,6 +25,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) 
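Review bot: in the safeguard-holds.md hunk of commit aa46b2c ("fixing image call"), the replacement markdown image loses the closing `."` of the quoted message: the alt text now ends `...you'll see the update available on this page` and the opening quote before `The Windows 10 May 2020 Update` is never closed. The original `:::image:::` form broke because the `alt-text` attribute contained unescaped double quotes; either keep the triple-colon syntax and drop the inner quotes from the alt text, or balance the quote in the new `![...](images/safeguard-hold-notification.png)` form.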
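Review bot: the new "How device value impacts your exposure score" section in tvm-assign-device-value.md gives high value devices a weight of `NumberOfAssets / 10`, which for a tenant with fewer than 10 devices yields a weight below 1, i.e. less than a normal device (5 devices gives 0.5) and, below 8 devices, less than a low value device at 0.75; state whether a minimum weight applies, and whether `NumberOfAssets` counts all devices or only the selected device group when the score is filtered by group, since the preceding sentence says the score can be filtered that way. The same hunk also strips the trailing newline at end of file (`\ No newline at end of file` after the `+- [APIs](next-gen-threat-and-vuln-mgt.md#apis)` line); restore it.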
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md index cbc9cc0924..7d2f8da30c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md @@ -22,7 +22,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md index 8b0dad82a1..f8f6565174 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -23,6 +23,7 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 9d0f0c2f8a..184d1740b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -26,6 +26,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md index 694318d1d4..d530052017 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md @@ -26,6 +26,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 5bf4c26a63..ea67db383d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md 
@@ -22,10 +22,10 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >[!NOTE] > Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md index 437ee5c49d..9aba0d42d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -24,6 +24,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 72f2ad5028..83f4fa34f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -24,6 +24,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) From dd2e31a886078749e0b46335cd33ef4bdc2ecf47 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 21 Oct 2020 16:33:32 -0700 Subject: [PATCH 36/37] Corrected contributor's user name, removed `/en-us` from a URL --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 5c960685b2..d181f745f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: jogeurte +author: jgeurten ms.reviewer: isbrahm ms.author: dansimp manager: dansimp 
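Review bot: the "Applies to" edits across the tvm-*.md files in commit cc6dace are inconsistent: tvm-exception.md gains a blank line between `**Applies to:**` and its first bullet, while tvm-assign-device-value.md, tvm-end-of-support-software.md and tvm-microsoft-secure-score-devices.md delete the blank line before `**Applies to:**`; pick one layout for the block and apply it to all ten files. tvm-end-of-support-software.md is also the only touched page that does not receive the new `- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)` bullet, which looks like an omission. Separately, the `ms.topic: conceptual` to `ms.topic: overview` change in next-gen-threat-and-vuln-mgt.md is unrelated to the subject "device impact" and belongs in its own commit or at least in the commit message.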
@@ -29,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] From a791a02db0957ca308c5ce23bb370041e1639014 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 21 Oct 2020 16:39:56 -0700 Subject: [PATCH 37/37] Minor corrections in order to have something to push --- .../microsoft-recommended-driver-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
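Review bot: since this line of microsoft-recommended-driver-block-rules.md is being rewritten anyway, fix the grammar in `Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen.`: "can cause devices or software to malfunction, and in rare cases, a blue screen" (or "can result in devices or software malfunctioning"). Removing `/en-us` from the HVCI link is correct, as the locale-free URL lets the site serve localized content.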
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index d181f745f5..70b5806db3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -24,9 +24,9 @@ ms.date: 10/15/2020 - Windows 10 - Windows Server 2016 and above -Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: -- Hypervisor-protected code integrity (HVCI) enabled devices +- Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. 
If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
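Review bot: both changed lines in this hunk (`Microsoft has strict requirements for code running in kernel. ...` and `- Hypervisor-protected code integrity (HVCI) enabled devices`) show no visible difference between their `-` and `+` forms, so the edit is whitespace-only (trailing spaces or line endings); the commit message "Minor corrections in order to have something to push" should state that, and the change could be folded into the preceding commit dd2e31a, which already touches the same paragraph of the same file. While the paragraph is open, "code running in kernel" reads better as "code running in the kernel".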