From e074ca48d307e14e4590666cee8f6b116d15319a Mon Sep 17 00:00:00 2001 From: "H. Poulsen" Date: Tue, 12 Apr 2016 16:15:19 -0700 Subject: [PATCH 01/59] Post-migration cleanup - author updates --- ...ows-10-operating-system-image-using-configuration-manager.md | 2 +- ...10-deployment-with-windows-pe-using-configuration-manager.md | 2 +- windows/deploy/assign-applications-using-roles-in-mdt-2013.md | 2 +- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- windows/deploy/configure-mdt-2013-for-userexit-scripts.md | 2 +- windows/deploy/configure-mdt-2013-settings.md | 2 +- windows/deploy/configure-mdt-deployment-share-rules.md | 2 +- ...a-custom-windows-pe-boot-image-with-configuration-manager.md | 2 +- ...create-a-task-sequence-with-configuration-manager-and-mdt.md | 2 +- windows/deploy/create-a-windows-10-reference-image.md | 2 +- ...ion-to-deploy-with-windows-10-using-configuration-manager.md | 2 +- windows/deploy/deploy-a-windows-10-image-using-mdt.md | 2 +- .../deploy-windows-10-using-pxe-and-configuration-manager.md | 2 +- ...ndows-10-with-system-center-2012-r2-configuration-manager.md | 2 +- .../deploy-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/deploy-windows-to-go.md | 2 +- ...tion-for-windows-10-deployment-with-configuration-manager.md | 2 +- .../deploy/get-started-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/integrate-configuration-manager-with-mdt-2013.md | 2 +- windows/deploy/key-features-in-mdt-2013.md | 2 +- windows/deploy/mdt-2013-lite-touch-components.md | 2 +- .../monitor-windows-10-deployment-with-configuration-manager.md | 2 +- windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md | 2 +- ...uch-installation-of-windows-10-with-configuration-manager.md | 2 +- ...dows-7-client-with-windows-10-using-configuration-manager.md | 2 +- windows/deploy/refresh-a-windows-7-computer-with-windows-10.md | 2 +- ...dows-7-client-with-windows-10-using-configuration-manager.md | 2 +- .../replace-a-windows-7-computer-with-a-windows-10-computer.md | 2 +- windows/deploy/set-up-mdt-2013-for-bitlocker.md | 2 +- .../simulate-a-windows-10-deployment-in-a-test-environment.md | 2 +- ...ade-to-windows-10-with-system-center-configuraton-manager.md | 2 +- ...grade-to-windows-10-with-the-microsoft-deployment-toolkit.md | 2 +- windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md | 2 +- ...e-mdt-database-to-stage-windows-10-deployment-information.md | 2 +- windows/deploy/use-web-services-in-mdt-2013.md | 2 +- windows/deploy/windows-10-deployment-scenarios.md | 2 +- windows/deploy/windows-deployment-scenarios-and-tools.md | 2 +- windows/keep-secure/device-guard-deployment-guide.md | 2 +- windows/keep-secure/microsoft-passport-guide.md | 2 +- ...ets-by-controlling-the-health-of-windows-10-based-devices.md | 2 +- windows/keep-secure/windows-10-enterprise-security-guides.md | 2 +- windows/keep-secure/windows-10-mobile-security-guide.md | 2 +- windows/keep-secure/windows-10-security-guide.md | 2 +- windows/plan/best-practice-recommendations-for-windows-to-go.md | 2 +- windows/plan/chromebook-migration-guide.md | 2 +- windows/plan/deployment-considerations-for-windows-to-go.md | 2 +- windows/plan/prepare-your-organization-for-windows-to-go.md | 2 +- ...rity-and-data-protection-considerations-for-windows-to-go.md | 2 +- windows/plan/windows-10-compatibility.md | 2 +- windows/plan/windows-10-deployment-considerations.md | 2 +- windows/plan/windows-10-guidance-for-education-environments.md | 2 +- windows/plan/windows-10-infrastructure-requirements.md | 2 +- windows/plan/windows-10-servicing-options.md | 2 +- windows/plan/windows-to-go-frequently-asked-questions.md | 2 +- windows/plan/windows-to-go-overview.md | 2 +- 55 files changed, 55 insertions(+), 55 deletions(-) diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md index 7be8c2bbe2..13a328ea77 100644 --- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["image, deploy, distribute"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Add a Windows 10 operating system image using Configuration Manager diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index b655ccdd8b..8e72718b82 100644 --- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["deploy, task sequence"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md index d5fba8327f..a93346b78f 100644 --- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md +++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["settings, database, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Assign applications using roles in MDT diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 8d78744690..481c3d0c86 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -6,7 +6,7 @@ keywords: ["replication, replicate, deploy, configure, remote"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Build a distributed environment for Windows 10 deployment diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index 01607fa6ca..69aaf853db 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md @@ -6,7 +6,7 @@ keywords: ["rules, script"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Configure MDT for UserExit scripts diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index 40a852f3b9..853cc6bf85 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md @@ -6,7 +6,7 @@ keywords: ["customize, customization, deploy, features, tools"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Configure MDT settings diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index f0b9946f1e..a600557e1a 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md @@ -6,7 +6,7 @@ keywords: ["rules, configuration, automate, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Configure MDT deployment share rules diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 7b6d831fae..049c3e93c2 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["tool, customize, deploy, boot image"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Create a custom Windows PE boot image with Configuration Manager diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index 3430f96464..03c856a7dc 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -6,7 +6,7 @@ keywords: ["deploy, upgrade, task sequence, install"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Create a task sequence with Configuration Manager and MDT diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index 61dd970142..f501072a3f 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md @@ -6,7 +6,7 @@ keywords: ["deploy, deployment, configure, customize, install, installation"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Create a Windows 10 reference image diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index d0edd50de2..c47ac7bc38 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["deployment, task sequence, custom, customize"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Create an application to deploy with Windows 10 using Configuration Manager diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 9ae073428b..366d5f7b7c 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md @@ -6,7 +6,7 @@ keywords: ["deployment, automate, tools, configure"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Deploy a Windows 10 image using MDT 2013 Update 2 diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 3ee3168fb2..0cdf8e0509 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["deployment, image, UEFI, task sequence"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Deploy Windows 10 using PXE and Configuration Manager diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 747ea8bb0e..32ee03ca6c 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["deployment, custom, boot"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Deploy Windows 10 with System Center 2012 R2 Configuration Manager diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index bcb0321bfd..dec8665051 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -6,7 +6,7 @@ keywords: ["deploy", "tools", "configure", "script"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Deploy Windows 10 with the Microsoft Deployment Toolkit diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md index 45666c4a6c..609ae81687 100644 --- a/windows/deploy/deploy-windows-to-go.md +++ b/windows/deploy/deploy-windows-to-go.md @@ -6,7 +6,7 @@ keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Deploy Windows To Go in your organization diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 3224e87eca..67136031be 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["configure, deploy, upgrade"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 57a20dea3e..80d8c4e9f8 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md @@ -6,7 +6,7 @@ keywords: ["deploy", "image", "feature", "install", "tools"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Get started with the Microsoft Deployment Toolkit (MDT) diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 3ad425ec3f..fb39507c19 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["deploy, image, customize, task sequence"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Integrate Configuration Manager with MDT 2013 Update 2 diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index cf864d189c..21bcc2ef9a 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["deploy, feature, tools, upgrade, migrate, provisioning"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Key features in MDT 2013 Update 2 diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md index 0bfae9889e..580575314a 100644 --- a/windows/deploy/mdt-2013-lite-touch-components.md +++ b/windows/deploy/mdt-2013-lite-touch-components.md @@ -6,7 +6,7 @@ keywords: ["deploy, install, deployment, boot, log, monitor"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # MDT 2013 Update 2 Lite Touch components diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md index 6b38847674..7802d20b05 100644 --- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["deploy, upgrade"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Monitor the Windows 10 deployment with Configuration Manager diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md index 4e0d835ea6..19e866a468 100644 --- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["deploy, system requirements"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Prepare for deployment with MDT 2013 Update 2 diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ca1a31fd3a..d9735f4ee1 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["install, configure, deploy, deployment"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 374661ead5..7d5143cf31 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["upgrade, install, installation, computer refresh"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index fee360b2f4..922ae1219e 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md @@ -6,7 +6,7 @@ keywords: ["reinstallation, customize, template, script, restore"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Refresh a Windows 7 computer with Windows 10 diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index b9c865b739..44bc003fca 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ keywords: ["upgrade, install, installation, replace computer, setup"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index 5dd918cbc5..ba1084135e 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -6,7 +6,7 @@ keywords: ["deploy, deployment, replace"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Replace a Windows 7 computer with a Windows 10 computer diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 23cf6ecf88..3dec8b16b3 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md @@ -6,7 +6,7 @@ keywords: ["disk, encryption, TPM, configure, secure, script"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Set up MDT for BitLocker diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index 9afc652d9c..9182555e85 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -6,7 +6,7 @@ keywords: ["deploy, script,"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Simulate a Windows 10 deployment in a test environment diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index d0f0ff8e73..030ab711f2 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -5,7 +5,7 @@ ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 keywords: ["upgrade, update, task sequence, deploy"] ms.prod: W10 ms.mktglfcycl: deploy -author: CFaw +author: mtniehaus --- # Upgrade to Windows 10 with System Center Configuration Manager diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 2fa1a8e500..210b0fe19e 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -6,7 +6,7 @@ keywords: ["upgrade, update, task sequence, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Upgrade to Windows 10 with the Microsoft Deployment Toolkit diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index 58b322dba8..ed32ecba07 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["web services, database"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Use Orchestrator runbooks with MDT diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index ee21e399db..f832cb28d8 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -6,7 +6,7 @@ keywords: ["database, permissions, settings, configure, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Use the MDT database to stage Windows 10 deployment information diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 09d35ecef9..c8532e5a75 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -6,7 +6,7 @@ keywords: ["deploy, web apps"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Use web services in MDT diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index c8b2a39bfd..54221f9de3 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md @@ -6,7 +6,7 @@ keywords: ["upgrade, in-place, configuration, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Windows 10 deployment scenarios diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index 9d87667c9a..a66deb1389 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -6,7 +6,7 @@ keywords: ["deploy, volume activation, BitLocker, recovery, install, installatio ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: CFaw +author: mtniehaus --- # Windows 10 deployment tools diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index cdedb8169e..12aeaa9ef7 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -5,7 +5,7 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: ["virtualization", "security", "malware"] ms.prod: W10 ms.mktglfcycl: deploy -author: brianlic-msft +author: challum --- # Device Guard deployment guide diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index 17108c5fef..d2d62ba501 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md @@ -6,7 +6,7 @@ keywords: ["security", "credential", "password", "authentication"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: brianlic-msft +author: challum --- # Microsoft Passport guide diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 1d7eabec2a..5d96128049 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -6,7 +6,7 @@ keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"] ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: brianlic-msft +author: arnaudjumelet --- # Control the health of Windows 10-based devices diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 7422955a9c..75dfd59ad1 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -5,7 +5,7 @@ ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: brianlic-msft +author: challum --- # Enterprise security guides diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index b8fcdfb590..7995030e49 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -6,7 +6,7 @@ keywords: ["data protection, encryption, malware resistance, smartphone, device, ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: brianlic-msft +author: AMeeus --- # Windows 10 Mobile security guide diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index ec556b3cf0..fbcf34aefe 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -6,7 +6,7 @@ keywords: ["configure", "feature", "file encryption"] ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: brianlic-msft +author: challum --- # Windows 10 security overview diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md index 8ab55ac121..4ef9e9177e 100644 --- a/windows/plan/best-practice-recommendations-for-windows-to-go.md +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md @@ -6,7 +6,7 @@ keywords: ["best practices, USB, device, boot"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Best practice recommendations for Windows To Go diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 87c111f100..e56979fdef 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md @@ -6,7 +6,7 @@ keywords: ["migrate", "automate", "device"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: craigash --- # Chromebook migration guide diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index 473ff80e7e..8d512f6395 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -6,7 +6,7 @@ keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Deployment considerations for Windows To Go diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md index 8c14a856c0..f66acaff2b 100644 --- a/windows/plan/prepare-your-organization-for-windows-to-go.md +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md @@ -6,7 +6,7 @@ keywords: ["mobile, device, USB, deploy"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Prepare your organization for Windows To Go diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md index 41a1cbce6f..7343863528 100644 --- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md @@ -6,7 +6,7 @@ keywords: ["mobile, device, USB, secure, BitLocker"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Security and data protection considerations for Windows To Go diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md index 1f9c40a938..7823fc3961 100644 --- a/windows/plan/windows-10-compatibility.md +++ b/windows/plan/windows-10-compatibility.md @@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "appcompat"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows 10 compatibility diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md index 422ff1b3af..51d122fa2b 100644 --- a/windows/plan/windows-10-deployment-considerations.md +++ b/windows/plan/windows-10-deployment-considerations.md @@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "in-place"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows 10 deployment considerations diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md index 91d543470a..716217d420 100644 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ b/windows/plan/windows-10-guidance-for-education-environments.md @@ -5,7 +5,7 @@ ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: craigash --- # Guidance for education environments diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index 0718fc8270..bfa40b1eca 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "hardware"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows 10 infrastructure requirements diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 1ed3b55f95..0cf0cd63eb 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "servicing"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows 10 servicing options diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md index 3f8e61bb9f..0eaa4178e6 100644 --- a/windows/plan/windows-to-go-frequently-asked-questions.md +++ b/windows/plan/windows-to-go-frequently-asked-questions.md @@ -6,7 +6,7 @@ keywords: ["FAQ, mobile, device, USB"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows To Go: frequently asked questions diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md index a84b375c14..c473ab949b 100644 --- a/windows/plan/windows-to-go-overview.md +++ b/windows/plan/windows-to-go-overview.md @@ -6,7 +6,7 @@ keywords: ["workspace, mobile, installation, image, USB, device, image"] ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: TrudyHa +author: mtniehaus --- # Windows To Go: feature overview From d47f7d286d210d5fd87d9bbb6de0816f04a4cb4b Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 22 Apr 2016 13:12:16 -0700 Subject: [PATCH 02/59] added params to scanstate syntax topic --- windows/deploy/usmt-scanstate-syntax.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index 09eb224de7..95594ff971 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -58,7 +58,7 @@ This section explains the syntax and usage of the **ScanState** command-line opt The **ScanState** command's syntax is: -scanstate \[*StorePath*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] +scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] For example: @@ -89,6 +89,14 @@ To create an encrypted store using the Config.xml file and the default migration

StorePath

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

+ +

/apps

+

Scans the image for apps and includes them and their associated registry settings.

+ + +

/ppkg [<FileName>]

+

Exports to a specific file location.

+

/o

Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

From 97e8a98f7af64fe4e6574b49cef5af2dca407a37 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 22 Apr 2016 13:19:37 -0700 Subject: [PATCH 03/59] fixed even row in table --- windows/deploy/usmt-scanstate-syntax.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md index 95594ff971..ff2636ee8c 100644 --- a/windows/deploy/usmt-scanstate-syntax.md +++ b/windows/deploy/usmt-scanstate-syntax.md @@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration

StorePath

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

- +

/apps

Scans the image for apps and includes them and their associated registry settings.

From 32f6a096b1fd7ca3722701a58efcbb6ab161700f Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 22 Apr 2016 15:12:54 -0700 Subject: [PATCH 04/59] Created redirect topics and links in main TOC. --- mdop/TOC.md | 2 ++ mdop/dart-v65 | 9 +++++++++ mdop/softgrid-application-virtualization | 9 +++++++++ 3 files changed, 20 insertions(+) create mode 100644 mdop/dart-v65 create mode 100644 mdop/softgrid-application-virtualization diff --git a/mdop/TOC.md b/mdop/TOC.md index ebafec6c21..56e5ab8cd5 100644 --- a/mdop/TOC.md +++ b/mdop/TOC.md @@ -3,10 +3,12 @@ ## [Application Virtualization]() ### [Application Virtualization 5](appv-v5/) ### [Application Virtualization 4](appv-v4/) +### [SoftGrid Application Virtualization](softgrid-application-virtualization.md) ## [Diagnostics and Recovery Toolset]() ### [Diagnostics and Recovery Toolset 10](dart-v10/) ### [Diagnostics and Recovery Toolset 8](dart-v8/) ### [Diagnostics and Recovery Toolset 7](dart-v7/) +### [Diagnostics and Recovery Toolset 6.5](dart-v65.md) ## [Microsoft Bitlocker Administration and Monitoring]() ### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/) ### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/) diff --git a/mdop/dart-v65 b/mdop/dart-v65 new file mode 100644 index 0000000000..335e945881 --- /dev/null +++ b/mdop/dart-v65 @@ -0,0 +1,9 @@ +--- +title: Diagnostics and Recovery Toolset 6.5 +description: Diagnostics and Recovery Toolset 6.5 +author: jamiejdt +--- + +# Diagnostics and Recovery Toolset 6.5 + +Selecting the link for [Diagnostics and Recovery Toolset 6.5 documentation](https://technet.microsoft.com/en-us/library/jj713388.aspx) will take you to another website. Use your browser's **Back** button to return to this page. \ No newline at end of file diff --git a/mdop/softgrid-application-virtualization b/mdop/softgrid-application-virtualization new file mode 100644 index 0000000000..fd762e0136 --- /dev/null +++ b/mdop/softgrid-application-virtualization @@ -0,0 +1,9 @@ +--- +title: SoftGrid Application Virtualization +description: SoftGrid Application Virtualization +author: jamiejdt +--- + +# SoftGrid Application Virtualization + +Selecting the link for [SoftGrid Application Virtualization documentation](https://technet.microsoft.com/en-us/library/bb906040.aspx) will take you to another website. Use your browser's **Back** button to return to this page. \ No newline at end of file From db0a455bcf7f02c83e76eb8ea2d7e2c7655de080 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 22 Apr 2016 15:21:20 -0700 Subject: [PATCH 05/59] Removed links to old content --- mdop/agpm/resources-for-agpm.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md index a87c1701fd..def2f4bf52 100644 --- a/mdop/agpm/resources-for-agpm.md +++ b/mdop/agpm/resources-for-agpm.md @@ -12,10 +12,6 @@ author: jamiejdt - [Advanced Group Policy Management 4.0 documents](http://go.microsoft.com/fwlink/?LinkID=158931) -- [Advanced Group Policy Management 3.0 documents](http://go.microsoft.com/fwlink/?LinkID=158930) - -- [Advanced Group Policy Management 2.5 documents](http://go.microsoft.com/fwlink/?LinkId=163556) - ### Microsoft Desktop Optimization Pack resources - [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](http://go.microsoft.com/fwlink/?LinkID=159870) (http://www.microsoft.com/technet/mdop): Links to MDOP videos and resources. From 8822930ebecd23fc1c43cec467fa6d90135eb13d Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 22 Apr 2016 15:24:13 -0700 Subject: [PATCH 06/59] Corrected file names - renamed --- mdop/{dart-v65 => dart-v65.md} | 0 ...tion-virtualization => softgrid-application-virtualization.md} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename mdop/{dart-v65 => dart-v65.md} (100%) rename mdop/{softgrid-application-virtualization => softgrid-application-virtualization.md} (100%) diff --git a/mdop/dart-v65 b/mdop/dart-v65.md similarity index 100% rename from mdop/dart-v65 rename to mdop/dart-v65.md diff --git a/mdop/softgrid-application-virtualization b/mdop/softgrid-application-virtualization.md similarity index 100% rename from mdop/softgrid-application-virtualization rename to mdop/softgrid-application-virtualization.md From aefb6f66b9744231f98c1e75510ff89fedfb9426 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 25 Apr 2016 09:08:47 -0700 Subject: [PATCH 07/59] VSO bug# 7007957 --- windows/manage/disconnect-your-organization-from-microsoft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index 925e0f6684..3ef46d052e 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ b/windows/manage/disconnect-your-organization-from-microsoft.md @@ -370,7 +370,7 @@ You can prevent Windows from setting the time automatically. -or- -- Create a REG\_DWORD registry setting called **NoSync** in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters**, with a value of 1. +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. ### 3. Device metadata retrieval From 389fdb445660ed90f88d422be81c320ea7b4b9c1 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Apr 2016 11:00:36 -0700 Subject: [PATCH 08/59] adding topic --- ...acquire-apps-windows-store-for-business.md | 54 ++++++++++++++++++ windows/manage/images/wsfb-paid-app-temp.png | Bin 0 -> 69880 bytes 2 files changed, 54 insertions(+) create mode 100644 windows/manage/acquire-apps-windows-store-for-business.md create mode 100644 windows/manage/images/wsfb-paid-app-temp.png diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md new file mode 100644 index 0000000000..5ac43b146d --- /dev/null +++ b/windows/manage/acquire-apps-windows-store-for-business.md @@ -0,0 +1,54 @@ +--- +title: Acquire apps in Windows Store for Business (Windows 10) +description: As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business. +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Acquire apps in Windows Store for Business +As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md). + +## App licensing model +The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. + +For more information, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md). + +## Payment options +Some apps are free, and some have a price. Apps can be purchased in the Windows Store for Business using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards: +- VISA +- MasterCard +- Discover +- American Express +- Japan Commercial Bureau (JCB) + +## Organization info +There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** page before you buy apps. If you haven’t provided it, we’ll ask when you make a purchase. Either way works. Here’s the info you’ll need to provide: +- Legal business address +- Payment option (credit card) + +You can add payment info on **Account information**. If you don’t have one saved with your account, you’ll be prompted to provide one when you buy an app. + +## Acquire apps +To acquire an app +1. Log in to http://businessstore.microsoft.com +2. Click Shop, or use Search to find an app. +3. Click the app you want to purchase. +4. On the product description page, choose your license type - either online or offline. + + ![Product description page, showing an app with a price](images/wsfb-paid-app-temp.png) + +5. Free apps will be added to Inventory. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. +6. If you don’t have a payment method saved in Account settings, Store for Business will prompt you for one. +7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**. + +You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see organization tax information. + +Store for Business adds the app to your inventory. From **Inventory**, you can: +- Distribute the app: add to private store, or assign licenses +- View app licenses: review current licenses, reclaim and reassign licenses +- View app details: review the app details page and purchase more licenses + +For info on distributing apps, see [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md). + +For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). diff --git a/windows/manage/images/wsfb-paid-app-temp.png b/windows/manage/images/wsfb-paid-app-temp.png new file mode 100644 index 0000000000000000000000000000000000000000..89e3857d07745d7c5b362613db0344fc1152e9f4 GIT binary patch literal 69880 zcmcG#g7DPY^1p(=lln$wpA|WUs(u|RkN=kQ2caD;f4ru|A6zR_Q z>+?Ln_xk+-@5^;@v5jr#`#tAA_x*|cglVWN65`R~fj}TarRQ>5AP__f1Ohj~A;2q6 zG;h$rAFzv-q70~Pn0^a*0(~W|CJh2rM&n4ivhAS$GfMy5XaY9kQ(6{4K68c?i!6;+Xv+C ziBe+j{JAn0erG~Myo95ESvt07S2R(xvtOP%{oHBWYgrt6#FF?O7e+wMhr}$4fNlSv z2q$4_mKc997L4HbqA=%SFy`O?{5y`I|9Q0EeSXl()c$JU9h6X>2D}Ny4}4PT?Zx5R zVzWDw&A->%Jx}cZs*3417`%6%8XG^zFd-Qdu7-w2bH{Rd&sU@R;Zzar=7a0y+O(%PCpZS$XRTGMHkX$rjVWbpvblSN0^ZNO zrYD$G{yT6#2er{=$+!IwfyuEqDH%9L_dv>}l@= z7TVb3bsZ3wiun1Z^5At@xC9t=v)^+S|KPfq%DX6z_55}E>#^A%TNz}HW~3r!q+e3P zj)It`^lpyKD-DWEO6;EkbG}dYZ!nPL^?uh_j^f$wqSxkV)@9r71#890{qM7{y~1#t zEltHgx2+T(#kJn(rH|ZRzZ}lDZ~ggfBejmIh2r+mTxU6d@9MC$wr+OsTP$KmzocaD zgWg$awiaD^MncQ=?nPM>Z&-_?_mL1|V|;_bF|NtcWRdpK`cSj?g+QwZFle4i;+v(m zn-r%ukGq>QzuSvfP1i-0j`MZ1)vuT&ycm+hRVxd6}nX7{Z3(( z&B0|&h{Ip*-Epnm4JHq%(#srAn-Aomb;ZTCif(7mxoS_ZUmvLKrS1jnE+x+vWXC5(0H6a`oStXB1i_F*{SHDWFj|}ZcC^ka*&4|r>Dibgqe-HSX znsk&&I`(?W5Hll2k}XSG=PuLCT(z#=6`W4}7jJ0HstD$xmyXw|UrX`Z5!5qlU+aHD znirbf@Ke4g^7`GJOfPwCFsOFj&(Lraa{3v;MxjY=Q5%F$_2^{{+yRHK^>|!G80SZ+ zA=b~!?UM4JA65zD(3LTYBFW2{I1K9PVl*DiY;0KVd3kwtZ~m>R{<1lwYxZU(gel;g zb6tS1#LclbAHw)&!b2mya#NqZpW+RRylv-@dl>fp~6Bl&OEG{-$e_ z{d8HDh#m$DhbS83B!w_?k@?%%C)bEe6dOF!oh ziK`R_D()^*QTnUxPk*Vn&%a#Z_?)XigY8~>Nj@{wn?FBW!G)K$G@Q@uiuax|WsdK* z)|V}CR(boLTwdE>gqN-Hws>0J{++K4=cRsgb9o}%CnY9qMdH;tcI_24<0U5c-`JT|qmv#nG3k zv^f4R3;Tf?IVxiBzpx1NxIRB%^1CJ>8n%5BMa>U+b@?rlt~Y`PJ;B7S&tp*ep|_ZP z80?Fn;n7|4K2j64#p>_S1R4Y3Il`eM|o0oBg6+EZ!RFDQVm^W~iWt6#JDQJ{l#g9h-^TIjHsr}}(Shqw< zWy$A^fdd;dhR2UJAnlgaHX?CFaQuFy6MK*xq{hdKz<()!QDyzTg7acCCz?;XyyXzD zd;CTsqW+W;VcE`+zngQV@hqS>c?IrNq`O7lo7FE=WC-_E@MP|>s1@qPqnUYyav?XvBIxCt3I2mSks^Y6Uv z5yAvGPl=v63zuT0Sp4Q=G9jbCowF}zLF;vMJs2FJ2wsf`<7DV^8x!Pa! zJV>^5FKR_=g-jEI6M!T-0OM`R^JRbKN= zxS~iUFzzT=f*yrq74UaIys@ho5)^Hu)Z*6=*yNjJs)EFlY>|psx;Z$gDoOB~{(2@M zY^)qHFMgh5#>%IYQbpxuPj@FFhKn+}O#je3aGMDU`%qvpn1w?eCFoTV_Msx^42gf% zVe@O3Hxa>albkKZ=h@1rC}hFQgSUUR+q`GtA?P^wq_hVSXu*MSVhQBp;u;tl5_jE1 zB;mGTpLVVgX1G67BMJ>k(U-+#G;>R&Dii>Qt_ZQ(U* zqi+}P0D{RVHERa?r9-pxY!S#}1tRA=-C<+~W2@aEk9&#;aqFFy^2=RWY684R83(8y z8N**dOamWduK*u-jIqRgl^o2xqxJuQ`EiW?;f(H^+^tx-W9K_pnC#&F0RM!=LySg` zBc-~#m*r+@-MKoty5=vls0aA* zlMXJ=wrQ7VzS2_N)KBVm_j|FvqTj7Py#9TnPqoW?JjJj-#bj{lc+fEN=*-BYZI>}A zeEol>8H{>}jcT=D^D#ilwHWae*$1pX#269R&56%&eb~o_N4#VO;}FsN%g3ND zoaI>2tHe004tSq?Ig$pg1Xxl#bx`wLI1bJ&0T~!a=Hh{Yfs3OJbnEE;?akFP-(>F` z7#}(rxV1HSKf_z*vz6g&>?fgrcn!|T!G|EdUImhKO#RERNS@Sl_r0G%(Xy~MVvJH` zt3g)4xbtnmpw#p8Jf`8|q9QPMXKUwuAdauqLf4z{EY@${rn`tnKT*_~`Bm*+4Lr2hFSP$hdaqf6ZBSm`e{bk#6 zbR@JeTsecx9bbP!kpKCmhHNn7{tL;Qa-86Zb)NopjBG%l7{u^bV5)m}lZ!y(l(+PIIk?mv#s$xL}d1b8XKV?-H z7y$g?PdrQp6yg^q`f@ThgJq~=S^8Mc&sXO&WFf3Cq>vdu&!wx%lq(x)m8!}vdnSk( zQ<)Bs(Z4%gXIV zEZ#Mrt==4;=!fDqhh@!^IFRJD=aUM|q&D2&II>^5JC3VIQ9}S+-x0g=t0%nKeNUou zc@M<%;%;rhB?SGn*lg)-_1|9;EWEx{m%rTmS}Ir9-7f@dn=|nK2eh35{PWCxci}$> zzktcyOa1NL22Oo@dvxF+6OJtMzZ9aeyBzNDFBbm+*wkfxDCOXPs06jx{c{Rb|9_|i z7`*}g&zAy|w?X><&7<~2%TfF3kx}QV0_ziMEVW~AUJ|R{EES4j!R|P(A3?A> zJ39g37bzP;6ciZfx;=?Ys8?pZwZ48juEP8GXRA@37W@7CIkfcRzVXWJ3!(z&J&kw} z0L?S@F|)ElYET1sK>9@y7lE-qxf!L|$$kvK-48G04+L=t(3JpR`_Ll3FI4(52O(WvWef-4Sl8gqfNcK|qi8StEOfVkj z1=?RCh8R^NA@w&(5~t?2Ps%T4mXXf;?j&<4iY-RS$#IMKJF}Io<5pPR--|!~jBg2~ zWa%@6_w7_N5Vlb)VzFJpKrk`@VYIw^b++gCyN?9mq4}zf0FPK7O6gFA_pAdn#%3@n z(ae`d-S2zCL-=PQ$GPJH?s6y&PQCr~o2%2mnN8XS>ZmSEfISEXrTTlB{0IiRH*H4JTkWQ}94w4ug2nFDILwk- zmew9>gJrQ2c}<#*bD||=lEP=V#`D6<%XvKmr@zsI`?~&&c|?@et!aZx5J_+QKeH!M zscwezwuNqz1=Tno2VjE-J}K@Mq6s{^Rma@+!{1FxGvere)u6L2h%gg9BA1elASVmN zg3(&&O52lCQ->zeJ;uiCXjv7OW=!ZM(Jf#kB7P}OfEs4gR(vOvXE&9jk`77QBw`RP zHEX{`6H8!LXvxW;uQ>yU`LI0$>yn0=#NLlp2a5?526JfK0<5WX^mf_2%fF)?1T4C9 zeg_RIa(sMz`TdF?kmN*=7*HHW?L~$J!)}9NwGCxBc1<8@Ag@XDd+c%m5q99yOL$YO zK6cyIiILXQBJE5DaPj-`TqR~)XWY&rVA0L{3BFX@3|#`qY59}1uk*33uy;*Fc`0|NOk+o)fwt55LX+VU5@18gFjS?s?kJ(OxDhq{dM>G3l z@5_RD0<(S}toDvkxt?Dijck3&R^;^9UzUy_$Lo@AZfXiB`3azYUS3{@@fJ9%oKFO; zmG?3R93cuovCkw~=@LG)0$Fs_*b?|%I9(kaL%@cfuX_k-u6{MriK?@k!t+*DguNg< zUjot#GtoEa>+9|8&m=Jq(h@P!f2qmJB={lKhdhc7e4~Mz&_V7W%S={)rHXRN0@hAAcgrL!EKHae zDgL|iUgzcOgI_(&Vpf@a-vY4q0PZBLw#kiCn@z)a{^A!doB&@|j@UUgln>xZ!R(UW zh)#yoap&YvF%0E0OM~w|lwMS6WK4 zI0gyX5cQW&dbjXQq52)wIcDehrJ>Rp2Ip*_(R*~l&dm3^wwNcowC0wUm}qwaLQAoa zj{}Vdatn^*%4Y;thhN8cS=s?i&{ok`ru5t{vgOcq4f(Tg1`4YEMA0h&@T`4|ky;`up0a6iF0 zVj-S!xQ@d#ET2$5G7j}X%~4}3K&vyK8PKgc|Kh_=6?BL~Vd|*KcMRumalsqm%+aO; z%n=wFunp=}h#?zS`S?VQE@lcehnoK=(fz&O7r)M$Pq-(q1SI@t1iHBn~Nu|hY4aQ|%FEpw`h|n?kUpkU0vG5dLK=d^p^H0szJP+6E`+ zK%n5^LS$o5d93Ox`_N5jyYPlI-!kY!%(ST&p<^YkQ;^9%mGI-09_Nq0A|7&absp0H z8OY3J=26GT!$Xu~K6RKO4GCeSctK3Q=Pbj{!c+~6F@&PnK@H8#Pv0z1zok0|tvSE2 zg&a}?B3XDi{$;lQv9n_z(u1fS_AaP7gk%4KEu{D3K0YJ#Ck>lCizgH%U0PlJnDyZ% zE+d3pSXh|3LE2~&_oY1JTb65K7#t!i9Po(G+lra29pLba$1oIUFQVc{+q*S9Vd`8W zM-^q|%!hJgl)j?KiVD&QP!396>fR>yY94Qy#XyCz)H%EWmqS)C`FVPib`pG-Q9GC& zUx6_FTWJ=Qk@6I*79dy|3_7#?M#WSee9`?Zw$iE{N?{W)RpMx*2RnK=TL0_h^_+loso|#V@|B<#+Ti zGqobH6={jwHYMNwk|O{=4rM#q5>5x;Hd(qq#(55%T3lRQA#;3k(sL1E<7@y|UWPb# zqA}_j5^7}BNd%g6JG0d*-6Vf7_Faa^##YC9Aq}EosZcAX7tz5HrCl1z(RtzZ-neZTQdt``{vs&(r@0PEef9k;-r^SK#~v$cYFd z+J^Uk=K%a|=DEeb1IfyUwo!AtbHdzn#%%e#NAHOSNtNDogm1!k0+@-}sTmfY9NLEJ zN+yvm{#(~fkt9Y1g?lJ@(Wb6R3^|{K-q|LRI*mslQKr>zbETwTMKll&2o1BkOf;N> zZ;|hvo*t!WCx_DKq^L(GP5$GyFl>J28JSJAQf~}NE-NuZ#U@ILr9z#|7F$9VW~GoQ z_Fy!ojS;lyeC>}yRAJT)xXj1=Es0IosDp0!-I@6|VOprMihD9X1kgWRgB)BKy$b4v zj06Jq*DJ0q=dKuiGK4Vkkj>}DDoLRL`s949No!G5JA<%py9?BBiM#fg{O+ZAuY-0!;l(%2x zN*Pfzy$^QoZZkJGhnpd3ROv+_k|5>YuEIUwu90VO{V0pgB0=QFN$`EuzoQao z;zrsU@I0uNf!c`Kg5F{p16}Agh}DHsWBXRA+DN@tI1h{xrPKQQop()dAV|yS5|Lsbq+RGzm#JgWVuo?~YYe6c{Ng@Yw-q?~olXss{2T z`~2q&p2=Z?`a#c*2#wN+B5e{8M}US7!c7VlN>FAX3JpT9G5oY%1C7|>X{B4VztnTA zQG7yj8DZZ)5uj<@X?jvpnM6s!Og@4j#xZ<3^N3?!1?XtdOt>gW{B5Y^vJ1(9|Gi8Y z7pO+BRwm=YCQH}4M!X)#!#4C?VW5~e8n~g8O58F*+DHvza+whU-?2c-^HPlh;@`5u z_|ne%&T7R5WOV zkdP4DXS_wLd6fxkAKEEch+}d7XDX+kV&R25Aw#-|y8v>(9QyyV=Kud50eoDw^Z%mY znocO||GInWIM*LBr+|C+@4q9szVb*(f&c4??tciqe}@a?|2Tjyxc|RB3R_Y^#>dCI z?=AZ7FJJjR4-n8O(i4FZq;oH0e1ruTY)E5oxr;ulPmYv_mu!)(ADp*B0TbYFtm5I4 zkIP-i5%Klk*B2>QFBpbGlxqiWVx581o}8RKM+hVEB}`2azP~rA^YnSWeR0XIj{br* z@O3UlpGCpDlamYI44n(|x8JDswAyixr_BpemegivXP^G|Aot}(v1}SPAKKz)%$nq^ z-~27g8`(M8V?zHMB4B%aJHxNz=IYF8$yXq_3$h%--%bG=U%`L}He=XrzcmX?Qy z$X6^!Lo4Rux^Jtfw(ZAEawz<#lipI=JdN`u+=Q_G7{QmY*M7&CBGhpgYpkCI=F{2bYp8295}yj$78k?bT}YJQxIEGQ9Y{li+k{K>^erI6$cIz5ULSscY%|yZfFD`_a2(wLwD@F7f5_$tV7q8h zjq<`m+l~Ni(KI5<5KeNLIe_fm0Je3Pf1fPvOSKds!q|5J7l6e=Dgnvi!&Y8m=0B6N z!yqQC(d%gFY1W`3lTYAKlOd?z=X@o^>umSyNcRYdt+wTBbagG5@w)pS#|_oQ$eEwQ zf`8!GtLJBakQ~jejVp4W8$~$5o89fH5MDCK@RHnj3_6H1sqyQLYdM{>fB3RS%4J6$H`$Vx6IB*X za9lu>t*)M??B-v`tTWmL$jJQkGdQ{O+@Jzn?plD#rxXGzG<8H1we~E0Sl3T zA5a0_%-0dJFP|JAySn1AUhh(f5fEUeY(hb( zcufgPvVDQFDv& zwtvJd%dQlKhllesHjEW%7qI4|db{5-ju9mMErjhgIxR_v67NOpg+9i3EYqF$Ho9!E z?q@%&db22c?yl4Pb`{nl2_Z5d^Ceq>bcO@emeQBjUSy7(2~`eX{!W&>U~ zA7`q7+$?8s6EwsQE>LFDtPuMP=urSb9JT-_H}^le4&Z&kV#mFYHY3)TD}dFOfn0Ju ze3;h@p+wy#>FdZUDJk^>`-BCDHk&psYtS4^h~E@32nhL(mY$$ThOM50eYohJnChx3 zBtIvX1?YxZCtz+9;)?wxlL_S2F(e`)!r8$&inx)Pq;qOPvB<)+`E{gl3*nmNJGj}R zfd4YULRcDRjr!_>cQT8=Eq(q^Vv65v&AhYzo*-=mFR*5fo{16?yzGH)op?r&6WZsA z>0|i)QKQh{rOPeFdDb{!w#)OHTviI2g3=t1HgJfY+pa@c`4Cw2oC}-+`~HA(i6Vo7 z31|eM=_Ki%x7Qcpln*_DjdFB&_!ID(&)>$-D19!B$OMyAjA{n#VSn)&RxVzQxVMu=2=cL_ic`!Jh!p z?SEf`i5+xK@zQN`6l{m2x|aAr?#r|gCY)bb2rp)RqNJu4lq`f=00Z= z`bml%dFFk8b4E#DdXt=IsyICU{H)(()MgOl8sP6Fp)&h8Y-|Eug&CHRW}mB$kz?Ge z64#8T$KQaou`%w0_%X61nOVlBHF$C~BB}Yb%i-LKgqqVFsKjU-Vn%)osDN`KH8s6> zDzA7Suy+8p^IRE$^?``!6H((bVuinhy)eQb9K7}~X=#LLttv(_ z5F4v9`cFtmkW^giGk2oO?_E$>r+;FBsF3TX#&rNv>hUJ6tb(=N$3Fj< zOx($<Bq~V&t%Vdt#h$lz_s0yIgGtsMD%fv@%nm+m9O*% z38itnFT*fN6yvAfe{BG69nU7vP?3%^bKZp~q2N?-K>xtNC7`95KRDO^Faj_-HX<}S zpI4rhgBlR%l9{7tuy1K;bQJo5Voj3GLYspN6VQwj&8)nH!W0PF9$)p~?X3 zY^|vwKNtY2+;Z~RHLwNI$}#?zfML1$v-JunhRk?B>1ne&fqk#Z6bGV|-W#QnW`Psz zXcdr71}iH@Go~T2#3VZNHFFeLgaSNm!}Z|7n4r+9Q9O2P9s!^&rB`ZHuvl6mu6t91 z=&_7Z1y!*BI~{+i$=sY51_V3UD9(aLLWe+(6I_D0JD}9bl2^EFsCP#(v%C~9WqD-U z5^8(?yFa#q8Z@+p@Bpla7(oAUuK;l&9l_~n1RwXYV*dMI8QeO0n$Y*{O${7(szXz3 z?&VCaE;kJi8Lkcv!!jQ6hbi4P95W+q zs(cxe81kY32NyD5X^ArgcHVVP<8c83hZn76Y9`KY*e&#?~Uq3AXFHVzb4v?0AO8Xh1GT z8+A+cHmT^v-tWvXihE+V&?~l(oIg@zqZDw0NrM8?O@srXATyzq6dDc#dJ0^nYJ0+| z&=#5jwoZUIALH*&LE}sSgVbsguF#eORFN=7LtT9s*l*I2Pb5v+ylKdT`iM2j?JR7M z(`251GkwDUMKx3}%ZdRdEj~j}p+U2<1I#GD^UGGC)^!jSf@A`uCc*8G0Bd_}1?Z6& zrBtiv1G%B55aO~gB8a%mcMJ#*zguGq*xOn=-o$uGJs}~VxLc^CA*TXoHI-Ly6w*T@)DA<=qf@HOWck`n! z!h0xL@R(T|7w`;#z6vYQw5mRA*^xvPXu={kB~_LB9*8B+49N(`v&DWR3j(9ZQ;uWb z0nU=|T4D(KvTn!IWzA%a)N^>sa=A1JFgIi;<@M2l0RaJ@Ka);&aHI-c3kDEO_HtYc zeE0((y1FKEK29C~W~ap_!5I?v7-C7Hc4BN%w{55&)wf-oF#p4C$G}2c6nszW1!x{+E91c zUSrW_=-BN?=GNBMs6bnYY$<413IvwCIs`z@#d-=N08YRT>_!smUlcX+WWoyo##&$h zXChGrh6v+Yp%FMx1xfx;KKuh{A4o9k1z;ii5EIzH2^1_u>lF&w|KRCnLeh@12xUDq z7J_3X52lOLWl;>Upx%!zV{J-F+DZTk`I3@^UL44?pj~M=wkb+Ag2?d??Kox~0C3ER zR#_(KQ)+Un?1#Z&oOqU54=5*zZn0)F1#Axi4GL(W zJTuhShk2eQbeTt?V3q`T7D~W&b2;|Ts=6Fr9O%5lNg!{Tt9x?4MVU#{CX|<5UQf10 zm&s{NC8<02PN!o2ga*Y zvh&9LhNvEniDy&IvNr{?`wG?RZk>316gA{$OIelLJ$ACSP?=5AYngQbe2+q11JwEy zxeaLKf@JtOLxHxBU{Di=L!i*#u8&!6zSbT97PQ&!A3Pia_A&24q5-Kur<|0!4{!83 zpyGlehm!cQvgneLt_XNY8-P=x28Ge1P;Y|iXj8kCS^v7xFHuNL@@Aed_Ri4ANG~s* zv_p(P2yVwle1cT9g{K{a+ft}vEp97=UcTs)^gQOQ33#L7pAd|aC2I0d7lulUP}2%% zfG9S9f`4m5!p-rRDcKS5uI#BS*$|D;ivaH?0Z>1+%Hll<_e|WKjhk>4o4S%o`Je1; zT#*M93U4F%^MfPGIePvvyob7Jk=yjsqy6O;Qc*04Ho2=Wd?Pd7n(g4)wu zC#E&*f*RPKcP~-)6W+f)`C<}&GLEOEWj7v|RJ+Du{Y6RFW}FYGK(#t=;`FyIi{1DW zjFnct^IlhY&7!@m?=&G-^^jo(k|fh|9PY_ai0iA%lRsu2Yw>`gJHbwHyHc@;#og?V zJee|V#XBB&ms8c3YHX|ifS)}siR|N0*ncK5K1pW{rkSU%lfcdE-Pjt5QO1}`-k3mt z=r@9iL+8dTN3@|@> zYBvxuho_}!u453X{Ga@y962C!O-tS*dh#{#8L&hEl=--o`1YC*Dx}e9E0Yr6^*Mo1 zEDY1d_Bq=LoxVn1Pr6zH-w0>0KMnuIR0JznEEBQdw>aDvL|O`GrK=?_h;7G@vX?J}!%;f>t8 zX@{N)huq4oz2FK2qwlDgE4-%i+=+ah9rfxDjkg%mayv60JmoNm7@E!pxO|5d3gYgx}ggmQ- za-eIj`MJ5d4Gq*Do@7$6(%^w7Az(L|&BIF>Km)x&!XuPa?P53~Y(325Yt@l%3Z#Mn> zb#ar6&*6TKZ1eT9sn`9pB+}$Q(Ifk;%)!(H^5j&Q=!y`6<%DX*bC3$Yjpa!K@nHXw zX7T-`s1}!)m^fXo8lqQ&Xc90{$Cvi-VR^DK^?uO5V-HIfscNBxKE_9d-P%C@&|IA= zx)3qf5_`%{?@c(hH;J*XrQLoEV&)6f3u$kAf4Mw#amhe7-zM2Kdsy#M$FP)mD0q&aVFE(e46RvS&#lk$Cv;<$%&iHO(9jn-J_VQr&|F4P7g zx6iC6i?|gTngoXIglOUr`(!4jX7GX6EayQ|O{rk?5^*pF$nmhSwm{n(FJ6|@*oXAV zHLgqR;UYc~yEJF-{VqDiGcqzn-e^ZB)k`6L*zwi9U0fE&yG%Majz958tqq&I{1|+8 zKKr?gLH6h1W?j?1XV38`I*pkZZ58?pEgi`{if6`t9)k*^!S*q}SB%sRIH2Ci#o5mC zDLZVpu{E~^wArMz2nbSLTPB}|5WSYc^?gk#C$jytp%-ZM-UI({?xGuTg7@uzbPp{# zGzL}_mAguxZPx!xX>{r>c!iO|BFEP}A4*I#RbGU@$@z2kG2^NIFRH8dmPzsTuchhs z@12AtpO`ECm1W{mo}*$)H4r?Lik_LfJehD(M23FZG-uN`dZ~-u2Bu(LwvPJijde<~Yp5OD4t-1Ww zd$UEw!%#*Vh~<82z<=*48@}V@9pUS5L1OUgE-}$Y?K*pxl1dARurakI@yfekb4jvZ8+qG{!hrnzxW#*-ej$Am~B$JMqU_&b7+gRa=8_V^_$HHNK*d@2mOy z1=EAiW{jRNef|Ue!47EPVg>(82fn}ojV=C5-zx0bIlqdn*43gR{o~lX?J2sMlMcG8 zSFaqlD4zZcARvy;!im+r4?6mJB}E%otE<0=>#=G4VN1_gv>#fJ@7>s{&)Gks=+!)m z4GIZnfB2R6tM4Ttq@>O#IA?dQZl<)T==FXB5-sC-v|6+46nl<_!S%h0H#z z1OeSej!SK67iIitNjjhzGE9kZTrv%_Y3236qDw{;RevejPnF69+z5BYSO7MDXIB?+ zPJ$RxQdag2Lqsn;3LKu0Gg*Gv#9=a1@FF8eF*?WO=(`rqLOneJDdsxMwBt^iCxA(A#eEiG~hm>yQS5{h2`jttQM;`pK=@SI?R z4L2exwe4#6Sp`Wa4?z(C3Q~Y3*`Gjj6d*4nG8P-&VpUE9+Q3#P(0ZGLD@>3AU-Z2` zP@MVB5dq9D_J6OGR2Eqa3IWWFJ>VLSdz*lxQ;`)B-+&h?mF|8}&f;kjYEq?@$9Dqb z!~RzpSt`s>9td=YB<2769l!=>`d^Cq*R;EQ0s21^OnpQx4z#v-|8M)ZBWC=r_&xs} z)%)N3lYj!Lj?^JND3BxtVr1q6)P zbO;hmG3d&;2dWL8p$0}Ck95lcoru#(QGtnknPEP>qy zV_aB&y5hq004fpnF8?{ZjV`~jGh_U~VBB}C`WsfnEtPMv^!ywY!abl(p0ZLEi;>!F zU4ZU}l{`@%8^{;?nxvK=NyRd|uJt-Y#iL&tT|AyyOG_IctM)x2a`}-oa?OTjty@Vg zNZNkPen2%D68kIIR40zkT~OOq=>E!cy@ATo-0Cj_bhE!w8jC+04>_haDDXby&tDLz z_21gv>=BA8&BNTWlO<97yw)dT*wNK}z6bNAf z(@ah?qil;m;KogK{Y=wg*a=GkUDP%}n+ zDH9gS;OCcJL~>90EemSwO3v0 z)jZi`gJ&Z(*Ay49hg||*$szaS$L+L?t>Z93V+XyfsZ_>w4-fsD<22i5II;iCB&!rZ zrxDP}zGkM}6ROIxXbYBcAhojnFwfj(iO~I|703}Z@kE1IZTX5BMTz}o|AgIR-{<)x zXZ$w@*(CuZJ@m_%q@thGVajk&Gn}PX)^*`!`a8S zzSE;mMHSm-AGp3v#GGJtokfwD_3P+v<<+0CcDq=A>z;@8M>lbXa`CgXJ}S*v{#8O) zH>TMY*R{pgp)L8&Kf2ll+uB^TW9~rrTLY~?Su(kDu+5jPD9wj3z3M8Rj zQo9}ju51~frna*YZ*xxK)FwY5>dQ?@adVl&R0i>8@H__HYQbvv+)qfK6y$%_!+f)9 zA4JOHMypVg>D0cqk6SS)W_|D_iNjU%b>?vgPmUS>HZ@~&!^P^qI35@%e&%k!E7@>1 zA;~OF$l29W7t`Sq@=5_|qm*Z8H>91g!4frQ5P5ufN0J!r0980pY&3*GO8CB)s2Ni@KYM*^X#O^%99z?unk4yEGYl8S41s@9 zgBy!o7iEv<7WTy&9>!UF%#DjV8m7-#Bn8 zkmMY=4hGgPH&c@{52lG%*~$V0F-8>yjviop&aX+CX57J6{S!LLF_TjYZiGd}9J;#8 z`lByozZUA)d<&3@5CqGg>d2lrYIzWsMpO(&m}e`#1dIIQ+Z@fjU?UU%D$FQ_(v$m= zlp`i6C>5Lg?OvV9lpJR;1mpy70EMg;hnH5O#0%|zUvqdju{VYQf#eE zo~ZT=xz0`%CF5(yj^y7r8+hKrud5sL;QI>L+F*x20^Bu%BOcTIMXM_auPd@wujE#nNtk|al%92GJA#^zjFI{{{C}Spial^ z;&{o(+P(DeT4uwc?MXC#EZURIX(JjY!*5*0?_b!wu_#ivpVEfvWqH+v`C7kqzJYrO|W! z!bIc#Piez?3?o0%2glO$f;n2t^r@0aRS-NtgcYeI)`4!`=3nJ(Q9-UA-x2*g)8j|) zmx@t7KD?&iqOz1f^28qA-EPlR+{_=Vn)otDnuhoNcSy2!Vwl}?Ly9nAo)w+o?P_oq zelvEY<%Mo&i)eK{@>sk1lSjCzPG6L?Gcd}_N*(5~{uBDytgvxipRRRRqSQt9 z^H>)CjSf5o#|I68A4R(LOs;E-4nn?#w^2X1$$jx#kpU~QhS;OTXVQpaHNh>?XiEH@ z_T6T=f+9mQsry?y@7GbKpPTISpePD9xyRCAcGlbg`je+*Qz}=z(dx$x?Qp{n_Nqj11YphVsHX_HyO-7F27>qkGHOP>C?C2?frwS~d&D=dqR)6k45 z!QIHRF_-4Rhnuu*+3q_9SgY<43G^AP&FS)$@30$Y6_7e&R-c!~i`vqdgMz5sag(OU zn%mysi+Z$AJ=i~als(jw47EF$#!jrUHx>g!5r(^CY>P>s3Z+#78%a&Ptu ztBAwtJ?=NT!M~&@Zb2D}X594J)zRwW)yMQ+&DfjsvFigJB({*VmbY$ zvL%1)y|~qzb(>o{g+AV`*e!gsx_Q3jOZ}PU^=0FaC)r2Zzk~=rrsTf0r+wr=zm+;G zw)`P@Jxbbwzwc{qwhWb7K3SStqW2F;JDcW;2TJK!?C<}w?$8E36N-9gPq#PsVkLQO zaO337EfaCH*b_tJn3CembOw!tB*8qJ$f;Zz2OVqGhPW>co-qzu)fL?uie^;lY5pqy zEe6ZHooR}FK8<8#CT)z|ZEq$S)2Zt#ybPj+r*oMTX7c8=w=rt08UZn{H~LZm~lP9%qTrDHR*|Zn6vXz z4qvppAu7&m{xPErfW-+U6flzZ3eG&*#eQDb}73t4H-akkLE5Xh6s% zF?>q?UH`V`RGGugWixA?9JSaVKmFV8I#*_V;#L}l0R$P#A%Tv85(BBGSV?sm)bwqmSjwnhtJ5JQTNKmk}uKq=xG_-#juz* ze$JbdP`DkyH%F73M#^Aky$K|XUVaB>jCQWP&)O2YUU~Ze&~z4lQM}O_7g%5c>F)0C zMwaeQ>7|h_Nnz=dF6r*>?k)jI2}x-L1Ox=R^ShsW_Yatv-Pw2MJ?A{n_pu~>>{(zx zjn&jSWGQY+PR+<{4c7t5iAU?(t4O5hJ-lDdBpfl7kiwwhyvj%%cPDVod0=}d+BTHU z3$br!<$tPz{PuECapwKuDo>D2CFGbFJS-)Z(lug@YYLw}ld>hCBt$)GYuLXQdQx>J zeDy0TrQ)xMg209rEn=zWAAgniPlkOsp)_XYV!0fT4hm~$wPJE3Zlu0VAs|Oag6X_b zcWAS?L5&cja|TgDP1)}B)0FpTeUoXe)Dt=aA-_`?wxO@--XPz_CdWb`H0SvdlrV~8 zF64;usvph1gY~aYMvKT_CdAd-HlMxnTK~36s<Rw9x99mbRovQZbI_g!6AkISMHI%&)$VQ^pPK7@>KL zWR%6k)eh5=3*CcuY0SN}kT_4ug?JG^1X(}Q{+m$Lbe=c3tAdvvDj&wL9SXZA3mLT# z6$U4V5Mo?Hx6}atV+p zuvO^61=qyjP<)hTln~c_IgxZT-I$iX*JxHQUk@-%2+nH`m{1^AUOt%L%FINNmPT3VCsDK+h#($mmHDkXL-Ju++~x0qlw4LDYR2@?pP(G zOw8GNJuWc<^{NWl=AxV!aO?{NyL4#ZamccpTK!PZAE-^^Khv5-+KH97Vw&&@otyhT z^J{6#RaLx8EPz6RVp+=~HIJ8X?gJ^ywK*E(oXuf}4CCv!g~D7RyU90?UnU!MyE2t< ze{%08saNW(QH+*g@HTfXRd5Idf549%kC|bo{T?Rbvoun@rqrKIvc>Y65YNzUuQ5h$Hx>|8nr&* z!3-6gI@Nsnm0O$onMNr;e4Glp5k40pyqsx+t;W4)l{H@)%I|{HP8a~5S9?8S)qWR8 z2nf6>CeTe^$F|)5Q1hO}yJIWsRzqDIJd=e<@6TzfE~nqPWvFfre7hSi$j;XS7()>dsDL)O4c*;Gp_Biqrd!7cbz3*8PKH-W0^=J z%Om>ZTtDB)a`bbsM}aau0c{s5e>IPQcspd#=)*zg9VO1X5?+1t@tpOK?+apopk7i*MP$aB;a%1mXEgBtI0dg*h@6q4Y`WlU&M9y*9ld@4f>Qy!JX+ z1rf)I>bK#4ZD%eYi7R<KI9`hZx0S8IVARQ?!d&MRyNmEnr$tiv+ z$X>+pE%A)1TV%iH7c|;`q8jMv%9=YSuc@HmND0ysU z`wMD&#I}RxE9Q?8`IY`0Tx8D`^g?7f>bdO1GY4JT=J^n-g7YE1g-Y=H8+K9puGkVJ zv)JACh_2iDoY0lp=#yr-IJazo82{Bn$Ca}1ly-{ckCXFdqk{wI$U>?Hm{na$ZfX{^Op+> z5qu5RZhh=LRbm0B7`eXDNZ40aKh8g7!-8=n0JXRT%c@PURjwFJEMCpa9esU&EDO7s zW~*_ADbq7N_WQQ-N3^{8TvaPN-@ME!HUXMSN%M3wU_>K~wN~mlT7+Sm3nhCFGnVh8 zS}=QnY9};nRM=nNTP&VLH1q0HQ*>S`gGChJ8Et4{gJaZGy4uvj8ac)g>AEYutCsS7Ve19n z$S2WNnJU=6b6iM^hGdk<7_U~Vsl^*DPL^j+j4o5)SE5DnV19}u`bt6bXWMN^!flAc zP0gf;nY@I0`?4+`%+|rSF)P*j>l88-t8Goyz{3JxEXA?$nbrO?^>$TkZw~#7Lyn`| zcmoGb2AAznlJwffb%62t0W6-KCZ}se=q}Ff9Gl(|cmF%z6f<`)>CYjY8x%}NXQkBN z(_2MqHcV*fOT2{XCt2i{Bm1cw?wEDrk)ubh2)Vu}upy3XXYu`9zfs}aXpc+s{Vm}| zQThSl#m`4EU@&(Yx%}Snl+#K3r=9z0m=Q@?0&^iPPpBX zavH`UdB_pdcxi5c%fW;s(7PjJ@zOSXrx~;#NAJauH( zp`HH@?|@on9$8DEjPbvvHIiX7d>D7a0>G~Uwi5ke2F_Y(M9Y+a5=hv*qg)TK9s|s5 zA^k+VE7We*ax(a>UmKS9xn$`pIc8EX)$y}8Waa!(cW>8IDGxf_gmGK*{*Fc8cvz1{ zEh==T;k`UjWY&1T-y3CHKXVdG2_+Xh_r1J-_D-5}X}{~tq^`|McU8@3X)#jxBQ!2a z*cUv0?|x7LA5P1^UEg-^Uv4{6C4o(Ok72ST>?5b#A5HQn9VfxuR&N?>FaqWDh7e+Y zy+qH$E5UCIbl%a@Zm0X>Slu5vXob;7_1FBNiL{wBAvYbfF~#0ku?&tW{9d?1 zd&Y(wSw2=Q*C;`y-4r@l1hSFrz|*Ef_{Sv6@#KvgX*~(J)BmREGkn? z^5W4kI&$PvEHdu8B_PQ2q2pa2_g=;ZNX~DKw&2#YolxWk@|&yT9Zkc*4tepOi^}K9 zl~`A+fBYc5K^b6M@jQI(2#(VU#gN1TKI`c83*vn0I))EKU7<|(p zx?H-?hrw4ZauDiEDlU%fu8;|@pC}QExq_IeokIL|QBSz`oy%Be4*sFF7p2;JTE#6^ z?}yfJeJm}Hh&W-i3H!h7R?SZDOxuH5zbvAr+#7rEXS{!y+ycWTj2<@AY_5yTs=0i8 zyD3idPUid+oE)R?jB(Gs(ThJd?(!Q~nB2%62KrK)7feYQWKt(bT+9o9Hj*sTdq6Uc z)^hx+=6a`37RG&QUDh=^KP0qvZI1@z*5rgX+zvQKu%b7fIg&OaM{{%O`oE-jvWq^> z(;fay(wy%8o1iVMw7CYh3iTOrE!`j-F6Oj~swwGk&vIWiaI5;xy7FxyZ8jFmwF_~B z^Mb&CaQ-Hpx>O@0v0h!I{DUW#_;u(fZsN&2RrrUxC2;|Yy^|3x`M}r#1l)r(IaPG# zm+*mu@mqE|`bd%QV3h#|_%N9$UZV+XH?TJqWm3!PzcVH@&eX0NO$ah=G3PU0Qq*QkM1 zvxIp5*4x#vE|}nX=O)4SNEXE|y%jt@FMr&Cq449dMlwBH$w$*btV^mw9L%mxuUFZ^H#}N_K1%Lt zP3oBlqtO@`o2gtDdY1KG2t{h@I2p$W{06^BM;_M~X;bjCBccht;wLn_XY5V`U6adr z)J>#g9Mzeas?edzb?4oRdtZ8`4hzLtBP9oj^SnNw5y=d+cS*gj=+2*I2Q|PHwmJl@Tu{KxGqs6S`{0foW znnC^e^EScb+0Q)K>%CTGlHcMlLim*Q6It74y6LAd^d-MYU$9V=Ea;pos65YowFhJH zOn#I?J(hWXbdV|>$@f$I!DiUJN$B%Y-;SWdN&S@@0ZOz^+Un6Tlp}cc^PW;Obd@M( z0NP_r*0D*2TqMuuBKxC(^jix1w?lki=!d+PH74nfHb#Cw#nnU$om^5T&+Id*WI-`AAS1M#OuaVi-2T7z`E6O1x_0ge5kq)a)Ze|DPWCb#b6@d<5} zr@RvWNw?#iR#is$ouLw&S?J`e#B>d*60vHt*Brh(=Pac-{K`RvTS^cFC!|aEMF~Vf(S-< z*jCFKRBE>tAHs}}?N6d-UYTYqDN^BNok*iG78N&a3DUXE2t@G4MCnYgZRs6M@SCl> zfWbTUK|IWx0@MI`XHXsc*v@Sf_GNZSmu*x~BK|`$M^{J*5{94y_Xl;=c(XO(it3To z<@lHZG2xM0n@<^&1bW3?O6ur^Ynd8Qjjbty{7k$THT`;18b|?Y!t~EB*ERM~vK5SI zj=b%n5S1#r!_p;X@-%C_>+1e&meqDtjqnap5s_n&mA`&O2G&QSF{ z@q~-Bi3^<3p!SawUMz2u)3gb%O9(eUzHP&pmLA@Y&y~_ypA#J=OGe zj^b5b-LxGiI$3s6Qu0|jmo!~!8pQv~_YPu`5PWG_ML%^Z zpCItWbUIg_gzxl@aeEP|)oj)LZK-x^0^FW_DwrhJ+Ly^9*<6I~=w1`Vr8_w+15@oE z$`Nu)=oGybnL79b@JL~3G1&~W>DYzZ*?tNkIi1F*qZBOa|E3^~f~vJucZ$n&cUjLv z_NO>Jos#ui+z=6!lS^x4?{<%an-Yo~MU+c_d3m!by&qh3c*);!LYs^^8&72p{d_AS zCdsV5Us#3HIdZ>kcN@_$*6Kc_TeuyShp;Tsf75RJoRYB6p&-6~FBYGW_=7p*6{wxh z#^_Fen;^*&(<|A)m_iS#sCRR>lX5M|UveKo$nTrpKYF|)XJX+MtSbA5SCc+4cie)T z(v!mkzwf(#?H_9#5p}V@DGV}GaP6$6eNgUxpde!HvUhm4gXf)!Y0#s>t?`rntmsRp znw7Ulbivrt{Lyi5JZpucqkm|8()$(Yg#2NGmj;dfM@V~h5@UrIO`(5s^w9~bOhJgG zY0wbdz7>!_2JC@zdTEj*cfxUI;5hfEWa*Q=7CC1cm%Pw7XI^!YiAT`!rlaPfz}yH% zpCAdoqD`hc9%>$qt%Yfz7XLZI!~4tzQd-6Q{EOsl!de>>x$5Qd_tOa3bmA5rzHM2| zDrU?jt9NU;LMr~5QqKbSj!#yJ250+$J-ZEh;B1Og0rzPvBMO$0!%`~EMD+_A)R!Iw zEh^S?Z#YE;ts7bJx-{qUW4u0k{+|22Ea1HmJDpqer zm<~Qk>ylBc!YI4;P@Nn1H&M_B+RaYK(}Yng=bX}Bsk+lFou3ZXZx?ZzOYFM36!Kkd zVs49JNn1taIhFpJjzNqN!ldyJxkK^lNx&ZfUnBp=QhJh7H3ZeE@|VpQZfhbE8s5<^ z*xb^h63Vl-R$rwKJMq8n7El_Ae)8hTEFN~rhXfhXFJzt$+VBD z8HuB%6hn@Cqixs*`)0TXL!6+oKLn^qEWP9Q;>jWBxw&DE9E{Y#yuDwh?{^mjKQrGN z`H`0JXuVfqi3M6wrYO_rB)IRi>?se%@NXVD!){D}QHZl~52UH1Z|hGeyWllg(s`gH z0rRi^v1XcvYQM+(>ph*;>e!2)LBY73)s=tRG#4^>(x|vPekp|#VWX%5g02^BD_Z<` zh?I;8nV^5)#5ncL=d%Gz#BLP7C=)$QFlWS{atcu$jUQz^c1o(zfONdl)Kf(D8S=X3 ztr>5SD~cua4Qnt`dQ|`R6q<6Q(skSn;SQvCz89PFSJ;aF=#PAKG&SX!td;y!K?|-) zRcq@vX9bj8xs0jWl>Q~A8ezu`Q%sfA`?2VYzZR{2`-kygAAS$R7KfgHET=at6Re_v z3`AS|l2i-l`AKc%T=}ES6fg!7{k^ zR4r8N{^@ZI^}Yu=$l>=+EA2=|6SKXn#zvfdk!glXFY{DIOYe}Tsag!0 zyDTHas3S2>k4N0GV_BCZrgM6l`Zq^PM&e>Oe1EqKpG|ojgD<8Q%i2F2I_=e-9K);} zizV%Yagp6PAatFufxYP)5`FEUws6H~N|^9B>`ZZ&;2~D_(Qcz2<j&!;=wF|mq>;F_6&zO?Fx00WhF15rW$Hr9l1qUrsP1y;r>=9qBw zTj~?pPpdx=EGdd@2X^uk-btBzRnD;W+b2?HvZ*V(-WAn#xIL32?&I{XqQ^*r5-JsV}l>6l5V^p~#{et#3Vao^G&&ABEhE!q@AM2@S2vBpMCm z0y#CI^n>Ej_zbFFOueme?zBqFES7N3>ez}bOJ2&jW0LK`C3r`R^k+!pcPSm(LGj@` zW1$A?oN+hjQI3xK7)b*b{bFH7A-~EZ6lKFmVlQxq+dh&^qN3mY?##MKX|4B+UG@QF zb41$t3fptni`io!pN)XrCx*ABn00iP)2dVr52Gd_-O+&*5OXBAFVS89qOazl8u+9s zYN~0qL^wYbAtofCA``>r4gcKC5~f)VouoyY<_`{2nW7Z`^F2 z^~s>@G~HA)1pm!#dw87Q)2|AZ7(lGF$yUr}gN1)WC+J}<=vf8N(>PO5!8c-bqa*5o z68DD)UOO$N0OVV0sA;aWmdY~gfM14=<6hyDrQmKIwD|5a38Y5~6TZTRon-wjbr9Dc zBFh1Vwe!{ore5_@U?WDzobh30*1*AZHFjHzMp6x+Dm|HnKK(&DN{Me`DP1_YRoEWr zbaR(Q7PI}Rk#~Oqc(iNV|HV)Hft$0*`eChxHh4Zi`82T^poJ% zD4|&VKpaWTfXa=L++9ZTXxGZ%B+Q#^gYuaE8|Z#bIZAAUUMAnZ7U7mXpgV?4{2WEp zUo^abKj(gMwYl;vva|qXR3&P|5(iart`x46%y;GDzrQ1dr|%08h{W9=Qd4)`6f>=M z!QGV?$CZ9S6Q*jopp~7my!{V$kDrGQTc3MG6RukQj#SYzC>@^%4_PH@Mw>?oe!1&74jI7yrP8y_eE_XPRU2_g z*3GKO;53*xaNsHAGrB%3NSqnF)S|4zjf}c(QC{}@Ma&4BmLfyTAE3|DYDMdP5XWo-HlX~Wd8KQr8H`!ZPT%f!~JEie< zEvRe7(KLOQ?H#H+5NP{p$KshRRSc}3E-K~D0%?U5bAL1cHt__?pVVZ9?pwklMJj}b zg$eZqAqaG&`s=3R)`i=eH1M#rtjdR)RGsy_3H^*SeBGxG5)-RZ!#0l`A`rvP-aEid zhnrHi$W+gxgr>NhzHl9(2lpA_(U>Lgp9x4n^5jLUyI@r`GJdH`i&KAh4Y5Qw5Bt=5o>O)U>iDu=GRD z91bI=ax%ylbWez7;N^99VWweps}oFC;62=CnC&mMw6yf>ZKM-i<(d1GmNdwa3qcf7 z59O#dYlcu%aQ@z%xX!;6KX&lULo$J%Up{q!XR4eP$0t$vi(c^k+ud@(?(mi- z$#WUTt4sJ(0qeI4cE9(}ZYb(uw*So_p1L?JERG5Y3Z*dR8TBRVWh6KjI(~%PKy*$Yj`xCoF$MqQFflCB&rvM~*RXm*~B2A)?N6hT$9 zRKvzysf4XTljJa>tLvxvS)yx*O&%nW6*BjjLdB2Z(x|lzsgq`^u$Kj?`)P6xhv}!a# zT5%On-1{2yiQAC<86lkMusG497QTnsBFaMNK1u4K$T`B)|%liT;;Gk z_xWj5zTc5yEqY@ox$#3UJUUkeD)3qKaJqn?<>AuijI zYoLb%pS$d(M{6r{Rh?j!E*oE8-@wO-0(g@soHw&)EYA=732QQlOJQjR!d+#8Cv7dh zXH%L|ze4_lhMYM_FjFD3EDJu+!aZvID$oD)bm5Qy$}*_cW5UdyM;;iK`Xqf0fI8=~ zzA&DWFpR=LV&Ow~*T~uLnDek<%r#cfPijMvz3~3g7cVA0QWWy1XUXYUK0YB`4q0VW zM7lO{y|TTp`X46oC@BdA%Z++OCWe!Sv3=dg=!AlV*jSon3kbbT60baWR2;C|I90VX z*{i404AG~wQZ9I3eWytM))y%toFo2z9U`4VuHWUsw(U1!;+n>}v{VxOodqRnu{&=}Ej^HFAxC#KyUw}PmTwny@sb4h z&Y^t14BJ^P^)Gcr##A%8Pgt+`U?^uP5pv#_uZ#v{?>HtvBupf0#We-a#=4&3Djc1I=X^kR$p%r8Th3I=Vq(sJi z;-xb+EZ<_4KHr>;g$-+`8L9?I=L(T=tWIjq3#{0yiGI~ip(i-~+D2mVFQ{@b6vzA+ zM;jWh3CGX&jc;RYQr*%Z2< z-2OH?Cv}JRx0{tm<;PjZzfJE*IQky7_T8Ijlxk(^bZwT`HxHOmwmDM22=z(bQ*}-! z-&2^yVf8LauzdeA40XeX-s|}V@Mr~an-~|y)-R5xC02#>FwmEUZCH`TnK|NQknYFZ zPQ^Ke;7W;^T%1eg`tIwfefW!%GrQQcBEUBxXMU-+$-E>@_DTaktcbx0Kwq;Y0-su( zHoT`&nE{SqXtOl+Gnj=6;VYtxJCKji1u78tG0FYUBd`pxcb+F1^MQyL%&U_tKfuZ^ z^66|9LLt8BbRFw1B;-eU;j97X1f0Xi|K%&VQ#F6$@A?6lNdP8^&su|pOV2gZd%(&# zoBs~LbN|)w2fzjZ4J72N3E=Dw103Vo&S=7D1Z>9}?Y}5xMICT$U#NB z045%Qezbd@ECNv}eK%9A|HTljBvMOLQ97MWQ3hNM0$liLDTN3Iz^Wm4_#dzNdtcz+ zf*HWcAD#sSKx|#@4mUS9+n1|ne;kd$=W+qeFPZ>H$UPIx&;4KY$1H%UzKsyGlF}tf zG_+*}S2p7-oo=8K+x=URryTt56#;*&c2)&}SBY^O)R;hM39vfuO+=YbJE1snKcIdD zDAzDS6NE`)?~eALvPCb zob<#c`<+j_(b^;PBFkx#m~Wry<7~+YUu`+(T>vPO5o^TXO^%gJ{|}n5u&n2FK?_xI z12)l62F@wcTd)e0J9b(%8QOf4rPv)5a66+$tvY0Ee1hq>Zt6Np>*Jk>6rHL*6vSkO zcn!AH{!y%b5FQZ$`Z-4Xb~a=#vDQ(&i`AJp#W|CNFzLHiO3!@BnkdUnDFJMWb`NCn zl`%`^N&p>&H7niNMvF#{nV*^CjPLK5G6RFp!+N8EV|sRMLHVMGVM1`TJgzC-2 zEf?%FJj{1}-OcwO#xsY7H>+RRVT$6?(c@hcPjA^;q9cEWv-Wj`!^^;gh5H|(kNz0h z`y+tt#Z`iWgC#Q$iU=dN*3+_~Z76xg&P4D}oU!)R|FMOu>)|&tEk59n2kXT;66?2J zYeaDa6Ib85mCEVDI=RznmttQPneS?C1D|1v$8Tg0HTrIa7+$^Y&-!pC0 zuvc2HSMt|BfAcH(jdqu>laqzQwC~=%0%oK{j9;$*o_&4lfJNsw6ovvIAd9x(o{(Y- zFls?l|53Jnz@m`3;phq`0j5|=S{mYbBtu2SR7Gf8MMA?qU^{ZXUJHK$U?n2{_iPv3 z3;X|NcSNj(wE*ZG2r*cOUx?Ndl`(t@Ai+zp^77(BfirwBQN(qGRscq*|1i+FGqba! z3}j4X#909Lj1S1&(SeJIfMW63%~J_^-bPV}+6}TYq@XO!0N1ay7Zi`XGOemhwY zu*Cs$*SsiQ0ago~(ZVCZrMAG${q*nghzLV5`9CDBcOhEbcbhF1Pq^QG04z-dMFu>M zTD`bH?Eoz?ARCC-F}V%bTZ>igf=9wIf>44ZPs~{>WHw^9WA$2mxeZb!;pN<(AKchv z66H}ypd#jtK#OKxPnIqQm57Q(627b3=bEN!0bWzh_6kk&mao>dm*l6^eDn|Cdr48r zSlAIQ0CqQSD}`V`F8(a@6%E|l`4fPNBH+9!1f<>^hnm*42 zyCJejbe6{Ra0tkuMfezR3jP@bb~<)>ZQ{Fx9EjDg#{SbtgCro2TFe<$3xSbzje`@%I0E4umR6mY4sGR3i)#dufEC!U2W}ogJ{KE^(p~O)a)WJ zLVw|#bw?LQ=OdrLwZlV7W%N=hs3|Q=B_bK6n<6weVKbv!_ZV0%f`d_GaQScJdxUhg zELODYX&mjI<;ww4QhRPNpy{ykiZSnBr7&-gZh5k7mj1-* z+y#b_AKnOy!_g^7K(t1l)N_j2&)8*drYSqVB7q!csT6L@v4LfpD#@BqdLV?WKQ|{Q zE*R;9kq?<8VD7{#L?Xjo1H-^Mv_+I`IoPHEXAs$++5$)hyNbA?(!jfYqj}{CWLcaq zmZBNhjznR*itLYlMzHlfTR}f_?x2Ws*c*uk-lU-!VG=+}1Bs|N8xfi*4iAJ~gXqc^J=tIUl(lj2h;A73^ARcLN~%ISiXX#i3+u7Xab|ehkq8 zGIP5EctT$RY{0&T1>i-kh>~raGhxIF_TA0U#2xa#2dHo1Hx&uNNTDIt1?)bEZQ->AC@RRR1*CH5_EFC} zxeK62z|=_#jZk^BBIg=P1+-0c3xvmFi9yXF+Jjj{RCvJ_yDt`saeG@Ie_SjSBd60A z&=}yDl$V!FGZZnAA-TQ)Y{fUZlG0aLKhZozUAD#6(5pc*MVV~pLs$(;!3J^QJ8tr* zj~2wPVtV)$q0s{}A1}V+Bf*?B;Ygr15M@69LY@Qjy#^kGHb>%!XnI5>_{MoGdH_x| zj0f<5Y&56<>unx0VW4JWY!fQggHkfIKhyP^9fRWVh1~#Kk%OIa(e?S{`(B zbMcOM#5)JUOFK}|8HlQwnk&`uMb-GB+{wRVaMFxFZiej^rvwylKER~BDZh*_Zex#o z;1K+ItA2$o)Ce)papw6dyA`6QCexCt0TK6wgI8wat^R5=UC#dz(~GXdQ7sYogZuA9 zPPwUiTMhNY|KxSwk~tFD|I_`F4S3;)3>X9uz)T~U#D83pb-9(?ZbTi+2d6e4`=Hb}o6O`F=6E@(p6Spepn7bnN)q zVX|yQ(cAbYqwl<@D(NI3Z+G|SkSEX>{fuf4=LxBP;!?IyMLmBO4qM5&P2IC=7SxdN zb-VF?kON+xLYZKPt1@Z4ZvmU$*IX}pnTc7TQq8tX03(`=$<4cIE9mCqp_&8s)o9dl zHSr#5@lygWQU2F^cN!6yCcRtK9>u^yGsCoM5X{gkxu~Wi_T;*IY*M8bJ{bW-ac`{8 zQFv{wuIT!mpQBGqU0X3QJh^M@K>^;s-*zDSyu_>cAaF0NkV9-HcrEhX`~5cSFrw5@ z%QsVaUs4Kn`I$RwGjtA>oUNu-;&r@}e9R|lcd(h0yjhXu%w{xAR_J>+1>zXEI2pbD zXv3^uyT*@qqj#Kl>NQE(mVvyF2Pz+$2W%ffKYTHOf5hf>(#o~T5x~SUjBJ4~W;;hF zgvN&~7|b}J>pJT?UO>r~qDe`IY=&tY#s&7G!gcxq#Mvbh&<&hHBzkyzNcrG!2a;f- zgT)nX7Q;yMp{Dia_1X}U2b3*pjnFWF+&a7^tzLmn@n1@tGG}iX_FyNcaR(NF&%gS9 z49>R0XbY`I{8%Jx%o2fw^u67M(gzVo18#YTrg1UyPZ+BVN(JIM_$a=w00%UrJXC85 zQ2KR~Af9(X5(ibuz?(*tOIU!F-R}@tb5kNL`U21za&a)W1{lT#Hs)0z(L@YZ9CaNy z+abyf!JxO$t$;;v;msiWh2lmkX;8=w6ufD`5Qj8i5)p2bA;HM0a4-J>$s znovd1>mc4*tPqZLu-*i1s1I5k{1>8$|H430hGY^W^o~i!AUR<_`6?|(B{2!;D-_Wp z2ivn@Z+~xede~yo9b@?wagwocF|QDFiDnJs5#foW1qlE<=(GV7l7n)FF^)5e zb(Xb-LGM9TQYM3KvjA>+BSrRh>!rKlp0Moo>tFXM7xcig+l>%z(!%XoeH$f|QtH#M zKY?a(FX0_lP2R0q^Oy7jAwEtzCsoI~go2!npAj#)s@Q(7#){DFRE?N%F}(BxY2SyQ zC!6#h_#7)O{4Cu1pA3N_Tnzk!yeqNl;(>zrSEm6@gN@m4a>!C{iR;DnZoV-U(~M zxis77M4c5M*5uJE-14Oft8?xeI9!d&aO>9qTF}PNUC74+<=9rKmxGgalyHGeaGQdarE#<=7DC9tx zZ~;r82}VGKIsD=d>u%ESI5ifWouVR&0Wv=X2TUu8K!piLh7I=26O;wl%il&wwaB)> z!r?(u=rXcbOBHX%(eI@KJ>j%U>UE_QiO7`0fD0HXA6`m~b}Je1l7K zr88f_D%sN*Yy@47aLmBRqrW8{q)}>U8?cDp=B5F|ehTR{G(iH{pj?s_F%IC(LW-Y= zgTzuQWL!(s|Bm(zu?-pxbsZ8-^KkwczCJi7)k&S+($jqkY4;n;QP4MRD&_anCB8G& zzqmU;7VLg%kMX{0W`vp;tj|986Hx>TE4TFp83ZLMcd&l_@>LDBO;EsX( zoM(x2tXkEiSQl=|Y!#k!1od5Zru*Fd!H~}KdgXTyV!-w8CM)9BsOaIY^!z*r%N=P2 zA>FxWBjqi%GksNNqfcvBnOuE4sm}xGij>UGuvS^WZzojAKA=TMzdx##mg2A-$D zz%^2(;<~%82~$TNzr*ui*Q}4EquDfg(lhm!i^R7Yfo7t!y^@}AgBY-`ge25@Ff>CR z#fRp8@^_2WULW?95zfwjJ)pbHD|x>uYNJxrzLJ1OGBzNMI8s8_?^Ucr*p#YUQZx1j zUfW1vmKMd)TJXm=;+RnTDZ%cD_SoN^huCxQH1unqd@0@fIt}sfnBP=h_~wABHBGIH zOm~`s0ybGqptwU~Ih`_Lyxck`E&fFvj#>9eUv3uBG`E)s>rg1=X?n4lp3OdDzMVrn zdYArq_3>7h>On)~ZOCwl5$q_0F!ZYwqK`CN-JpXj)>RLXVwCIZy~Ef+?PD5sy3x*g zjBJYk7L*VE0gB{zSYi?~?%;ippGOHmAA3`esvc$%b#SaKjRnv1=B0qJ1^zHKJ-vuJ ztN<%`e^`kuw+KE&;1=y2qVDd^&eqOc!zGfa6x&S&W<;=6A`M=|hvLuhnDGxtPP-l_ z5Q_)!IhIlI*gyagb}Gn8ns^Br@&0@rH~g5yjr16lc8xaanp8la2)9O<1hONA0~ru( zhSr@uAn?VZ79c-(z9pL@=eb5B4Y?nfzxrE&a@ZJMSIDITXCGyZy=jixFeHf=^2q{q zNoF-MLW9T?ag@uT6-d+=vyShQVp(R!k9%mNwipR`Z0nVGJ5?`yxWJ^r#jtrrX$SDBg|$ z-yj+6w82wSdY*{RlF(DKBkq&a_(OiYt-LvE&hJO!qS|5nmwj=v%5ND__q+YynV)xL z4DHJf;vr7l3~68ZGn$Lb+kY=2HHdeFjfC>{njGhG7d<7Xo$kk$*}z`)>*sWHg)-!w#LdB zkhp1U%K%W#zK;IQR{&|I8d@ZP4mJ`M`nM0e{@{l+=R_!?N4~a}aW==8L-u%T{@2i{ zS1lfmbzU<+yOJ-4RdrD+<-XhV&i}ueOxI1NixQ5eGn)r#{Y#}q_!n-y7u=5XabTR2 z7a5%WpL+k`>3V0vOIrFJImy54`HF<6h_4rTe4R<^8%*P1K>>IfOvdi9L5zCOxJN&w zsXJr*wP`tX5>lA>9?ss>WuNV0>3G@H4|1$k?cK8}OE<%?rR;a@%1d9)Wn$HIoKnrR z96@CbKNVfFtVkomR8_8H|G3@kG$ucjH)TIiD5dDBteSpfRQo`9Xen54W=j7i^WBUTTc=M5Pdog{+^h9v2O zUjsakYpZK4uzGQpWLTGE0=sxbLU>0R*wOpv6Sa;r%FnNi+G9B&fn8Yqn(PA}vt*y#)U z+HeX8v&9(an3|r}OCt;>l;JH_PlWy_)ZcD2DGRz9bqmJT62SDg3fDl4Aeue;wX!-o z%ee!8(uA%0j>;WlqiyV{VJUJJXI^nqSCID{=vH24UY-}t@4ESAOgzDM`4W-fE>o1-nARVH{EZG> zPj%FFQ^CQCs)0sfI;ltWIbUer+x->gdUCqOV3WFFKWD`xr@5nK_)S^`J}$pHVfHw~ z+RxoPB0ieHJjDL|+>z26|KaanvzfTw@U^9ax_MR>^eQ8(y-Sou-`w8sGHWP~8CbN& zK4U9`f5%6*r{b!qUNrz_t(?o(L$L69@fE*zL-D0X^#@}&}B!Ceb#&Q z(S-4^u6>qoyW4oD2n@vPi~5ckSjGyi=T{Q1SJ7|U{bX9>uJ7FNo_2nUo){RsXnUYII3oUb{kYW^f%k5A#Q=mxa3S5+SKp2E51kc>C28~v%l zy!V$|v3EQ?iJ=c~7Z6_POr3hoLY;NHH8DMfHM(E0C_4Y_;#9x|A!{#Yd*M6QG7q3g z33f?2Y4(bEmcgB#iq#DbSA38P-46R80YqXPSAq=`?UClNF2qafo0pIW2yP)a?KMYjF6ElA{ok zfzY}UgaQ;(x{23%r@Eh1F|6BiN^ZbS;$al0lV2V79#7^UrVSk)`joVclgmZ2=qd9L zPJc-TMi}l6n{Cn_1o%Cp^SB)uOtN0QWJO+IbbvL^zsq$ylSK?fJ$=|zI<0rJj8}`x z-H=~l*j~+5eb{Igkr%C}B(de6`b8wGb7iH{qU92yo1QXtX1EwwdF|pAbB=X+dbG2n z;F=2#`D)Yr5CB7XHxa(YlKR1c^kJE39Wl3Ut)hZ!M2~czE2gL?4Bn%dN4kh#^xr{P zCUDbOfe-<88SKpAyj!|6PgTH`HI@;LU$UaqyQYr@U;UC3b3u&(2kG!IfZc~kN^lwk zk6gD}c5XCcA$ECmP>^|71RoRsx|cg@*uovvuk3cCviFj$>zOL(v{(3^#ger!R%;0U z3XI?_<^rUvuL3Pc1bG*JQ8IFg`g7dLlm-ubH|=+>d-R^K^?A!sQAS@ljpL&Fh;eL~ zNGfct5AzMO`j1m&({(E{q$RRslH|a_FyG0kdO zWa{C6>z?l4m&^4paaSpZWg|yMdGBK;b_H^4=~!s#q_q8tCc>?#HezTUtzqV?P%oce z#l$`=dGL<*)bm3LB|8rj!?@!@%9acx+@B&TxXIgMw)z&;fqRl{B*J}1Vw}>$q;6!V z#4Jd+24=gjz3hjW>wE;jbEgUO2Cmy&Z|-L88W01qlb;e~#n~=x#+|YElQu*=?-Dzt z?E#@#X}FHgPZ}(pLsBh)@+p}IEU{io?a9E4;eyt($tc1hG#B!TC1|(AiW20cmlEP9&vjQ<8K$%$`ewIdIu0P% z+=TAS`zYCJ*Nbvg~0HHx%z9$p`x9V!gk_R{q5IawA>AP-l)VXX$ zS)RJw49}=3wh@>mC;sHb*x!u69zkGk_S9o@RN%q2BiMG--;Ysr#-=y{L&6Ryz-ICI z>0$bW6@MMO#%qYK_ zt$n*wWV0Y=cLCR#PrMLo_jf@d z@vI1})F`u3ALGzm&eAOI;NK(0!N-ws6LMNby3BYX>{Pl21O^XyAxpY;SVY%&M@JUn zB4Bro748@vT}8dbPjfLxvvs6+xZDNY2E@5@UhNosBu!SVr@k{%W>jt-5kD>^Q0go6 z;t@?ko$}fQ?i+{L%l17HN?~mkDK9f9N)3u~QcB;is z5j=Qr>ghz5BcBuR%;_EH@_NV6Lm7!h(^E>#@c4>iW8za2n5UyX#PdK3JQgAv^hN(Y z9Q_s#4u~1M5tp$EM-CBTPjrp4o8BgH_e4oyUQ&f#TBDN|=@Yl6YK*NzQ$n2VZ4p?w zi@?zOnGsm5w;kw{3IuImX|bbzSsa!o~{pUV&+ z8l+XE#71D$XJ{TtU`u+1oXnI~ndPOV_M<*=Jw;x@&U`06p$_8aH1gXsiuz0QLbJHU zD5)}NE~QI0jFk45c(}0$CxS@vVlU|#bvh@xK(Dz?iVF8M<|>_ zUD-kbTk30<-PHf+6xAJ*3jX(0n&|z0!R?}j@Zf%~b_3-N9Vefp z_3(kqCx{4Fj=oL6*W<;vvf(>t`RO=Z$8l>)_qQw(C;Qo(5V%4WlFM; z+8VvoO8t>C5|~V0LMqGh5^m+nc8`vq(;+NXZr>`D9qmDQ2np(K^#tL_<|=)K|Vpoy3y8{@3<-jIF+zC~PAUROb*q7JLm*3Qv*Vvz% z?8{bovLfBMzK&ccHp`tLcUFo&uW^7N$zQ1Q5k|Z7-0az09vjAK9_2QtTkL_cviw{X76evOTA_=r zHi#-I0>j~A{vtvBK8(Ka)~f^)-Z|7rorMHr1q9cTxt|o z>6OREi<*#)j|awFA(IOY2_Udr2336m%V_j3{hSIyuKV}zfB*gW zXz=N$pH7}U`M`k#6DLlbHEY)N>C?eyAAa~D>iqcQkEll907K=vJS2d+ezLuq;n=Zb zGiS~OjnU7`(a{*%+WKL@;NOX7Ltth_kx6MW%I=t?#aWU~{X-`wc}2T(xGa{R18c0> z{m2y6-8^-Z7_iS8{q{>{r90-{}#kYwgud;S}%374oPcgvD|8a}supaCp0O@V?aO z8@UqdK}1sXboaozio9IxDDFiB*(sV!b_jjBedMfm;jgz2exr5J>+J$xZW)l7?AKT9 zqYZTPceFzc>f^vo3U}4F@?JMA@>-_ku1;djQ5+Z}d#inD>u@K5?Goa%ConrUPe{c0 zvInSL^V)~Z>=5>1>yX^WL4y^(G9Q7HfW>7Ku^#LZ68n|i1J6&1FU^gwHcDy?akmZe zl}2fqNmFKQ_!vD+V2gT%oye5mF^NDkUyqU)+KCcF+!2$y*%KXu_^W%zUd&bJ8ztq4 zz;fmLN5#x&6VNQs-i^x+b9EdfbKg8Xw!oNJOeTWBZt4`%+lKs|5!jziU=Z}f4?mnc zcW$%oWk@I)Jb3W(<;xc>T9licyJN?W^z?LaRZ&q(;IG zpW1-EfW3S7?%%)vn{U3EF=Iw)Y3bp^hp$|@f(lUd^5x4k&oN-|uf(&9z^IRvRGH)@ zIpRGdBFruQ;SCW%!2S1$ciA^dTQf~lrW5T>jhyj|%OcrAcv<)XeP^B6Vlm6D;_()MUSn!(uLE zD?ngqYcXmoNp+20R$&lRuZSgO)E6wNzw1(!lk$RG$+aBWiA?FnF{0_6Ltlt>^tK~- zEH=Ti=dn2P?!2^QpSAtNu4KzBd72X2B}9tAp70VPA~5NeB0*i3vldVJdjfuOJ8E1VamkJTNi(Hym(G8 zd5bs%R~RNM(UrBdOYrF|oc{yngN*HegyjSygs8#j(5N&J5G)mI%lbVy4}n>uxB_wL=_d+)s$Uwm=r z&YcLV5QL#*?AWodz4qFvQ>P|Pnlya)@K z>?8Mmw`<_3bZMDUekE7&(hH#hE_MWq=i|uEZR&9#HRMVTI+fKJsXwr-p}w83dGyQL zjS_2~s60=4dTQL7fuU0xd1(Xfy@fm>rlcY=rS=lylivfY zB`^*#t(o5yvPq3ecAFHHo7BbT1aNSXPJCoi+$RIV&256(MG5_FS2BeT+{7@~oR*>c zCuyu^O^IG{aI$Pc&ydz}Zd@*vY`CJ?Y5@+JIcJ2oz$6qpN3e5?H zx#Cs5eEP)O1v~SddHmLq9}jvPUg#*G^zjDtWh+1j;hL0wa(OkoI&!M_;KjKGX_1SUQ^CH9@(QH_Ee z;eJ41EyA7G3{&Li$_sKtp9~5gn&chf~2Obga#u=e- z+cp|bQ(dZ897&VE+c%L9Og|P3{}keH5LmfER<08j>*UvRHQ!|=zttnE zm&7U3g?jkUl}&UA;jbGaD%PvZ^okQxMnD)r=G_r0$uIWnumThGVVsU#QMR|#~)-&WphRSNv)ac?d7yEOXjcXR`JL6MQO5 zk#9~qF;z*n@(&kMhlh_HXHt`}ZK={5)H@+n#m0o{M@L|P{Zoj4=F5D+J$LThS-5cF zgb5RtFJFG|-o5qf*PlOs{^-%8yLRombm`K^AAfxEY#CS$5gUF%UEh889l|w)Ux@H*x5=2lS!VF>#IqwX zX&LoBdjwJZ8L1krd!Cw{yhN@o^V(6!Uw8wupA}6!Ie-iOfb`Uk;DF zk|`=TD&Vd<6Dfw%E&lVp71~3Cb(E%55Ve#w2)pIPe5qw#JuO z)+_XuF}ci~NWB);_9jCMgqSpCk0vm6kx^Yv$||Y%T}k0U52UGIYAj6lCfxYcL-o!C zF*HtiXtJ^*FQJSC**r@ED>bT%sL!d$E5Ws-yn^~FSmMT^u~Sk!bl>`qa3EBZ!X(ZePZ3kb}ZR6(k4KbF9Pk5dGut~QT*#i*Htg6Gd09?;1<2_iL|}jNWAxw^ z#9^pPzn9?$+xwHiYG5X0ezbiuABETiPyy8tOVMA`Ksi(a?%utNP5QY+6k?Np3XxL5 zR&MKx0fT=ho*99ekIb2q#n=tw!p5 z0vL6TUh*gcbAG2s5F#)bq*^Be6`eOWncFS6T`1w_KnU%)@?dveQ}4r5BxkbKs|QPa zC<9%1EFtyYNbc-TVdtmHEV)=-sEdt>{}2NE(?6%efB}O)h-XM(2y{ST6-KeuDBU+n zIa=!*qff6HRS{!(6EwV{tC5S2~6qOP7@7#8etY<)peKFFD_! z`DT2~n_Yt%ML5{8sJG%a3vu5(T6rQ(_I?llJ`z_~dtRW2aDdEV!@#f-LyFayh?u6z zD6tr&C1yoY-eU=ja^cf|CS`>l z4*h8!qyK*i3*}!V$0*>3%PPm75c)bYjfQB}3xMe!(N;+$aw=i_7zJbsVX1{$@hlcT*&Dx*Pbg!-ZcvmM6N|`46WG7=@4y%^VDLxq>Mp30nb|_t& z)+8v_&&7_U!g9K-CSI`-vj3GK11W#fYK{Y0)1KmkdY@^0cGu z?`KDhO$qv9l=wy#)+MTPqqc%nS3j1(0&N7ASf!Ixk@BmgcEgBBT{9QCKcC?6?HufT zMDw=~i`Y3LDyOk`LZFiyhlq6L_m#MRI#^U_P6qQ8no^1=6a51sFowVwF!<-=84(z~ zv%18rD$A2rlj7UPgi}+JXS5Ay7B2AMv;7?f?PJ{D>=3YJymDfSpBtaW<`Rj%tQFmY zZ)U10bkzIii%haIleAnXzC1PlvmtR^Vw{Aw?;tA!U6=P4uOA`JZSI#6?Bvd8C4@K| zTl?)vjkLZ0P)$9)NU2J_0yWhtpGqON%=%Jrh7 zlj0Zkmo<&{p~OzM`E7DJ}4Od4h7Mnx$~s4fso$*o2VfqKbSx$SeEh)}K56Sj|&rE1*8UOamq z_mKovp;uSx<@uSSz2hZ0O}!$WsXr%owr6!!_$}-mcY2Dv${?@Ni>=ht91`2#f&Gub z=(24RhPKbf$Eu$`KQK_5?O>BvJExp=e zglAWRy}(A)HAVyV=eM_}%L}H7nDPN`M7(W%f2aU8-YE2 z1omqJYZ!r*8P&z4rV8fLi;tyA7W9)giSl4kmk%`2ZGOGxe18QF%IiTN^Tm|7K6M3Y;B+(yFkJ;RgiKNmKqebFVNC~Je1|spK_~8 z%t;pN#+$f2PqTeI2+URN#kG4Jf$7vRR5=M|(!SQgU+zJD6Trcq)hNm}uWjhTandTi z;ZRICF>>A{}RU4%;_TMnC6LN@^ZYVE_5gsW4!`paGs0fl-gBnUtk@Qh4p# z`lQQKlRq33liJ8T%!wmpvm;%(scN@{ePa4aT%CD@ivz1uBzNYvu!C&pU<0>i(4BIg5X zs_JQ|Ox**c2<%zk1EU`HGbnBwr51ze$YjymJ!2b(!G}{&_;Tm;j69MiDn{g#r@X0G zf6ymtsKPVOo%$k)9gAob$eY(A@_3rEEGNDO9BdF*z{4747J7gNsZ}qwAheW@GvTB<4dS2s2J;R#?QXgfu z=MgeLyUB?jyHlyB5Uao+qzK{NBMEFp_kfcb6oJ_uS(Fr+RF}zwt)rCvV!Wt73E&Yi z9uC=w;z_FTI8U}cpX13R`p7)q8z?%Kt}MZ_gH#k7G(}|MKjIQ1^$-U`UhLdE0Y(id|=Pj_w-g?95{Yd+-KI?Y57M zu~07_#G*T)#3(O=3)WHZlsb~GNlWpKaArBMh%gWP3C)8iHSuj0%nfv4d2opSD*p{5 zC6_Wpr6d*8*b+rxWhS-71OgLPQQzjLzU_igrp&COo{gmLfvF3p$q^vl){B2IsPnU> zAM|wTuXG7?quw3w$|i=1g@@9WRnyhwq?#hIXYv?52uv@6hDD}CFpbq9!|19_aE`Kl zV`FD_3{44g0C%EIk{@?Tzt}UGSon)8%*p~%yJ={gu9<(LA0K-;EJEbLo|59bc2Mli zEOE6NL6xXVABSMqO3E?t3Q}6BkGGIg(7<(_cHhXT&$@Z7?;EmnM9jsh;5liY# z=;=#{|9h1beF`F zsSTUGC<) z&)wc$jFYuw`EUd)MFOKjz9Dz_eSxJyXpWdHPhgoY7#`#H{^@Z8J%+Sc{bA?hqx(cI zz&U}5!o$pOjvgW~y+6B%gO8H{P6-O3NtV$1;#9qPHXThnX*Gr2wKYHQt#xGLpvQdd z1q5a+bA47|>>>^bEYi^e0+aFe3k2MauMmWVEw)%>%YCAz+f2K;uI}4yTl8()v{_S4 zT`i5bn`=0}*DYv~WrnMX#N9~Bx5yC;6~8tSSi^piS&jOO#_aK*P+#r*6S$pGqFSy6 zD}3%Mg7|yXi@;<;(?afZd()g{<_LER+-$`zLn0hawvO&;(W!~1hL%Q?=K9@Qk2UXR z(_Oc%j@Hn(+Xz1H7Bpv&RAeC$K{i9=0t%Q#sUf(tyn`w1vsq>*x zw-5C@^lr&b^xd0k&L7$!9yzUrfUej4{9Sov-S3Z7Y(yUoKT z=4U7L`+jiK_Gq$66AaS0bF*32Z(W#ebKmLRWEaakM5}Ik2!^Lh!b?wYM{q|+AyK@bte3L>CQ~x=GAh1DQTIlFB{iDG0_}s5e<_nApgoa|F zx%V7Hk57Al*t1!44Fu3ltU73J8Qmw!*(}@5NWnABcQsaCh4`$%_KoTl;b;OomoW-&`me)_26yWOQ!LI*~`rHgfd2GrboM$ANFZ(&{m^E zv!9pip9o}`u{a)-lLtCj+R!N7EM1J)M3LH-Qt`~^E|Ax z`9q%m9@szn3@nNFZh^oU6K)Dr=6Gi{xL zZM3JEb@ZHLArV*=VJdew%W=0&S!(7pbD;guPVaPYt*)b6Pd|{hJ^zCJb~$*1?JnnH~h9=>lWM%hjmQaX{`FPYta0` zY0icPJc}Y%)8`6oF9f!fi@+58!6m%@Mf|}9%S;nojCYRgKEa?}A5L7#n`3Ho*XML- zq4oaTEjE1fc7m%#AzvR!DzM5Fy!*O*2G-C5LqnC7l>q?(GiJ<~Hf@@hm)DUaM*;%_ zu_cR9*j+i8(pVnl02wTz5UW@@*IYqCMMVW#2nq_?yLWGBXeeBwuBonu&DBj|5gAs_ z?85rODj0~}Ymse^66Dz;s}Gc$s|r4hTIchuC2p2E0*mw02Y%E`hx>Ui zE!~#QwBK&qq^qt*ho;)2OuFnEGazcAfr9(?k`?zBB6mTZ879+0fk~Q+>CqntOtS3W zw?j)^?Is=DXmx6<-K>db8{H;mU7D@>&)bikEaa|;Y!K~1Bxc-2cOpwM-`rcrk z?W|im4{N#UtF9L&y%RjAe}WTYHRJqcX1N{~$<7v`b1e6KJ!saDu0}nzn(1)2aeBM0 zj-73{6XW_Pxmx9khGz4JO8M5xw-5(y9yP$CC-)wn=AQ^GpJ$OTw2oU~uyaJOk%ryc zaRHS^H*F1%54*&RKFae@URfu!%of>*JuK7sR*_3Au1(Y1G@{Qqz2*a3aNpE!(^U7} z9=a~?cJ+6#l8S7&Z;82^<+%?L3v44DEm!@w*N6RDb!^#GOGB%9lO}!JwfJH{TjvjY zpPXb6?qHbVWF+Ik+~yf>#?cG)uS^=a;^SVU^x7DA(0sd@#MBo`WeTuw|zH zcB%+Wm%AIi&WLw(_K)t923zyZ5FJXmdwf{n?^qx(%I6yI zT>44(8?y(bI1MTi7#Fx3DnypCuEXXJ>DrpRh*G<2ORaIHZTE9uWVRH0*vfhE+@M0f zL4n9D)z#$u#C}VMbvJCM{25V1<4rUmrnlQQ``)P2fieBk-OUSy#tQBSQ7y9twmE!T zb`|1s?guToExP|JuR=tK6CWSHXwjmuu(0gx?6|l%fk1Hj^l7P7ib)?+yhI{NOiV;) z5JPTmF7jA~tsXyqoSB)486S;gWo4=J=yKJnRp-u~!w>;#CMPGSr>CPSJf^0mG8>^; z$O*PU1r(wVHixm2l9KR9y=EDk|`>xH(h*%l^%J>2MdbY3OKbH`mhE(&*GobFyW}T_=Lv^M z5Q>S6b43>UBFjuCv#aCZaU9ldK&R#!+Pd1hI@-FrnoYDiHP`;Am-e<1Z>3{|5Q7MP znaYLSx0od!mRSPp3qN-I!KC%agIa%M(0bnR9&5hpcX-U(o>TgV%o==up5fg&1~;Y* zIxtpm;d?zl?%(>YHrx+Ywbs^nznkW|&%650)Jt`>k#G^f&|K_-n_lGn0b54BW7V^n za@KvmzzW)n~L}kB&{bALj3_t>G}F&DBN2{TEu_oojG!&Y&Rs!9EKN zz3dIoPaVAB+kUfbdsudF)<#34sitP{Hccn$H{0}OkGl&kBqEyv?z(>q8Q(@C8kXp0 zd*b`P3(Z>%>#WsT2PXkdwVJjZ*g@+%qfX053_dzu-*ejFkl6B6q!9mw^HH#`CP&chS|*Y@*SztBI4%Fn|5|~ z3l}bAg{biT_ut>Sa|a<#b#?Xn_3N))yN1Wu*w`IAc1)QvWy_W=4<0;NvSbO=5*!?i z=x6fe$>`$5i4%zSCQO*%;o%_`i#KlEXm4-7Y11YQ3{CCaxzonR2JJ&RSiErI!sgAJ z;aZGg)TmJy1|mE(h)r(Yx+N3}V`5@3{!5oGEnmJI8F&kpg^y32IyH0V%t@0bZQZ&x zJUo2Eh7ISH?Ax~wg%}2Q9|A^A>=fh;nNb`@)QN@@SiZ=@+s=5rS;xWcHCpI$0@L6= z1%be{<_ztAd4_SSqfwDN=1nFrGl|F~PiUSmG|zD{zdc?5r_cKtcWbGk)dbSh)@p)T zuUA{$k@{`-k9mjtI+TFB@dx@<3oMfpSocxJZLRvWH1DqSVgI(HjJwRR?6SnRGymPL z%RlTXdcTL$(5|yAJO5`u8-vce?VD=o>Ne@uNoSmK>%-#)MlLeTakG?jmqc2t1m@6x z^ZzF>_7-9cdkfL1YkTFb4clsIeB8gq!cY41Kk2jl{VvPj?jvgp-%lyO%(t1gb*u5}X(>+1AwJBJ}{Cm3`Y+OtFFR$5)!YFhQsb$kD9 z-&qEa9q|V>$oDYwnQJ)Hy5qnuEt_iVbZ^<@S%JBmDtKJK5Eud=nY%&QVhgwTyY+9c zp`)YGs)f!61Ka)ldFO~lgXGH)DjCZ?EMnY-IjABq9dtU@jQbwg9|e}}W)bdS_S?t- z@AuN--eBdvbl0S*hUU9{JFXp}7igz1;UR*zPzsFu4xjQ?Qid6B=IRKH3GCnY85nB7 zE=P|ZMFt@Y9$^B^?2v)0t1H}g=+Ge)LJ5!uWajVhkGX#I=+U!h&mJ>o4B{Io1eLJ~ z!~lCSfnC3T9X@~<5JE98qT0lX6Cn)5X8@LhT_C4jyLLG`IwJakcs~C4Xa0!Nl$m!Q#fA#V4f$dOo_3BkDB0p`~G&GC85U4?c*b42y!RV32XV?}a zM<|A%&E4G{1H=Aerw$xAfMK8!L|rf<3P+3>F-HmFJQht7#0%1J0+S2P{q0Q_yx-gE zEu9vy0D>>&4A!N&w&MrA{T(bboD7THjpPFEYf@67xeODB&|D!flen4Rn`^RVl!0}x zRuCR$JWOLSgI-778CIQ7O&pZPeKDE4^&h%TyLZbb9kjUy+c(vG@153epSKEDb1Wgk zkNdUh(p*bRL$igpW|tN^ecLr1&`w9My|!V;riLAw4d|#fpo4b*R?WKUHpLM7chMYW z(0a#rgX0&QO5BVJc!OmkbFaCk)2zGp@7kuRj_&gWW>U!KZgwRVSQqe(3WX*Q-G;3F zqPNXkI<1;D(b3Tw&{4H*{VpAy(9zp~*MEP^i7P)+D9N|ni z(-r^e(^d5uSQE!#-T!S@AtFpcNCXWeBqT^A5D+rs8A3u&p-~+e>;o9E4d$9>R z{rTsg5dcA22;GW`ieMu|ROoB*;>GX~jDmf`CJ5lr2u6k24*tXD7!@)Q7-G2HyLV$4 z$BrFCeaOk%+Z&Gv)E+&0gzzpTBn0_&>((7Ud>CUxT!o=RYzX5ZT5JyELSUCKU&b&X zt!>-3VJ(J-ppzXLf_QNnNMJ~Ep+)FI(`EmC=d%H=+O|*%Oj}n=6SKCC$0vQl7F&tk zxZn9jeauJb4g!;k%oTiNnX5_M5{rG~jX&tii4Suaw9ryh!>U_Trw@8uovxpS`B8c6 zMf3}S$%V#w9u`?b>#O75nqb`Cw6ktk9nBV6h~1iMXt&U4f;M0)9kc`+Hr3Q@qovtF zOQV~vrfJ6}(=0o|AKb54i7X5GhJ`$R1OeP#n%wjv9Qtn>`L=b>W|*QOurY&M_$?YD z^RWEAz^t-8tYeo9-ao3_7?ZZ`TX564CTcgqKP{M7n@d>WZj9T6du*cJL>ne*udUg? zg~kWHbmtH2c6EkcqF{KYaHvFR#oa)JyD_|#0w&{`NIh(0U5D)daiE=5N6Ri+U34|t z=xR0B)KtE)r)-itHoE9RTU)!0rcNhq?Vhc)-g`&e>AjBEChO<8nicR2ig*lfbM%WE$sewZNuhTjd@jRGw(w`q0Q8(N6^?=YFBhSor~)d5){)wV5Vk z3|e<+rlEsE@b@flFj$^3bsRVgLV-2z(xqL5OuM)5Rrj$u09QH8nLA?En~&-a;hmN<#zXY{P%w ziCbzVNIbyq1Bvo827G~4)oEw zsaD@M+7{h(|I@$KY_m3-M)dKVJ}AZ6s6c33ATY=m80Cqq^F&+(7Gd9S(|3I>yK}!N zjDKSdS_Lezm3decxD8SZEKgvaBeYI(9DHtEubI{zx;Ez`22F?(5<_|0)VMA*R< zYHK%b->UW7omvm+)oS$M7E6b<-#w~#sQthUgrP!f<+tK2^U={4J`-RJ#VnD%Vbt4&kxF8|y;IFqb7k6M0gFt=Oi2B+GWY{7=O*D%j z3{A=9a%{q`(O_L5gGCe~kD92DJSr=j;o8I_x`6YREn9}lF)=YP92+Nwfi^K7Y=V~6 zZ365LnuVEA2cVp-!dA$zM|FmkqZ%^U1PyXc5JX*QIDyH8mPwAr7boF3sK5h$2`l!He!+Kg((K>{_~cddHc@?v^D77vU4k~ zW;o;Lra_LTni@S@YS{MB8f(zn<^3K9N5Ac7r=RGEiC(Wzpf491=87z`L_@>^^=DxH z%(`=LA?j#q{9w@9Z^=*ytk8Y1T3|Bn2J_Zgj{3K!ytCN0b8qEaUiin7@_zd4vT+Xl z*H))VzYfjcd#BwbvyLl1>3n8<@9+hKGhFl}0^?jh_ibYCo6g)DiI#bSA-O{C>v4JR zhKY{)-m?eo{JyWtM?JnX=xE)eS>HBVt@AD_C7GR-(816 zSx!c|Zis};^7$rW4;ycLvqiS;EjwzoY@*S#UGvfUtq=d8ioj$%BZa$BiMt^LmMa`4 z<)mVe!85%zTmR?(bRX8G2~HsJS9rIZ?$NP&sV>}?)rtfLiSE|U!~Z9+X_jq{|IjCP zsWo?7UZExI#RLW?74XgOEwT{(x9^98T6b@*(N#;sx~uM*Pr5yFZ!@H?QCg#9puYuS#IOTWC7J*YmcWNxGw6(MyZK8u~LZHJHQ!GHgy)XP%kpS)JN> zbv2ez=K;&38q2dylxsNDHPsbZ9w5(v)evd9xVRuxs;;h1N=n+XV+SfQYXVkZ*^H`p zhPoVi^;(vB23G#eCInF@8ctwHDNBv~XAS=8)1Efnb-J}}`c{XQ7TsHqGwgDDtbtfC zv`}Cm;|~yfnB{nIzcM9vH_n5-c>0*6q$1lu$9Lzy+s)!Fo!*^W_G+tR+EHWf&~E4K ztmE8fywzcGI#5|rG}xi2e101uT9tHJzKZv z)uv_N)>?g9Yxip1?5);c;y-Vlo%nY2qCpaY zp+aCF=NoYEpyC*Ew*=$_mczHr5)Q{St>Av`%qYpl#LvNK|F{8;@Avw_u)}+OTIhGy z>C;y0tyY@-+BdQ2rul6@?Zp=D*Z-&2iRpTGT+K3s+->-C+%58yH~h^O+4$L;F8jC( zstxSa%)D>s8P;7+P3WJ&eL?Mi0+VqUund#(%;oO-**w$Gg{J$*^!q`tId-Q8Kwy&UZgF>!&9MoFZtr%TZPD4zy4%usd$0SVf8dOFu!)3koXaziAcKgC z+t5HJ8mK^6#y3U$5#wyTZ*))o`z@So+dEpe;#=t+`tGd|2jf&1xAX%GMz zDfos6ztBjQ$GZ_rZBG2~_PP(-yV|tyc(47gZ@S;M)6d|p|1_5iP|Z*-K-buPYwjaV zzF7`>Tr}8orvCb`dMvPRW^dJW<)>|L&l{BPYEa}hsGMh*?Ph*@Oi!L|vxVl(__l2h zkM4hW_Mp_I2Dt*|8I0;EaktJw9G2p2>N~C9fe~F+*f!@6X}SKty>CtIo$YFjwaRB2 z`n6(}rQD77Ei(nSH>M6+IlPUdMN9s$j+e*2m9$td+Z8THv)s)sl}DzoPtg}mBrt+# z9Mqq{{+IIj#z^oJqypbWFEYP9%joJfqbt)*Zp<_bm}mBQslHTboXh>_My(A+MsksU zKKDghO9_8SI&Wymd_&J!18&YRyfxF%Yudmtd!uA$%WNL|%@mcrlpC5sV7YuFvAaQ* ztA47JUi_lL59aFy&(-&_GxVHoe0iqH#TjPTW|?}(^Gt3|H}IaW7dxj}C_~XyHFw|JDqH8`BMM%v2`>W#aOlvrN2ZoA}uohs`&QU2K}{Xq@F@%Kb3PQxpF_ z;rOe1$>p14oY~F>$&2(N7g~qfn+MFokOtkFKFD+Cpc^v>dCoTQoo9Myq1l5artwZD z8E)J;fn0gBM8q^`AxAVc$!$oOgQ?$4eV>_n{&V#1IvB(`ndKmq;qD-1tc+%!?v(N( z(mcd%u0{zZqQW>ROvGFSaFcl>=V?=Ld)oIUu)EdATFjUOzq zdA!st*PZK*yGhE^1I1cHESR{&=)S#vkez||EMwn!Ru2~=;O1^&#j3HyT~F_BDi$Ch z8y@Ru;Wq>OsPAoO7BgQj$HhRb{A1OskNh(St$q>-j362Z4JR<9e0RNK*M0@=dJ-NY zB+G2RRSw@O7Y0I|zZE}S} zxZkVfWb?n_VY+$RBL=Uh;Oi-rmt#l-#$q0KeMhd)I+s5rk8cgx$oM8)z`+}ggeXCR zZ~-%Ht!a^)a0NKWx5*RQW(jPwM8h+ey_YE*jzTU(tNrUOs@WMWaQ7q55!z-5ho%cL z)L}US3$eibnUswR9`9y~hG&U}<%)*piO_`=JfYr^->3i0?5tC+U%t75XR2^FkwZ&- z6AAaDUtF-8Ewo1083LOOfmIF{x>@9Ln{yv2A)G}3gfKCeZz&d7!wp$Nn{1CE83-Kt zW~iwQ_*nc`d#6-CRa4+*UEn%Q%6m6Q@V;0uJl}mtsgv0gC*vY_)VI!DHZ0|*_fnU? zpCx)XPcRHhL*R%OAh6%J#(hUSS7?JngyV_7CXSLAe@CU5x&5kDnX|RP3V-En!H^7r zE%&Dvp?51*?f1e%iTZHWXW|4#Kc_+vuRjeUFy*X@q~POJy??R$z(SsZ0y6^lxrnKZ z&y>U6Mgf`sZ7ATrNDFmAUsgCn|q?MSv;T z9MdZTEE#uQoGB-arxvL_hoUm~ju|R*k}$)r$#^CTp=mxG`G+Lub3gLJy;H}1<4W0x z$Xd$1Y5D&|U|dIB*W5d77=Izpu!zs40%cN$S;pK)S?uS*M9LqhR!;XgXxycYIP835 z9RDH#_j}oLcZ9iyu(*u7fRi16Gw!BbwYtOR+?~4k+(9dLGlnv`Po7Z1vrxEO6u6q@ z^SJSdMV2|sEb+I%->8^pBImK=$sHwiQ`~!@>R-L#_8m_E?&C2u$Ta!;%XG3=h-#Gf5#ZR_+U|W6X)1YY+oK`u_#S5;u4*af(uY5XdDt;v}9)5#NCOB~Pwp z93oW4AJK}t$G`HIsnKH*&#;82U&0$)#2-}1*JIxqkPEoq5I|pfqTg9uo#aB3e4(Ml z!$7>;Fl)I{)-tnf4@*R}a_$ODj2!;MiGo29T6Q#+J(n^D*ASI;}UZ?Dn3E_Nv?EMpBGz; z!`{I&C1Q*pCjos{{Kod_&BN*~T5?WOPdpRxG@JH`t4#}S+K{`sn7$unSYGgr-mTW! z^s7js_~TmibN%4>V8J_0k1}l5%HXa^*heR8#O~?%7(5k8L@O0mvF%o?2#40S%yZ77 z^(%?x6`4-Fka-ZiJYse?`xWti434kDqYegwT?B0rACJP;jAE!4hw+xXQeolV%m?mV z{I^qB*OyY7t1-u4$LGwyb=*H0t)r#j4tDqh;+EVQeA+czvU7q-_##2hNcFoNmIkcX z_NJ$F7mkk3y7Q_E&FEH?*mbADKDr)e8r>MNsvb+$!+PHPZ<2T2_Yg`YLAT4T@qOi# z+NgbMA0}lcNj<3?ZoSI?dW70E?z)?ojAY@Om)vgxyxMjg(verQY#NB}=i!Cs$vh}Q zs=oR&^QrO%d(a_YvWO?tmS=~F>R z%dMAkH|4$sKFLhgwjZUWbNqxA7Q(h>8YX+R%8yVQ)Wvq!RQX0CT|1Cl*z!XfT4=R3 z8$1BCHW;#%aP=T>DEL(xpQpm0-{uNKq=B$|L>dQU^T(T ztd8}qr{QBSlkb`ITozublQ;Dj>zwT;;^8WtsxdEodFyhhvqB7S@}-x1NY8sSUj0v{ zNk^sgzV$v8F*D7Y8u%&IN*q>L2+8bfCCQl(b4B20ob9qsy{wx zggP$uWmracJdTUgzjf;_rASIoPY+b(FG<|>3kaBFXUK$E7Ptt+!skx~q#R*-MF&~| z^jMYE)olU4`J0u5n>B<#%GYwpxJ;A*x8@meeb;8dk4rii197e>U`V*HUQL_bst;rR z=etXY$uVO#BSS-rwxH>`Ic6J$Tem2fV{x$_(RNn9dbM9|(L9nX6~RGfaLMwM82C?Aimu6Wn0^IBOvKX1R8s zS4t`ip&I*XNK4E5+wB+Du`sqIW9gZ;B0wC9)mFTIO|@DUUmjMvK#SMEQG*k$G#K*foz}^W zs7aiPTbFRNnvJKYDAWEsMXX}wA8F5xxlzMuSy@@Ij4S&mVPRnnOwsSJ2n%mPYn*M} zG1Lgevf|gqX%ToEB8X^102t)u<-w$a$1yP-uLUxOT3cE?UKbY^rzqH%nSFgG?aN6) z&^stXN)S&`V*JE1p=0M-hGq$xltIdSE&HmgEKCilG_I*{q@xu!rxSOBF+QK(J@~1s zZ)m0;@q_Lu&d@mVA2pAlb1iF0bI6N5B4Z)N$B&7Rm+@HWC{{}7>VMIhW$=ed`tBIS*!LqNz2j>-EjK-%9=LYd(`K9Ln8ZYAEaT% zf_VWL(5uZS?tsa(dfC{2ZK=Rez9GamTueMvuE^V?y4j#ILDhLHsAkDYv2gQ6lFWbX^bMlLTcFY}T9;owARrdnzQ z@YhCPuzS0Q85$X}4>QOH`I(t9G+Nc$zu)*=Ngl{XD*qn(WqlSpF!70<{!(&lO*OjD zK$%HYEuP`33)Isi@W`Uyq4J}nqs6}meWW{a4Pz^Uypy^L&UxEaK!F`oMn*=0j1Jn1 zMYemrWptuA+MZWq{?ygk&n;=!u>=hBjk@57GalOC8%Cpr%h2Lg|oI|ysXLfeBvlFu-E;hE4 zc<3D~_+luZ74my*9q+tW3ANI5a)|WMWn44GT7eXGR+O@}mbG6`qaQI5Q8zanY(i4f z(m3fnqW^J#lfya+@;f>@;MA_ItXLDqBqjAzJ#=Q}=jXqE{kpigxPX9wu&^+c0FtH% zS2JDoFmsMiPi;Lmrn9UU9-d`&U?fU0gM^SfE@oz=r7gB#(w|9*UA{ccK^4_a`euGP88FF)nc(GAxK3+9Pk)ni$m zLPSkHFIo(3EfNj4gEN3_(&LFM8NWH&SydWh&($zgN5K3!l&P9}=_t8_S1*9;haq8n znJ;T*I}P1O)?Q!m!T^J@ z4-N8ZgI0uVZOK|!IQ>Y*M$2`J4)*?|@G2@Rfiz?~~F zwD98xU&atQqB8G*1OvS}PM?O3iHS)%ZDP7BVluEuADEg>!vZDOa56CamR^_h! zl-ynJ+Mf1~A+3piZC|hi%k^!C7Wb7xn?M;SRD9E`PgA;G%*4Z zhfXigH8(1ZhsT#ExN3FrAcQuejIqQq@KBFo2avA-UqG}A9SQ00mpyJqa1B7jQSjrX1% zzHA&~IHF<=NeI8cx>Pi2)apZ9xqdB&e*}HK`R2_98M8SUqK&<($IJx7hhhJUpSVMc zGhd=xiT%kr2!pJWc?GAKAmlD6wJP@yvW)9 z)IJd`FFUF`a=EY4IO~8{ln#>!=j<&v)uhXnDzD0M~m!NNcR<|vRm#;nW zn#12Ix4aSq`!pejyw%;i)dS+jSCj?oOJKEcD2b)F=CqtG-%ld@6v@I>b5c09t*iYu zmmMzf3!XlehK9CJ%|6eJW8U4k#W&sUBIw6C&g05%9CDuGV4+u5c; zQ{@|-CE0stUKDij@VtbCnsIUY>h*iYL2+9ayd0<3i?k^DNG&6 zxis%N4p#CHmJ5!&?1(E;Hv0R#tn`#1W5d`Qre$sB;ZRdkb7>j~oYOngSQk_{aE%I` zT`Itde^phb)o`|APA{veiZt>k_c4Y}2IXE~- zO{EeXw6BLbSl5G&kS=#^QMUj-L;BwHuiI7$u-G49XDRR z%MJ{iyg4e2-apQ>O2sbMqQ`+hlLL>CLj@s-XelcFl?K-@+&Xz@bAj7X>AgGO7JR$W zt}y$URn^Tz9@e_ifsT@{S(;FH^vJnHAyDt4pJk=N_|^5qCHV1|a@9_mp((EYx? z?h8YGw(=ehdZpH;>tS9h3Z@yerk2MoAmy+1ibu2-aMNI8W7k-=KAtnx&y=lAH^q$T zWGAevIGjq3jfnyOLRo6&YU-=7@=G?sg?uZb;tyqvY$696qDU@@4}*IHj6x{-pX52kr1ChqTEjUK+u%o) z#RBU<+u7nH78tdL{N)Bu36}$EkoO}ahdVnS9v<=>$u!rVsB;441TiV8Y~Z1rs%mrq zN>Z$9^=osy;v`2!xmrw0?VyRW!_r06pYF8O1$kowIm%E^a+s`s&&yT>F)S!(Bi#41 zB!nGxB~mjpJoNMjkG%)`_SROSh7{VFaaL69+FkA^x3_NVj*otY#>qXC@uyJ0V8>0h z6N@TC&G+{9+643(#9hlovOTG)609?c_ot8Ap~;~X&9}X!iXZ+2e6QyvC54P>HXK&~ z`Tvo0&1$&i5h;@*ZW<*erRdF64ziS@UFBHrO`BRT>G(-uF`L^(|wA+yN#FTk)m z#=03roJbb=*hLZx5Q<9e$CL%+#J_=5Oj1%Z9%gQJ$e}8lFjr&YAA9Wo=QKd-R@e**t=7Fob_7k?w zPN2yKpf{PSn2tLza-_Mbsep0+s`M(X?-9^ephVDIXgAUYP3vrNvT;U6Ml$~vJ_4o- zj>ZmtzxyY9t7D&mwO z)+3IHIvZ;f=?5DISE6*O|8|kYgp5513X)Oe9o|Dm%d^V6O0t^th~9tjpqDL598lG| z^!=1fY)QMzO^flESly|Qbcwq=K6ZQrZm|v&9pe>ZGNEE3gFc(EM>`o^miOjb=<5|; zX<0)6AwL!$wkWc5C(S*rp^CAeaxzl$Bd#0L9$oXhrEh4Y zZxLM|O+j~aRP-lXgxYr-h!-;dfQCe#7BH--<^E6-$~;GcvT=cZ!iw_1rNU{jUQ*4; zd`4~!zKJpF4LT@YO`s{bqSfR<(S>iI^u2@MEgXnamS`nh+7y<%O8Dd<`zA08~7$-eM^O}s!Mg~Q~pwNN2 zYfZ^ZgLi**FpW;U5BHu8xwiy!9TBva_e3WPAfm?z@$do@rbxLwc*K=mhgFk>1256^ zBj^5}{;UCZA}d}hTVh_TclY^lA3p1{B9B`Dq@qg10ITr*`}ZS%)Fq+leX^MBx3-^C z(Y0VftKl<=d(1TCI7`Xw*sL;VLdiB*5eZ}5xY6S{R7*|4e}27@Y;>k!e^e;yhsdVm zH%KVPJhBr)L<<*$QWcRaS8qOig^3J}zGdC}t@3whzO|fog|99c=~qwoCKAHja9&hb z+!Fp=(}A+E?d#{0b6JjO9;eZYC}$aGEHy)1Atxu7#8YD{bsWyg93vm=K;V0N2)BDI zDh{W`=%E5_&3c~4PP2GoC`Y|L2cbbBmM(uM0pPF)1-G_3yMO=@IR@@SK8ios8m!?8 z_~GNBSHkZwysZ0<$B}jA4uzxlghFKGHD|)Lj+P|TOIY14NiNQWpOGdDW7d(tAnCue zfcY)D^XiCz^oudLW_idC?A{oQ;usvEvc zpukQQ!O7}1Maw0YMcl0vA*nlcHP^&?hu29Isfy3W_E_br-xdTvCUIY^cy_JqXWk;-&DuGw!_mV&J10>x<_z$`iLT)}S?^<%p$C*fP zZ|~jjOH1KX_&mSMqA9crVmeS4iaa1#s?7Th2K-Sd)RB#N&q~aP#mw4TlvY&CQ;)%< zSAlMchbfqlV;BA!DKbrm(#`$d?LJ_AsJsv!GW|lgmS`=ayIsiYKC$ z;8thm#~;0Mv^Lr%2ucaD7(M8h6xCL;$Sh^MG5n=0KP4qh5*w4thti^hl8$cAnbBgI z)mkk%tQAfBV!1#ULyz6TnJC&_PN!pT&e%n@LPcp8vjb#!u48m6O296&0uA zfC$ls+}gky&vjZD!|iuJv3O6%g5K~R>RM??YB7h~Kq6aZtSZVY9dDz!he1ty0*_Zu zBJtWrdt87JZggLYjr4%H{clkUBa&LZ#S|v{s@~|0^g6;gx=TX^ zA6|ne55-O7Nu*XlUWmjfZTu4IX~*Q2&26#k>yM++=VV9a4saCN`jiV~noJvdWbzuS zh%m)tvccpkwT)}IjYH^xxFa?qulJ8gv35l;vU%{AE>wPppLjDES<_)Uy8MonDs{`P zz4#S-DZ#p+K`9}F?46_NBbT>{wY+$XsV-Tp_~FORSE@Sj!&&i*An!+xP(UV7Ks10v zeB@>Ozh3s-P}x1W9bE8w@(X=RXjH}*3T3-U2%bdJpj!t#BS|SKNLX=ka;~hb#3-{n zIXU^q*t^|1YZ}aui88!JD^F){r&!HB~cP0r0tx6D$3`~R)3xOU^I1* zO}*^y`69+dZqv{s-!);*N6bS*H%L$W6aRb&-0H;e^IYvk9W<}|5Ks7BK~?XN}dn=8M%`S52#Om?=WyTiQ!!7#7X#O_Hkrc{l2~A_P3zRpB8nk4Kzuy_)_iM zJ@wem4p7>RS=n}P=E*uIBcIKMk&Pq!R@GOi9k^n4zUe$Fn7?Y=C1D==a4=b4%Y~F7 z600VXXEsq=$+>Cf(Ksif@zm>hErEkku{UC?%4~mwQwTQRI_cYYfys4Rp5U}^!;u+Fa6HMbM(==uvdRb^{ zkiIG~M%t+IidSJEN?Y?W5sTA$q1aaiD^#TkyUtLG%*ddU^mme^vPY?@S$J0U0@|s8 z@<@cj*`=~q9Ziy|SvCwx;R#dC-pBndz0C9jMJ+xKuOE6%DCEuDGz}BbGtxKKU484i zU|6f&gvl!sr^c-Dwr4e^li!Dl!}Tc_ReeK+5or9FP@D%eXjQM!LJE5l<2HEX@lcvX zm)~k^@Pl|T4Ssh1dSTQwG;5lxu~~05O#N$QZ0Pu=DWbx+YT#?TYkNgdUJ{gEpq&|6 z^w=)pvGm_)JI>7d9`w${%t*@E`GKH6PHo+C3FU2^|+P*v}@2n!k}SJ%*{4=qZ9+^*NRb^n~GAuBuGKddv# zvuzaA_U1+~t+9k9=!UCQXLm2I`QSCV{~~M1_AUGTP03_t_2@b~WI@r(%8$bTF(dS5 z)ZbloVoxUnoV< zb{*kxb|{q=?LUg3Btvk;f7@`_A1`UeOiH&3*qJAh_%a_q_nqGT_qa;TPS#D0e-`ID z{${1s^AP~~o>EJ#pN)_3xSh4;dgW->0=N$*TKm(7M7D_h?Atc6x~demoVGaE z6K6f8WeoS06K7_EmT2SW*NCWc3;j9}9*7%L2xLnR!UkR|K@>-g^k8Ga)2!y+1sC(}{+4*pY{Eln2nxYge z(51K$_ru4(P!|Kec;(UI-dj%H=@uzSFC4yR^NvF(4G zzrrWDvQbHs7v8n^WQmpv`>O~azo0O`AitopTE(aE@b+N5fZxX#3)Qx8UO zK-!KXmVlrj^n-ufqNYATy{u?i$#6XaD`se%y4A|`s#|))L!NOhV2xTvY;|CtnosJ< z*J?f?;o+14a8Hmo>|HJwGG09XC_6;!wP$^M@nTaZOVEn^MDkLrd{D9jI6ZMZgiTgh z-9}aZGP1MEZ%qc$toOfaU*{8&^%YsPb+)B$G;r?^I~zBvkZ~!(UVqy8>hOeJNlpqh z+-|_0A{O>l9Zg?9wVJmSi6?)-%dpUyO&Q#$WhVIgi}IJ(UZU9DMFea5pbcN7sUF|7 zH|cS=#4zdDL&ZYBRJOdjFSOJJMZ@OwjS5mhSb7S6TGUerA-m!Y92o||3wa}KssHLm}m4w$*@-~mKb2;*v>=w{LN5+oK?k8yf zbsYbY^(V+eXYM`nhVO~;==JaIy_aqC@5QrSY@WIvu{{~Ax6S`B_v4^gRE?6LAWq9{GRm9xyL^8XIG-e^v_?$ zB)tC8HP+~ePq{Y{c9oeExr2{ywP#K|ll`d6t!X_54sx}ex~jCk&-`470Kcq-%(gW~ z^t&@fUe$&}m*e!Dlv;+v@3)+nz;$wB*^&0=IS;u-(S0bvs@T^y~3S;SYtp^_gD|a@KxuQX|2h&Pa5AH*S5&PQmKl zyAz07s)9o-_4x3=BE>!%q~2|(_FvoL=ux8dJ>hg%mCA4O=G-Y<7@mFFnZ&)h6J58! zrW}||f*WnJQ<)&)gM~fPb-8t?3w1}-?koF*=vq; z-`|Z74sorCytvN>#Wt)(^2TSchx!G?xI`}-r{|M-3(8P5t!er->^Wul`l&D-B$3=0 zyf5pIXTd7|b^FrteHlqM4ha=OruOka6VHw->X$b5C>E!i@wXRhM`0DuEyKTWw(9#b z8ychv%drs7zRM*J+bEF1ckAt~4T>sid5%Aq-FW1q>}AxbjC)nF4`rpTz1mf*K#=uT zRmT|hFB)&_YcT76*oTWie9 z=4azBa@=Qx{s;>;g$PRDQ@5kXr@#BK?_(l?A%bv+<#?OIZfjrDGEo1X2 z?tvWB6OI&)XeD`?oOEo5k*S|Vfoz+%{Y8nF)ed|XEtg7j$cwy>YKhWHdg*pnW@Wue zPpwFA5C&wDS{WIpT?Fw7au^dDvJl2ZFif{m!gkhNf=rgRu@dj)LD!2^f1kp)ik&ah z2KE;@1#PLD?;(ke>RiY5Uvb4mB9~aj6;Y|e>4PhTnb@Coi`<^fAV21u zW)n@4%Maa=qNw8cH+$L{{Rr=hK+5Wi*b-;LC_3y8Y@T4>>mRG8~3jP!ul^+9JKTJ|C90h_fiw4 z)-YnHg7F^@`x=Cugi%-<6=h{*=XeH&hH0s(WoBs89uwLDB9@w#_DnW7pfeoj@bHlI zfz$cfiR)z5`{7~EN9c#U$fcz=fr2Lt<~W)Uz31j86MT9Ah>rw)Am?6*)lAMp*_b7J_!j)FuY%(=U{DYY8tz>8`DzpTG+aBY00*cY+&Lp!ap*8 zlxh;UL?sI6>M9plb_Xt%&=-MdTS=`4^O_OK;{d=RBmlq&)H<#U2n?xd087i8H@*f2 z20(TJm@s|>4vx()s7vXQxME{r!4w)PKq^5R?K6!DJZFCXJmhU4GmN8POU+C~M6_#S zX_?5Zhnd0>;1oAtP0kt*7_~l*fq{Xk_RtF`;~?icO{%!#V+f(PTV7u7OcOOlBg7HW zrx)h>vKFP29?B(iXY^NQO#iflxdJ9L1W-dan!XOmyK&W`U#CDEvm4`57H>GPz(N@J zqgVkJIpYQs0vD++WZ6Qe@EL{}gq)wOrwJIdvwC}aW?gnlgfs~IOZeqxjyOpegRO{~ zT0gYd-r}SPK3;qTTpxhKnj9am6hbv2=DI58L;n1N>gyQRBsVvA5r^~k`QJYjvG!2= zL<5cZ)yY+rxn*UUEw$9ur(WNow2v*!m-dBn6lsJMV3O`bOvU~5eIlTn7Q3RL;@Q*J zx3;!cuQ)~ei<5^(>2(r|T(lpv%t&4n5cS`S4>dQFWxpE5uEwtOAw@=gL~$xTOCTXA z_gNN?fROOu;8TYi_P#6*&*MsJ4R0A)-q#eT;(jX7MRB=gFDNtV7cE*!C?Ir%J3fL! zQ64Zx!JHR*z*h0(2LXjYzj_&9_n_YQ2lDRe!WQtp!HV98jt=XAWVXr4NyWk)$f-o& zLN6@w%T8Wh+W218hmvlSRi;ynbzcF3RH~I#@4xRjK=zB}dH|KB`J1~;8}d(q9_8<9 zhLxMUdm*oz-^rdsj5qv`&dyHWEE)ejfDfuBF(*s{?u_WEjUUXYiJC*>3A4){#*hpK z-7;fL%f9UJW^`*tv^l7V46mnC$F*keNHX-^2Clq`VlAS+fUsX_0@E9eNJA0UnFMhfZL8cl{S7+NxD0y!O#<$^c0|2K_MOnGv z58wq}M-aEvTX%*76%imY>yHR5xS zymR^yyRa!kk0s{Qgw`_ArKDJZ(#k{GbWOgzJuU4AcnL_>-nnyUad8pg6Jx|Qn9nI# zSjZAq*Vk`wK6(E9IUEWFp_qic6Jlced-v`|y6y}@Imvf>j^v2dNU02F29yj8s3Qz7 zrLq>2z8GVg+?shaIz4@IcCt@*3Mn`8*Rj2}1JpN}|x>#?eyt0@;gO1h!+ zY=ZIqXhs(;_3p_VL8K|FniTM&rY7g0}YXF!hbqthcw6^#=a*K9?OC8A=-z9dKCR z?zI2B$|XgSb??5WYBg2VG)0zjI@t`Q-OlUEJ@42y#T}@C1b>3S4o0gSfk=Vu`1I!2 z0t*(*`8tCdW{$Y~Eo#0_?wHr72S4`XJLLWS{ee=BL5+5UxTv+OOHn30H5E(@TZExt zgqIO!Tv?Sa?-YBsB7rN(?LvfqI_4DN-{{E5&94nZU%q5m#KmYAkZOMOqc0hpE^p>@Z-g!y*S&bt2zZQ6i?I9L8z--chMxj5Vx=hs!4`n8>X5dJusPqDC zv(ar@Eac2DI5^nd-Tm&e9LjggeDX@fKN*1u4kXDw(F;by>3vBx-&E&OzOFF;t z1>xaORN>+C$W1~*+8P?JzWHEf>*Umb*BJlbq}p|?Aym6Zn_k-WBqs#!=C5CG-Orzp z$sQL}RmFei`8ON$KQD96TMO#_`Vm%uw)O|#Ie({>ffPWWhaB&)RTBUA3ogS2x6l`q zBh=!4nw6dHmGiml+qbh%B{yvA=%{rsV6qsPR)AcaJeT%_XcGAw|9SC*-YgC-;Kn=L zjfgH?$^j6hA5kSS35h9NQooYJKeZ{nqz(}+)!aJ<4x`I&v7})<$*&nTOn3KRfVPy` zpIl02Qvz)2+26naX2^mu+fnqMrRY0ZClq93D}*^#-_k=h#!Iz}i;5H#75}~A|LtSM zo}XjLIhuqnBEfk{qQC42ld`=20qa4fj5*99GhTAOY%s6i8wVG_zwFL;5OEP|_f47@Gsgj zi}U}iQL8Rq7+Z%TE4)*alo|xy5qLJxCZN0q6M~f6?#;IW&e!BOOc~71$$_<)nV2|; zfa9?gCxWJX61I4EusMBMMke>)WSaK|D~cuz%|fO}8(slLarD?Ru#a(xiHCc8AU>2> zf>g48I~cCp^X+743N=>zZnKFj7)b_Ts(<&RRo5x(86Zj;wt;d7*r>px-R_Da`tjq( zrhB)jU0;VgMeGWk`7&&~U(>Jf=;h?(WQs!2WP@E@|6HL*?giL9KE9LlKieQitc62B z#M9zO9tRkB7+&<`&6^`ABt9ah_X0!=;C>hw7}z($J7`2K85tNJ6H45h%LSMG&*85+ z^?%Zy=Taj4wOw6Z_4V~CaWo`!sE)oq$M0i>`0erW@l)%TfCT?J-yRBhUm+nOZ7r?j zI$c{gxA+Edjn!-bSZ&>unVGq_=Ve$7M;)>23z@U9rKKehU2q1z8B;Jb1FW8!33z%^ zk`fYnzsAJir^gy}P1=%Q1;6UKF7JY(Vcfr8g`By(h6cgXi*^!Q$$GShrzbL@jm`%n zcC+RGxmyOVe{zmRdW!#rmwVD-eBeFc7p3e-hZ&+pRGDMZ7t2lx{sy4k|GPvCpZI?i zkpI_r%X2zFNWaa_vd9LNnT23NTMGa(tqcsFn;D4%w~Zl@CiKJjY|s4#)ypL9Q}+0r z-qX|bDGa59-U2Xzc{2V*{4dMPtE)#od{9{fKt3qLs-1jFa&phjDbdeeR^h?QUn+3W zu?&l@L>L!0cL?+sKwx4h^krgT)ypJo6~d81fpjM@j)3ZW`|ceL6;%NPf48ACg6rhu z1Y8K-uu)yg=o>e0HokggciTqDg@5K)+AlEh-c&87kOzt~+*vFlp)tEW9;~g}J#$6X=e}bT&Q4>#u_ryKp9YbUh2KO($8=M_J3xv=svb z`AtJv!N43;3WD;L;|D@AGFrl@wzf8KDroT$ylPe6D+A<#fq{`!nGK)yr79GNGh+(5 zGM7PfnFGNh=i=%rngUGuQe9mgU_SqjhMrT>&_vTS3U%KO2? zJIY%J_^x#oC=|QoDIA3Tl&?WIM|cHnN;wCL*Zc43@2QoaHSK-piD0Bar${P;Bi+kE zik`EmE9)?r3O2?X1*pRC0k)8)9RSS&<|xkkAb(R9ouZeA@O4*STzBNT##7X?-RU_v zKOi0`t5@ZWDTpqj$g5@XC$!?4T3W-y!#zR4yGtrE++192BYtPcqD74Mx@?k?bo-K2 zSYZlw$p{8w0s;kOgv#Xhd`Evj9=k#$LaBrP`xe-`V%3Df_wN-5HtX-sUYk(xi|mA1 zq8QaG1o6FCRZpH!^rWDWm#`HzB4a%+M?aoQymQHhw~Nn@C@^5DhrkH`aC<&Up3taU zxL_Rg8i)cSRPJmCd*zXZohVJCwuVO7Uf~pAFlj20Lt;m2YHCT0QWWe?Bov?;MoUPs zlsLnF^qBR}TtD|42a(<~?va`XaX$ z7why09Ni=D?(Xgah&mxIPDvltU!)RO@E+o{$&q2+!0gfkA4X(7!6quB)z`mG@tyD`$+#|o4jT5a{Xl<;)I;cU3C77nK0KK*gaU>q7tl9R%WejsVG$RpL zkZuqe*VQ*NiZ?<_GD*YF1(Em64 z6{>G-XlPhr9{e;rJ79H?`m^FJWX3e0)lV!XCFM)Cg6)IJ6|nmR4~%F8+2>C>lk#r!vSXT5xURM&vq5|G3;|NUDqb+M@lfL9|~mqC-?GBgN{ zjE;Wy_H8-M`9o#)=_b!&mqmXn8k)zww)P-KJV<;KHuR%!FK^?!fm70-#Bu@N6L^~@ z1X{qbnV*rd{_9sOgb)VF@9lX-goO_e4u(fZ<^1;+1MOTN@;9KzX(wH=u(qM$ zfv2Z}L+ZYtjCu)lR=W4{^6@DQ{05y`fW>$jVkTo_<5b{tRx(CW4uXLJ!6)N`MmAa| z=odYKXt?YZM1nwhScsKBsz$^cHpR%um@E}~E@lYj=NC4m<_AYOyO)BBZN?zsu zRruch_2uPa8oIa+Nc&+u`n-j9ppI$5E$O7$hWQwfMT3}&iIGwE;>^3}I&bLS3V~wf zS1hHS*AV6d*cw_Tsi~;SG+kY$oXje4xWEt&4i6g$O-w{Sdc@HcK@MlE*?axwgj24J z|1IGR9xkqO93x9hI50kBWJwUX!jZp(?WbzJG1`G#Da=6UFyH2PptH*fDenl-0WQ94 zL7gBMB!gi6b+ol#R#)eVISfMdVes3<1$Z+_%c-cTga7{i0^vBiTeWr*@`7+LU{qiJ zHChCqJ+vNvT!8fIx!;FgaC?obOgi`Qf&1z9ix67!LN?q(^RTe9vmikGyA_$CwFHCI z1EdMW;^4<~aBvt7X(Dg3$tXHPI2rRE_y<#Tbae8s2m0KL(qjQqm}w8*))IRf zy60okp?Nxol}xU}Y3#W*Z~4?*Os7Alloy;m8DosE6;nyRl`J3b5Jg zh~~K{-b2ek0Xss8SIv!zmbPEq0Q(Y~QI1@wEI*tI8;B+$mqU}BjlrD9hT6X|$&>$5q!7^oI!yr91%Jt*@Y85M#H!ap zP0Gnxp>G07qNAXIiN%u^mZvt0==-;*5?xwboBU5KdPVl%aPt2I5j`(NL~DV0XdZ?k z3j^{QFetVnDjaJ?udu4Bs;o@i&_Gw$%h^Yab_^?x7F#I%@3-4@ zNB;yT8K%2J-qu{;>eWmp=;uz)%6iX_VLyf?<{Wudh3C0)Ys5O3PU<{s2L}hgLAIT) zaW~KvEI~VA?d@`TbG!;C0HfTw50vM5S6z+l?Kx)%N72G=C$#5GC{)0-GR?g?9DhB5 zysYjE)zPlfbc#Zu|zVF*XG=q`?#Cq9ADOI$49W4Q<4FKstI3RTGbU zlT@_%P)dN$&9 zJ;VWEj;$aYGVUXPZrhS6=-&rcLOT-4wNqDGaycV+uVG4rmm0z(djH7=04xX z^zk!9d{K&Qmfez1dvE;PgfvxWrzd&m6X(5q+dvoqGrFM*3>X5STbO|-2O1UYU%m3a ze?J#x6JArZoya83eKR*k8|4c4>JKoVJG%R4)&pha1!D^_l7F$qWiXX*j5;q1v@qCg zn_bGYFnxjVA38g2z;^lZFKrU)eEc!~!pXrw!3#-8EMeOd1L@MD9nd;ZYlK_~gkp?& zeGpXl=+o-#u|RtmsC7x~nI=z;0A&Yt(%;|`F|e>CVcgxAC@-UAW=7E>IIW z1Z$oz8_d9y#|vzql9f?7?SBt%3lbu*CVE_%54##S5&n7@RWfI>E57WgQy`F2gcoOeSz~i)8j{grg`FS^cUPtW+1a7HMpJMZ{aYMqZ zi;|hJXZ+IQ1awyKRP}K~VO7DmEFKq%m2Kyzu00;#iJ~NL*lm{;lV6G17tcNW*bf9Q z#3a0^mVl#QGyO)3DskSQ^k3Z6&XYL-3xxl&K(xikQ}G?tyjqlPN+El*;BW?c`MWcX zBsIUl@lWjz*QI6lG|Ns&f$9o51B0ehvGU*W3{0$YNbxQ{CoJmn784O6OQE5hf@%ry zDuBR&8)j}GAA~D}ZZqFm?Do6+YP6aaHF0!spuB>(p`e04QXuL_s^cahA(5MGQwcNL zx4=ooA2E@qfggJMSmK+T9_i78etAj;aGD}JYS}EgCHEsPT&xJ7f>4ZBPuIZ_8DYwO zzeFvZrs-+)6PhFSjSn#+fY1ZvP4B~(FB0tR>?jnH=WW@;r{mBMtAz<=B0tP!>O@MD z+%TB^t!R;{cI(!yG1i|^tQ$n%F%@n>701AUDlY-Lbk=Y4_CNgviCsw5NV=ol&yjaX zRBvA&R2LTB$GS+?gy-7Y+WG)M+vzvR))>{urvmvY($Pg|#X%Tiys*`!nq1OI%-*4I z>?)suOyzV`lV9F47sdmHdw%Z=f(;^CcXD4G4HGOST}kao?qs*zAHZmFHhl&Khun>d zW@T-Ih?Sj~3|@hrR46}m-VDK28a|40_UNy_V zEh-lL%tEaN?p8}dLC4u(K3A;@mGTy!!OE2f=SoP-tYOa=X@l7kvT*5Pd_@dYoK=_*lhqc|H*L`&&_}w5jRshD7if1& kc^Tbt4jzZ1i_1CL*#qj*DH@}@81SQ^a#Oil(K`IU0U%r_O8@`> literal 0 HcmV?d00001 From 570c0cf9cd0d0ff24145ac9e9c6164e92e0d3b90 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 25 Apr 2016 11:31:44 -0700 Subject: [PATCH 09/59] adding text about default telemetry level in OOBE --- windows/manage/disconnect-your-organization-from-microsoft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index 3ef46d052e..5bfad5466a 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ b/windows/manage/disconnect-your-organization-from-microsoft.md @@ -1549,7 +1549,7 @@ You can set your organization's devices to use 1 of 4 telemetry levels: - [Full](#bkmk-utc-full) -For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced). +For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). If you choose Express settings during installation, your device is configured for the Full telemetry level. In Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core, unattended installations configure your device for the Enhanced telemetry level. **Important**   These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. From f1d2847adb8f6c223cb58960a191305cded4a172 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Apr 2016 13:05:21 -0700 Subject: [PATCH 10/59] changes for paid apps --- .../manage/settings-reference-windows-store-for-business.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index 35d9b8a61c..2dcd225e5d 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -5,7 +5,6 @@ ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: TrudyHa --- # Settings reference: Windows Store for Business @@ -21,11 +20,10 @@ The Windows Store for Business has a group of settings that admins use to manage | | | |----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Setting | Description | -| Account information | Provides info on these configured settings for your Store for Business account . These settings include: country or region, default domain, organization name, and language preference. You can make updates to these settings with Office 365 or Azure management portals. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md). | +| Account information | Manage organization and payment option information. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md).

Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps).| | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | | LOB publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | -| Offline licensing | Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md). | | Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md). | | Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | From 4b78bfec150d26c2f8142c6d9c54ddcafb0cdca3 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Apr 2016 13:29:56 -0700 Subject: [PATCH 11/59] fixed error --- windows/manage/settings-reference-windows-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index 2dcd225e5d..48f59c5857 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -20,7 +20,7 @@ The Windows Store for Business has a group of settings that admins use to manage | | | |----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Setting | Description | -| Account information | Manage organization and payment option information. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md).

Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps).| +| Account information | Manage organization and payment option information. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md).

Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md).| | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | | LOB publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | From 35e9a7dce32560547a48d585665055d0358d1f0d Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 25 Apr 2016 16:06:51 -0700 Subject: [PATCH 12/59] adding new topic --- ...ge-inventory-windows-store-for-business.md | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 windows/manage/manage-inventory-windows-store-for-business.md diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md new file mode 100644 index 0000000000..d81de7df6f --- /dev/null +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -0,0 +1,45 @@ +--- +title: Manage inventory in Windows Store for Business (Windows 10) +description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Manage inventory in Window Store for Business +When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. + +## Distribute apps +You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). + +**To make an app in inventory available in your private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. +4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. + +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. + +Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. +2. Click the private store tab. +3. Click the app you want to install, and then click **Install**. + +Another way to distribute apps is by assigning them to people in your organization. + +**To assign an app to an employee** + +1. Sign in to Windows Store for Business. +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **MyLibrary**. + +## Manage licenses +For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. + From 1c34e218df92cad7e207c169a58929cb2ce9cfe2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 26 Apr 2016 09:53:37 -0700 Subject: [PATCH 13/59] clean up --- .../device-guard-deployment-guide.md | 63 +++++-------------- 1 file changed, 16 insertions(+), 47 deletions(-) diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 12aeaa9ef7..2dae3234ae 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -585,14 +585,11 @@ Figure 11. Device Guard properties in the System Summary ## Catalog files - Enforcement of Device Guard on a system requires that every trusted application have a signature or its binary hashes added to the code integrity policy. For many organizations, this can be an issue when considering unsigned LOB applications. To avoid the requirement that organizations repackage and sign these applications, Windows 10 includes a tool called Package Inspector that monitors an installation process for any deployed and executed binary files. If the tool discovers such files, it itemizes them in a catalog file. These catalog files offer you a way to trust your existing unsigned applications, whether developed in house or by a third party, as well as trust signed applications for which you do not want to trust the signer but rather the specific application. When created, these files can be signed, the signing certificates added to your existing code integrity policies, and the catalog files themselves distributed to the clients. **Note**   The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files. -  - ### **Create catalog files** @@ -648,8 +645,6 @@ When you establish a naming convention it makes it easier to detect deployed cat **Note**   This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. -  - When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section. ### @@ -668,34 +663,12 @@ If you do not have a code signing certificate, please see the [Create a Device G 1. Initialize the variables that will be used: - - - - - - - - - - - 
$ExamplePath=$env:userprofile+"\Desktop"
+ '$ExamplePath=$env:userprofile+"\Desktop"' + + '$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"' - - - - - - - - - - - 
$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
- - **Note**   - In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. - -   + **Note**   + In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. 2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section. @@ -750,14 +723,12 @@ To deploy a catalog file with Group Policy: 2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13. - **Note**   - The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. + **Note**   + The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. -   + ![figure 13](images/dg-fig13-createnewgpo.png) - ![figure 13](images/dg-fig13-createnewgpo.png) - - Figure 13. Create a new GPO + Figure 13. Create a new GPO 3. Name the new GPO **Contoso DG Catalog File GPO Test**. @@ -1443,19 +1414,17 @@ To deploy and manage a code integrity policy with Group Policy: 6. In the **Display Code Integrity Policy** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path. - In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. This example copied the DeviceGuardPolicy.bin file onto the test machine and will enable this setting and use the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 26. + In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. This example copied the DeviceGuardPolicy.bin file onto the test machine and will enable this setting and use the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 26. - **Note**   - *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + **Note**   + *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. -   + ![figure 26](images/dg-fig26-enablecode.png) - ![figure 26](images/dg-fig26-enablecode.png) + Figure 26. Enable the code integrity policy - Figure 26. Enable the code integrity policy - - **Note**   - You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + **Note**   + You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.   From 735db2a4f736d763cb4c28de5cc0c63c3ecd3813 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 11:17:59 -0700 Subject: [PATCH 14/59] adding content to topic --- ...ge-inventory-windows-store-for-business.md | 32 +++++++++++++++++-- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index d81de7df6f..c32546d84c 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -19,7 +19,7 @@ You can assign apps to people, or you can make apps available in your private st 3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. 4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. -The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. Employees can claim apps that admins added to the private store by doing the following. @@ -33,7 +33,7 @@ Another way to distribute apps is by assigning them to people in your organizati **To assign an app to an employee** -1. Sign in to Windows Store for Business. +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Inventory**. 3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. @@ -41,5 +41,31 @@ Another way to distribute apps is by assigning them to people in your organizati Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **MyLibrary**. ## Manage licenses -For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. +For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store. + +**To assign licenses** +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **View license details**. +4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**. + +Store for Business assigns a license to the person, and adds them to the list of assigned licenses. + +**To reclaim licenses** +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **View license details**. +4. Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**. + +Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee. + +**To remove an app from the private store** + +If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. + +The app will still be in your inventory, but your employees will not have access to the app from your private store. + From 7e67f122e7f1da9fc9813e3d607805f698b99cd2 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 13:14:01 -0700 Subject: [PATCH 15/59] adding new topic for manage orders --- ...anage-orders-windows-store-for-business.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 windows/manage/manage-orders-windows-store-for-business.md diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md new file mode 100644 index 0000000000..13a3ef9d9a --- /dev/null +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -0,0 +1,55 @@ +--- +title: Manage app orders in Windows Store for Business (Windows 10) +description: You can view your order history with Windows Store for Business. +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +--- + +# Manage app orders in Windows Store for Business + +After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can buy more license for an app, view invoices, and request refunds. + +**Order history** lists orders in chronological order and shows: +- Date ordered +- Product name +- Product publisher +- Total cost +- Order status. + +Click to expand an order, and the following info is available: +- Who purchased the app +- Order number +- Quantity purchased +- Cost breakdown +- Links to view your invoice, buy more, or request a refund + +## Invoices + +Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records. Or, just use the copy here on the Order history page. + +## Buy more licenses + +You can purchase more copies of apps that are in your order history. + +**To buy more licenses** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Order history**. +3. Click an order, and then click **Buy more**. +4. The app details page displays how many licenses you already have assigned. Click **Buy more** to purchase additional licenses. + +## Refund an order + +Refunds work a little differently for free apps, and apps that have a price. In both cases, you must reclaim licenses before requesting a refund. + +**Refunds for free apps** + + For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses,and then you can remove the app from your organization's inventory. + + **Refunds for apps that have a price** + + There are a few requirements for apps that have a price: + - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. + - **Avaialble licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. + - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. From d63723dcd8cc77873cef525b1682bea38b332f16 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 13:36:39 -0700 Subject: [PATCH 16/59] adding more details for refund process --- ...anage-orders-windows-store-for-business.md | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index 13a3ef9d9a..180c738984 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -26,7 +26,7 @@ Click to expand an order, and the following info is available: ## Invoices -Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records. Or, just use the copy here on the Order history page. +Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records. Or, just use the copy here on your **Order history**. ## Buy more licenses @@ -45,7 +45,7 @@ Refunds work a little differently for free apps, and apps that have a price. In **Refunds for free apps** - For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses,and then you can remove the app from your organization's inventory. + For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. **Refunds for apps that have a price** @@ -53,3 +53,19 @@ Refunds work a little differently for free apps, and apps that have a price. In - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - **Avaialble licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. + +**To refund an order** + +First, reclaim licenses. +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find the app you want to refund, click the ellipses under **Action**, and then choose **View license details**. +4. Select the number of licenses you need to reclaim, and then click **Reclaim licenses**. + +Then, request a refund. +1. Click **Manage**, and then choose **Order history**. +2. Click the order you want to refund, and click **Refund order**. + +For free apps, the app will be removed from your inventory. + +For apps with a price, your payment option will be refunded with the cost of the app, and the app will be removed from your inventory. From 12c55de9e8336002a7322827d8b6945cf536a38e Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 14:31:39 -0700 Subject: [PATCH 17/59] updates for account settings --- ...anage-orders-windows-store-for-business.md | 10 +- ...ows-store-for-business-account-settings.md | 97 +++++++++++++++---- 2 files changed, 80 insertions(+), 27 deletions(-) diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index 180c738984..77967732e6 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -56,15 +56,13 @@ Refunds work a little differently for free apps, and apps that have a price. In **To refund an order** -First, reclaim licenses. +Reclaim licenses, and then request a refund. 1. Sign in to the [Store for Business](http://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Inventory**. 3. Find the app you want to refund, click the ellipses under **Action**, and then choose **View license details**. -4. Select the number of licenses you need to reclaim, and then click **Reclaim licenses**. - -Then, request a refund. -1. Click **Manage**, and then choose **Order history**. -2. Click the order you want to refund, and click **Refund order**. +4. Select the number of licenses you need to reclaim, and then click **Reclaim licenses**. +5. Click **Manage**, and then choose **Order history**. +6. Click the order you want to refund, and click **Refund order**. For free apps, the app will be removed from your inventory. diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 04f6c8e8a7..c228974770 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -1,11 +1,9 @@ --- title: Update Windows Store for Business account settings (Windows 10) description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference. -ms.assetid: CEFFF451-D7D2-4A35-AF28-4A72B9582585 ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: TrudyHa --- # Update Windows Store for Business account settings @@ -16,39 +14,96 @@ author: TrudyHa - Windows 10 - Windows 10 Mobile -The **Account information** page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business +The **Account information** page in Windows Store for Business allows you to manage organization information, payment options, and offline licensing settings. The organization information and payment options are required before you can acquire apps that have a price. -If you need to change any of these settings, you can use Office 365 admin portal, or Azure admin portal. +## Organization information + +We’ll need your business address, email contact, and tax-exemption certificates that apply to your country or locale. + +**Business address and email contact**
Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address . -**To make updates to Store for Business directory settings in Office 365** +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through the Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in the Windows Store for Business. If we don’t have an address, we’ll ask you to enter it during your first purchase. -1. [Sign in to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=708616) with your work or school account. +We need an email address in case we need to contact you about your Store for Business account. This email account should reach the admin for your organization’s O365 or Azure AD tenant that is used with Store for Business. -2. Go to the [Office 365 admin center](http://go.microsoft.com/fwlink/p/?LinkId=708620). +To update Organization information, click **Edit organization information**. -3. Select your organization's name on the right side of the page. +## Organization tax information ## +Taxes for Windows Store for Business purchases are determined by your business address. Some countries can provide tax IDs. -4. Change the information you want to update, and then click **Save.** +|Market| Tax identifier | +|------|----------------| +| Brazil | CPNJ (required), CCMID (optional) | +| India | CST ID, VAT ID | +| Taiwan | Unified business number| -For more information about updating organization information, see [Change your organization's address, technical contact email, and other information](http://go.microsoft.com/fwlink/p/?LinkId=708621). +**Tax-exempt status** -**To make updates to Store for Business directory settings in Azure management portal** +If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization. -1. Sign in to the Azure Portal as Administrator. +**To start a service request** +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Support**, and then under **Store or account support** click **Start a service request**. -2. Click **Active Directory**. +You’ll need this documentation: -3. On the **Directory** tab, choose your directory +|Country or locale | Documentation | +|------------------|----------------| +| United States | Sales Tax Exemption Certificate | +| Canada | Certificate of Exemption (or equivalent letter of authorization) | +| Ireland | 13B/56A Tax Exemption Certificate| +| International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities | -4. Click the **Configure** tab. - -For more information about updating organization information, see [Add your own domain name in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=708622). - -  - -  +**Calculating tax** +Sales taxes are calculated against the unit price, and then aggregated. + +For example:
+(unit price X tax rate) X quantity = total sales tax +-or- +($1.29 X .095) X 100 = $12.25 + +##Payment options## +You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: +1. VISA +2. MasterCard +3. Discover +4. American Express +5. Japan Commercial Bureau (JCB) + +**Note**:
+Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region. + +**To add a new payment option** + +1. Sign in to [Store for Business](http://businessstore.microsoft.com). +2. Click **Settings**, and then click **Account information**. +3. Under **My payment options**, tap or click **Show my payment options**, and then select the type of credit card that you want to add. +4. Add information to any required fields, and then click **Next**. + +Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. + +**Note**: 
When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation. + +**To update a payment option**: + +1. Sign in to [Store for Business](http://businessstore.microsoft.com). +2. Click **Settings**, and then click **Account information**. +3. Under My payment options > Credit Cards, select the payment option that you want to update, and then click Update. +4. Enter any updated information in the appropriate fields, and then click Next. +Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. + +**Note**:
 Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance. + +##Offline licensing## + +Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. + +You have the following distribution options for offline-licensed apps: +- Include the app in a provisioning package, and then use it as part of imaging a device. +- Distribute the app through a management tool. +For more information, see Distribute apps to your employees from the Store for Business. From 993c8be0b06b2b808ff8abbab1588ccafc551bdc Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 15:26:30 -0700 Subject: [PATCH 18/59] adding content and making updates --- ...acquire-apps-windows-store-for-business.md | 3 -- ...ge-inventory-windows-store-for-business.md | 2 -- ...anage-orders-windows-store-for-business.md | 7 +++-- ...ows-store-for-business-account-settings.md | 30 +++++++++++++++++-- 4 files changed, 32 insertions(+), 10 deletions(-) diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md index 5ac43b146d..8e22322f1c 100644 --- a/windows/manage/acquire-apps-windows-store-for-business.md +++ b/windows/manage/acquire-apps-windows-store-for-business.md @@ -35,9 +35,6 @@ To acquire an app 2. Click Shop, or use Search to find an app. 3. Click the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. - - ![Product description page, showing an app with a price](images/wsfb-paid-app-temp.png) - 5. Free apps will be added to Inventory. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. 6. If you don’t have a payment method saved in Account settings, Store for Business will prompt you for one. 7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**. diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index c32546d84c..b506ec3b10 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -67,5 +67,3 @@ If you decide that you don't want an app available for employees to install on t 3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. The app will still be in your inventory, but your employees will not have access to the app from your private store. - - diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index 77967732e6..d698699806 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -26,7 +26,7 @@ Click to expand an order, and the following info is available: ## Invoices -Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records. Or, just use the copy here on your **Order history**. +Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records. ## Buy more licenses @@ -37,7 +37,8 @@ You can purchase more copies of apps that are in your order history. 1. Sign in to the [Store for Business](http://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Order history**. 3. Click an order, and then click **Buy more**. -4. The app details page displays how many licenses you already have assigned. Click **Buy more** to purchase additional licenses. + +You can buy more copies of the app from the product page. ## Refund an order @@ -56,7 +57,7 @@ Refunds work a little differently for free apps, and apps that have a price. In **To refund an order** -Reclaim licenses, and then request a refund. +Reclaim licenses, and then request a refund. If you haven't assigned licenses, start on step 5. 1. Sign in to the [Store for Business](http://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Inventory**. 3. Find the app you want to refund, click the ellipses under **Action**, and then choose **View license details**. diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index c228974770..9d8fef4c09 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -22,14 +22,40 @@ We’ll need your business address, email contact, and tax-exemption certificate **Business address and email contact**
Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address . -We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through the Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in the Windows Store for Business. If we don’t have an address, we’ll ask you to enter it during your first purchase. +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through the Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in the Windows Store for Business. If we don’t have an address,we’ll ask you to enter it during your first purchase. We need an email address in case we need to contact you about your Store for Business account. This email account should reach the admin for your organization’s O365 or Azure AD tenant that is used with Store for Business. To update Organization information, click **Edit organization information**. ## Organization tax information ## -Taxes for Windows Store for Business purchases are determined by your business address. Some countries can provide tax IDs. +Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: +- Austria +- Belgium +- Croatia +- Czech Republic +- Denmark +- Finland +- France +- Germany +- Greece +- Hungary +- Ireland +- Italy +- Malta +- Netherlands +- Norway +- Poland +- Portugal +- Romania +- Slovakia +- South Africa +- Spain +- Sweden +- Switzerland +- United Kingdom + +These countries can provide their VAT number or local equivalent in **Account information**. However, they can only acquire free apps. |Market| Tax identifier | |------|----------------| From dd6005f2e65bff36c23af91401786d8b0a4d1fc9 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 26 Apr 2016 15:43:21 -0700 Subject: [PATCH 19/59] author tag --- .../update-windows-store-for-business-account-settings.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 9d8fef4c09..1357a11b43 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -4,6 +4,7 @@ description: The Account information page in Windows Store for Business shows in ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +author: TrudyHa --- # Update Windows Store for Business account settings @@ -63,6 +64,7 @@ These countries can provide their VAT number or local equivalent in **Account in | India | CST ID, VAT ID | | Taiwan | Unified business number| + **Tax-exempt status** If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization. @@ -80,6 +82,7 @@ You’ll need this documentation: | Ireland | 13B/56A Tax Exemption Certificate| | International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities | + **Calculating tax** Sales taxes are calculated against the unit price, and then aggregated. From 78a2f9df91f7a97aca693fc314c3f4f81b9d9c98 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Tue, 26 Apr 2016 16:24:57 -0700 Subject: [PATCH 20/59] removing XP --- windows/deploy/usmt-requirements.md | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md index 1ecd866e28..ace2abc84a 100644 --- a/windows/deploy/usmt-requirements.md +++ b/windows/deploy/usmt-requirements.md @@ -44,24 +44,14 @@ The following table lists the operating systems supported in USMT. -

Windows® XP Professional

-

X

-

- - -

Windows XP Professional x64 Edition

-

X

-

- -

32-bit versions of Windows Vista

X

-

X

+

64-bit versions of Windows Vista

X

-

X

+

32-bit versions of Windows 7

@@ -101,7 +91,7 @@ The following table lists the operating systems supported in USMT. **Note**   You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. -USMT does not support any of the Windows Server® operating systems, Windows 2000, or any of the starter editions for Windows XP, Windows Vista, or Windows 7. In addition, USMT only supports migration from Windows XP with Service Pack 3. +USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.   From dc50b105393e4d49ac683f724c22494e6983ccf3 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 27 Apr 2016 10:02:53 -0700 Subject: [PATCH 21/59] adding author tag --- windows/manage/settings-reference-windows-store-for-business.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index 48f59c5857..b3b1cf9083 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -5,6 +5,7 @@ ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +author: TrudyHa --- # Settings reference: Windows Store for Business From 34d5c84ea3cc9ac3935bb0be2219f10884cf889b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 27 Apr 2016 11:39:23 -0700 Subject: [PATCH 22/59] finishing intro sentence --- windows/keep-secure/audit-removable-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 6046b1b29c..5c9276822b 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -1,6 +1,6 @@ --- title: Audit Removable Storage (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines . +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 ms.prod: W10 ms.mktglfcycl: deploy @@ -15,9 +15,9 @@ author: brianlic-msft - Windows 10 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines . +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. -Event volume: +Event volume: Low Default: Not configured From 38d00dd402f9218de2f9497c0726050fa18ed012 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 27 Apr 2016 15:30:32 -0700 Subject: [PATCH 23/59] updates for paid apps --- .../windows-store-for-business-overview.md | 142 ++++++------------ 1 file changed, 50 insertions(+), 92 deletions(-) diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index 9bf1212d06..f2eea69ec7 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md @@ -85,7 +85,7 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up ### Set up -After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions. +After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. @@ -137,7 +137,7 @@ Also, if your organization plans to use a management tool, you’ll need to conf ### Get apps and content -Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, you’ll have more options for paying for apps. +Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. **App types** -- These app types are supported in the Store for Business: @@ -212,96 +212,54 @@ For more information, see [Manage settings in the Store for Business](../manage/ Store for Business is currently available in these markets. -- Argentina - -- Australia - -- Austria - -- Belgium (Dutch, French) - -- Brazil - -- Canada (English, French) - -- Chile - -- Columbia - -- Croatia - -- Czech Republic - -- Denmark - -- Finland - -- France - -- Germany - -- Greece - -- Hong Kong SAR - -- Hungary - -- India - -- Indonesia - -- Ireland - -- Italy - -- Japan - -- Malaysia - -- Mexico - -- Netherlands - -- New Zealand - -- Norway - -- Philippines - -- Poland - -- Portugal - -- Romania - -- Russia - -- Singapore - -- Slovakia - -- South Africa - -- Spain - -- Sweden - -- Switzerland (French, German) - -- Taiwan - -- Thailand - -- Turkey - -- Ukraine - -- United Kingdom - -- United States - -- Vietnam - +|Country or locale|Paid apps|Free apps| +|-----------------|---------|---------| +|Argentina|X|X| +|Australia|X|X| +|Austria|X|X| +|Belgium (Dutch, French)|X|X| +|Brazil| |X| +|Canada (English, French)|X|X| +|Chile|X|X| +|Columbia|X|X| +|Croatia|X|X| +|Czech Republic|X|X| +|Denmark|X|X| +|Finland|X|X| +|France|X|X| +|Germany|X|X| +|Greece|X|X| +|Hong Kong SAR|X|X| +|Hungary|X|X| +|India| |X| +|Indonesia|X|X| +|Ireland|X|X| +|Italy|X|X| +|Japan|X|X| +|Malaysia|X|X| +|Mexico|X|X| +|Netherlands|X|X| +|New Zealand|X|X| +|Norway|X|X| +|Philippines|X|X| +|Poland|X|X| +|Portugal|X|X| +|Romania|X|X| +|Russia| |X| +|Singapore|X|X| +|Slovakia|X|X| +|South Africa|X|X| +|Spain|X|X| +|Sweden|X|X| +|Switzerland (French, German)|X|X| +|Taiwan| |X| +|Thailand|X|X| +|Turkey|X|X| +|Ukraine| |X| +|United Kingdom|X|X| +|United States|X|X| +|Vietnam|X|X| + ## ISVs and the Store for Business From 7371e7c1305b498d874dcee17acf1beec34519de Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 27 Apr 2016 16:54:13 -0700 Subject: [PATCH 24/59] fixing table --- .../about-client-configuration-settings51.md | 478 ++---------------- 1 file changed, 40 insertions(+), 438 deletions(-) diff --git a/mdop/appv-v5/about-client-configuration-settings51.md b/mdop/appv-v5/about-client-configuration-settings51.md index e8512afd4f..f77a20a083 100644 --- a/mdop/appv-v5/about-client-configuration-settings51.md +++ b/mdop/appv-v5/about-client-configuration-settings51.md @@ -15,444 +15,46 @@ The Microsoft Application Virtualization (App-V) 5.1 client stores its configura The following table displays information about the App-V 5.1 client configuration settings: -
-------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Setting NameSetup FlagDescriptionSetting OptionsRegistry Key ValueDisabled Policy State Keys and Values

PackageInstallationRoot

PACKAGEINSTALLATIONROOT

Specifies directory where all new applications and updates will be installed.

String

Streaming\PackageInstallationRoot

Policy value not written (same as Not Configured)

PackageSourceRoot

PACKAGESOURCEROOT

Overrides source location for downloading package content.

String

Streaming\PackageSourceRoot

Policy value not written (same as Not Configured)

AllowHighCostLaunch

Not available.

This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G).

True (enabled); False (Disabled state)

Streaming\AllowHighCostLaunch

0

ReestablishmentRetries

Not available.

Specifies the number of times to retry a dropped session.

Integer (0-99)

Streaming\ReestablishmentRetries

Policy value not written (same as Not Configured)

ReestablishmentInterval

Not available.

Specifies the number of seconds between attempts to reestablish a dropped session.

Integer (0-3600)

Streaming\ReestablishmentInterval

Policy value not written (same as Not Configured)

AutoLoad

AUTOLOAD

Specifies how new packages should be loaded automatically by App-V on a specific computer.

(0x0) None; (0x1) Previously used; (0x2) All

Streaming\AutoLoad

Policy value not written (same as Not Configured)

LocationProvider

Not available.

Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

String

Streaming\LocationProvider

Policy value not written (same as Not Configured)

CertFilterForClientSsl

Not available.

Specifies the path to a valid certificate in the certificate store.

String

Streaming\CertFilterForClientSsl

Policy value not written (same as Not Configured)

VerifyCertificateRevocationList

Not available.

Verifies Server certificate revocation status before steaming using HTTPS.

True(enabled); False(Disabled state)

Streaming\VerifyCertificateRevocationList

0

SharedContentStoreMode

SHAREDCONTENTSTOREMODE

Specifies that streamed package contents will be not be saved to the local hard disk.

True(enabled); False(Disabled state)

Streaming\SharedContentStoreMode

0

Name

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

PUBLISHINGSERVERNAME

Displays the name of publishing server.

String

Publishing\Servers\{serverId}\FriendlyName

Policy value not written (same as Not Configured)

URL

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

PUBLISHINGSERVERURL

Displays the URL of publishing server.

String

Publishing\Servers\{serverId}\URL

Policy value not written (same as Not Configured)

GlobalRefreshEnabled

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHENABLED

Enables global publishing refresh (Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\GlobalEnabled

False

GlobalRefreshOnLogon

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHONLOGON

Triggers a global publishing refresh on logon. ( Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\GlobalLogonRefresh

False

GlobalRefreshInterval

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHINTERVAL  

Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Integer (0-744

Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval

0

GlobalRefreshIntervalUnit

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHINTERVALUNI

Specifies the interval unit (Hour 0-23, Day 0-31). 

0 for hour, 1 for day

Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit

1

UserRefreshEnabled

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHENABLED 

Enables user publishing refresh (Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\UserEnabled

False

UserRefreshOnLogon

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHONLOGON

Triggers a user publishing refresh onlogon. ( Boolean)

-

Word count (with spaces): 60

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\UserLogonRefresh

False

UserRefreshInterval

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHINTERVAL     

Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

-

Word count (with spaces): 85

Integer (0-744 Hours)

Publishing\Servers\{serverId}\UserPeriodicRefreshInterval

0

UserRefreshIntervalUnit

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHINTERVALUNIT  

Specifies the interval unit (Hour 0-23, Day 0-31). 

0 for hour, 1 for day

Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit

1

MigrationMode

MIGRATIONMODE

Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V.

True(enabled state); False (disabled state)

Coexistence\MigrationMode

CEIPOPTIN

CEIPOPTIN

Allows the computer running the App-V 5.1 Client to collect and return certain usage information to help allow us to further improve the application.

0 for disabled; 1 for enabled

SOFTWARE/Microsoft/AppV/CEIP/CEIPEnable

0

EnablePackageScripts

ENABLEPACKAGESCRIPTS

Enables scripts defined in the package manifest of configuration files that should run.

True(enabled); False(Disabled state)

\Scripting\EnablePackageScripts

RoamingFileExclusions

ROAMINGFILEEXCLUSIONS

Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:  /ROAMINGFILEEXCLUSIONS='desktop;my pictures'

RoamingRegistryExclusions

ROAMINGREGISTRYEXCLUSIONS

Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients

String

Integration\RoamingReglstryExclusions

Policy value not written (same as Not Configured)

IntegrationRootUser

Not available.

Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\Microsoft\AppV\Client\Integration.

String

Integration\IntegrationRootUser

Policy value not written (same as Not Configured)

IntegrationRootGlobal

Not available.

Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\Microsoft\AppV\Client\Integration

String

Integration\IntegrationRootGlobal

Policy value not written (same as Not Configured)

VirtualizableExtensions

Not available.

A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment.

-

When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the RunVirtual command line parameter will be added, and the application will run virtually.

-

For more information about the RunVirtual parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md).

String

Integration\VirtualizableExtensions

Policy value not written

ReportingEnabled

Not available.

Enables the client to return information to a reporting server.

True (enabled); False (Disabled state)

Reporting\EnableReporting

False

ReportingServerURL

Not available.

Specifies the location on the reporting server where client information is saved.

String

Reporting\ReportingServer

Policy value not written (same as Not Configured)

ReportingDataCacheLimit

Not available.

Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024.

Integer [0-1024]

Reporting\DataCacheLimit

Policy value not written (same as Not Configured)

ReportingDataBlockSize

Not available.

Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited.

Integer [1024 - Unlimited]

Reporting\DataBlockSize

Policy value not written (same as Not Configured)

ReportingStartTime

Not available.

Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the ReportingStartTime will start on the current day at 10 P.M.or 22.

-
-Note   -

You should configure this setting to a time when computers running the App-V 5.1 client are least likely to be offline.

-
-
-  -

Integer (0 – 23)

Reporting\ StartTime

Policy value not written (same as Not Configured)

ReportingInterval

Not available.

Specifies the retry interval that the client will use to resend data to the reporting server.

Integer

Reporting\RetryInterval

Policy value not written (same as Not Configured)

ReportingRandomDelay

Not available.

Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data. This can help to prevent collisions on the server.

Integer [0 - ReportingRandomDelay]

Reporting\RandomDelay

Policy value not written (same as Not Configured)

EnableDynamicVirtualization

-
-Important   -

This setting is available only with App-V 5.0 SP2 or later.

-
-
-  -

Not available.

Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications.

1 (Enabled), 0 (Disabled)

HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Virtualization

EnablePublishingRefreshUI

-
-Important   -

This setting is available only with App-V 5.0 SP2.

-
-
-  -

Not available.

Enables the publishing refresh progress bar for the computer running the App-V 5.1 Client.

1 (Enabled), 0 (Disabled)

HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing

HideUI

-
-Important   -

This setting is available only with App-V 5.0 SP2.

-
-
-  -

Not available.

Hides the publishing refresh progress bar.

1 (Enabled), 0 (Disabled)

ProcessesUsingVirtualComponents

Not available.

Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization.

String

Virtualization\ProcessesUsingVirtualComponents

Empty string.

- -  +|Setting name | Setup Flag | Description | Setting Options | Registry Key Value | Disabled Policy State Keys and Values | +|-------------|------------|-------------|-----------------|--------------------|--------------------------------------| +| PackageInstallationRoot | PACKAGEINSTALLATIONROOT | Specifies directory where all new applications and updates will be installed. | String | Streaming\PackageInstallationRoot | Policy value not written (same as Not Configured) | +| PackageSourceRoot | PACKAGESOURCEROOT | Overrides source location for downloading package content. | String | Streaming\PackageSourceRoot | Policy value not written (same as Not Configured) | +| AllowHighCostLaunch | Not available. |This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G). | True (enabled); False (Disabled state) | Streaming\AllowHighCostLaunch | 0 | +| ReestablishmentRetries | Not available. | Specifies the number of times to retry a dropped session. | Integer (0-99) | Streaming\ReestablishmentRetries | Policy value not written (same as Not Configured) | +| ReestablishmentInterval | Not available. | Specifies the number of seconds between attempts to reestablish a dropped session. | Integer (0-3600) | Streaming\ReestablishmentInterval | Policy value not written (same as Not Configured) | +| LocationProvider | Not available. | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | String | Streaming\LocationProvider | Policy value not written (same as Not Configured) | +| CertFilterForClientSsl | Not available. | Specifies the path to a valid certificate in the certificate store. | String | Streaming\CertFilterForClientSsl | Policy value not written (same as Not Configured) | +| VerifyCertificateRevocationList | Not available. | Verifies Server certificate revocation status before steaming using HTTPS. | True(enabled); False(Disabled state) | Streaming\VerifyCertificateRevocationList | 0 | +| SharedContentStoreMode | SHAREDCONTENTSTOREMODE | Specifies that streamed package contents will be not be saved to the local hard disk. | True(enabled); False(Disabled state) | Streaming\SharedContentStoreMode | 0 | +| Name
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | PUBLISHINGSERVERNAME | Displays the name of publishing server. | String | Publishing\Servers\{serverId}\FriendlyName | Policy value not written (same as Not Configured) | +| URL
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | PUBLISHINGSERVERURL | Displays the URL of publishing server. | String | Publishing\Servers\{serverId}\URL | Policy value not written (same as Not Configured) | +| GlobalRefreshEnabled
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHENABLED | Enables global publishing refresh (Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\GlobalEnabled | False | +| GlobalRefreshOnLogon
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHONLOGON | Triggers a global publishing refresh on logon. ( Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\GlobalLogonRefresh | False | +| GlobalRefreshInterval
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHINTERVAL | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. | Integer (0-744) | Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval | 0 | +| GlobalRefreshIntervalUnit
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHINTERVALUNI | Specifies the interval unit (Hour 0-23, Day 0-31). | 0 for hour, 1 for day | Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit | 1 | +| UserRefreshEnabled
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHENABLED | Enables user publishing refresh (Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\UserEnabled | False | +| UserRefreshOnLogon
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHONLOGON | Triggers a user publishing refresh onlogon. ( Boolean)
Word count (with spaces): 60 | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\UserLogonRefresh | False | +| UserRefreshInterval
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHINTERVAL | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | Word count (with spaces): 85
Integer (0-744 Hours) | Publishing\Servers\{serverId}\UserPeriodicRefreshInterval | 0 | +| UserRefreshIntervalUnit
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHINTERVALUNIT | Specifies the interval unit (Hour 0-23, Day 0-31). | 0 for hour, 1 for day | Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit | 1 | +| MigrationMode | MIGRATIONMODE | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V. | True(enabled state); False (disabled state) | Coexistence\MigrationMode | | +| CEIPOPTIN | CEIPOPTIN | Allows the computer running the App-V 5.1 Client to collect and return certain usage information to help allow us to further improve the application. | 0 for disabled; 1 for enabled | SOFTWARE/Microsoft/AppV/CEIP/CEIPEnable | 0 | +| EnablePackageScripts | ENABLEPACKAGESCRIPTS | Enables scripts defined in the package manifest of configuration files that should run. | True(enabled); False(Disabled state) | \Scripting\EnablePackageScripts | | +| RoamingFileExclusions | ROAMINGFILEEXCLUSIONS | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:  /ROAMINGFILEEXCLUSIONS='desktop;my pictures' | | | | +| RoamingRegistryExclusions | ROAMINGREGISTRYEXCLUSIONS | Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients | String | Integration\RoamingReglstryExclusions | Policy value not written (same as Not Configured) | +| IntegrationRootUser | Not available. | Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\Microsoft\AppV\Client\Integration.| String | Integration\IntegrationRootUser | Policy value not written (same as Not Configured) | +|IntegrationRootGlobal | Not available.| Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\Microsoft\AppV\Client\Integration | String | Integration\IntegrationRootGlobal | Policy value not written (same as Not Configured) | +| VirtualizableExtensions | Not available. | A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment.
When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command line parameter will be added, and the application will run virtually.
For more information about the **RunVirtual** parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md). | String | Integration\VirtualizableExtensions | Policy value not written | +| ReportingEnabled | Not available. | Enables the client to return information to a reporting server. | True (enabled); False (Disabled state) | Reporting\EnableReporting | False | +| ReportingServerURL | Not available. | Specifies the location on the reporting server where client information is saved. | String | Reporting\ReportingServer | Policy value not written (same as Not Configured) | +| ReportingDataCacheLimit | Not available. | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Integer [0-1024] | Reporting\DataCacheLimit | Policy value not written (same as Not Configured) | +| ReportingDataBlockSize| Not available. | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Integer [1024 - Unlimited] | Reporting\DataBlockSize | Policy value not written (same as Not Configured) | +| ReportingStartTime | Not available. | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
**Note** You should configure this setting to a time when computers running the App-V 5.1 client are least likely to be offline. | Integer (0 – 23) | Reporting\ StartTime | Policy value not written (same as Not Configured) | +| ReportingInterval | Not available. | Specifies the retry interval that the client will use to resend data to the reporting server. | Integer | Reporting\RetryInterval | Policy value not written (same as Not Configured) | +| ReportingRandomDelay | Not available. | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Integer [0 - ReportingRandomDelay] | Reporting\RandomDelay | Policy value not written (same as Not Configured) | +| EnableDynamicVirtualization
**Important** This setting is available only with App-V 5.0 SP2 or later. | Not available. | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | 1 (Enabled), 0 (Disabled) | HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Virtualization | | +| EnablePublishingRefreshUI
**Important** This setting is available only with App-V 5.0 SP2. | Not available. | Enables the publishing refresh progress bar for the computer running the App-V 5.1 Client. | 1 (Enabled), 0 (Disabled) | HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing | | +| HideUI
**Important**  This setting is available only with App-V 5.0 SP2.| Not available. | Hides the publishing refresh progress bar. | 1 (Enabled), 0 (Disabled) | | | +| ProcessesUsingVirtualComponents | Not available. | Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | String | Virtualization\ProcessesUsingVirtualComponents | Empty string. | ## Got a suggestion for App-V? From 83248415131e37e6f4cef1d5c042f54dfd0451d6 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Apr 2016 07:59:48 -0700 Subject: [PATCH 25/59] Updated to fix VS #7371643 --- windows/keep-secure/index.md | 2 +- windows/keep-secure/protect-enterprise-data-using-edp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 80a12f1d0e..f2a2ac4b8c 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -62,7 +62,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.

[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)

-

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.

+

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.

[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)

diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index 6c688aa008..132514c566 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -17,7 +17,7 @@ author: eross-msft [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage. +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. From 7fe006e16e35452b3be17ed50f182b916c3137ef Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 08:53:39 -0700 Subject: [PATCH 26/59] fixing table --- ...aging-app-v-51-virtualized-applications.md | 182 ++++++------------ 1 file changed, 62 insertions(+), 120 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index bc1485ab15..cf8080c563 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -11,7 +11,7 @@ author: jamiejdt After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**   -For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). +For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).   @@ -146,125 +146,67 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -.acm - -.asa - -.asp - -.aspx - -.ax - -.bat - -.cer - -.chm - -.clb - -.cmd - -.cnt - -.cnv - -.com - -.cpl - -.cpx - -.crt - -.dll - -.drv - -.exe - -.fon - -.grp - -.hlp - -.hta - -.ime - -.inf - -.ins - -.isp - -.its - -.js - -.jse - -.lnk - -.msc - -.msi - -.msp - -.mst - -.mui - -.nls - -.ocx - -.pal - -.pcd - -.pif - -.reg - -.scf - -.scr - -.sct - -.shb - -.shs - -.sys - -.tlb - -.tsp - -.url - -.vb - -.vbe - -.vbs - -.vsmacros - -.ws - -.esc - -.wsf - -.wsh - -  +| File type | +| --------- | +| .acm | +| .asa | +| .asp | +| .aspx | +| .ax | +| .bat | +| .cer | +| .chm | +| .clb | +| .cmd | +| .cnt | +| .cnv | +| .com | +| .cpl | +| .cpx | +| .crt | +| .dll | +| .drv | +| .exe | +| .fon | +| .grp | +| .hlp | +| .hta | +| .ime | +| .inf | +| .ins | +| .isp | +| .its | +| .js | +| .jse | +| .lnk | +| .msc | +| .msi | +| .msp | +| .mst | +| .mui | +| .nls | +| .ocx | +| .pal | +| .pcd | +| .pif | +| .reg | +| .scf | +| .scr | +| .sct | +| .shb | +| .shs | +| .sys | +| .tlb | +| .tsp | +| .url | +| .vb | +| .vbe | +| .vbs | +| .vsmacros | +| .ws | +| .esc | +| .wsf | +| .wsh | ## Modifying an existing virtual application package From ca489520c534cec6962f8369b7635473eb8f607c Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 09:12:53 -0700 Subject: [PATCH 27/59] paid apps updates --- windows/manage/apps-in-windows-store-for-business.md | 4 ++++ windows/manage/assign-apps-to-employees.md | 2 +- windows/manage/manage-inventory-windows-store-for-business.md | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 5e896b7a2f..1376953e1a 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -47,6 +47,10 @@ Apps in your inventory will have at least one of these supported platforms liste Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10. +Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. + +Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, business-to-business transaction regulatory requirements might prevent the app being available in Store for Business. + Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. ## In-app purchases diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md index 0864ee8dac..c6e8393f30 100644 --- a/windows/manage/assign-apps-to-employees.md +++ b/windows/manage/assign-apps-to-employees.md @@ -28,7 +28,7 @@ Administrators can assign online-licensed apps to employees in their organizatio 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.   diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index b506ec3b10..f2675df317 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -38,7 +38,7 @@ Another way to distribute apps is by assigning them to people in your organizati 3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **MyLibrary**. +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. ## Manage licenses For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store. From ba47a67dc2145fe019869c9a6a0367ff16455ac6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 09:40:22 -0700 Subject: [PATCH 28/59] fixed code blocks --- ...ate-or-edit-the-sms-defmof-file-mbam-25.md | 36 +++++++++---------- .../edit-the-configurationmof-file-mbam-25.md | 36 +++++++++---------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md index 89d24f23b8..104e174531 100644 --- a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md +++ b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md @@ -27,8 +27,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -66,8 +66,8 @@ In the following sections, complete the instructions that correspond to the vers String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")] @@ -110,8 +110,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -124,8 +124,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] @@ -193,8 +193,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -232,8 +232,8 @@ In the following sections, complete the instructions that correspond to the vers String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -278,8 +278,8 @@ In the following sections, complete the instructions that correspond to the vers string EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -325,8 +325,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -339,8 +339,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] diff --git a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md index f19930748f..b920db9b8e 100644 --- a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md +++ b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md @@ -25,8 +25,8 @@ To enable the client computers to report BitLocker compliance details through th // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled, NoncomplianceDetectedDate, EnforcePolicyDate from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -62,8 +62,8 @@ To enable the client computers to report BitLocker compliance details through th String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { @@ -124,8 +124,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -136,8 +136,8 @@ To enable the client computers to report BitLocker compliance details through th uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended @@ -168,8 +168,8 @@ To enable the client computers to report BitLocker compliance details through th // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled, NoncomplianceDetectedDate, EnforcePolicyDate from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -205,8 +205,8 @@ To enable the client computers to report BitLocker compliance details through th String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { @@ -267,8 +267,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy_64 { @@ -329,8 +329,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -341,8 +341,8 @@ To enable the client computers to report BitLocker compliance details through th uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended From 7eeb7b083f0a95e2bd8b355c6af71f29415084d1 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 09:48:22 -0700 Subject: [PATCH 29/59] fix formatting --- windows/manage/windows-10-start-layout-options-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 142e4e88a6..5a0c3eadfe 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -57,7 +57,7 @@ The following table lists the different parts of Start and any applicable policy

-and-

Dynamically inserted app tile

MDM: Allow Windows Consumer Features

-

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences

+

Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

Note  

This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

From 56915118b2cc7fa9caa9012cee45bc878a3adeb4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Apr 2016 10:10:08 -0700 Subject: [PATCH 30/59] Updated for task #7360131 --- ...ct-data-using-enterprise-site-discovery.md | 87 +++++++++++-------- 1 file changed, 49 insertions(+), 38 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 3c72362e33..4d6f071016 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -16,9 +16,9 @@ title: Collect data using Enterprise Site Discovery - Windows 8.1 Update - Windows 7 with Service Pack 1 (SP1) -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. -## Requirements +## Before you begin Before you start, you need to make sure you have the following: - Latest cumulative security update (for all supported versions of Internet Explorer): @@ -43,7 +43,7 @@ Before you start, you need to make sure you have the following: You must use System Center 2012 R2 Configuration Manager or later for these samples to work. -Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts. +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. ## What data is collected? Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. @@ -67,7 +67,7 @@ Data is collected on the configuration characteristics of IE and the sites it br The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. ## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, Managed Object Format (.MOF) file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. @@ -80,48 +80,55 @@ On average, a website generates about 250bytes of data for each visit, causing o

**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. ## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.

**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - ![](images/wedge.gif) **To set up Enterprise Site Discovery** +![](images/wedge.gif) **To set up Enterprise Site Discovery** -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460). - -### Optional: Set up your firewall for WMI data +- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460). +### WMI only: Set up your firewall for WMI data If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - ![](images/wedge.gif) **To set up your firewall** +![](images/wedge.gif) **To set up your firewall** -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. -3. Restart your computer to start collecting your WMI data. +3. Restart your computer to start collecting your WMI data. -## Setting up Enterprise Site Discovery using PowerShell -After you finish the initial setup for Site Discovery using PowerShell, you have the option to continue with PowerShell or to switch to Group Policy. +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).

**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. -### Setting up zones or domains for data collection -You can determine which zones or domains are used for data collection, using PowerShell. +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. ![](images/wedge.gif) **To set up data collection using a domain allow list** - -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. -

**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + **Important**
Wildcards, like \*.microsoft.com, aren’t supported. ![](images/wedge.gif) **To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + **Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. -

**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Setting up Enterprise Site Discovery using Group Policy -If you don’t want to continue using PowerShell, you can switch to Group Policy after the initial Site Discovery setup. +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).

**Note**
 All of the Group Policy settings can be used individually or as a group. ![](images/wedge.gif) **To set up Enterprise Site Discovery using Group Policy** @@ -136,7 +143,6 @@ If you don’t want to continue using PowerShell, you can switch to Group Policy |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | ### Combining WMI and XML Group Policy settings - You can use both the WMI and XML settings individually or together, based on: ![](images/wedge.gif) **To turn off Enterprise Site Discovery** @@ -163,12 +169,17 @@ You can use both the WMI and XML settings individually or together, based on:

  • Turn on Site Discovery XML output: XML file path
    • - ## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, in one of the following ways. +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: -### Collect your hardware inventory using the MOF Editor while connecting to a computer -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers. +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

    +-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

    +-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. ![](images/wedge.gif) **To collect your inventory** @@ -193,8 +204,8 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 5. Click **OK** to close the default windows.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the MOF Editor with a MOF import file -You can collect your hardware inventory using the MOF Editor and a MOF import file. +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. ![](images/wedge.gif) **To collect your inventory** @@ -207,8 +218,8 @@ You can collect your hardware inventory using the MOF Editor and a MOF import fi 4. Click **OK** to close the default windows.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. ![](images/wedge.gif) **To collect your inventory** @@ -281,7 +292,7 @@ You can collect your hardware inventory using the using the Systems Management S 3. Save the file and close it to the same location.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Viewing the sample reports +## View the sample reports with your collected data The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. ### SCCM Report Sample – ActiveX.rdl @@ -336,7 +347,7 @@ Each site is validated and if successful, added to the global site list when you 3. Click **OK** to close the **Bulk add sites to the list** menu. -## Turn off data collection on your client computers +## Turn off data collection on your client devices After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. ![](images/wedge.gif) **To stop collecting data, using PowerShell** From 29fa4a92dd260f6b55bf2389fca6b7ab05e45ae4 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 11:01:00 -0700 Subject: [PATCH 31/59] wsfb paid app updates --- windows/manage/TOC.md | 4 +- ...managemement-windows-store-for-business.md | 45 ++++++++++++++----- .../apps-in-windows-store-for-business.md | 2 +- ...ge-inventory-windows-store-for-business.md | 1 + 4 files changed, 40 insertions(+), 12 deletions(-) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 2398446f4f..3324e10449 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -36,6 +36,7 @@ #### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) ### [Find and acquire apps](find-and-acquire-apps-overview.md) #### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) +#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md) #### [Working with line-of-business apps](working-with-line-of-business-apps.md) ### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) #### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) @@ -43,8 +44,9 @@ #### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) #### [Distribute offline apps](distribute-offline-apps.md) ### [Manage apps](manage-apps-windows-store-for-business-overview.md) -#### [Manage access to private store](manage-access-to-private-store.md) #### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md) +#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) +#### [Manage access to private store](manage-access-to-private-store.md) #### [Manage private store settings](manage-private-store-settings.md) #### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) ### [Device Guard signing portal](device-guard-signing-portal.md) diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index 77c0e6e634..245d15cac1 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md @@ -105,11 +105,6 @@ Each app in the Store for Business has an online, or an offline license. For mor   -**Note**   -Removing apps from inventory is not currently supported. - -  - The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). ### Distribute apps @@ -122,15 +117,45 @@ For online-licensed apps, there are a couple of ways to distribute apps from you If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). -### Assign apps +Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). -You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md). +**To make an app in inventory available in your private store** -### Private store +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. +4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. -The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app. +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. -For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). +Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. +2. Click the private store tab. +3. Click the app you want to install, and then click **Install**. + +Another way to distribute apps is by assigning them to people in your organization. + +If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. + +**To remove an app from the private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. + +The app will still be in your inventory, but your employees will not have access to the app from your private store. + +**To assign an app to an employee** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. ### Manage app licenses diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 1376953e1a..f1a9e6aaf5 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -49,7 +49,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, business-to-business transaction regulatory requirements might prevent the app being available in Store for Business. +Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, tax requirements for business-to-business transactions might prevent the app being available in Store for Business. Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index f2675df317..0a364336aa 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -1,6 +1,7 @@ --- title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library From 552ffb838184fe7a559e109607e2eadc5d95b413 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:09:11 -0700 Subject: [PATCH 32/59] smb hardening --- .../keep-secure/windows-10-security-guide.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index fbcf34aefe..b5f748c2f1 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -355,7 +355,10 @@ Table 3. Threats and Windows 10 mitigations Windows 10 mitigation - + +

    "Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users

    +

    Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

    +

    Firmware bootkits replace the firmware with malware.

    All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

    @@ -395,6 +398,22 @@ Table 3. Threats and Windows 10 mitigations The sections that follow describe these improvements in more detail. +**SMB hardening improvements for SYSVOL and NETLOGON connections** + +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). + +- **What value does this change add?** +This change reduces the likelihood of man-in-the-middle attacks. + +- **What works differently?** +If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts. + + +> **Note:** The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. + +For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215). + + **Secure hardware** Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. From 98e240371f24c63ce292bd3a6493f6477afea795 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:47:45 -0700 Subject: [PATCH 33/59] removed colgroup --- windows/keep-secure/windows-10-security-guide.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index b5f748c2f1..91964d3da0 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -345,10 +345,6 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi Table 3. Threats and Windows 10 mitigations ---- From 3171b1c0e75a55367db573448a42fa8ac372e5bc Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:48:45 -0700 Subject: [PATCH 34/59] spell out smb --- windows/keep-secure/windows-10-security-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 91964d3da0..586d509b57 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -396,7 +396,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. From eb60deb49dc6bae0a2bc9bc633dd1846819e9760 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 12:03:03 -0700 Subject: [PATCH 35/59] added SM to changelist --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3752693094..3940db84d1 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections | +|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections | ## March 2016 From 93bf847fc6f8eead8ac4d055d901789e119c054d Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 14:55:11 -0700 Subject: [PATCH 36/59] fixing link --- windows/manage/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index f4f70c7983..8cb184da6b 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md @@ -34,7 +34,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps: -- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx). +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). - **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx). From 6a9302f2f07bad219c2ee7ac4f42d099d2c6aa3e Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 29 Apr 2016 11:11:21 -0700 Subject: [PATCH 37/59] changing wording on app availability --- windows/manage/apps-in-windows-store-for-business.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index f1a9e6aaf5..30d0677d94 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -47,9 +47,12 @@ Apps in your inventory will have at least one of these supported platforms liste Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10. -Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. +Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, tax requirements for business-to-business transactions might prevent the app being available in Store for Business. +Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing). + +**Note**
    +We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days. Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. From ca7b9c413b55d65328a8a5327fa89d4382444f91 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 29 Apr 2016 13:17:32 -0700 Subject: [PATCH 38/59] fixing broken link --- .../update-windows-store-for-business-account-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 1357a11b43..0150a4f7e4 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -133,6 +133,6 @@ Offline licensing is a new licensing option for Windows 10. With offline license You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. - Distribute the app through a management tool. -For more information, see Distribute apps to your employees from the Store for Business. +For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md). From 08b99a852785e67c976ab235ec60c6283782f2ef Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 29 Apr 2016 15:05:05 -0700 Subject: [PATCH 39/59] Created multi-column table to replace single-column one The table holding the supported file extension types migrated as a single long list of items. I created a multi-column table so the info would take up less space. --- ...aging-app-v-51-virtualized-applications.md | 76 ++++--------------- 1 file changed, 15 insertions(+), 61 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index cf8080c563..bbdaf2448d 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -146,67 +146,21 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -| File type | -| --------- | -| .acm | -| .asa | -| .asp | -| .aspx | -| .ax | -| .bat | -| .cer | -| .chm | -| .clb | -| .cmd | -| .cnt | -| .cnv | -| .com | -| .cpl | -| .cpx | -| .crt | -| .dll | -| .drv | -| .exe | -| .fon | -| .grp | -| .hlp | -| .hta | -| .ime | -| .inf | -| .ins | -| .isp | -| .its | -| .js | -| .jse | -| .lnk | -| .msc | -| .msi | -| .msp | -| .mst | -| .mui | -| .nls | -| .ocx | -| .pal | -| .pcd | -| .pif | -| .reg | -| .scf | -| .scr | -| .sct | -| .shb | -| .shs | -| .sys | -| .tlb | -| .tsp | -| .url | -| .vb | -| .vbe | -| .vbs | -| .vsmacros | -| .ws | -| .esc | -| .wsf | -| .wsh | +**File type** + +| .acm | .cnv | .hta | .msp | .sct | .ws | +| .asa | .com | .ime | .mst | .shb | .esc | +| .asp | .cpl | .inf | .mui | .shs | .wsf | +| .aspx| .cpx | .ins | .nls | .sys | .wsh | +| .ax | .crt | .isp | .ocx | .tlb | +| .bat | .dll | .its | .pal | .tsp | +| .cer | .drv | .js | .pcd | .url | +| .chm | .exe | .jse | .pif | .vb | +| .clb | .fon | .lnk | .reg | .vbe | +| .cmd | .grp | .msc | .scf | .vbs | +| .cnt | .hlp | .msi | .scr |. vsmacros | + + ## Modifying an existing virtual application package From d0caccbcc374fdd4204ef62a01a9cd42c10661f5 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 29 Apr 2016 15:47:43 -0700 Subject: [PATCH 40/59] Trying to fix multi-column table. Looks like a table must have a header row in MDL. --- .../creating-and-managing-app-v-51-virtualized-applications.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index bbdaf2448d..e694467f90 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -146,8 +146,9 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -**File type** +File type +--------- | .acm | .cnv | .hta | .msp | .sct | .ws | | .asa | .com | .ime | .mst | .shb | .esc | | .asp | .cpl | .inf | .mui | .shs | .wsf | From fb97df54a0b0b2c538f8d3751c73beefab55729c Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Fri, 29 Apr 2016 17:56:04 -0700 Subject: [PATCH 41/59] Bug 6613390: Fix Documentation for App-V 5.0 SP3 -> 5.1 Server upgrade Corrected several files to provide better flow and to highlight required registry key fixes --- mdop/appv-v5/TOC.md | 1 + mdop/appv-v5/about-app-v-50-sp3.md | 2 +- mdop/appv-v5/about-app-v-51.md | 38 ++- mdop/appv-v5/check-reg-key-svr.md | 238 ++++++++++++++++ .../how-to-deploy-the-app-v-51-server.1.md | 269 ++++++++++++++++++ ...ing-to-app-v-51-from-a-previous-version.md | 5 +- 6 files changed, 545 insertions(+), 8 deletions(-) create mode 100644 mdop/appv-v5/check-reg-key-svr.md create mode 100644 mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md index 2e81d5ad03..1a7c936696 100644 --- a/mdop/appv-v5/TOC.md +++ b/mdop/appv-v5/TOC.md @@ -79,6 +79,7 @@ ##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md) ##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) #### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) +##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md) ##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md) diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index a4418a6430..84f1b27782 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
    Threat

     

    -

  • If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

    • +

  • If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

  • Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

    • diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 162630bae1..47d75bfb12 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -63,7 +63,7 @@ See the following links for the App-V 5.1 software prerequisites and supported c ## Migrating to App-V 5.1 -Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) for more information. +Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) for more information. ### Before you start the upgrade @@ -90,7 +90,7 @@ Review the following information before you start the upgrade:
    Note   -

    To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

    +

    Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      @@ -98,7 +98,7 @@ Review the following information before you start the upgrade:

    Upgrading from App-V 4.x

    -

    For more information, see:

    +

    You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:

    • “Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)

    • [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)

      • @@ -147,7 +147,35 @@ Complete the following steps to upgrade each component of the App-V infrastructu
       
      -

      See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)

      +

      Follow these steps:

      +
        +

      1. Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:

        + ++++ + + + + + + + + + + + + + + + + +
        Database upgrade methodStep

        Windows Installer

        Skip this step and go to step 2, “If you are upgrading the App-V Server...”

        SQL scripts

        Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

        +

      2. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

        3. +

      3. Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)

        4. +

         

        +

      Step 2: Upgrade the App-V Sequencer.

      @@ -174,7 +202,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no ## What’s New in App-V 5.1 -These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.0](planning-for-app-v-50-rc.md). +These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.1](planning-for-app-v-51.md). ### App-V support for Windows 10 diff --git a/mdop/appv-v5/check-reg-key-svr.md b/mdop/appv-v5/check-reg-key-svr.md new file mode 100644 index 0000000000..40deca6793 --- /dev/null +++ b/mdop/appv-v5/check-reg-key-svr.md @@ -0,0 +1,238 @@ +--- +title: Check Registry Keys before installing App-V 5.x Server +description: Check Registry Keys before installing App-V 5.x Server +ms.assetid: +author: jamiejdt +--- + +# Check Registry Keys before installing App-V 5.x Server + +If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in this section before installing the App-V 5.x Server + + ++++ + + + + + + + + + + + + + + + + + + +

      When this step is required

      You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file.

      Which components require that you do this step

      Only the App-V Server components that you are upgrading.

      When you need to do this step

      Before you upgrade the App-V Server to App-V 5.x

      What you need to do

      Using the information in the following tables, update each registry key value under HKLM\Software\Microsoft\AppV\Server with the value that you provided in your original server installation. Completing this step restores registry values that may have been removed when App-V 5.0 SP1 Hotfix Packages were installed.

      + +  + +**ManagementDatabase key** + +If you are installing the Management database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementDatabase`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

      Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required.

      MANAGEMENT_DB_NAME

      Name of the Management database.

      MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT

      Account used for read (public) access to the Management database.

      +

      Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for read (public) access to the Management database.

      +

      Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      MANAGEMENT_DB_SQL_INSTANCE

      SQL Server instance for the Management database.

      +

      If the value is blank, the default database instance is used.

      MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT

      Account used for write (administrator) access to the Management database.

      MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for write (administrator) access to the Management database.

      MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

      Management server remote computer account (domain\account).

      MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

      Installation administrator login for the Management server (domain\account).

      MANAGEMENT_SERVER_MACHINE_USE_LOCAL

      Valid values are:

      +
        +

      • 1 – the Management service is on the local computer, that is, MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

        • +

      • 0 - the Management service is on a different computer from the local computer.

        • +
      + +  + +**ManagementService key** + +If you are installing the Management server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementService`. + + ++++ + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      MANAGEMENT_ADMINACCOUNT

      Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account).

      MANAGEMENT_DB_SQL_INSTANCE

      SQL server instance that contains the Management database.

      +

      If the value is blank, the default database instance is used.

      MANAGEMENT_DB_SQL_SERVER_NAME

      Name of the remote SQL server with the Management database.

      +

      If the value is blank, the local computer is used.

      + +  + +**ReportingDatabase key** + +If you are installing the Reporting database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingDatabase`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

      Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required.

      REPORTING_DB_NAME

      Name of the Reporting database.

      REPORTING_DB_PUBLIC_ACCESS_ACCOUNT

      Account used for read (public) access to the Reporting database.

      +

      Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for read (public) access to the Reporting database.

      +

      Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      REPORTING_DB_SQL_INSTANCE

      SQL Server instance for the Reporting database.

      +

      If the value is blank, the default database instance is used.

      REPORTING_DB_WRITE_ACCESS_ACCOUNT

      REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID

      REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

      Reporting server remote computer account (domain\account).

      REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

      Installation administrator login for the Reporting server (domain\account).

      REPORTING_SERVER_MACHINE_USE_LOCAL

      Valid values are:

      +
        +

      • 1 – the Reporting service is on the local computer, that is, REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

        • +

      • 0 - the Reporting service is on a different computer from the local computer.

        • +
      + +  + +**ReportingService key** + +If you are installing the Reporting server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingService`. + + ++++ + + + + + + + + + + + + + + + + +
      Key nameDescription

      REPORTING_DB_SQL_INSTANCE

      SQL Server instance for the Reporting database.

      +

      If the value is blank, the default database instance is used.

      REPORTING_DB_SQL_SERVER_NAME

      Name of the remote SQL server with the Reporting database.

      +

      If the value is blank, the local computer is used.

      + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md new file mode 100644 index 0000000000..e524980035 --- /dev/null +++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md @@ -0,0 +1,269 @@ +--- +title: How to Deploy the App-V 5.1 Server +description: How to Deploy the App-V 5.1 Server +ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69 +author: jamiejdt +--- + +# How to Deploy the App-V 5.1 Server + + +Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51). + +**Before you start:** + +- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md). + +- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md). + +- Specify a port where each component will be hosted. + +- Add firewall rules to allow incoming requests to access the specified ports. + +- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md). + +**To install the App-V 5.1 server** + +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. + +2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. + +3. Review and accept the license terms, and choose whether to enable Microsoft updates. + +4. On the **Feature Selection** page, select all of the following components. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ComponentDescription

      Management server

      Provides overall management functionality for the App-V infrastructure.

      Management database

      Facilitates database predeployments for App-V management.

      Publishing server

      Provides hosting and streaming functionality for virtual applications.

      Reporting server

      Provides App-V 5.1 reporting services.

      Reporting database

      Facilitates database predeployments for App-V reporting.

      + +   + +5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. + +6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. + + + + + + + + + + + + + + + + + + + + + + +
      MethodWhat you need to do

      You are using a custom Microsoft SQL Server instance.

      Select Use the custom instance, and type the name of the instance.

      +

      Use the format INSTANCENAME. The assumed installation location is the local computer.

      +

      Not supported: A server name using the format ServerName\INSTANCE.

      You are using a custom database name.

      Select Custom configuration and type the database name.

      +

      The database name must be unique, or the installation will fail.

      + +   + +7. On the **Configure** page, accept the default value **Use this local computer**. + + **Note**   + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + +   + +8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. + + + + + + + + + + + + + + + + + + + + + + +
      MethodWhat you need to do

      You are using a custom Microsoft SQL Server instance.

      Select Use the custom instance, and type the name of the instance.

      +

      Use the format INSTANCENAME. The assumed installation location is the local computer.

      +

      Not supported: A server name using the format ServerName\INSTANCE.

      You are using a custom database name.

      Select Custom configuration and type the database name.

      +

      The database name must be unique, or the installation will fail.

      + +   + +9. On the **Configure** page, accept the default value: **Use this local computer**. + + **Note**   + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + +   + +10. On the **Configure** (Management Server Configuration) page, specify the following: + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Type the AD group with sufficient permissions to manage the App-V environment.

      Example: MyDomain\MyUser

      +

      After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.

      Website name: Specify the custom name that will be used to run the publishing service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 12345

      +

      Ensure that the port specified is not being used by another website.

      + +   + +11. On the **Configure** **Publishing Server Configuration** page, specify the following: + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Specify the URL for the management service.

      Example: http://localhost:12345

      Website name: Specify the custom name that will be used to run the publishing service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 54321

      +

      Ensure that the port specified is not being used by another website.

      + +   + +12. On the **Reporting Server** page, specify the following: + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Website name: Specify the custom name that will be used to run the Reporting Service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 55555

      +

      Ensure that the port specified is not being used by another website.

      + +   + +13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. + +14. To verify that the setup completed successfully, open a web browser, and type the following URL: + + **http://<Management server machine name>:<Management service port number>/Console.html**. + + Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +## Related topics + + +[Deploying App-V 5.1](deploying-app-v-51.md) + +[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md) + +[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md) + +[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md) + +  + +  + + + + + diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 5e1395c0f0..64565f8e9c 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -8,10 +8,11 @@ author: jamiejdt # Migrating to App-V 5.1 from a Previous Version -With Microsoft Application Virtualization (App-V) 5.1 you can migrate your existing App-V 4.6 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. +With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) **Note**   -App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages. +App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). From 88e61dee112546a85e5c2f3c26d9868c62c83308 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sun, 1 May 2016 12:46:30 -0700 Subject: [PATCH 42/59] fixing link --- mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 64565f8e9c..0eb3ce6d09 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -9,7 +9,7 @@ author: jamiejdt With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) **Note**   App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. From 1a33b2e854ef71a98586519f2f6c3a240ead62c8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:26:19 -0700 Subject: [PATCH 43/59] testing broken link --- windows/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/index.md b/windows/index.md index 08ec4adaa7..33c6dfbb9f 100644 --- a/windows/index.md +++ b/windows/index.md @@ -14,7 +14,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl ## In this library -[What's new in Windows 10](whats-new/index.md) +[What's new in Windows 10](whats-new/) [Plan for Windows 10 deployment](plan/index.md) From 9b7990442e9f7881a37393324430a15303514f69 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:34:08 -0700 Subject: [PATCH 44/59] fixing other links --- windows/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/index.md b/windows/index.md index 33c6dfbb9f..51b64fe509 100644 --- a/windows/index.md +++ b/windows/index.md @@ -16,13 +16,13 @@ This library provides the core content that IT pros need to evaluate, plan, depl [What's new in Windows 10](whats-new/) -[Plan for Windows 10 deployment](plan/index.md) +[Plan for Windows 10 deployment](plan/) -[Deploy Windows 10](deploy/index.md) +[Deploy Windows 10](deploy/) -[Keep Windows 10 secure](keep-secure/index.md) +[Keep Windows 10 secure](keep-secure/) -[Manage and update Windows 10](manage/index.md) +[Manage and update Windows 10](manage/) ## Related topics From abe195ca4a01c1db48c794b6c2e74604fc94289c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:36:42 -0700 Subject: [PATCH 45/59] fixing links again --- windows/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/index.md b/windows/index.md index 51b64fe509..08ec4adaa7 100644 --- a/windows/index.md +++ b/windows/index.md @@ -14,15 +14,15 @@ This library provides the core content that IT pros need to evaluate, plan, depl ## In this library -[What's new in Windows 10](whats-new/) +[What's new in Windows 10](whats-new/index.md) -[Plan for Windows 10 deployment](plan/) +[Plan for Windows 10 deployment](plan/index.md) -[Deploy Windows 10](deploy/) +[Deploy Windows 10](deploy/index.md) -[Keep Windows 10 secure](keep-secure/) +[Keep Windows 10 secure](keep-secure/index.md) -[Manage and update Windows 10](manage/) +[Manage and update Windows 10](manage/index.md) ## Related topics From 86395d42ce7e14bf155d14a2f53b4fece06b07f0 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 10:59:59 -0700 Subject: [PATCH 46/59] Fixed spacing and other minor issues Fixed spacing and other minor issues --- ...aging-app-v-51-virtualized-applications.md | 91 +++++++++++++------ 1 file changed, 64 insertions(+), 27 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index e694467f90..f69e1ea016 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -14,7 +14,6 @@ After you have properly deployed the Microsoft Application Virtualization (App-V For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).   - ## Sequencing an application @@ -28,9 +27,7 @@ You can use the App-V 5.1 Sequencer to perform the following tasks: **Note**   You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V 5.1 client. - -   - +  - Convert existing virtual packages. The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing. @@ -48,18 +45,14 @@ When you use the sequencer to create a new virtual application, the following li - User configuration file. The user configuration file determines how the virtual application will run on target computers. **Important**   -You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process. - -  +You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process.  The **Options** dialog box in the sequencer console contains the following tabs: - **General**. Use this tab to enable Microsoft Updates to run during sequencing. Select **Append Package Version to Filename** to configure the sequence to add a version number to the virtualized package that is being sequenced. Select **Always trust the source of Package Accelerators** to create virtualized packages using a package accelerator without being prompted for authorization. **Important**   - Package Accelerators created using App-V 4.6 are not supported by App-V 5.1. - -   + Package Accelerators created using App-V 4.6 are not supported by App-V 5.1.   - **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. @@ -136,7 +129,6 @@ The following table lists the supported shell extensions: -   ## Copy on Write (CoW) file extension support @@ -146,22 +138,67 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. - -File type ---------- -| .acm | .cnv | .hta | .msp | .sct | .ws | -| .asa | .com | .ime | .mst | .shb | .esc | -| .asp | .cpl | .inf | .mui | .shs | .wsf | -| .aspx| .cpx | .ins | .nls | .sys | .wsh | -| .ax | .crt | .isp | .ocx | .tlb | -| .bat | .dll | .its | .pal | .tsp | -| .cer | .drv | .js | .pcd | .url | -| .chm | .exe | .jse | .pif | .vb | -| .clb | .fon | .lnk | .reg | .vbe | -| .cmd | .grp | .msc | .scf | .vbs | -| .cnt | .hlp | .msi | .scr |. vsmacros | - - +| File type | +| --------- | +| .acm | +| .asa | +| .asp | +| .aspx | +| .ax | +| .bat | +| .cer | +| .chm | +| .clb | +| .cmd | +| .cnt | +| .cnv | +| .com | +| .cpl | +| .cpx | +| .crt | +| .dll | +| .drv | +| .exe | +| .fon | +| .grp | +| .hlp | +| .hta | +| .ime | +| .inf | +| .ins | +| .isp | +| .its | +| .js | +| .jse | +| .lnk | +| .msc | +| .msi | +| .msp | +| .mst | +| .mui | +| .nls | +| .ocx | +| .pal | +| .pcd | +| .pif | +| .reg | +| .scf | +| .scr | +| .sct | +| .shb | +| .shs | +| .sys | +| .tlb | +| .tsp | +| .url | +| .vb | +| .vbe | +| .vbs | +| .vsmacros | +| .ws | +| .esc | +| .wsf | +| .wsh | ## Modifying an existing virtual application package From a5556602650e56fb46a83a059a26eba7fa7d58eb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 11:06:55 -0700 Subject: [PATCH 47/59] Revert "fixing link" This reverts commit 88e61dee112546a85e5c2f3c26d9868c62c83308. --- mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 0eb3ce6d09..64565f8e9c 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -9,7 +9,7 @@ author: jamiejdt With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) **Note**   App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. From ac479adc79f356acc47a0a12885f1b6a8392b42e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 11:21:00 -0700 Subject: [PATCH 48/59] Revert "Migration fix" --- mdop/appv-v5/TOC.md | 1 - mdop/appv-v5/about-app-v-50-sp3.md | 2 +- mdop/appv-v5/about-app-v-51.md | 38 +-- mdop/appv-v5/check-reg-key-svr.md | 238 ---------------- .../how-to-deploy-the-app-v-51-server.1.md | 269 ------------------ ...ing-to-app-v-51-from-a-previous-version.md | 5 +- 6 files changed, 8 insertions(+), 545 deletions(-) delete mode 100644 mdop/appv-v5/check-reg-key-svr.md delete mode 100644 mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md index 1a7c936696..2e81d5ad03 100644 --- a/mdop/appv-v5/TOC.md +++ b/mdop/appv-v5/TOC.md @@ -79,7 +79,6 @@ ##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md) ##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) #### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) -##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md) ##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md) diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index 84f1b27782..a4418a6430 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu

       

      -

    • If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

      • +

    • If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

    • Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

      • diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 47d75bfb12..162630bae1 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -63,7 +63,7 @@ See the following links for the App-V 5.1 software prerequisites and supported c ## Migrating to App-V 5.1 -Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) for more information. +Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) for more information. ### Before you start the upgrade @@ -90,7 +90,7 @@ Review the following information before you start the upgrade:
      Note   -

      Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      +

      To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

        @@ -98,7 +98,7 @@ Review the following information before you start the upgrade:

      Upgrading from App-V 4.x

      -

      You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:

      +

      For more information, see:

      • “Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)

      • [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)

        • @@ -147,35 +147,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
         
        -

        Follow these steps:

        -
          -

        1. Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:

          - ---- - - - - - - - - - - - - - - - - -
          Database upgrade methodStep

          Windows Installer

          Skip this step and go to step 2, “If you are upgrading the App-V Server...”

          SQL scripts

          Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

          -

        2. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

          3. -

        3. Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)

          4. -

           

          -
        +

        See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)

        Step 2: Upgrade the App-V Sequencer.

        @@ -202,7 +174,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no ## What’s New in App-V 5.1 -These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.1](planning-for-app-v-51.md). +These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.0](planning-for-app-v-50-rc.md). ### App-V support for Windows 10 diff --git a/mdop/appv-v5/check-reg-key-svr.md b/mdop/appv-v5/check-reg-key-svr.md deleted file mode 100644 index 40deca6793..0000000000 --- a/mdop/appv-v5/check-reg-key-svr.md +++ /dev/null @@ -1,238 +0,0 @@ ---- -title: Check Registry Keys before installing App-V 5.x Server -description: Check Registry Keys before installing App-V 5.x Server -ms.assetid: -author: jamiejdt ---- - -# Check Registry Keys before installing App-V 5.x Server - -If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in this section before installing the App-V 5.x Server - - ---- - - - - - - - - - - - - - - - - - - -

        When this step is required

        You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file.

        Which components require that you do this step

        Only the App-V Server components that you are upgrading.

        When you need to do this step

        Before you upgrade the App-V Server to App-V 5.x

        What you need to do

        Using the information in the following tables, update each registry key value under HKLM\Software\Microsoft\AppV\Server with the value that you provided in your original server installation. Completing this step restores registry values that may have been removed when App-V 5.0 SP1 Hotfix Packages were installed.

        - -  - -**ManagementDatabase key** - -If you are installing the Management database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementDatabase`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

        Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required.

        MANAGEMENT_DB_NAME

        Name of the Management database.

        MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT

        Account used for read (public) access to the Management database.

        -

        Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for read (public) access to the Management database.

        -

        Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        MANAGEMENT_DB_SQL_INSTANCE

        SQL Server instance for the Management database.

        -

        If the value is blank, the default database instance is used.

        MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT

        Account used for write (administrator) access to the Management database.

        MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for write (administrator) access to the Management database.

        MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

        Management server remote computer account (domain\account).

        MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

        Installation administrator login for the Management server (domain\account).

        MANAGEMENT_SERVER_MACHINE_USE_LOCAL

        Valid values are:

        -
          -

        • 1 – the Management service is on the local computer, that is, MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

          • -

        • 0 - the Management service is on a different computer from the local computer.

          • -
        - -  - -**ManagementService key** - -If you are installing the Management server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementService`. - - ---- - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        MANAGEMENT_ADMINACCOUNT

        Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account).

        MANAGEMENT_DB_SQL_INSTANCE

        SQL server instance that contains the Management database.

        -

        If the value is blank, the default database instance is used.

        MANAGEMENT_DB_SQL_SERVER_NAME

        Name of the remote SQL server with the Management database.

        -

        If the value is blank, the local computer is used.

        - -  - -**ReportingDatabase key** - -If you are installing the Reporting database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingDatabase`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

        Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required.

        REPORTING_DB_NAME

        Name of the Reporting database.

        REPORTING_DB_PUBLIC_ACCESS_ACCOUNT

        Account used for read (public) access to the Reporting database.

        -

        Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for read (public) access to the Reporting database.

        -

        Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        REPORTING_DB_SQL_INSTANCE

        SQL Server instance for the Reporting database.

        -

        If the value is blank, the default database instance is used.

        REPORTING_DB_WRITE_ACCESS_ACCOUNT

        REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID

        REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

        Reporting server remote computer account (domain\account).

        REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

        Installation administrator login for the Reporting server (domain\account).

        REPORTING_SERVER_MACHINE_USE_LOCAL

        Valid values are:

        -
          -

        • 1 – the Reporting service is on the local computer, that is, REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

          • -

        • 0 - the Reporting service is on a different computer from the local computer.

          • -
        - -  - -**ReportingService key** - -If you are installing the Reporting server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingService`. - - ---- - - - - - - - - - - - - - - - - -
        Key nameDescription

        REPORTING_DB_SQL_INSTANCE

        SQL Server instance for the Reporting database.

        -

        If the value is blank, the default database instance is used.

        REPORTING_DB_SQL_SERVER_NAME

        Name of the remote SQL server with the Reporting database.

        -

        If the value is blank, the local computer is used.

        - diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md deleted file mode 100644 index e524980035..0000000000 --- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md +++ /dev/null @@ -1,269 +0,0 @@ ---- -title: How to Deploy the App-V 5.1 Server -description: How to Deploy the App-V 5.1 Server -ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69 -author: jamiejdt ---- - -# How to Deploy the App-V 5.1 Server - - -Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51). - -**Before you start:** - -- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md). - -- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md). - -- Specify a port where each component will be hosted. - -- Add firewall rules to allow incoming requests to access the specified ports. - -- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md). - -**To install the App-V 5.1 server** - -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. - -2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. - -3. Review and accept the license terms, and choose whether to enable Microsoft updates. - -4. On the **Feature Selection** page, select all of the following components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        ComponentDescription

        Management server

        Provides overall management functionality for the App-V infrastructure.

        Management database

        Facilitates database predeployments for App-V management.

        Publishing server

        Provides hosting and streaming functionality for virtual applications.

        Reporting server

        Provides App-V 5.1 reporting services.

        Reporting database

        Facilitates database predeployments for App-V reporting.

        - -   - -5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. - -6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - - -
        MethodWhat you need to do

        You are using a custom Microsoft SQL Server instance.

        Select Use the custom instance, and type the name of the instance.

        -

        Use the format INSTANCENAME. The assumed installation location is the local computer.

        -

        Not supported: A server name using the format ServerName\INSTANCE.

        You are using a custom database name.

        Select Custom configuration and type the database name.

        -

        The database name must be unique, or the installation will fail.

        - -   - -7. On the **Configure** page, accept the default value **Use this local computer**. - - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. - -   - -8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - - -
        MethodWhat you need to do

        You are using a custom Microsoft SQL Server instance.

        Select Use the custom instance, and type the name of the instance.

        -

        Use the format INSTANCENAME. The assumed installation location is the local computer.

        -

        Not supported: A server name using the format ServerName\INSTANCE.

        You are using a custom database name.

        Select Custom configuration and type the database name.

        -

        The database name must be unique, or the installation will fail.

        - -   - -9. On the **Configure** page, accept the default value: **Use this local computer**. - - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. - -   - -10. On the **Configure** (Management Server Configuration) page, specify the following: - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Type the AD group with sufficient permissions to manage the App-V environment.

        Example: MyDomain\MyUser

        -

        After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.

        Website name: Specify the custom name that will be used to run the publishing service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 12345

        -

        Ensure that the port specified is not being used by another website.

        - -   - -11. On the **Configure** **Publishing Server Configuration** page, specify the following: - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Specify the URL for the management service.

        Example: http://localhost:12345

        Website name: Specify the custom name that will be used to run the publishing service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 54321

        -

        Ensure that the port specified is not being used by another website.

        - -   - -12. On the **Reporting Server** page, specify the following: - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Website name: Specify the custom name that will be used to run the Reporting Service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 55555

        -

        Ensure that the port specified is not being used by another website.

        - -   - -13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. - -14. To verify that the setup completed successfully, open a web browser, and type the following URL: - - **http://<Management server machine name>:<Management service port number>/Console.html**. - - Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors. - - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). - -## Related topics - - -[Deploying App-V 5.1](deploying-app-v-51.md) - -[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md) - -[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md) - -[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md) - -  - -  - - - - - diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 64565f8e9c..5e1395c0f0 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -8,11 +8,10 @@ author: jamiejdt # Migrating to App-V 5.1 from a Previous Version -With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) +With Microsoft Application Virtualization (App-V) 5.1 you can migrate your existing App-V 4.6 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. **Note**   -App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. +App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages. For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). From 59ec2be28637828cd589ee5fda5633cf4a5b9695 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:25:11 -0700 Subject: [PATCH 49/59] Fixed spacing, added multi-column table Fixed spacing, added multi-column table --- ...aging-app-v-51-virtualized-applications.md | 86 +++---------------- 1 file changed, 13 insertions(+), 73 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index f69e1ea016..e48e9dd024 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -138,67 +138,19 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -| File type | -| --------- | -| .acm | -| .asa | -| .asp | -| .aspx | -| .ax | -| .bat | -| .cer | -| .chm | -| .clb | -| .cmd | -| .cnt | -| .cnv | -| .com | -| .cpl | -| .cpx | -| .crt | -| .dll | -| .drv | -| .exe | -| .fon | -| .grp | -| .hlp | -| .hta | -| .ime | -| .inf | -| .ins | -| .isp | -| .its | -| .js | -| .jse | -| .lnk | -| .msc | -| .msi | -| .msp | -| .mst | -| .mui | -| .nls | -| .ocx | -| .pal | -| .pcd | -| .pif | -| .reg | -| .scf | -| .scr | -| .sct | -| .shb | -| .shs | -| .sys | -| .tlb | -| .tsp | -| .url | -| .vb | -| .vbe | -| .vbs | -| .vsmacros | -| .ws | -| .esc | -| .wsf | -| .wsh | +| File Type | | | | | | +|------------ |------------- |------------- |------------ |------------ |------------ | +| .acm | .asa | .asp | .aspx | .ax | .bat | +| .cer | .chm | .clb | .cmd | .cnt | .cnv | +| .com | .cpl | .cpx | .crt | .dll | .drv | +| .esc | .exe | .fon | .grp | .hlp | .hta | +| .ime | .inf | .ins | .isp | .its | .js | +| .jse | .lnk | .msc | .msi | .msp | .mst | +| .mui | .nls | .ocx | .pal | .pcd | .pif | +| .reg | .scf | .scr | .sct | .shb | .shs | +| .sys | .tlb | .tsp | .url | .vb | .vbe | +| .vbs | .vsmacros | .ws | .wsf | .wsh | | + ## Modifying an existing virtual application package @@ -249,21 +201,9 @@ The App-V 5.1 Sequencer can detect common sequencing issues during sequencing. T You can also find additional information about sequencing errors using the Windows Event Viewer. -## Got a suggestion for App-V? - - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Other resources for the App-V 5.1 sequencer - [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  - - - - - From 5b9cd8739a708413204795535d39bd480fda4f9d Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:33:03 -0700 Subject: [PATCH 50/59] Update creating-and-managing-app-v-51-virtualized-applications.md --- .../creating-and-managing-app-v-51-virtualized-applications.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index e48e9dd024..9dcd40a111 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -13,7 +13,6 @@ After you have properly deployed the Microsoft Application Virtualization (App-V **Note**   For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). -  ## Sequencing an application @@ -182,8 +181,6 @@ A template can specify and store multiple settings as follows: **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V 5.1. -  - You can use App-V 5.1 package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. From df223dccfa6a5c1be8a7774149f6ca0249787353 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:35:07 -0700 Subject: [PATCH 51/59] Update creating-and-managing-app-v-51-virtualized-applications.md --- .../creating-and-managing-app-v-51-virtualized-applications.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index 9dcd40a111..9d9109d788 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -128,11 +128,9 @@ The following table lists the supported shell extensions: -  ## Copy on Write (CoW) file extension support - Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to specific locations contained in the virtual package while it is being used. The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. From 79300189127f7f2dd49db3a1139c1f69b18ebb7f Mon Sep 17 00:00:00 2001 From: coolriggs Date: Tue, 3 May 2016 14:58:13 -0700 Subject: [PATCH 52/59] update TPM page This includes the initial v1 of RS1 updates --- windows/keep-secure/tpm-recommendations.md | 32 ++++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 82168aa9c3..e157d7c38b 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -31,7 +31,15 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. -Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). +Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. **Note**   Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -65,7 +73,6 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in ## Discrete or firmware TPM? - Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. From a security standpoint, discrete and firmware share the same characteristics; @@ -77,20 +84,15 @@ From a security standpoint, discrete and firmware share the same characteristics For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). -## TPM 2.0 Compliance for Windows 10 in the future - - -All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program. +## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support. -- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0. -- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled. +- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) ### Windows 10 Mobile -- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled. +- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. ### IoT Core @@ -102,7 +104,6 @@ All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 d ## TPM and Windows Features - The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. @@ -124,7 +125,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -147,7 +148,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -175,7 +176,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -240,6 +241,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. @@ -301,7 +303,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. ### Certified TPM parts -Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015. +Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. ### Windows 7 32-bit support From ffddbb2d2c98d2533a222363aa5cb4bc52452681 Mon Sep 17 00:00:00 2001 From: coolriggs Date: Tue, 3 May 2016 15:20:52 -0700 Subject: [PATCH 53/59] minor tweaks throughout changes for RS1 --- windows/keep-secure/tpm-recommendations.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index e157d7c38b..651ed1468f 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -49,11 +49,10 @@ Some information relates to pre-released product which may be substantially modi ## TPM 1.2 vs. 2.0 comparison -From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. +From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. ## Why TPM 2.0? - TPM 2.0 products and systems have important security advantages over TPM 1.2, including: - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. @@ -84,11 +83,18 @@ From a security standpoint, discrete and firmware share the same characteristics For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). +## Is there any importance for TPM for consumer? +For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. + ## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) - As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) + +## Two implementation options: +• Discrete TPM chip as a separate discrete component +• Firmware TPM solution using Intel PTT (platform trust technology) or AMD ### Windows 10 Mobile @@ -276,11 +282,12 @@ There are a variety of TPM manufacturers for both discrete and firmware. From 7e2dcd3d1b626bf323b6f9c45c9040172ae9afe8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 4 May 2016 08:01:21 -0700 Subject: [PATCH 54/59] 7431425 --- .../change-history-for-manage-and-update-windows-10.md | 5 +++++ .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 18be77205f..8767cf30ff 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -13,6 +13,11 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## May 2016 + +New or changed topic | Description | +---|---| +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | ## April 2016 diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index b88902b04f..55945ea84b 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -350,7 +350,9 @@ Modify the following PowerShell script as appropriate. The comments in the sampl $ShellLauncherClass.SetEnabled($TRUE) - “`nEnabled is set to “ + $DefaultShellObject.IsEnabled() + $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + + “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled # Remove the new custom shells. From 59634eee2127458a7a2c8a66d999b91447f27424 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 09:21:39 -0700 Subject: [PATCH 55/59] cleaning up content --- ...-as-part-of-a-windows-deploymentmbam-25.md | 373 ++++-------------- 1 file changed, 73 insertions(+), 300 deletions(-) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 1924b4d39c..b2a620df28 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -50,275 +50,70 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Robust error handling - You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. + You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. - **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. + **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. - **MBAM\_Machine WMI Class** - **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. + **MBAM\_Machine WMI Class** + **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. -
        Measure BootMeasured Boot Required Required Required
        Passport: MSA or Local Account n/aNot RequiredRequired Required TPM 2.0 is required with HMAC and EK certificate for key attestation support.
        Device Health Attestation n/aNot RequiredRequired Required
        • Infineon
        • Nuvoton
          • +
        • Atmel
        • NationZ
        • ST Micro
        Intel
          -
        • Clovertrail
          • -
        • Haswell
          • -
        • Broadwell
          • -
        • Skylake
          • +
        • Atom (CloverTrail)
        • Baytrail
          • +
        • 4th generation(Haswell)
          • +
        • 5th generation(Broadwell)
          • +
        • Braswell
          • +
        • Skylake
        - - - - - - - - - - - - - - - - -
        ParameterDescription

        RecoveryServiceEndPoint

        A string specifying the MBAM recovery service endpoint.

        +| Parameter | Description | +| -------- | ----------- | +| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        MBAM_E_TPM_NOT_PRESENT

        -

        2147746304 (0x80040200)

        TPM is not present in the computer or is disabled in the BIOS configuration.

        MBAM_E_TPM_INCORRECT_STATE

        -

        2147746305 (0x80040201)

        TPM is not in the correct state (enabled, activated and owner installation allowed).

        MBAM_E_TPM_AUTO_PROVISIONING_PENDING

        -

        2147746306 (0x80040202)

        MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed.

        MBAM_E_TPM_OWNERAUTH_READFAIL

        -

        2147746307 (0x80040203)

        MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.

        MBAM_E_REBOOT_REQUIRED

        -

        2147746308 (0x80040204)

        The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer.

        MBAM_E_SHUTDOWN_REQUIRED

        -

        2147746309 (0x80040205)

        The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer.

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        +| Common return values | Error message | +| -------------------- | ------------- | +| **S_OK**
        0 (0x0) | The method was successful. | +| **MBAM_E_TPM_NOT_PRESENT**
        2147746304 (0x80040200) | TPM is not present in the computer or is disabled in the BIOS configuration. | +| **MBAM_E_TPM_INCORRECT_STATE**
        2147746305 (0x80040201) | TPM is not in the correct state (enabled, activated and owner installation allowed). | +| **MBAM_E_TPM_AUTO_PROVISIONING_PENDING**
        2147746306 (0x80040202) | MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed. | +| **MBAM_E_TPM_OWNERAUTH_READFAIL**
        2147746307 (0x80040203) | MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others. | +| **MBAM_E_REBOOT_REQUIRED**
        2147746308 (0x80040204) | The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer. | +| **MBAM_E_SHUTDOWN_REQUIRED**
        2147746309 (0x80040205) | The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer. | +| **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint. | +| **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | +| **WS_E_ENDPOINT_FAILURE
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | +| **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | +| **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | +| **WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | -   - - **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
        ParameterDescription

        ReportingServiceEndPoint

        A string specifying the MBAM status reporting service endpoint.

        - -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        - -   - - **MBAM\_Volume WMI Class** - **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
        ParameterDescription

        RecoveryServiceEndPoint

        A string specifying the MBAM recovery service endpoint.

        - -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        FVE_E_LOCKED_VOLUME

        -

        2150694912 (0x80310000)

        The volume is locked.

        FVE_E_PROTECTOR_NOT_FOUND

        -

        2150694963 (0x80310033)

        A Numerical Password protector was not found for the volume.

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        + **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | + + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
        0 (0x0) | The method was successful | + | **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint.| + | **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
        2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | + **MBAM\_Volume WMI Class** + **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | + + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
        0 (0x0) | The method was successful | + | **FVE_E_LOCKED_VOLUME**
        2150694912 (0x80310000) | The volume is locked. | + | **FVE_E_PROTECTOR_NOT_FOUND**
        2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. | + | **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint. | + | **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
        2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |   2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell** @@ -328,13 +123,9 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Note**   The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool. -   - **Caution**   If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** - -   - + 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. @@ -467,46 +258,40 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Caution**   This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk. -   - 1. Set the TPM for **Operating system only encryption**, run Regedit.exe, and then import the registry key template from C:\\Program Files\\Microsoft\\MDOP MBAM\\MBAMDeploymentKeyTemplate.reg. 2. In Regedit.exe, go to HKLM\\SOFTWARE\\Microsoft\\MBAM, and configure the settings that are listed in the following table. **Note**   You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values. + + Registry entry + Configuration settings -   + DeploymentTime - Registry entry + 0 = Off - Configuration settings + 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. - DeploymentTime + UseKeyRecoveryService - 0 = Off + 0 = Do not use key escrow (the next two registry entries are not required in this case) - 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. + 1 = Use key escrow in Key Recovery system (default) - UseKeyRecoveryService + This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. - 0 = Do not use key escrow (the next two registry entries are not required in this case) + KeyRecoveryOptions - 1 = Use key escrow in Key Recovery system (default) + 0 = Uploads Recovery Key only - This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. + 1 = Uploads Recovery Key and Key Recovery Package (default) - KeyRecoveryOptions + KeyRecoveryServiceEndPoint - 0 = Uploads Recovery Key only + Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - 1 = Uploads Recovery Key and Key Recovery Package (default) - - KeyRecoveryServiceEndPoint - - Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - -   6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator: @@ -522,20 +307,8 @@ This topic explains how to enable BitLocker on an end user's computer by using M 9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\\SOFTWARE\\Microsoft registry entry. Right-click the **MBAM** node, and then click **Delete**. - **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam). - ## Related topics - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md) - -  - -  - - - - - From 3b619cfb18fda8b83a32a4d366d6a08f4c28ffe7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 09:52:28 -0700 Subject: [PATCH 56/59] cleaning up content --- ...ker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index b2a620df28..b9d94fab8e 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -61,6 +61,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | -------- | ----------- | | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | +Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | @@ -84,6 +85,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | --------- | ----------- | | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | + Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | @@ -102,6 +104,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | --------- | ----------- | | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | + Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | From c749eb36a5d49a6700db25c4dda4001b288ecd1e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 10:57:19 -0700 Subject: [PATCH 57/59] updating INF to remove SHA1 support --- .../keep-secure/bitlocker-how-to-enable-network-unlock.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 0ee061cb84..1c26ced248 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -196,7 +196,12 @@ To create a self-signed certificate, do the following: Exportable=true RequestType=Cert KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" + KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyLength=2048 + Keyspec="AT_KEYEXCHANGE" + SMIME=FALSE + HashAlgorithm=sha512 + [Extensions] 1.3.6.1.4.1.311.21.10 = "{text}" From 37da37dc47360e34a77222d2d1fe7a8d71209108 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 11:23:12 -0700 Subject: [PATCH 58/59] updating INF to remove SHA1 support --- .../bitlocker-how-to-enable-network-unlock.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 1c26ced248..20a2231f7e 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -196,12 +196,11 @@ To create a self-signed certificate, do the following: Exportable=true RequestType=Cert KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" - KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" + KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyLength=2048 - Keyspec="AT_KEYEXCHANGE" - SMIME=FALSE - HashAlgorithm=sha512 - + Keyspec="AT_KEYEXCHANGE" + SMIME=FALSE + HashAlgorithm=sha512 [Extensions] 1.3.6.1.4.1.311.21.10 = "{text}" From e17ec31078036c5391baecca06482dc1da26f01c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 14:57:31 -0700 Subject: [PATCH 59/59] cleaning up content --- .../device-guard-deployment-guide.md | 422 ++++++------------ 1 file changed, 126 insertions(+), 296 deletions(-) diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 2dae3234ae..5bace9eb68 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -2,7 +2,7 @@ title: Device Guard deployment guide (Windows 10) description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 -keywords: ["virtualization", "security", "malware"] +keywords: virtualization, security, malware ms.prod: W10 ms.mktglfcycl: deploy author: challum @@ -10,7 +10,6 @@ author: challum # Device Guard deployment guide - **Applies to** - Windows 10 @@ -19,7 +18,6 @@ Microsoft Device Guard is a feature set that consists of both hardware and softw ## Introduction to Device Guard - Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of today’s known threats. It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe. @@ -32,15 +30,12 @@ Device Guard's features revolutionize the Windows operating system’s security ## Device Guard overview - Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client. -Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware) section. +Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware-considerations) section. Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them. -### - **Configurable code integrity** The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application that is running in user mode needs additional memory, the user mode process must request the resources from kernel mode, not directly from RAM. @@ -53,9 +48,7 @@ Historically, most malware has been unsigned. By simply deploying code integrity The Device Guard core functionality and protection start at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. This prevents code that has penetrated the kernel mode operations from compromising the code integrity service. -Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dg-with-cg) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. - -### +Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. **Device Guard with AppLocker** @@ -63,12 +56,8 @@ Although AppLocker is not considered a new Device Guard feature, it complements **Note**  One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. -  - AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. -### - **Device Guard with Credential Guard** Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. @@ -86,42 +75,40 @@ You can easily manage Device Guard features by using the familiar enterprise and - **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section. -## Plan for Device Guard +## Plan for Device Guard In this section, you will learn about the following topics: -- [Approach enterprise code integrity deployment](#approach-enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. +- [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. -- [Device Guard deployment scenarios](#device-guard-deployment). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. +- [Device Guard deployment scenarios](#device-guard-deployment-scenarios). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. - [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method. -- [Hardware considerations](#hardware). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh. - -## Approach enterprise code integrity deployment +- [Hardware considerations](#hardware-considerations). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh. +## Approach enterprise code integrity deployment Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise: -1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. +1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. -2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-golden) section. +2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section. -3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. +3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. 4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section. -5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware) section. +5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware-based-security-features) section. -6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-cat-gp) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-manage-code-gp) section. +6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-catalog-files-with-group-policy) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-code-integrity-policies-with-group-policy) section. -## Device Guard deployment scenarios +## Device Guard deployment scenarios - -To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-enterprise) section. +To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-to-enterprise-code-integrity-deployment) section. **Fixed-workload devices** @@ -131,8 +118,6 @@ Device Guard components that are applicable to fixed-workload devices include: - KMCI VBS protection - - - Enforced UMCI policy **Fully managed devices** @@ -163,14 +148,11 @@ Device Guard is not a good way to manage devices in a Bring Your Own Device (BYO ## Code signing adoption - Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy. -For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-lob) section. +For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-line-of-business-applications) section. -### - -**Existing line-of-business applications** +### Existing line-of-business applications Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section. @@ -178,17 +160,16 @@ Until now, existing LOB applications were difficult to trust if they were signed Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed.   - When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section. **Application development** Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies. -## Hardware considerations +## Hardware considerations -Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. +Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table. @@ -251,57 +232,47 @@ Different hardware features are required to implement the various features of De -  - -## Device Guard deployment - +## Device Guard deployment In this section, you learn about the following topics: -- [Configure hardware-based security features](#configure-hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. +- [Configure hardware-based security features](#configure-hardware-based-security-features). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. - [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes. - [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies. -## Configure hardware-based security features - +## Configure hardware-based security features Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard: -1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware) section. +1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware-considerations) section. -2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#vb-security) section. +2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section. -3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-secureboot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. +3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. -### +### Windows feature requirements for virtualization-based security -**Windows feature requirements for virtualization-based security** - -In addition to the hardware requirements found in the [Hardware considerations](#hardware) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). +In addition to the hardware requirements found in the [Hardware considerations](#hardware-considerations) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). **Note**   You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).   - ![figure 1](images/dg-fig1-enableos.png) Figure 1. Enable operating system features for VBS -After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualbased) section. For information about how to enable UEFI Secure Boot, see the [Enable Unified Extensible Firmware Interface Secure Boot](#enable-secureboot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. +After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualization-based-protection-of-kernel-mode-code-integrity) section. For information about how to enable UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. -### +### Enable Unified Extensible Firmware Interface Secure Boot -**Enable Unified Extensible Firmware Interface Secure Boot** - -Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10: +Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware-considerations) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10: **Note**   There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks. -  1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. @@ -320,8 +291,6 @@ Unfortunately, it would be time consuming to perform these steps manually on eve **Note**   Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users. -  - **Use Group Policy to deploy Secure Boot** @@ -358,17 +327,13 @@ Microsoft recommends that you test-enable this feature on a group of test machin Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. -### +### Enable virtualization-based security of kernel-mode code integrity -**Enable virtualization-based security of kernel-mode code integrity** - -Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. +Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware-considerations) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-featurerrequirements) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. **Note**   All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines. -  - To configure virtualization-based protection of KMCI manually: 1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. @@ -382,8 +347,6 @@ It would be time consuming to perform these steps manually on every protected ma **Note**   Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. -  - To use Group Policy to configure VBS of KMCI: 1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. @@ -416,13 +379,11 @@ To use Group Policy to configure VBS of KMCI: Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. -### - -**Enable Credential Guard** +### Enable Credential Guard Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. -Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. +Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-feature-requirements) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. To configure VBS of Credential Guard manually: @@ -437,8 +398,6 @@ To avoid spending an unnecessary amount of time in manual deployments, use Group **Note**   Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection. -  - To use Group Policy to enable Credential Guard: 1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** . @@ -470,8 +429,6 @@ To use Group Policy to enable Credential Guard: **Note**   The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard. -   - 7. Check the test client event log for Device Guard GPOs. **Note**   @@ -575,8 +532,6 @@ Table 1. Win32\_DeviceGuard properties -  - Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11. ![figure 11](images/dg-fig11-dgproperties.png) @@ -590,35 +545,29 @@ Enforcement of Device Guard on a system requires that every trusted application **Note**   The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files. -### - -**Create catalog files** +### Create catalog files The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps: **Note**   -When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-cat-sccm) section. +When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager) section.   1. Be sure that a code integrity policy is currently running in audit mode. - Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. + Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. **Note**   This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. -   - 2. Start Package Inspector, and then scan drive C: `PackageInspector.exe Start C:` **Note**   Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used. - -   - +   3. Copy the installation media to drive C. By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed. @@ -645,11 +594,9 @@ When you establish a naming convention it makes it easier to detect deployed cat **Note**   This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. -When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section. +When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe) section. -### - -**Catalog signing with SignTool.exe** +### Catalog signing with SignTool.exe Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. In this example, you need the following: @@ -659,7 +606,7 @@ Device Guard makes it easy for organizations to sign and trust existing unsigned - Internal certification authority (CA) code signing certificate or purchased code signing certificate -If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-dg-code) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: +If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: @@ -670,29 +617,17 @@ If you do not have a code signing certificate, please see the [Create a Device G **Note**   In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. -2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section. +2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section. 3. Sign the catalog file with Signtool.exe: - - - - - - - - - - - 
        <Path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
        + ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` - **Note**   - The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file. + **Note**   + The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file. -   - - **Note**   - For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163). + **Note**   + For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163).   @@ -706,17 +641,13 @@ If you do not have a code signing certificate, please see the [Create a Device G For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, Microsoft recommends that you use Group Policy File Preferences to copy the appropriate catalog files to all desired machines or an enterprise systems management product such as System Center Configuration Manager. Doing this simplifies the management of catalog versions, as well. -### - -**Deploy catalog files with Group Policy** +### Deploy catalog files with Group Policy To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate PCs in your organization. The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**. **Note**   This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section. -  - To deploy a catalog file with Group Policy: 1. From either a domain controller or a client PC that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. @@ -724,7 +655,7 @@ To deploy a catalog file with Group Policy: 2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13. **Note**   - The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. + The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section. ![figure 13](images/dg-fig13-createnewgpo.png) @@ -767,17 +698,13 @@ To deploy a catalog file with Group Policy: 12. Close the Group Policy Management Editor, and then update the policy on the test Windows 10 machine by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the Windows 10 machine. -### - -**Deploy catalog files with System Center Configuration Manager** +### Deploy catalog files with System Center Configuration Manager As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed machines in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: **Note**   The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. -  - 1. Open the Configuration Manager console, and select the Software Library workspace. 2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**. @@ -844,17 +771,13 @@ After you create the deployment package, deploy it to a collection so that the c 11. Close the wizard. -### - -**Inventory catalog files with System Center Configuration Manager** +### Inventory catalog files with System Center Configuration Manager When catalog files have been deployed to the machines within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. **Note**   A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. -  - 1. Open the Configuration Manager console, and select the Administration workspace. 2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**. @@ -908,25 +831,19 @@ If nothing is displayed in this view, navigate to Software\\Last Software Scan i ## Code integrity policies -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config-code) section. +Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. **Note**   Each machine can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. -  - Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One simple method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, should the applications be installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. **Note**   The following section assumes that you will deploy code integrity policies as part of your Device Guard deployment. Alternatively, configurable code integrity is available without the enablement of Device Guard. -  - -### - -**Code integrity policy rules** +### Code integrity policy rules Code integrity policies consist of several components. The two major components, which are configurable, are called *policy rules* and *file rules*, respectively. Code integrity policy rules are options that the code integrity policy creator can specify on the policy. These options include the enablement of audit mode, UMCI, and so on. You can modify these options in a new or existing code integrity policy. File rules are the level to which the code integrity policy scan ties each binary trust. For example, the hash level is going to itemize each discovered hash on the system within the generated code integrity policy. This way, when a binary prepares to run, the code integrity service will validate its hash value against the trusted hashes found in the code integrity policy. Based on that result, the binary will or will not be allowed to run. @@ -944,58 +861,48 @@ You can set several rule options within a code integrity policy. Table 2 lists e Table 2. Code integrity policy - policy rule options -| **Rule option** | **Description** | -|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | -| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | -| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | -| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the code integrity policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To enforce a code integrity policy, remove this option. | -| **4 Disabled:Flight Signing** | If enabled, code integrity policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | -| **5 Enabled:Inherent Default Policy** | This option is not currently supported. | -| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | -| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | -| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | -| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. | -| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | - -  +| Rule option | Description | +|------------ | ----------- | +| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | +| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | +| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | +| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the code integrity policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To enforce a code integrity policy, remove this option. | +| **4 Disabled:Flight Signing** | If enabled, code integrity policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | +| **5 Enabled:Inherent Default Policy** | This option is not currently supported. | +| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | +| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | +| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | +| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. | +| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario. Table 3. Code integrity policy - file rule levels -| **Rule level** | **Description** | -|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | -| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. | -| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. | -| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. | -| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. | -| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. | -| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. | -| **RootCertificate** | Currently unsupported. | -| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. | -| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. | -| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. | - -  +| Rule level | Description | +|----------- | ----------- | +| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | +| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. | +| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. | +| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. | +| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. | +| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. | +| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. | +| **RootCertificate** | Currently unsupported. | +| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. | +| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. | +| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. | **Note**   When you create code integrity policies with the **New-CIPolicy** cmdlet, you can specify a primary file rule level by including the **–Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **–Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. -  - -### - -**Create code integrity policies from golden PCs** +### Create code integrity policies from golden PCs The process to create a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. **Note**   Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. -  - To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: 1. Initialize variables that you will use: @@ -1010,22 +917,16 @@ To create a code integrity policy, copy each of the following commands into an e `New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - **Note**   - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, use the following command to enable UMCI: + **Note**   + By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, use the following command to enable UMCI: `Set-RuleOption -Option 0 -FilePath $InitialCIPolicy` -   + **Note**   + You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. - **Note**   - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. - -   - - **Note**   - If you would like to specify the code integrity policy scan to look only at a specific drive, you can do so by using the *–ScanPath* parameter. Without this parameter, as shown in the example, the entire system is scanned. - -   + **Note**   + If you would like to specify the code integrity policy scan to look only at a specific drive, you can do so by using the *–ScanPath* parameter. Without this parameter, as shown in the example, the entire system is scanned. 3. Convert the code integrity policy to a binary format: @@ -1034,57 +935,45 @@ To create a code integrity policy, copy each of the following commands into an e After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. **Note**   -Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity) section. +Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity-policies) section. -  +Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity-policies) section. -Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity) section. - -### - -**Audit code integrity policies** +### Audit code integrity policies When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. **Note**   -Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-code-golden) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. - -  +Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-a-code-integrity-policy) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. To audit a code integrity policy with local policy: -1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section to C:\\Windows\\System32\\CodeIntegrity. +1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section to C:\\Windows\\System32\\CodeIntegrity. 2. On the system you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. 3. Navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard, and then select **Deploy Code Integrity Policy**. Enable this setting by using the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 22. - **Note**   - *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access. + **Note**   + *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access. -   + **Note**   + Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. - **Note**   - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. + ![figure 22](images/dg-fig22-deploycode.png) -   + Figure 22. Deploy your code integrity policy - ![figure 22](images/dg-fig22-deploycode.png) - - Figure 22. Deploy your code integrity policy - - **Note**   - You may have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 computers. Microsoft recommends that you make your code integrity policies friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. - -   + **Note**   + You may have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 computers. Microsoft recommends that you make your code integrity policies friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. 4. Restart reference system for the code integrity policy to take effect. 5. Monitor the CodeIntegrity event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log, as shown in Figure 23. - ![figure 23](images/dg-fig23-exceptionstocode.png) + ![figure 23](images/dg-fig23-exceptionstocode.png) - Figure 23. Exceptions to the deployed code integrity policy + Figure 23. Exceptions to the deployed code integrity policy 6. Validate any code integrity policy exceptions. @@ -1097,11 +986,7 @@ To audit a code integrity policy with local policy: **Note**   An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it with the local machine policy. -  - -### - -**Create an audit code integrity policy** +### Create an audit code integrity policy When you run code integrity policies in audit mode, validate any exceptions and determine whether you will need to add them to the code integrity policy you want to audit. Use the system as you normally would to ensure that any use exceptions are logged. When you are ready to create a code integrity policy from the auditing events, complete the following steps in an elevated Windows PowerShell session: @@ -1113,7 +998,7 @@ When you run code integrity policies in audit mode, validate any exceptions and 2. Analyze audit results. - Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity) section. + Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity-policies) section. 3. Generate a new code integrity policy from logged audit events: @@ -1122,25 +1007,17 @@ When you run code integrity policies in audit mode, validate any exceptions and **Note**   When you create policies from audit events, you should carefully consider the file rule level that you select to trust. In this example, you use the Hash rule level, which should be used as a last resort. -  - -After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity) section. +After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity-policies) section. **Note**   -You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-golden) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. -  - -### - -**Merge code integrity policies** +### Merge code integrity policies When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden PCs. Because each Windows 10 machine can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. **Note**   -The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections. You can follow this process, however, with any two code integrity policies you would like to combine. - -  +The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections. You can follow this process, however, with any two code integrity policies you would like to combine. To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: @@ -1178,8 +1055,6 @@ Every code integrity policy is created with audit mode enabled. After you have s **Note**   Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. -  - 1. Initialize the variables that will be used: `$CIPolicyPath=$env:userprofile+"\Desktop\"` @@ -1217,13 +1092,13 @@ Every code integrity policy should be tested in audit mode first. For informatio   -Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” +Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” **Signing code integrity policies with SignTool.exe** -Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. +Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. -Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-dg-code) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. +Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. **Note**   Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of machines. @@ -1236,8 +1111,6 @@ To sign a code integrity policy with SignTool.exe, you need the following compon - An internal CA code signing certificate or a purchased code signing certificate -  - If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create-dg-code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: @@ -1247,8 +1120,6 @@ If you do not have a code signing certificate, see the [Create a Device Guard co **Note**   This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. -   - 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create-dg-code) section. 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. @@ -1261,15 +1132,11 @@ If you do not have a code signing certificate, see the [Create a Device Guard co `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - **Note**   - *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - -   - - **Note**   - Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section. - -   + **Note**   + *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. + + **Note**   + Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section. 6. Remove the unsigned policy rule option: @@ -1286,13 +1153,9 @@ If you do not have a code signing certificate, see the [Create a Device Guard co **Note**   The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the machine you use to sign the policy. -   +9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. - -### - -**Disable unsigned code integrity policies** +### Disable unsigned code integrity policies There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the machine. The following locations can contain executing code integrity policies: @@ -1302,9 +1165,7 @@ There may come a time when an administrator wants to disable a code integrity po If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart. -### - -**Disable signed code integrity policies within Windows** +### Disable signed code integrity policies within Windows Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps: @@ -1315,15 +1176,12 @@ For reference, signed code integrity policies should be replaced and removed fro - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ -  1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. **Note**   To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. -   - 2. Restart the client computer. 3. Verify that the new signed policy exists on the client. @@ -1331,8 +1189,6 @@ For reference, signed code integrity policies should be replaced and removed fro **Note**   If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. -   - 4. Delete the new policy. 5. Restart the client computer. @@ -1353,17 +1209,13 @@ If the signed code integrity policy has been deployed using by using Group Polic **Note**   If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. -   - 4. Set the GPO to disabled. 5. Delete the new policy. 6. Restart the client computer. -### - -**Disable signed code integrity policies within the BIOS** +### Disable signed code integrity policies within the BIOS There may be a time when signed code integrity policies cause a boot failure. Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: @@ -1378,15 +1230,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. **Note**   -This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-golden) section. - -  +This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-integrity-polices-from-golden-pcs) section. **Note**   Signed code integrity policies can cause boot failures when deployed. Microsoft recommends that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. -  - To deploy and manage a code integrity policy with Group Policy: 1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search. @@ -1396,11 +1244,9 @@ To deploy and manage a code integrity policy with Group Policy: **Note**   The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. -   + ![figure 24](images/dg-fig24-creategpo.png) - ![figure 24](images/dg-fig24-creategpo.png) - - Figure 24. Create a GPO + Figure 24. Create a GPO 3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example. @@ -1426,12 +1272,9 @@ To deploy and manage a code integrity policy with Group Policy: **Note**   You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. -   - -7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity)section. - -## Create a Device Guard code signing certificate +7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies)section. +## Create a Device Guard code signing certificate To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: @@ -1500,8 +1343,6 @@ Now that the template is available to be issued, you must request one from the W **Note**   If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. -  - This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the machine on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: 1. Right-click the certificate, point to **All Tasks**, and then click **Export**. @@ -1517,23 +1358,12 @@ When the certificate has been exported, import it into the personal store for th ## Related topics -[AppLocker overview](http://go.microsoft.com/fwlink/p/?LinkId=624172) +[AppLocker overview](applocker-overview.md) [Code integrity](http://go.microsoft.com/fwlink/p/?LinkId=624173) -[Credential guard](http://go.microsoft.com/fwlink/p/?LinkId=624529) - -[Device Guard certification and compliance](http://go.microsoft.com/fwlink/p/?LinkId=624840) +[Credential guard](credential-guard.md) [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624843) [Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](http://go.microsoft.com/fwlink/p/?LinkId=624844) - -  - -  - - - - -