From 794df59ad443ed9889d4d23100b2af44ac0e6f8c Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 11 Nov 2019 16:33:02 -0800 Subject: [PATCH 001/188] Add ApplicationControl CSP mdm vs. non-mdm info --- .../mdm/applicationcontrol-csp.md | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index cb636ce3ef..a67a565274 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -112,17 +112,35 @@ Scope is dynamic. Supported operation is Get. Value type is char. -## Usage guidance - +## MDM Usage Guidance To use ApplicationControl CSP, you must: - Know a generated policy’s GUID, which can be found in the policy xml as ``. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI -functionality to apply the Code Integrity policy. +If you are using hybrid MDM management with System Center Configuration Manager or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: +- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row +- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies//Policy (filling in Policy GUID with your policy's ID) +- Data type: Base64 +- Certificate file: upload your binary format policy file +Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps. + +## Non-MDM Usage Guidance +To use ApplicationControl CSP, you must: +- Know a generated policy’s GUID, which can be found in the policy xml as ``. +- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. 
+ +Here is a sample certutil invocation: +``` +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +``` +An alternative to using certutil would be to use the following PowerShell invocation: +```powershell +[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` ### Deploy policies -To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. +If not using Intune, in order to deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. To deploy base policy and supplemental policies: - Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. From c69b3dfb6908113e16c9320f0a436c926036d7b7 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 11 Nov 2019 16:39:03 -0800 Subject: [PATCH 002/188] AppControl CSP formatting changes --- .../mdm/applicationcontrol-csp.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index a67a565274..365c106a92 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -114,19 +114,21 @@ Value type is char. ## MDM Usage Guidance To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as ``. +- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -If you are using hybrid MDM management with System Center Configuration Manager or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: -- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row -- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies//Policy (filling in Policy GUID with your policy's ID) +If you are using hybrid MDM management with System Center Configuration Manager (SCCM) or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: +- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. +- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy - Data type: Base64 -- Certificate file: upload your binary format policy file -Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps. +- Certificate file: upload your binary format policy file. + +> ![Note] +> Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps. ## Non-MDM Usage Guidance -To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as ``. 
+If not using Intune or hybrid MDM management with SCCM, in order to use ApplicationControl CSP, you must: +- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. - Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. @@ -140,7 +142,7 @@ An alternative to using certutil would be to use the following PowerShell invoca ``` ### Deploy policies -If not using Intune, in order to deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. +If not using Intune or hybrid MDM management with SCCM, in order to deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. To deploy base policy and supplemental policies: - Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. From 7a272ab4a16dd8844ee60018a4537e0b40f5ef05 Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 13 Nov 2019 14:52:18 -0800 Subject: [PATCH 003/188] Add OMA-URI info to WDAC policies through Intune Previously, the "Deploy WDAC policies by using Microsoft Intune" document only discussed using an endpoint protection profile. It didn't mention the option to use custom OMA-URI. --- .../mdm/applicationcontrol-csp.md | 12 ++---------- ...r-application-control-policies-using-intune.md | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 365c106a92..9582765ad6 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -113,18 +113,10 @@ Scope is dynamic. Supported operation is Get. Value type is char. ## MDM Usage Guidance -To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. -- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. - -If you are using hybrid MDM management with System Center Configuration Manager (SCCM) or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: -- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. -- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy -- Data type: Base64 -- Certificate file: upload your binary format policy file. +Refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information. > ![Note] -> Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps. +> Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP. ## Non-MDM Usage Guidance If not using Intune or hybrid MDM management with SCCM, in order to use ApplicationControl CSP, you must: 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8a2a80de85..6a5d1faf03 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -27,8 +27,21 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Beginning in 1903, you can configure a custom profile using Custom OMA-URI to leverage the new ApplicationControl CSP. This CSP has support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies. +Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +## Custom OMA-URI profile +To use ApplicationControl CSP through custom OMA-URI, you must: +- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. +- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + +If you are using hybrid MDM management with System Center Configuration Manager (SCCM) or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: +- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. +- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy +- Data type: Base64 +- Certificate file: upload your binary format policy file. + +## Endpoint Protection profile 1. 
Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. From 9686b801df2c66ec2d30f8cc7eb11b09eb182ef3 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 13 Nov 2019 15:06:38 -0800 Subject: [PATCH 004/188] Deploy WDAC with Intune correct usage info Add info to differentiate custom OMA-URI with AppLocker CSP vs ApplicationControl CSP --- ...-defender-application-control-policies-using-intune.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 6a5d1faf03..7b97d2c9fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -31,11 +31,13 @@ You can use Microsoft Intune to configure Windows Defender Application Control ( Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. ## Custom OMA-URI profile -To use ApplicationControl CSP through custom OMA-URI, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. +For information on using a custom OMA-URI profile on pre-1903 systems to leverage the AppLocker CSP and deploy custom WDAC policies, refer to [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). + +For 1903+ systems, in order to use ApplicationControl CSP through custom OMA-URI, you must: +- Know a generated policy’s GUID, which can be found in the policy xml as `` - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -If you are using hybrid MDM management with System Center Configuration Manager (SCCM) or using Intune, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: +From there, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: - In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. - OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy - Data type: Base64 From 60ed4d684740c59d752721d10eba399b1180bfdf Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 13 Nov 2019 15:09:24 -0800 Subject: [PATCH 005/188] WDAC through Intune formatting changes --- ...ows-defender-application-control-policies-using-intune.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 7b97d2c9fb..813faf52ec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -28,16 +28,15 @@ ms.date: 05/17/2018 - Windows Server 2016 You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Beginning in 1903, you can configure a custom profile using Custom OMA-URI to leverage the new ApplicationControl CSP. This CSP has support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies. + Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. ## Custom OMA-URI profile For information on using a custom OMA-URI profile on pre-1903 systems to leverage the AppLocker CSP and deploy custom WDAC policies, refer to [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). -For 1903+ systems, in order to use ApplicationControl CSP through custom OMA-URI, you must: +For 1903+ systems, the steps to use Custom OMA-URI functionality to leverage ApplicationControl CSP and apply the Code Integrity policy are: - Know a generated policy’s GUID, which can be found in the policy xml as `` - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. - -From there, the steps to use Custom OMA-URI functionality to apply the Code Integrity policy are: - In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. - OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy - Data type: Base64 From d32a3671602fae3228d9d1e0c12fd622891b4d7b Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 13 Nov 2019 15:15:47 -0800 Subject: [PATCH 006/188] WDAC through Intune add rebootless info --- ...indows-defender-application-control-policies-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 813faf52ec..c0f47983e9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -27,7 +27,7 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Beginning in 1903, you can configure a custom profile using Custom OMA-URI to leverage the new ApplicationControl CSP. This CSP has support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies. +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Beginning in 1903, you can configure a custom profile using Custom OMA-URI to leverage the new ApplicationControl CSP. This CSP has support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies (policies that have the “Enabled:Update Policy No Reboot” option set don't require a reboot to take effect). Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies. Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. From 5547d56729c2d66219ad2788d39cbd757bafb1ca Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 18 Nov 2019 16:06:56 -0800 Subject: [PATCH 007/188] ApplicationControl CSP to redirect Intune usage guidance --- .../mdm/applicationcontrol-csp.md | 24 +++++++------------ 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 9582765ad6..2f681f34f8 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md 
+++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -112,14 +112,11 @@ Scope is dynamic. Supported operation is Get. Value type is char. -## MDM Usage Guidance -Refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information. - +## Usage Guidance > ![Note] -> Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP. +> If using Intune standalone or for hybrid management with Configuration Manager (SCCM) through Microsoft Endpoint Manager, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information on deploying policies with ApplicationControl CSP. Microsoft Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP. -## Non-MDM Usage Guidance -If not using Intune or hybrid MDM management with SCCM, in order to use ApplicationControl CSP, you must: +In order to use ApplicationControl CSP, you must: - Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. - Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. 
@@ -134,13 +131,11 @@ An alternative to using certutil would be to use the following PowerShell invoca ``` ### Deploy policies -If not using Intune or hybrid MDM management with SCCM, in order to deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. - -To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +In order to deploy a new base policy or supplemental policy using the CSP: +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. Refer to the the Format section in the Example 1 below. - Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy. Because the supplemental policy already specifies the base policy it supplements, that does not need to be repeated in the ADD. **Example 1: Add first base policy** ```xml 
@@ -216,10 +211,9 @@ The following is an example of Get command: ``` ### Delete policies -To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**. +To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy**. -> [!Note] -> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. +Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** is not sufficient to delete a signed policy. To delete a signed policy: 1. Replace it with a signed update allowing unsigned policy. @@ -236,4 +230,4 @@ The following is an example of Delete command: -``` \ No newline at end of file +``` From 67e957858613ac49d7543a88681221a5fc697752 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 12 Dec 2019 14:27:34 -0800 Subject: [PATCH 008/188] Resolve applicationcontrol csp merge conflicts --- .../mdm/applicationcontrol-csp.md | 50 ++++++++++++++----- 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index dbbecb3b74..881b4476dc 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -80,6 +80,7 @@ This node specifies whether the policy is authorized to be loaded by the enforce Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: + - True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. 
@@ -114,22 +115,38 @@ Value type is char. ## Usage guidance -To use ApplicationControl CSP, you must: -- Know a generated policy’s GUID, which can be found in the policy xml as ``. -- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +> ![Note] +> If using Intune standalone or for hybrid management with Configuration Manager (SCCM) through Microsoft Endpoint Manager, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) for more information on deploying policies with ApplicationControl CSP. Microsoft Intune handles the creation of a policy node and does all the below steps to deploy policies on your behalf, so you shouldn't do any of the below steps if using Intune to leverage ApplicationControl CSP. -If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file. +In order to use ApplicationControl CSP, you must: + +- Know a generated policy’s GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. +- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. 
+ +Here is a sample certutil invocation: + +```powershell +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +``` + +An alternative to using certutil would be to use the following PowerShell invocation: + +```powershell +[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` ### Deploy policies -To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. -To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +In order to deploy a new base policy or supplemental policy using the CSP: + +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. Refer to the the Format section in the Example 1 below. - Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy. Because the supplemental policy already specifies the base policy it supplements, that does not need to be repeated in the ADD. **Example 1: Add first base policy** + ```xml 1 @@ -144,7 +161,9 @@ The following example shows the deployment of two base policies and a supplement ``` + **Example 2: Add second base policy** + ```xml 1 @@ -159,7 +178,9 @@ The following example shows the deployment of two base policies and a supplement ``` + **Example 3: Add supplemental policy** + ```xml 1 
@@ -174,6 +195,7 @@ The following example shows the deployment of two base policies and a supplement ``` + ### Get policies Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. @@ -191,6 +213,7 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| The following is an example of Get command: + ```xml 1 @@ -203,17 +226,20 @@ The following is an example of Get command: ``` ### Delete policies -To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**. + +To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy**. > [!Note] -> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. - +> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy** is not sufficient to delete a signed policy. + To delete a signed policy: + 1. Replace it with a signed update allowing unsigned policy. 2. Deploy another update with unsigned policy. 3. Perform delete. - + The following is an example of Delete command: + ```xml 1 From 2862f7232f533d506bb40c7ac41466ed8ddd5290 Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Fri, 13 Dec 2019 15:26:35 -0800 Subject: [PATCH 009/188] Updates to using WDAC with Intune Add pictures and further descriptions --- ...plication-control-policies-using-intune.md | 71 ++++++++++++++---- .../images/policy-id.png | Bin 0 -> 20687 bytes .../images/wdac-intune-custom-assignments.png | Bin 0 -> 29021 bytes ...wdac-intune-custom-create-profile-name.png | Bin 0 -> 44316 bytes .../images/wdac-intune-custom-oma-uri.png | Bin 0 -> 78906 bytes 5 files changed, 56 insertions(+), 15 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/policy-id.png create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index c0f47983e9..48b33cfc5d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -27,31 +27,72 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Beginning in 1903, you can configure a custom profile using Custom OMA-URI to leverage the new ApplicationControl CSP. This CSP has support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies (policies that have the “Enabled:Update Policy No Reboot” option set don't require a reboot to take effect). Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies. +Microsoft Intune can be used to configure Windows Defender Application Control (WDAC) on Windows 10 client computers. Intune includes both basic native support for WDAC as well as the option to use Custom OMA-URI for customized policies. -Alternately, you can instead choose to configure an Endpoint Protection profile to deploy built-in Intune-managed WDAC policies on pre-1903 systems. Using Endpoint Protection, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +Intune includes a limited number of default policies, which are available in both audit and enforce mode. You can use these default policies to only allow Windows components and Microsoft Store apps to run, or choose to also allow reputable apps defined by the [Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md). These policies are currently deployed using the [AppLocker CSP](windows\client-management\mdm\applocker-csp.md), which requires a reboot even for rebootless policies. 
-## Custom OMA-URI profile -For information on using a custom OMA-URI profile on pre-1903 systems to leverage the AppLocker CSP and deploy custom WDAC policies, refer to [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +Intune also allows you the option of using Custom OMA-URI to deploy customized policies. Note that beginning in 1903, Custom OMA-URI deployment leverages the new [ApplicationControl CSP](windows\client-management\mdm\applicationcontrol-csp.md), which offers support for [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) and rebootless policies (policies that have the “Enabled:Update Policy No Reboot” option set don't require a reboot to take effect). -For 1903+ systems, the steps to use Custom OMA-URI functionality to leverage ApplicationControl CSP and apply the Code Integrity policy are: -- Know a generated policy’s GUID, which can be found in the policy xml as `` -- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -- In the Intune portal, navigate to Device configuration, then Profiles, then create a profile with Custom OMA-URI Settings and add a row. -- OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/Policy GUID/Policy -- Data type: Base64 -- Certificate file: upload your binary format policy file. +## Using Default Intune WDAC Policies -## Endpoint Protection profile 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. -3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. +2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. ![Configure profile](images/wdac-intune-create-profile-name.png) -4. 
Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: +3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: - - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. + - **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. ![Configure WDAC](images/wdac-intune-wdac-settings.png) + +## Using Custom OMA-URI with ApplicationControl CSP + +For systems running Windows 10 version 1903 and above, the steps to use Custom OMA-URI functionality to leverage the [ApplicationControl CSP](windows\client-management\mdm\applicationcontrol-csp.md) and apply a Code Integrity policy are: + + +1. Locate the policy’s GUID, which can be found in the policy xml as `` + + ![PolicyID](images/policy-id.png) + +2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. The binary policy may be signed or unsigned. + + ```powershell + ConvertFrom-CIPolicy -XmlFilePath ".\Policy.xml" - BinaryFilePath "Policy.bin" + ``` + +3. In the Intune portal, navigate to Device configuration, then Profiles, then create a profile. + + ![Create profile](images/wdac-intune-custom-create-profile-name.png) + +4. Name your policy, set Platform to Windows 10 and later, and change profile type to Custom (OMA-URI). 
Add a row and use the following: + - OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/_{Policy GUID}_/Policy + - Data type: Base64 + - Certificate file: upload your binary format policy file + + ![Create Custom OMA-URI](images/wdac-intune-custom-oma-uri.png) + +5. Set Scope and Applicability Rules, then save your policy. + +6. Finally, assign your policy to the appropriate groups. + + ![Assign policy](wdac-intune-custom-assignment.png) + +## Using Custom OMA-URI with AppLocker CSP + +If you need to deploy your policies to clients running older versions of Windows 10, use Custom OMA-URI to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp): + + +1. Convert the policy to binary format using the ConvertFrom-CIPolicy cmdlet. The binary policy may be signed or unsigned. +2. In the Intune portal, navigate to Device configuration, then Profiles, then create a profile. +3. Name your policy, set Platform to Windows 10 and later, and change profile type to Custom (OMA-URI). Add a row and use the following: + + - OMA-URI: ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy + - Data type: Base64 + - Certificate file: upload your binary format policy file + +4. Set Scope and Applicability Rules, then save your policy. +5. Finally, assign your policy to the appropriate groups. + 
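Review bot: In step 2 of "Using Custom OMA-URI with ApplicationControl CSP", the sample command has a space inside the parameter name (`- BinaryFilePath "Policy.bin"`), so PowerShell will not bind it. It should read `-BinaryFilePath "Policy.bin"`. The last image in that section, `![Assign policy](wdac-intune-custom-assignment.png)`, lacks the `images/` prefix the other images use and does not match the file this patch adds, `images/wdac-intune-custom-assignments.png`. The new links to `windows\client-management\mdm\applocker-csp.md` and `windows\client-management\mdm\applicationcontrol-csp.md` use backslashes and a path that starts at `windows\`, while the AppLocker section of the same hunk links to the docs.microsoft.com URL. Use one form that resolves from this file. Please also confirm the OMA-URI in the AppLocker section against the AppLocker CSP reference: the row gives `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy` for what the step describes as a binary code integrity policy.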
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png new file mode 100644 index 0000000000000000000000000000000000000000..12ec2b924f6a78fd0a7774e86331562aa7f08f45 GIT binary patch literal 20687
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png new file mode 100644 index 0000000000000000000000000000000000000000..c37d55910d2fd0e3ed0e695bcc7def75d90475c5 GIT binary patch literal 29021
zYit=5%EIe!kOOE6exEaQ-3OfauwFY9`F}q>P88wp0IO!Nz`Z}G%9_2icwb9!%&7*R z7$mkIPBREz*9t{@#r<|~M%;J-xL5fnD)Z!2w{%5Mh-om@bW#8Js2nZYK#U0Dj`pZi z^Qlo$Aequ0?bhz#K$?)!lT|oPKme^NnJRhsS~asltTwqOSE0R<6G(oPUl~(5ws{VC zm7_dGx~0?Mm7snj^(0)VAaXAjeYfTJnnB0fADs@vA2QUD-u&0a)yI-+N>C5P#QcB= z;rt{S?1Pg{SHM?pIp4+mo+gIFiBn=-sn7Hz62V(j~q&7h2 zQ3E4+K-rN^ewD<&eS7@T&C6=yK0{U^iR!R><;&^_Y_2l#ls-B6nG>qj^I}~7d};g0 z>t>KGMUDF3;IgYX3cJmYtW&8jzmIR#E7c3>$yQh)Iw}PM`@Uh*CKq;QK4m}T1wBlg zTXSQXZniyaUMAfltb7u#&+Z&yc~!jm2-%AafBtPkK^GTs9<~LKVoD2==EtrWMSOZ) zVhg6f1Eb}&?;J}Nd7v+@A5mG>y|yr_{r&mPx>8(dRHf0s^BuO8n6G=>Fj7J^>|sUN zop3nuXC~~fi=+nifvAO@mo;}1UXQa-_VBYv2^gF~Je*$909-lt&)-hecKn|Qo&MML ze^W63uk%pD<24RlxBprd9xHKf1dKj9)$BjU)ggnq?>!Sf#QGZn`#+CQ{r{BqzfM>E ze~+&TU2<)=&(#J+WHMJKXKT1s9+mJt(B*RYU19(ajX?lW2K1<52Xpx4VlBw5HSk!u zsTBCl#CV+xELBFY&0o`d(OPbCb(Npk-0M3$qwE;G7qvFE@$0F!;W!D08GPQC+p3eC z-4L5bQZsN~VsWL|!bkiPL?4bNbXV6F%C9QG==*{TKEGiojZ$k5L9U1tc>#g>lmwPK zL>!{{n_U-eVID;O*$%?D%b2-`a=wVSjW~Op3%KsVlnS}wVaj1R1gi4ztX~it)!$$5 zT051ntQE0h4^~7xIVcI!dL~Jjdi*TMa8>f*_8E}e49BXeCn^#Y23nou*CQ z72wlyy?(X&u83*N{(}no(XrWdb3@A|1vyGP?dr5N&-H3!-O8%P&STf-E^fl-Qc6y1 z`hA4Q<6XeMU!M#34VNavT~8+FcqqUBQXb8lb1`R-Wwyi?%bDoGR@*YR(_pK44w4!6 z(=H_e*Wr;vFh5dpS#;cNZeXD4ROQ9150^(fZ;jPfqwLpB;_8?->Awd_Q6D`?)U-^Pq@ep z!FOMmf$ko>IggHMxDOmv(H36T!Up=wZcqQVdBiJ4u)4b2Dt!K+l+@tyIKMX{gA<$I z9DQ_sYN+v-Fo0Xa!jy8+H*`PeufhpKT5ql_t>pp)Zq~G+jYvnWm)Ry&NMN9 zDjy@(Ut?<6P){M}E`o zpT(_yfWrC}sFV7mO4)(PGcCBh1CHw>_Tl*B5O-^p11S~e5J6|;^*4RauLN$deb{V| zvDt!ITyKf$K9Zu`N<>3&lszDHx`nCX1C?dNxAdH}LYqPX=P3?FWZ$RreA;ypPKJ?W z0sG!rVV_+Fs=fC>${1r>YYL@3-H2FXVRcvYwEX;d-!gN3-r*ZZP$?w0wtKnLtEWUN zQp<^&k)xivcz=Us!oXzo2t{p?IHGziP;c8g?(;XnI-bIOZq&@HFH>c=OO8ErfnYFC zg>X=Ydn;FwqF*)!%qRi;EQJrQnAYO=e}Ec(^GC6=pRae7IP&K;CU^4tC&hiXOV*kc zT-lt)PbY0$bkqR9>!7~ns{Ld%BAWJmsE14&5})RTTJ{|_)4ocu8XLQW*JtM6wl7{1 zzV889AY!zZM|xBF=qnZt?3EfKrw;loR$N| zC@o$5A@xpo&l1B(OiEiAfOx5(E-((2`?<>#IpVrnW%JQ8TX&_w^j)asVw3_QWEzj?);YtCR4plg($^`W&|Y$^G-B5_oMY zX!1U9e4*(Y{Z1+>xj8P1sgXZHAAR1z+J!AGRrDMW_~2iZENeYtZq}7CwUigCP2nZ* 
z2F!Y)A%RlbWX7o&lEk6OwZ|EDt-AY9@yDW>*W}Fjc{WCkEojTIdcUp3A>F+dI8nNa zE8uEdD$m^-Hc@NU$$-~Csd_!?qNAf@wwynCFJ-z>vH^r)Xqv73!Hl*b~DP3=)ZHcR!Z^$@H5y0dSu=Gg(HCL-rDnjsv+X1_G9}|K`l604t`hyn!hpP zLJyW*A$lf_@T~^3!fw3$dL;$e=}?hWaaY4(v?VhA;5KhAKWTdcTPsayRG*GGKx-TQ z9$q&UVP7$0QL?!A*})|9W6Fcx=@Io_67HhNDPQ9KRKRBklvgv?QeQ7`%mGg6*yYSb92GBu`mmbqM55600CYeX@5=G(Y)BrpKDfh zztPGDM8?N&k@iRxxnF^ zZ{VJ*S0e0t5$zcE>tP{(~Mpsp0r@lZ`QJtvxQVcAydMAZ=cZ z57A1ISFrfwMt&&z$?gf>P*7AYTf*LI-}f>(5Lr6$$FZ|9$N-TVb-){W0wkpdSiW{P zLeGs|@%`z=qS9fgxS!A5{^FVbPYdn^4?h(pyG8@f^4IJ)N!&0(NlFdDKFg^0WsIdE2 z5HGqB9TVa?0$BwPza;#p)E1kVmp8#6q8l|)#tcRuA%c)5 zT0*o@qm14ej54VvdUS&!qJ&|HGJ1LUB=`NC=bZC9?K$V;>x(vft+m(M>stSE{jV*j z%({V;rco9SWr6Gicd&ji>CjJp%YtCRb10X&e4&qKV{%ckwO_w~UJwwG`1Zg&=Xx}Y z3-6C%V;@yixl}YFu(~!bIlabmOwy$w^^QYo0htA>SqwXuT?=Ok(Dh#!J&vU}{qrIL5YHx&( zm2JJ`7UfsUt|a!(bca#-fEV-omfmssH}vraZ{LgNQ692kuBPn*%>IR%?kmJ*vAhw^ zp$X%hugS@y_OT5ndotPhy^;O%Ms*X%LBc{4J!XE8Mr5fHa%sK{aL#hexL}2q4$dSy z4F`}}Wa9hxN45Et((QWo-{_To6^JSv4&DYk;5!Czp#oo!@}mCFY9MDszfv8$7(}{^$NJE^c4nK|^|7>pENnK-e;*s}lbhK5I)y1GWPgmJ}0r1`y@o zamGVn_+8n*ZtFkgSf*|TzjYdmby+>}yf$#_t~>`YHX68AZD%m@+wFIZ&dyCf;MA?4 zsX2ypZzI%hhEJT9AMD#4O#yTALCK~kE8tFA4)z(X&$RbY*01hSY!~kGfTZHo9|g|q zHd}aur)`Np5LBio&7j~y*4*ds;V9gc50BcerVz#D@O(6B{L*EQ1N?K)W^u!szus~WSQ$7NoQbSEjo%vd>MKHc4lW0$u|@heS+95Dtf^r z_o_ z=1t7r=dSk6eE(t=7v%*>%q)hntvPbLF}3Cv=HnL7_ECL-3>|tVxlI|BkOyvyv6hk* z*W-m{#tfsaVjJBHgplc*Djy!34XDW}@H5eYb?B?jM9G4$VV#YLdwEN}$(cd+!7`@3 z-RY#AZw6aiB7l#mZFF6K;eC$M+Gh?Yqev~mf?gfLd6y{Z)J>klzS6&)p-0Jx>+&-= z)i0_MKEAQ4Z{0Z|_t2t@Y52)ep?I>4z9m0H+p_630psb$x#w07v;yD9m=>(E<)&cV z2nx}{`MkIXexvKja`;D%LY9I~I@NOwi=rvYx}wP;b6yNF7!f%$Mzjxa7a)H$2_jmkE zpVwEuyHm=n#nzq<^zx$eF}O@1#^(l?pb#pkZmct2>bAh~*WAzxXt%j~&#!0ecyZpO z&iUMugvGSye-nJcDRsj;JU0&H3^Mbi0!UVS9230TW7m{Nan~tj<`JdqwPbr@`tZiB zT6j>lamK5t(*n6(bV&uU=1JjV)DV$GRDrH=!$1(D2sPfd}+h*LMv9Z+UTdXlpz^{3&AxIKSir zn4|2Z-24~PIk?j*HaMZgs&M??A^3`Je55;bTvB48-gKnle&GK1!4#l)g}Ju%ILH+{ z8v2DnM?gr_B0s^4?g~vMq0$v;jSAWPIFE2TTy?K(cktD$c9^}4t>0NR>`!h$Aa9!l 
z%+SI$r;536ybtHda@mj}L>Mw_Z+M_5+Ub}>YIAk7LIA*-_s7}T8# zzo3GI7KFz~B-w1+<3{f+R7Ymgc*3CW0!=97jS1Lis8A5@`TW^?c22vh>J0aTftb38 zPLGM7qS(r@!sUsG_OJCR@p-E$uUXG-zP$oa;yn791#Ygkc41-t? z)q?z!T31|3f&||&w$D#Cd54$~8qBNpc-Z#jJ!Qi1?cPc04)dqFP9@0qR!BUTbu~53 zC!e6nA_31;Nv0k0SzyMXhFuWn$viK~6_av7x#Ep=$r}MII20ORjwmzkFZR5x+;6$+ zSlY>Wlqak3(FcfKTpJPch1~v7l|Pqy>8fCp$5Xmchv8{+M7n?w37+xd#x!(EfqPwj z?j%jo2h2+YmIE>8NmWHzgg$+|Y|AzCotDBgGOf{(dp_L8ZPs1Ve%ttNMZ704P?sv_ zXYJuQzWW$nKIX1e*SV*Avc;CJ(XPvLmg0RMLw**%w0Uk~ahFFKDJnA%SOZa9sowz* zuqrp4i#u1vhiu73Jdl0FdGeFqQ9t(aAp)~7P*O$Y3v#n}Agvw7ah-g^=e=K*kE)WM ze8su{z4L2JN7E2bDqo{0gbE|T+*dCS9`SClR{=#RIdKPq1kMX_ofDvphr8*8 z;_97WpR_>d$2eq%^ogko9qYJq5CKuAU)IKpNEobw)R=qq3`E(6t znZ7Nm>1iFgo1RlR3>qrIHO4des+l$@BVA`)r^@WFmXo6{n&&c*2JUAHJi$o$iI4t} z;KrOb1@rm=k=mF9I5S+up$bJhTw+I!9O*$*>=`toE2k%!@UFQYp}IP@wgVp<)7>0V z0#9)C<^gO$`r^N@j&k^$cXsF?2^JO+X8FF2CT*nzHet<{N;X5wJhWufZ{8B~qmbhp z+9w!s3|#(1P9vAp(!QtBMCpzJFQ`caAO#cU@Fx8p3r*^(BHO(4H`{p^VYNYUR5g6q2ywOO1FMTM#Hz- zHW-eeu(g>oE}XMPeI!sLcX+a^%C4Pz<$}Pe_Sk-Uxx`WIFz^VN9|viunwkS@D`&O< zdj(}m{w)ZSCHFro$@s4-HX!djlV}I{U5Cp|@i9C^&_M2aQL}>U;S9@wb_m5-U(FxT zuetmpGf>REcU8G*bT(^h`0#Vj@ntA~!ClCVHiUOCRg$FE*rOm6E zd_Zo=jmszfO?`}dRM>VeTn!+>8p~(t?b55jb{K^{;18-dcU19FQhS>w8Riz(1e#ch zlcCc+a|>LA=2QVOuVH|I&}^np>|uaeAnKVRZR3_AojhnaXjgn`;p5O_a_0@r%%&db zuW54kJL|}}Teg(CgmGtmBH)kT;Ky@_$g5k(RrlXHKiVbEeP#Cc&T{ZhL;o9N@uB$6)u~IL z5|q8tq?c}J2|A_pfdF1j36NY9cCA`Qvc8sbc|s8UA{@`?IG%{Qs9XV^#e$iEUYsJ( z>NN&rW#3nGEs56ezB<=9vzLDTq_(UC?C#+r@dByWPqiHN`=4a+gC>xwkuPCx{*`I4 z1_bk+mb0Ah#tDxu3VahrTEWw5I$4rwE-LHV_N%b;ZH35dkU{2=+1V(tXbccUZ=LgA z%W2GPSe%e!6WF$bB)WvP@hLh)I7e+@A}0O1cs=SFTl8k~yt;#zBV2qw9oEbMMx(z8 zP&xMD*>(OZ6AKHM`!5@Fuo)>dPWo>d<&@~dBf}IKyQ0`VGNVr0T(#S(wO`Z&`=*d% z617)kz9m~#xs=Hk;C5>`OIKLq<_-d|jBM7r!LVbDu%)!~5L?H-1G@H}So^TVd#td7 ztP^2l=MLU|;+GSOs5yL#&zmHy{QzNZ4y-;JjY8!S>QY(sXcD2MRK=obOAKunShZvf zG^W_fG|N(Tos}w2<#!##0J4>@5R1NGg0cCukl`E_tv4p_7IPNv7tv_AX`*=3!#m8T zQ>$!&ixlkK@lp`_w7pLnN_fEhuCgWod#F+u-WqdylVh>J=N4#@-NoycNu@#Rgg?h# 
zR3e+M!uQ$6H1;e{qBDOqGA!;k*#kFBtc#Z5wr?MHk280Fny6Cvd^p8nA5lY4F6fyb zbHFIj0{E2V2xhzZ1?QH=4RVa?uX-mPP%QWEOBm5%rUsJlhCgu zy&_RJzR1lk$p_FC@*!4mxZ&fq8|(5(LLM^@&O1kgqZlsJ;K!ZCZ7U4O9w8HC-Z?)& zaqL6JDc~EiC9P^t|NXe~O$W>Gv%@Sr1Dn?VX8@N{Mwn~hwreYtp)o1XNr{bZMuw9H zEDv*fRr5gRsKZO)JAZvGO+LVz% zunQBe*lPH3+A~ovVy1fKWzF7S^IVY{mjFRo) zd}DNW88vr$m-Y15*rb(VZ8oCWMQG!4d7*oh6eywBd4M(SahxKu!l@uyt1C!@Zdf&U zs#^*Rvu-1!RAp3J0ju_+GE6||7|9J`EKb$w0=*4=UEc44c_-uH)SK^n@jJo5dz+TS>h+OAF>UAYccQu}J zV@O}$-ZaRt!2}e`hs>7%T<9xrw%*6s81T}3s&c#`Pbu);_~VpX;H_NJ$-^*T8x-puz54&q9B%JuAJZm%Dz*i3QB zyS9F*5?90|xa1zy>joF{@{@y|8k-cw?;u>k4>Ct6N^UmGo2u9&>4+@Asz6aQ!=)CL z+2ik8nO!nM4g+j_do>Zul{dl0WF}bwaeW6SVA2>z#RSm}CDEhSavG4ISjm$*Mwy3P z^@zvpjprp&u9>hxRsL{mOOerF4(2-bV0VK%my$Zcif|OOlr<-x*f8bxCszN?h1pc6 z4`uzJ9AMt>KcJw_>euVGuR~&A244-VqNO2KtsUbIVb-@f=~8m;Bs}c;4TuoM#5Tgp zL~vw%J<}M2W;ljIk;{(V?wlL0)u3~{&$XUfQ*Oz0;%|el5$s*$tjZi>#fK0v?)^>* zwuL}uSlG+Sz6s=Z4`0b{`sWbs^P_h+Ds^WE7KM7zTn#{U3$9i24iI@e#VP%%t(X~D zz|ECW^!5BVBJ17rvwwtxGeN;cRrBS3}5Q-u+! zx(?AC{Q@f~94ZjF>3(yyO$nN&Um-dIR&DC;GUKCg%bG{JnNaa7&Zc zGtjX$oGnQ!xt|I(3LaiUW2L0qzH zu+=q+QiHB8O20RZd9#vn^U^ib4U3!2PF9*q4;)OIHkw+Io>uyC_ITW>I^yRh#61Jo zP9;?pRfEq495r}KKRxG5p8i`aI3N=v_Y}X z>~>?QU;j^fI=zY+4=JfBJdhpv<_&d8{dNkPVeeU`#&0_;(}-iNzteQ^9RB*@-0C7F zB%~WGe&MIeWB@R3Kc*`%%24dF@@AaiHJqdQw{P#m4JIO2TKFzVc{H!XdDMawe%@&_ zfHs2of@fx~N~phbHR#WPUz?x^}C4fV2w+Nki0`9n39gjqO{mG{8Yg?>s=8_%y z2@CrSr(GyI?UibNrw0AiZdpA;ze84{5}k6Py;xMi7{!RlO)FRh*pWc6)QJCj*E3ds z(#Ke&>og`EVc_0AR5AYH1!o^q>x>Iz`I_A|$9BP|$~l^ejeC3T#S*<(=>g$luj#q^hD1!dPQfYPE<1_lKx z-kUWp1niiB3=ir+%xE9GBnCs+LeS39LUWDo)RRx-HuH$uT^)<{DFk`@d$E%Dc7=rU zo=IMQ{-PbXKj~)#%fPpeo7ftC86HLNTje;rA~wT2<{fOY1rEhB{q7GH-L7D@)+0AwAH9Od=^rsL*tY_y;aJk{A(njQB z^CLTw;i#p~Mf2Zx|{;V4HCCnNbP1YCeGFyw2iTGH3>_ z22N4i!yT*9MsjE>zzibAS3i{Ne`;RW|1^B8L2*!WAxnS)I8|ou^wgqyP$@41h(?SW zhW2bKcpY(!x)NC!-~+(de_41B;|r;Y7fyd1=<-9GPbLpY%_>NIH3EA5AJ^{xb#N#8 zf_=VyNeZ;zk+4zrj}NZ$O|^X(l4BGxWaYJ|69h`bGWk(rzqbQjT6!jr7sk~ef?Y>NJ@uCx 
z_6vmYse3l0`ZQJ3j_?f}s+Z3njW$?nfCxLi_+RS`*k-S=MR|F1@!{I(2p3UgaM?!r z@nV1m@=C_*-J1kH<%P{*jKJ{A>Q%3UV9IS9oRS?gQH**gw?zsnWzw6S!cv6I)24Gd z&C`pyB^7M^B@e*3M?TLH%ex@rSYtx`ZswQ;PAb5(b~WKg-aQ9Ddm#1Br2v-(>_8qX;^J95-T@AlU< zO>f8Y<@2(AqNuNjP~@9S?e=5aaQ&rX6SdR@pqLn4?@AqGRd}rXvHV$aB^&+4oy%D= z25NWHdlU#=2{JOHWj!$_m9@?}b3L!0+4UNb%Pxp?S=xK62nb#H+rdFj`tFDhPz^Ub zr#-qoavqDI+!FVxOU?eFe`yLD_EM+soRyku?xEZVzT3BwQZyWF4SuVYt)D&k9+n^O zbi`Rim<$>BXOW8OT|N;=&dK*{mgp-#a#%~3@Q<(oYD{UsnLq--y07Y9XQlLTjYrV~ zI=`ZG18&w?1g;`ca(x_6ZudY zA9{|Tx80dlM0eUjeN!xPM4lD4N^&u3tERl96ZFPE%H{m;&Tv3yBN9%P)`&G$UKWLE zxC*8iGA6Llef(I$`K3U)cPuKS3+?y%mdu+3_c|!wwABX!$22<@v9m9d_)6oYn_i%` z8i-%g5DrQ693G8?gt&PSHNZfj#_m-x%A;G7yQtvJ9(U|c0;})M!#$L7mGNiVvvInqLj`qCnUGvB7We@TAcnZs3))wKh7@$7WAy?hmTxU#6*CGpFj zO-COGVN3-)2oe;akeOD$FHq57lgZ;(cjs&I&MqKRDJA)S10DRRSFcO7 z-w0Ss$v~^c4wZR)2hN)AXv_WJ`&&;<=9QZ8^TKGKn2ooiVD9r@cnX{+>vUbErz*!5bE9YLlSKfH;nqC3v&x=Scv z&O&#uEJ#j9B`P015=^eF&icIeZp{Y%5Q3HAhNL^@8y#j+cBNz@rxfr>9ze0qv}P?p z5|5zW~k^J*t0 z!T(}{zFWj${TmW@UH@@w zZk}*gt`t4O?1i~ptJu}IR}5AA14YU|*--iTG?{SM!W20{Xo(3&zK-{Z$z`r)$J2^rof9{isd+EX+tmo#B5|3}XTf zz3Ch*`C!e$Jy-USsa3&du<0D!%L|*F2h+3tIVilfTm2N9Niaj{MN7V6!b3$$p&5+n zQ4jo-c2q&mdWP#LM-ByQn|@{>KXvZhdks?(E?0e^h1dL(tI|P9EC$|aVR`i|jd!`< z+u|4v_8q*?U2)E%RY6vSCk0-zoLqG!7V*`&C2gOX#JKaLm=?tb+6`p%2?Jkzs5j&} z{yQ{gXqMPd-$f3T6O)eeJeFS4h8^qZzL0xHK*O>@;$p*$f$Za#Hecp*#n@hzM4W`T z7u9zI5t~~$>Y@AXftmYt{cBmtXhv0ScoR8LtN$eM=THdv(e-F)S(jUhOw7y)pq*uD zVzV?uH27C&5Bp4U8WHEJQy8H{9Y<~={1klr62EPdq;jNXa2a~GK73aOU+fy}1O@rf z33_CQ!V9T@s3D@uJaT4}hLrwS{uemwHAqE6zXf;--2Z#xI{(FU1ffQ9McsGSW~pS} zp&V^ifU)xTST!&VBXgtcETIE`ZkE4UcX48t^U+jJ!X2Pp8n6vjRLJ`3!_B2$ zbYBmUv)%IDcv6mSn6*;C=5wX{W;Zf?v#|JAng3h}{4}phL4Ia1q#P$}mGW??zTsC} z4}nAum#j;cl}EE_co|N|)nJ7*hkki1T1U4(`I!HC;6oaB?gRpM#D}%_&+dcN)(WdL zR%@S;h;tj#g(PBE*n4frEmC3A*}D4nDiG+8uLExWz`GjO4L5>BtHr5(h%PKcU583~ z6SrRa%|VsZn>u9-dUHiblXT>8q$=44g-go&c%2;^kXpPMJN1IWuLo}1Kc`53pEcZ7 z#6NbG(gWUweLOXRd=4=n1Z+0Iwu;mZ2_p zPS~%^b+7DsrRx?bj;ES#KNz5Ztfm^ifHFVbKmdBucogTmRjnDx4x6<)GU}kSN~e4$ 
zX2Rf8L(;IlmYW6vwQaoU@eh`$MYV4nQEda;WjpT^(*VZ|Bz@thBWs806w338(KRTl zO6!!7?@6<`VPi#6!Qv4Zi^$NY(^Qu~(dk&sMd3+TeI`9qWUGQW^Ni@QE6jTrn{o+e zAh@LwxKYm53PTVkRy5Z_yW0DzztPgJZ%Hvh4LV`5<6Fr3Ei&P6Dz*&G}btoBbbsK{-n$l={TSB%ZVzt_*dLTkjg>c&H3e8SUDIYGzryh+ipyrIwH>y9qt zCMychRB=x>BlC*(s2d6&n+v=TBXA*)G*Ft4k#{4{4WY|Of4n?Bj<7N?F9G1jw>qKp zUPHeuexVDb-S7SUGpzUL@GM99gbVWf;|Rz!!fN6H-`2nHS2XXRs^ZX)*KSS#N_q_e7)JrsleFmZP3kt@7{o#LPLqYYW4Ub zVzo|x|5wwi0t;Da_c08-clTlfI;5+sknvE$9){4>c8t{790+2opLv2|?Dm{vWDtC6 zGwr8Zy~p9YcE{sLuggoj`Hfw9W_n5|v2{t^^;YE`j{*VvuG1{iic}gBkUMm~5$bYyNeE!MFoS}P{A2?@F_zs2&9uo*w z0S1<(rmIu{8^e@BYSgsz7VLa{itJkJo!WcS(P>~nDSB3DQvT;e_ocZ6C-~5d`vIB+ ztL%NZpV-BKefLjx5!_fnc*bt?SOH> zRYb3pLr+@>Z|@=j#dXpJj%kEUXUE!Qw7W3_Z45jD9&M{?=V(lmd5Mhr*usochSy60 zo8A_^svXm$ytdD@gempU0E>rz{gaF$aK$eZ=i_r$^KwxJ_%w_Yf#_<#Ab+>vX|=5U zxxqI=<6>) zJ2PnWgDofuQeUe#+OqP>*p|rj3q*qQ&kKS9`rc)TSLesQ<1nHwadJ}pLlUy;b4^((DcaDD=N!E zU-1Y-J4JuJBzQykYZ`2h_5iVUSJ~l}-u#s7XDKI{gZEMHPhY^BJxd0#(&GH*2W>c8 z*1zyNhcT@@_!VmYF<*15p`-G%(y$9Bm;9hV@eIDCY)1x{fPdZhU5nUM?aPot}y;)Cl;&)rO&=?->&q zn=KJJs}AH%Xgo`RY5o(h)_Qg<-$op3M?PLlBGl+jpFMq6#kL}z3RX!b+QjpPZo0Rd zd?>;fayl*fKM;G;0Mtu(M@79*2cdss${1sw&9Vc$FB1I57l8eCqtuIcytr}MqMbL# zUN5^;a3W+kwU6o7uVg3yTK{je$YjPa%~McadxBarLCd$=D>Y@TTZpsw0pC)MW2+1 z3#Os}V6qg;>{`pnBJP&~?q=(V++i~ntVk~bu*x*~Pc4>MALQt4CkXXL&!OPnW~7hu z->JvBf=u;f%$V%_ZmP+6ZhUHFk?7rtFH~UG`t_!oD?){dTvvL6SDj-*{?J7PADiT( zyAn(F*gTsq70{A|e+O)D2WA690W6)wf6kHm=lI0`CsqIv$>f}sefBw7Yn{E<{;l6id}92N;TqR93JMB_ z$B%TMQczINQczsBrlGo!JgqGNUwmB(diwAIMb#+JpNo?#ZugDuQ&7~V(Vf4zdT~zc z|HwLsf`YO8@8?p#-*;yUii+CDy7!-j0d|&XBU#sp+WWAG>udV!Pwq1=-Mh^7=IhPx zqI`BU)l<5|XVy1(2nl4K?Aeh;t0W z+vH6>K?g2X1c-49#fJ#sE$vaVlJFgxkF3dk`6a!}KQYS@k*(THHtD8qm!{_<3(O)i zxeY*HizLbcR5Qcc)(S`t-;LcLuVu=vQT?iso3#2u>p#AmmM<{^D@40b|dUn_{1!;PD9&UOjK!LF}$Ia5!P;wGB8m8YV4yv zy93(${i_GJIrl8e5t7-(br&W@wl`8s(;#U+RIN);Jy5k zWrSd9dB76i8hg^`#(Fq_$-_jxNJu8A!YX>&V$rSM?_Z+^43w^XFqdqkuY=Cj7^UcW zOnSEc`Xy@2(g|OeD^O!4PJIQ>L#Wly=sRlZYX(z~`Tit+pLgn!^JD!*)SQiA!PQr3QJ-mexYBjlA(OQZbas=lVh 
z;GdFLl$3Fd%@xo;tt-H`+HdTm^6)-C+Q}X}MW*=KxEu}4_l$o*GTft14Xu+3P^M?UKSkL231Co;26`B5A^P!9&rP=@RG3GTA4W~nqgMN10T z*$)BLzqb+_%qsKneYSgO^}}H;oq$fJG(CG+_d>Xp{bOn1N56#{g1Q8NG5>C+jzqP1 zPn}j%u@$IfXN)L!eH$^K`odFFxMlGG;TT<8v`$iLQmvv5?7*?*T? zx*ejZ{>&ps@Ot#*A?n_` zC|fh#o6&5t+#EOd8>I`@l^rA{VC7JvXriv z>Frv;n%Di2(o5ib(_uwQS2z@{pdm|*KD8p4wm!rrr$1<*UPo#5!urPYlmg~^idW>wvdbK01fe=DPieO!L{=&*$pz?W z%?})}ga$}FfLDv29nB@_qpaS2#uArw0)Eomf+y{AiKR7ONBYo^`D9aD*_@L+*psO| z;hVJ&!RxQz<|&7%5BD!bEa)_+;~ltXd^*U9%ag>C&MnfK(33!YeuwGI0mU-G>!fcL zl7ORvA1t-I1Jw$kF}?lMz(ZL=u066*%xEBP)lCVxFyHvQ7^Fm9sJ zcy!p=Us7GQbuC%p6U(>GlA~K_r%4FB71|xhoNebYb>=gls#tegIY72j62)J&2I|VV zE#mLSyQD0Ofg~Fw+)xzx8|9ij3G_Z;OzjJ|Uw0$=PdtqY-97Y=tSl- z)xMU1@~twRxlE=Rx=N#5-FtkR+T5!^ByzmNJLG9JMP{8qnWR1`bC-{f{LFl4DpY=X zWgoZK9T>FFc|&7cYe52}x${a^r?+TJztU9&H}N@ju-LjuvmqB~O8Q-JcYi7Ns<_LX zCo(%RChQekvS06T3_okJ3&eg=n@h6E+PC@9bCZp~>YC!KO9bz%8Gab)bO{Q`Az|$O z99FYep1(6kn*NxFz}2V1;&zF%+rDX^SE2@V&RA;&T)FBezn7r=i7k^@r zf!;4t_W7s{rmcE>Tz?1dNp$Xb`P5{$|8=j|q1W@);4y#~J|vQ5Og2;Xds6gY743V^ zAnSIr+6C3lD3Nmxhc-kCg!?e|q_2(5u zuKVukqIt^ISVbU{E%l_=RccQ;F~!%vtePGsxI}f;JqMN7`OKI!U74)~s#{dfB{g6- z!ikOJ*u}U64D(#_Qu8Q@U!hBi{q{uLs|EHGMBT#ivd^04?4_oXCx~W^4R;BS1)(JEVP;tRXg6sIMqgf&?0k99V_{jfDmDRu@=T) ze8MR;gBjiHnxU(-%6|JH*=eE63X_EKerQTXC!^ycW?SnyW?B4hJE8euo@X|7anDxE zJQY%|`y6jbjRfUuO(_^D(jg@fSH>m0y504)5PMp??>AQBKD(~!Px>>Dk?kLi9E7x8 zf2j=)C<@VSCqRrAL~NDCf4PPJ^@j8!`YHqavnS<^O4RV(=`uW^%};?gx*TxD<)`v) zXGy^Pd)`uyyVv<6=_fwtGD}nUrS1JGXQr<*pStp~UO#zz+jr03fQ2V4M^_4N1=X}V z;&*D}L(*H|MW{#0gZ*6^Hdwdif4j3u0vY**FU#Eg-dm?xTamVtzimBa^R&bUgtD@# zD!P3@)fHJ(dkd#jHEyqbvB32l@TK=Jo!l214ixAb;cno4)xY4mP}!WG_UCEZJ2^fk z7b1-mF~BaJZ}MB#H~lxu{Vz}LyJ5bZM*Af-m-&Du)9sctiy1Hu=RR5oa@K9tF+Q-M|Eqwb(cu+$kC;r=Vz~4~v;;-)w zH%1d9>|-PcUkq|EkqrKOqc67HO5WFN>!HW+Gxi=UGfc(evPdl7y@hx~h@x z|8`zO&$orw&*<99UG}~R@&D6m1AOM{^m<0WD9(P6^&S=a@BN-sRoXOrjtBY2j4bE= z4G=DN2@zGh3(ZL!^IA1Zq#OUaPr4>Nl~=uiX8!I#=6|;j%*=Wlp5ET9vJKibslwn? 
z1xP(`w-N5Ynkeddr#)n~NxOntiZ_Y+srgK&MKj|=NDUoFBx@!q^16QcjxIc)U*UPd z{;UmcnD$`@Wr1S>i!)MhD1?7#cQH;@Ik`)k>PI;5)TtH=t>9>XQvciez2!n~^Fpch@<{c^1SQdf$+pj!Qxc3r>Eycv2)OS9~$<13nmMRHc3s6!zm>JlMbK0)edQc z`6Bo4+xmB2^>1CeE6NpUGlNRR_B#;15zPVD0|J!xTcS>ijGG|8Ts6)&xhmA6B>1M< z^M!c1RUx#Kbnz>;pPVX#cu*m{W{RcTf~6A=Q0 zNp~8Fey^ZdDIN02qULQi+t+S#xo}O?^-EG&28<^pDyBSKGONZ&zO7WcPUh zAQqNpU_Aoy3M)-W&|CJtlw**T?-s2Ij}}Y8pV`nU?3Q8wHyu1VQ&NS1=U)D0TiMz~ zBJMvJJ8d#T))(&pn-04bZ9-5+LG4C$3%)_^N1@%J?FT;ig2mB?(0-Rv7cVM|-(*Da zCN@#9kq8l=$c3&JuEUpe*Q<4FrF#_1z*ddOWBjRrgfZdk_CvHFOKFqZ_q9@49;^{q&D1uGfpj_s-chCb(axwda}Sfk89L z26;XY_9I1wSw+fjPxb_6+V>rMjOMG#f=mZ|R3F<$E*(Xi4KyfXe6F)=5&b7boPg8E z*)v0JyKazXn08w2NGb6Jv`ANOH-n^ybgcErJqkPsR$8{NB7(P>)1eLpVVaXCbYB*P zGQ!NR_!{ijGPB?KvVO&{Ief8{2kFI^@5Hs=uK6cS!ET(19D!_uRl*JSyof44PuBv* zkHh!1YSfP9w3~JtrGyrNy}qEK^GE%XCr3@$rPMGlKBfpGr>M(_`r0I4K6(GQe1TG+a#4Omll=rAUOKOFZFRG8&|A>qz9E znXweEC1I`>_^n5$l7JTL)#rRw0kP@YdlY-JMHxO%munkFnR3uyN#MR<3O*#E^CX(y zsOk&xz2cPio|czb^iG~H7D21Umx&zTaPkb2h^%G~k)?jnCa?0N1 z(3s2S^TD3Ay8X;^%APgQ=4p=}zEQksMF5rbkAV>w!^<8mM@opMKX{XBs_jZ&ZX zaIr-J92KTaWbu4a;QN!w5b}#FQZFchzME z?P0|3&VGF!x_|&@bK`xWfPazI$C6Us3MWs1rDTBu1>AQ&#d2D<$)=jF53e(lNo-$d zgM-o%QPl4JGPzFtL&x)J9a1s5AP z=6P&3TuR;?O}sv~L)_d4gK&bOBI?GafR?_TY7cFg}s& zkE-vN_22W0)|YT^3`*fs6U^YGbOtV@Ps@=bZOpJ#Rje6Jo@>J?x_~MbK&O5 znO=q$R3!}{y5*)#u|{XuER(HNp6Zx|O}<<|e#?DhS^w(sER zkp})QUK<}`hRn>dx?ETbN4uM{@``HKS$-T((yTU~#2RKK&)vOGyyPF){IuOyY^E!gr-K?(lKZES1Tlo;I8Q z7Z`GO#z|mEVx18#Sy3@>0>}9IKH<}IMsA!wS5`LxYk*yc8$`Z3x_f>NO7AJhc4v2~ zl^v!{)=1SRg&7v8O$QcstbvGY9;-v1y-MeLHW>YnZ9y~}1(Ki_jDUwY|NSOvnA0d- za}m|*IGOX!C(i|tsas*0CP7&xr!3w^>1j*t$DsXG5BK(3>F!GSJ=?$u-?rOn_m`wJ zqMw4yS+2L)h4gF9?=o2G+oXkm^{`miZ>id)#ZezoyTpEK3uQSdUPhduA zxp_a%KG-5ahQ`rlqHG8`*1>jo|G>8$Q|q; zhiZ8VR$45bld1RKsj$tsaED{H0OQ|I_}Ot`U`+C|%RDZej!#+GhnN!hI^#5$=%S0) z6i3(}wd%#F-itB@u5@AJms=uAa=_DQgs6scQTw$o}NZ07z2-uF3^igA^Qd&J) z*;wkF&CmTbP_-3r?4PsJCuCHwmfCm7s8yEG@SN(WrS11rQ#q-&uD9rCl{HPiDx6Lk zBSQlk0g_zPhs(FijJn#^fsMg-T7EY?3+3V23!m_+Toy?yYjgo`w^iGIMJNKI_MB}4 
z30C>%CkCr0kXKoJOn}r2>koeH$>~x0%s85+HV8^Tc!4dyV+i%kL#HUD7J@A!PZg7- zWi$&C7JNXwOoqVYo%=2>!f{Oesdvmutwx=4BCEBphZ+XG*i%=>uB$KTIs`Y68!2bT zHN0_2wc&jBfH%b30J7h_5`)$74M*lR^;eK z4RMn~fp$u%j^sH<5}bSg)LWIWf#)Iw$oNO#0v5Y!lBASKUYmGvK)w1Q1HUrrrhJ-f z06E@?7}lQSA2_)%cGd42_HBI)?itvtvaZ7%yKu|$@SP7Qux72j`n0~C^=(<-L^^!o zI#b0k?j$}I-ppBDIVP=ej^ns<5PcwO?NrZnG@s=}xG?Swvd5sZcfI$rLR3Ma=>mRz zVL=8N0>GVgYM07IogQy}cH(*g(Y>VwJXNx-7o^R~UxTre=e)B5cAVxAG%gL;>;)4# zJLO7Sab>mKr&ke(^vd;aK}Ig|cJNCaKAI0|q>qI)?QygNYT<*uoU`G9 zB-L`^MQce}{0s^AR2+zw6*?30gn;TFs`V!@OZ^^c% zLCni5Qao_8ouS~ck&ongbsOyCY#+$-Z&X7NkuuM4a=Ibrc9X~Ng|mP$Gx;s$W8L2l zsyr+8f@ax755DFiwll8zfI}nYGDelMwx;Vi(WRtcQG^;;)|Nl!>#5aAZa(_5tsH@6 z@e~b@9BK>c?#-5-u}IdH)l?azeKjd{vS5&{NydlWqx)$d4%b))6%8G@+OMh~v)jsX z7ZFML6A3*(#^_FAQPgM>re`qA_H&B-#iqepc*uBkKJS6a;+NAL%hc|n*k*wv<)cl3 ziQc?4ed4E5>5uNeGk22{%nme#BkUni=x(Yzd zI4vifi*(jL1GR~KT}_^4{aTs3jnXB%ML+iYyUrtytW*FM<$e*~{j`7}+vDv)`W1H;4=g70=gG&Is{|MjJXHvLv;7rSOP(pg&Q11hzdOvQo1ET$ zj-k#wO2f|fALLL(teV8;MdI}5@p8T7u(u|EoklAo1S3#RM7G0h_QURRsj>1?SCc0@ zhVG*mI^@>W=0UJ_k;^-e>zp1V&*gYu{XywbK)TL=Mk4qI7VN>}R{z>szCfD*p5yo^ zG6%t{k}ccd)uj0i%&GYHA?kD4(Y;g<_byVsvtQ`&BpZGwj5v&1fgyQ;#^F9Ik%qql zBgSL{oz6aG$bi1^DY%g!e4w)($HUEW9RoVIHi;QH6eMKCWc<_tAhLJP;_tQvYjnyw z#S_C$*VNO0{%$>~*ZxAnhh2OAy;@0M-Z(ZK{hg zn}#;C<2CDV77Y+4%o#6IvzH5@i3w`2%NrX%U4Tu_+tX#1%U!UkgqH^a?k#~aTmovd zAe)qS0Dmq23_2HD6P5W_I{|ADa3TYQv{V(uyaSZ7BH~pKC@O{@7fQbATI=g_! 
zeE$b1yFjlj?d*8HYW~}8KGCQr@zjpl@fiHX;WUNg6Zh4n`6|2t}}14}@$ z@4$)O$cfjLxqn4dA@nsD*95(n%%HFPcbxCL7f4ZXkbaEMmBs&bQM%~zAB>5ogCg%c zw>d#mj}mEzwl_9rtFbGKnQENL6$`CFIPpA%btK{R)fqc7B|o} zm!kr)gG{N;r?~r|KU_Y)wsW(dQC;Bjs|f}%kW~cjSyqW5%U@ zk@nxb$Z>z}Ov*^E8!l#bFni!WsLROW@Ky&)FS1{bAE|&8{O=hh&A$W63WSlb(*|t} zca{}J|Loft40nYUR`#jILx6b4kz7UI4~{qeNpeqNmpGK7xuT;n;#TdNsb9?4Rq=W= z$-<$Ax*M3R<<@SImEvt!zk5K4ZD9Z4NoNE9a!=mRsmMfE+C7z1>g?lKmUNmtha&(+ z)qz9Ao+zU=``tD0{d#Eefch!*Rs zJS`DfC>rgPRh9l}e^%Z100Z@}Rr+#Gx$tAkX?Dsx82|l^dp>b*%s#Q2ltodJldmYL$1Z#;czZ_RuW#Mdc5!j> zxfZ=p>;}7ln*5?m`UG(W&C)AoGcUfv7DfjmSSTw>?;Rr}Rdn z(#-{`-PnHTPRjV5mdO~WiSy;Y<3~JAYJi?o^CNhUhr{0c^t+iL(vVu`G^xaO5sg*# z+Nus6Gf;w!=j47CIWoZ*Li>6eNF+$wJJoyNlYJD4j+AN-igTY!tvNTg#a=HZ?Xyjl z60ed^_g#sECo>NA2XDX>ecz+G@g`knSNxYmKR1Y9n!nP$#Ol&Wa0XVfb z!v1u&hBrlo=Ooavqo!!NX#Qr$wMF&&8%75}n>!>DbcZ*#Hmy~0=6*rQQ% z+bS&%jcBU9DCHXY+>Kz&>Poq&Q_T!E^-&a+(*fDM{Ku~pMO*-C?FGk}S<%B*x7|Ls zmF=uYOUjZq;KwGm#W3X+MAl)jg2>cpZa<3LXPHVe^*whs{;R{b1b!iCHMJP(|>W_5Gzt{L&#=%a|3a28m zJxyw6<{xl!-f^onM!78}g|f83i;bmJ2KE>`8=sk(QO-?863>q2!90LE=R_qQjS*EH z|3ACRj$jVY=m3GtY{bk+A^Q^0o6U*B|JOUK5!>z&*>p#t1jF_^(w6f`SA{sU_mKyHt=@N>ae`VlMq z9wa-xVx}7AZYXY>%=BPG@wh;(|I}*7Y%<&zMIDMV3^z7IKiE}YMo(Ubii;o<*fl&& zJcm-_1K2;3&!w`IqL{8$bn8zILuK9h^AP-0lM%aB;j_&nn$)+Q`jA>lkrKQgUS^+J zAevZG4ysRQBMN(_pNqPXh;uvP452U%{(T6iKcbmv%&I>4ETluK{`#?e>0HVu7@I>b z7Lbm+4eP?4e~L*+PEpMl+^~7AE>f77S7aN<#}cG_>e$YI+=&iGZcV;TS-rgZ^)Y;9 z{36*n@FTD=Nrum6A6sJS(3O3e__`IT;+*6HQ@wA$@g`{P7a(mXKu1=}hMt>+%DBr# zkbJgn(jO3E?A@dpznG}qx!RfKu%RdV1;00P0(MplB$fKX0?Lx=r1NecLtkDV9S4YW zqs}}yWeGc=(VjneZ@shiITfRdePh^zMgLLW(pyd?U@Z;WvZZsLnN-N5g^lephF(iL z^y+Zp#_52^#;sQMEAWZGxu4PveHQ@Z*Whc0dvL4K|P$0-$erEPbQAC!!~Rs z4tMlmk5}8|aJP3N9jNNa=P9`*ydmu|>QZ;RTGff%*xuI*{x~x)nYH{JM@Ua-hX>`@ z3AP06{ZlQTH}uy4ls;o><)8?;Yg};_9xxG{wu<6?=;)c6O)kcEWTrLZ`?FsQe|d#- zBge{{K&fper5`p$*Y$RBkJ5r9cpD-LqANa3^iwM?08+KdYn~b{ef$$!7$V)1hJCu7 z$x(u;3UD89B>*Eh+7cofiN?vKA+c3ALn~tQpKO0U+RVsMjZrwl5{>FH60cF)$PfZ-oGN7oYZFGJy`}s{^}L4GHMfLwMa^Tizr`j13#zd 
ze1L0@Je2VJFs#0!kKyKi<{Gn(2=@rgx$QR*Am5fYjd^RAF;S^>0=s ziMDz5N13WmKHkA)!EmL6*Z|Ps%vL=O5aI>@$-Zc@SCD?&-swGl>uu?$S)1*GtirF5 zzNz^3XE~1IRhhU4!{u`HtHF)L3?-9_;46JWSLXI0y*B z2KI!4S_k3pt8XTC;IeL_&OdGxl=-|?!_&8Qd7Y{JX8IcXGvDu|8p5AwiqcRxhX)!q z?rngG`7oK(=gfq=SMk(p z;pCRl&|y8!SAHx)NGRjNZ?{cC*!wVIjGYQB?;^|k1Av6b)dCz(wa-kN+JnB6qgIpO zfz=qz6R>BzPOH{q2*O4ND zz;+}JDA7aW?8&+2aaeNZq~*DE)vq%^TU}(Um?Uj?+zU8-^$%Z-sXF_{XKVpu!CFH*?H=?I<#R^N7;XJc95Lyro9{t7j{iVUM)L z$>Dki;E48A+b@C^@4Ly%`kX(a=iaAW{MKl9T(s?o9nUj&5t)S$uMqbIFmZR zei0*`&44$_EBfR?wz6$e8*irO%lc+sL2^r5EHf-wn>f724begz^t5Gz z2gn`oV!L$**fz(yc~lk(lo`sXy?=R+YF@iD>H7fNrMM|C%-xJ2i>_Vqi=H6%KLW-KM)Ko)ij<0-oot>{#)mPK}otL)e^h-av16&{EPs|UudIn|Y zAC;vZ{tY&~5)GN>=g-$*JcDmDHmrmu-ZPEv6CrMyYk<0MA1)qf{Zp0q+VmmAy@<|o z2liVR8}M|s+Z}zIIpFZPlb=;~F;_uS{YfK_v$6F4My|WOBI6#H_97J>BY9X5#-xr5FuRQyA=2S`PRlK#RxY?q148f zY$N)Gyu)8DA*#`WQms36?_ZJzEA;(y?c!Y%Ih-x4=94G3f-^m$GNRvlD~{wla|TSG zbH1Z18hbt3kmt7gOw+R2i=xk%DGF&Hk^>%tyKvtdFv_O<6=WG`X`&h#uhOGJ`M~JFiToph4*GHuY+f*bodQWGP^e_<8Pfu z?UB2_KS@mup98+wJB&aXfcl6Bz|b+_Y!Ut<@nRpy&TV=gkW#eiFA8X2()e!Ci%;H8 z;SnNhm@8p~X7IM~eWk<3}wf@-HJrQ@*U!$@TbXg44+n;9h#%SsZ2q9wzhO` zEnH~xgUM!&-QSTRIAVidG66(r4!xSso~I3@IFr(#%Q0JRqDFZwDs1|FfjaF$Ht;0< zwnH?b5zt9(C&zF$`Da1kCv5h4q(w=@2uAZp1}ISZF5fT1)Gr||TPg1^pd!kbPhupi z1fnAq*H~I}^YUc(f0bjMg0VL$A1kv7;lZ~RERk;?>s;*HdbPV@(IK)TOzJFny_0~5 z2_L3aDxbNQlg{@qZO`kAUTidstE_wwtx^4>vPMElxi{xV1wh4s3Z)|-U6R6$p)~j~ zT@tOe3Q-puy8P*+yQu85vJ#3mz+5(B-q444BL18rs61~R_*)YUvRL~imahWvd)~5& zAJB*@4J)uO{wMD`b>G#yg`JI@>?k*O`;_=KlGdiU;`F&e*r7|{Mv z(e?fB>6|j_Z;Ow2-G{g89G}a!?#a;V@8@1*1w+P*g5}je}Le4_=}tQPjg=ax_zbIpWOD6xhDr^ zpxxd3N5|iBL&%DEBbL3^yKFSv=hLCnITShMvykf6Lu&ve=1j_*z2U~L({}csIpSdcqIDKZEKQXObt$$<@F=7mG^|#}QT7#youhsg1+Z zOLXQ5W%W5FN#k4SayWMNCH-lqEfIhQ?mg59eGzHY<->%CL46p;L}BgZ&aT)V^tj&U z%}N3-1~(m3>JW5soL)U%@Pf^}Qb<}g5U?h?QjEJipL>2+{X2zb;~EWcZ_D6Ew)a9+=Y0A z%nvA{+Xr(WVTMDFMOb9vtd9iw+ITZhGy6C1VstRs5fr7dRr1GzzSAhYc4pP|f!1kA z+3!T7)(B>0;czLA&|_E|6Qre&d#tk|O+$JZ2ap?$1aP1=)yX-Z`F`}~>thfcn-EiA 
z7bCzIKUsE{puG)h7Xj@u;!R`n<=4LehIu<~N{Asv#Ef+hX zNDLTc8By6D_p4b$Gd9`YxW*JAGsgaZFReI|G=D|6eS< zfckFw6W?XNI`_`!{1lFP-ATkkH= zZqqKBXbDUIcLb+j-@A_tv}n7r!icke?R}v1Qd5a@BVOf?YNTy_2EBxUsMqY3WIcI#YISIV`&$SW%(kceb&l^!VNk9t z{}NiaX#OSzzQpo6xJiGf{nH@diY4|7yH?v ziebvXWA`#qdKdeCm%s9#oQ55Py6S&9tN$<6Y5&KPwf~C{ytTE}=9!)Fi?$lRZE&&Q zbocNWe~Ljsrg{F&Sg?v`fjeAdjHX7iW4&@1c~m}Mo!y?P)cNP1cezOkVo#!?qFP6p z7n;1E>P(sQh95d8UPN`8wTb^_=cfPfs=D-l(%=6dp(*>(s5)l3yt;iNE_7%1O9~4! zXIScmiw5#ts7mS)Kn!&Dr;I~2@N3A*`NewSe!&NRDp(|>W!q|h!6V*XKbw9R!&fL>46&Qt+S zqkeRBw5#^edtrh^R{~(L_x>f!90vCDEKKIlZtG zYM*b{cCcA*P_6dvKo#wDEKO2<+2?6*UieK@)jFj0QlW!1WKSxNOAzDpZCPhibe5c_ zL&tJD;56>DY8w{_?Z|YLKH_i))spLoCY+_K1ike8#8O}a$Mjl*$k!I=`hVtEx%IIi z6Yl-GiIY}mEZOs^Aa2Z)bqonn?454uz*vecOyjTDNc!?6;WANh)2nMzu2 zqdcr^Y>piHb z3#KI^gTwS#ri!C#!zbRIa>su}FC}T;eIsC|RV@EROyB&YlLh;`5`;CxhVHr(ZJmq1 zWGsvzr9qYT_1L^+{5@emWVzi%OsymcV{%H0a2vsgVYgN|#&Az|;}iTFj{^BqdBVVK z$^E?-1w>y}lVWO{SKnT(Um2F#=IQ_3dUdvqI`2E3DsEW5G532vKggCFifJc2dG_q< z^fP8=ERR5CuRK(RA6@A7RU0Lw*sCh%4xxorn3qr&%x;LXp=_C-NRzhLIZ_9~I0jDJ z@%%dp6eJJ|~3kDx3s^zp*6o}9Kr6sA-Q>ALI}#gHRyX(pY+{VtLiPO+cqosC*q zMfuv)^AZIy-i*=Y_=U*MM%Ev9+VU-x*t3S7(=CZ+6eC=*g~SCx+c2bDb%u6(lO@h)uYUM_Rgzt|h1go!CX`k(qVJ1ze z;~x*tUT?b(g!>gmu)afFgWnMKFNzE-;sy<-ZcrCi*SfA-C3AhzAH3~eH1m?gCh~W- zx`nztA9f|JEhZChcZ2!y(h(1KylAg4ck!u)qc5H2d7$l=>9wEF(P@RfDRr&{cG!dJ z7$tZZ_4GeOuJHEUeOy2_{S^H7I;PJt^3{ZGI$2aGg2~J{=JV0mhnCDGU(NMnPFx;t z{k(I#$=y63YC+Jc(Pp|L37Q)L4<8V{(k>~Pvb)&c<6cu?PXBUIle*>v zUW3e7{D}=FG&n07i4Y!!MZLkZ7bSUhA>1WikBP?E59Rt)-f5(Nj(ei^&z0}beej%N zXg;%LVkb6i_&cq%8ha9*-YtpC#}5%;ZuF||+NZ>G^}~?a<8>?9%J@fV>s6f?!&eQ{ z5miweBImwFRen*?+CS;x9-R%|jC{YeLL6;iO&NIS`G4KS8pv+IX4DVse&#orv>yqp z47)!a_X*73^Uc&&CjJKd0*I1iS^h0Q)p8?&4kJAItnwR=vi;ZvS=x|={U9jjMx#{G z)H$DkWI3-ZyR$lr?ShK065G_G^kpM+mLKzJP#YCWPyn*p57-+XhJtV0>TiIt4O@hd zrZ1?kWEXl$M7X8y-7HNE`(DilVy!lWc3Pr5AtQCxQJW-M1a%z^A&PAe!g@loIa+oq z#k)r8&OfY+56PK#TB`v1)A990w#eF#^jGu0Ea~w?CLVTG@~u%{y`VHumaZ3pXka#c z{6K2S4nS*&BEx#6%Hl=HctO()=e&F% 
zf)seY)yx0xPHjT4rg~1bMRy5RB_!#T>2mXVHJJ}C|E}jPuDE&rx_?5FPYF+D=F?=D z1v^5ZF|!kwTb2{A9;Z5>G=S)GVye=+F6edmOwz#{YBs>HV@U8`v%bC}h^U=+3#f52 z5vSr|26C{rJPu#hI#t}0z3QCaq-wRVmC(?(1RQ*3JV21va+Z(45rzz@X6lOw76#+A zi)Ezw&GhUeXmb~?`83QnvStaN1A0cY7%Jqp6hmjpMYx-bySLw-Hgcb~##L2gOAPluboyUkmx;jhuOTkWNc+P2%mi+73cR!oxCMj4N#ygW|) zlb^=cni`ciicE%!5g)kF)y>SpZ`*jq@uo(prZaRWuuOlhG*v!RJnW=-C-%F0+u7Z{A*jzBkK%SC9mU^%)d6L)7OnSkFfwp8fhLF;`{VX zYuS5vR7N`NEq?AW%B;*5)+!!ZIFD59JYFmW6}9qzztj`NPG^7Uh_U*B;F#uCJ42W^&OsdOm3_K`BcO%9q0MAC(hNo zC1KRa%AMJ=PX0^5@Rju}dkfWCkAt>&E<;@li_AzjG7Xx0Ms_Jbgol;sC%++DgIh+8c*v{=diC-A@GD1+J#EgcUA_ zzaFrbdt{f4cPgK_X*`u@QCWU=$81lyv`>%vd8y&N&K zrXi_p=cqRY>Gi)QbNQM>^SULGEeM0UPj8&B%pHWIf&g=$ufqMv-p+=+!*gezTBMDf zR65P(hbN}@Lj>JO`Tcl}v6V|r-UoMhqYlUC?d8L<-iB$@Rdz-yA>Z3%rg>2z-7D&k zF7HlAI|xDhA|h)^9Qms=Xj|xxro!P(_K|tLhWm!vc9ni#=}_P8;m$<%RmG(-i$@R1?3rcaTT9d1S4o_%r1#o2PzAfd^PW?~dt7=VoPy#uyu7KOD0(o(v2 z9K1JifM<5VJVU$SxFEvN6$801Rcg4ZUKz${E-6;3OIcOv+B_7S5g(VGT~OAfGQ&BG zF~46NbUfXF1Pl!W&^LOk_EHOE^Jf%_a`bGj4M^*lP(;-V3iw zb3;QB6JRZU<+v9A+#URr9?ha4hUk=y%c_BPXu~GDSZ%RI0~yT2jB%GfxU~)Og7SwN zKi`CiA}H-+yIMGXHH{VDk3`|^-!ZE!8k^!jxeAQAo$MW(p3cjJM?_7_%zXaOMC>z{ zLkiOU?hyyifWXWV8r_=BrGE~k}AV_t=!>r}4c*NE4+-rhAq9yTJ!EkLaiNuQffg)VB9q&Uz(J)HLvQRFjo$P*)S7ubCudG;O8dbuPB)rfJ1rarK=k>dj*3 zs!=2wg#e?kNKm$zB=FeZ)vE84rx>5l*>c`oWg%bk>p=`48}u1HgWv70V*KT_PbTbg z++cKd$>P{pa{EWic}bCaGsf}HoVD1`S@UM@#b@L*oqLePU9r1G5Lzr7RZ~p;JuY^C zbJ$$OO6hk4m9wqURrC3)l>0awCH7IM>&u@X*q=&|jy*ThsKo2U6(eOi(v2 z02_7+`B)cE>&Y{K=8x(A zK^W=w3X!piEWM5N@tvieFj1*C(2{LBJdX?58l@M7Ui=TP>i>po`O9zpANiZ6wYOt* z=(ZRD{U~E>oF4-)L>_=*p+Kb)_0y+MMl{6fUjeR!z$$dI+>k`QuwV?X_g$85E=haZt!P8M(`Tl~kS^r#ZRbYh4XZD}(jOh8NP z1FRc5$$EhG@^n<2=@Ag6e2gVxG6-i5@u!#sR3&Vy_(un5+)ZOd$ypsO&KGm`^tRiwAS{FNJUQhj z_ufReU)SQ8%sXOLu1RcXH9zJS{O0iyqTsJ4o?rKK2+)Px<* z8WRP&u$rX27vJrPp5v^?lcHIEVYVqW5qph$a0_4nWQnD9(6FAv*>l)yC6W9 zf?~%$alUXXwu^A-{Ha#8Qm9sSk#PXAxp1zv-1{8ja9dVyBu>1IBw%5RT8hS;Lhhea 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png new file mode 100644 index 0000000000000000000000000000000000000000..360e07f63fa27bfe51781933e4d05406f122da79 GIT binary patch literal 78906
z!Ms91eua)5D6m%~=KDLgN-3?hNhWg^R#wO64>wS9{-wz;PMUl|@P7skXaj;tZjPm5m zS$qXeG|LNndW=HpH1bblbRo|Tf+qrZhDtC8fczZGtB3w#%_th3#P-HAEX%!Z2^GfN zPyq9W5|b>+_rdcy7w^6^Hq>o*JCX9l1_Nlt&JB0nUQ@V(4AD4TFey-?sV;pso%Q^5 z;$R!N?YT%mQ!C~7WWQ0_j`DjlZ&qYfnN=pVO$^_|`40SOKi-d4I@6`%e$`^4WZJZ8 ze2e1}8MUo3gc<&Fk zC-9!-UGcx>RZUl~h&y#hu<(rvKdcQp9KBIjp!%H(0fHu4Rr9++K8tRu-#byO8n2NV zN~0{LIOo+1&IMO<%z(-7_>(EZ%w&4X1;HRdkZ3#DqFpaNs>`+$YH`koe-T z>UBcHQ|Igq5yNtwHsbv|U(DI?jdnM`hDmBd6QVieAN6#8{qY&ghaiD@3oqRI(Ptks z@Xq@l_T9&W6l&^$i&9>i@-;^yGU;*;`mIX5tj*vCLH+zI0r9*73OtKOudDB!{<;B= zUr04117aCf>Ne;|qoJ}w8-)kM$@>W$oQg$+a;Qh^JZLb- z%q?vlRivQPdI1Mx&yh{lii~joiZTGB{7jQg;x~Rh>g3aRd37vTnfm6g`>$EUcDTT= z-#l>r3Yj^PbQlPvYvdJwa1I8jw6#i-%bg#4A9+S?lME`XDJm`kFbi;mbT$Navlh@+ zH`9b}tF$XFfp!v>jyNven+>%>?o-GbYfXb(RRA`)U%XIP?lW5G$l^E`doz^71l_2A z^AwiN+^3%NbXa>y%FKgojUQk@TvTO`;QXC5-M3f>C;Eiy2kZGULrkwa*$RH#6`l}b zeuo{^Fl^pCP%^Vib)S7L9?Gh#m5|4fgsiAz*8VEVO7f^f}ndA*bh!9{<^bki?{_yw~(;% zsWhWqu48g7L!x4TuJ&9mw)e%M@aZ|}zYslz^o0%bdc+)QX9J=j^!7y;9W~=hW-a3`Q;g?)&><9aMR2XE-xhp zDJ{!q&^Z0l0UPrqhd^RwB42#1J2E+)?9Z79OW}~Th2|MxzI93{=Sp=%?w&ctg1HKD z)Z9QR(hKJDs1&;e)`OYV)*NN26MsA}DKeBU80b#Wv)63&Gj~MZonCbn%|hl_IcF<^ zJa_bNbQFJ2W{srv0ETUPmAH@Meo-~3pacnLmThYTHQ80~caRlmdb+UO3;wye!sJMZ z!LjF)3BSXqW`d0S)pBE%S{y~@+KU_KZAe$9!FoW#?*P+5((@G`4xLAj!#i~3CG-#v z=*I@4Af&7Cyf@d(zO|O22LoZo1#clF--yxAwk2iad(n3RIf*?@Jq9474A3GL!(Mf% zeaneOF1j5zyb0x;m>zT^uJ-dER7f#54p*hSK_SV#d4n)tCts}lAjend+85~(tO(*_ zwgG~94y0SMU)b}gAGAK8_Vx$mDfO>=$9FB_3nC-RVsmetun8DDn7%uUrm`s=t}Z3RNZO;Q z6jL&%-0F1NOa^lKEJ=EymXrcDp~}Xb3B>hZngt%T!?);rPp7ZUgkRi-KP7>%i(6F7 zDBCH%o%zY7SIdbn6j>;4wfNlvMrtOH{TE)$%1nXLS$Px}KibrRF|v97Ip-;z1g?A^d9u?>+Gu% zCe6ER38Dd4)&^Miul{a2oF=f*vrI!DIaRNrjk9SBBuKvN1tUC@TYImqQ^WnD3eq=f z%&h_`6PNDuy5BEvub47}f8Lg96`6P6ij08yHFGiuDSSO!WzJb|J!wmzU`~-P-+5x@ zrKO}Cig{f-0Pf5;tLy{Ji|UlI>L+CGxTS_U%IfP zW)_~O1VinM*7GtKifEqFN|PPRhp~+FUzbk!#`WX1oQ6d_rb8!9*`KMG_^v7gx6xfG zBDB1Q@9Nx+mT7Aay1atd14W1kY}N-1N_P<6xV`SM9zgQb@)gL8L2D$Xx&+dh?S(ta 
zoIA0!W)ELdwpx{%2!R$))hZ-TE!zF~@?g=f%3-|pu;J+cA@04Sn)+elSDvK9hekf}kq{T;1pR?N< zVbt3eu!d$n4Q6U!JX%E>Z1jm zc3z0qbtEExTsP?m`s41hbA*+-=-_+rA)b9RCcE#b0_h3Q&cTQ4wh9NiAX5+6o~{gY z#qAKrkNqhzF%JF{M@0JPhLF3N1KDzz5p$xq!_fhipPnkTj`U5#T! zs+^>L`jCdTT)wxu$`4OmAw)ZuY}F7RG@s&6C~JqiJfB}Ya)K+L_JAWM&o|WEoZrv|UpVe46$s7cV<#l>~sQ)BBv?!;>rs zs$nrBbpt705*~SxT+Pr&X+pjsc}&(vI}8$RKD8T0u|IjcZ!BRbMkRO-b5rU;zC8YN+G)ghW@){?Xb z{4cv>G?)wkodFYcn62@OaOY;<&|9e9dBeKT!#4axdwa1lf-*Y2myR_l`AOgN+@_Yb z)AYh14wZxg*pFl~;-KaBw@aeA%k9pMAbxw9z3ZnnlmAKf!n9)HVCCQ>fV1GqKBslb zuJhw@t&g+-Wb%HuM(|Sph&0#oyN(-T{g43e-aFnKu!KE*IXfP9FS%nU88n=&ueUIz z`&b?{a_Aq#)|hjg%3GJgIcrmcNcHV%i8rU4IXsm8sXGNY$y%K&HH%*Fm5WnFQO@x2 zaRR~Z%gR}73yYq$c1sM_daZ>bG2gDSmEuk~I+RFLjytQ7&qb#>{xu6~K9P_TuCw&H z__KY!S{|ov-S{u+TGIl)?@y^CI>?Cc!Pgr{DG!m*IM5hkH(!O^ibOw6Y^W7zlGiAO8syWd0aE$ z2!qO%>8ZH%^a^<61yv4HzRS04pNK5UF8_XRY+1_eNaI$!uPRVm7r z4Cp)0+R$Ttczm8Mz;Y*2aUY(PD{k)}P5uPG4?SFDzZ18dDi>g&gf_?xAO5#EmwWW+ z(G19{-|M?h_G>`PSmrndXl5)*6GkBgl_CrJ+=mHF2pD6U?g+=6aQ&A?!ARY6R$3lP%#G- z12L69G_F4fI(pm`Q|i}4yM?kT`xRWwmITR4Y~Kydb;DNZGN+$+HvKL897-N(ZpAik zXsGELNXyjX-)8)Wdnzo+!Yy#XCT20n`g6O(K)d4$e)%mXM|l1_7)-7FKaT>2oWKfF zIvHn2xi0G&V=5Cr+E@a>&FUI6QFxBo`ju1uvT0Uw?hICp32Xo7gZ?37S@7cBzEBV` z6GZGuT3Evz1D90}G#pj8p4fTK^VlgO0KljMAX;dK*LZBd%_xTs<}}Zoe7ziXh|&cQ zx=K!pD*TwMY>|YL)YWx^C^c)p8}>2!M234+@W3)a%Iol!vZgP0K9<-zv+5Qxt(vcq z_yGq%)StTVCl22++VmI`jD%t{1dD^A`8bEt?y-o!Pp<_i;5(o7zW&ugPf%P)O-*h3 z_U&0?Oq<>O{N~a)TpT_dEln<_Ggzc{SWM?$5QeMwOE?OG(~p!@0flTjSbrD88T$8j zs@p%}23mER*HD^=DS5$zRy3Nu2b5*4J<7Za_r)TFjP9%yzRHwj?(nlc3%NevO(cg~8nvn|c z0#N1EVW{{qsBzK@{Em35_KRd48iT{(1GFv4asNcAKet&Q*uFzuCSV`J+le}!_7)N%?sVI7>s8A_U$_OE)&GJEVonoK89plt)9(ES3YWR}nI)rFPGl9@xH!?q^a9U*;Y?A1}OTvcKPvqS@?N-lrg80S+Vok2=85s_e==Q2ui; z>+O?5WhCT0G_%$4E~SM6;i_f>8Rxkg`K=4`Mi>3y0Tn~(@-2r_lhZg56~FvL(; zk>Dts-KJ;sXyQr4jY%691EllZkB<>f4^vEA>|o=}7X2U`4jh8^j5$8gw_W-9amL8Q zT*OjRCLcy?;>(z9^DCl@W_SW@!akoYMqhMGavmq1(qj3SC-Ak*QyNztHm9DKOXIh% zSe2~XCez`5z6f5YwiDIoo{C`roeciHMiZ$NBJY$Hpamm!>pWHA$=A7^kot8^xBPj4 
zAeCe_xBFUd(o)WW9jb-}V<0Zj^BET-vOahH@B$(fQG<8Rgyg32yOMM{thn??@Rv1% zAdfk70<)TEXTSSjlqk4o+(^%ZG(Q$qyA`04J7*A@NxQD>T`;yma{V^uFrXp+P)=Ak zP`?QMG*8Ir>YZ~s7HFpcikOzwFze@{p>Kdk%l|pk5$eC-#?v;6Zpm`sl%Z1Dxz1q$ z`To@?xY+8g#zFQ_+0 zL)iX}5L$qfIjgrkrYyss2A@N0jv7>H?`6&rOi(d&DWov|+fA=SKdoDUJkcd0Pf+4J zJ^_g16AVZZy6&^apqwfJr;o<#=E_0SCJ1dHouhR+y=gG*Q78h|njmAeG3=fI*hyL` zUy1A#!RPc^qXp{N<)TE)qaPFp-0|hjSR7Ej((S1AvKF}f zR~Q3aT8n?Btog3W6i110vX5{WFwYdW6rZI}-W=4{hse)A1yL7kkOgq1bq^_xQI1DL zEn>{+vK<1m8ZskpKab->jF}Eg4q`U|sE8g>kjSal&CwfCc;lberBmK_W{_^^7?DN> zRt6L%Xzk^l=q2QsYy)(&$r>QU}I-FD;jf=A4WjtZY zG3fwL>#s@PTzN%raOb9o9;2UbGbJgQ$L#y_`^xSfr>I{4g;6@W!(^=5E=aUf=eI~s z&G;Z-dy^LpX6(A07T(Ru@@CM&UA!-9CQp|Qj2|tzXQx0DV8qza-qQsU8C0k+G{k+y zjo0EJQYN3}*_^cE9W`zCLLpf7GH95%axm#LM719$d{Qa+oF7%kncXAYn%z;dOnx4J z9J?JFw(p?opV)e-jaSNkzG7RQ&2PsP7WVGj0UDeStk5?uFrC@W>sCxJ)bjAv$@*o|^=>pftatdw(a;92c2GsT)P0JsJ4{xOqIgEmC8t5n>}2b? z*!=F8QNp~}XRoN!Tn4#D-&BO-_-z@ZZV!6f+fD?PJpGwi zpMr^LxWP;>eETimIsrG3K`AnNJALCzJr+83XF;T7@s7b5mO~f__qgIuw2DYQ9mjp# z4cFYF%%dzAlW&GkaVDlwt)`T2y4|dgf!ff~^=U?VypPv>x+^tC#3^3lC`CwDmj?0I zuVOQm$%1j;{|i|1kGF2r9SgTua3=2FFD-EmiAg6^R_KMUnArvHTOK*$N)0lQivAr3 zR@cz@1deUX17YC*N+wfEklR31l8fs~z1mdQiwT>q-+O+a4`@&n16+Rwhr-$&Km*ad zhJyhrw@aSt=V#Ib-g977{eA-Y*II~o#EQwUZ7x4y4=2%ci=1KuQr-_uxU#BJm{6p0 z7uU7zGBJPw?2*h@^Q~BsH(2ZF8;XmRO91dq+fHMkcpv?XY^9yr1uCBAhrL$Wd74qJGdlZJU-Wd{Fu04HSOru>R}aZIKmq+zfpHA1S%;uQRr7b({wG$m|0TWK zU+yvT1OE%M^iW0p|Mx|Bha6il{{X@IB6!{-z(LEuV3(Ski2F{OD5%8j>}L#P`#?yG z+!E0zFG^+r<`CFsR3{s}> zGbdYC@L%ZOmg7ceigq(g4 zKmd1CC;{%k^^C)y74%KTfDn%k6;@Pfz-^}jo?|mL8{ze9Tg&dIQawD(m)RPQ7Wyz` zNkM-jmZDpkH$rG0S4UlRFZSeLzO+YS*Onc-IWS#ax`nI&$Drc*cxU7 z>l@wfzm*oM|Hu*NWuE5am<9>L6!gnTiK%(|>pj@l)83C!c5F>sHdVRZ-4>sfA0`O> z4EVEj#^JGEhI2PoM0#&~TNEyrjKDwL?u`8*+&9VT-N~BYy12%Y+cXoUqx<5FZu)5_ z_Pbm35L#FjEqVZhAuc)9-r>`c2*BE?~QmmboBBC6d`(mDIMUgjK^? 
zHHinl-W!zXE!=+W9WYmOKUmZl{QT-=4E;ImRlMownIk2*T8tLhJ0)4_BQM_3XB9A6 z_m$4PJBnjsmN(>%#ON^RP|_Ve;4Zvu?N;{kChZjsyNZ9V8h)KSh_h-FT4^!26nw;q ze6+lWZ}iNXEK!cX)$+lm&6OziOeKR&wrHo)V_@t_n7$Q0H$%C|FLZdH93d$kdk5-M zlfN_%Pm9gFF?#xVY{RkABSW~wNN7LECBjjXZb-B8<~H^If^OK%&U0*M^%0GyFGy8D zZom4i0kno;OM+TN)mdWZPvI1q?Q$i2(G6;YNwM?qV=X!E{(7dkHslh#Gr(<7ep$5{ zQz+Uu(X$noW_6->jI)$IPSP{)`N7WU>)^+308CcaEOlrvg+$O6f^KyzS=^5HU8kmC zkKW)HC6P$O8v6R!(o%6K42JPN*oSk2HINn9uJ8y}suQr{sFCx!?CyqjJKPC(ld*QQ zbd)|zsF`_cR_Z5juyPT?GcCK^hD6ADQt5ED=tCSoVXP*}aXl^5sbg8GE{dUa@*>K+ zo3RE_`@y0i;+YGsEPd#>@fL8UVxk`a& z{%r~@wg0}7a>C^I#E`FQy!s7SI{YP9Sm%$N?nfK@JHFkQdb8b)j#P^R#`@9yb@!n@ zbAhS`WpsA7yOM)LCddr{na^lYMR_n2+**20`Woo_^{jt?V0dU~lH+h`Np>2AwYLK+ zY;XN-qgzd4O;c-Yz7mD2+YUEm_4Q=$bSW}__EYcw^J50^Y_cn7h$aH_kfMogK zXkqfp#2d))w%<**2@J^J|6H~>PWA%+ZXX5z+W}BMb^`mZ!1%|Op1QqNZ2hcv@I~ID zd;`65?;6Cvo;-JrXaZe&u_7#Rm5IxDmDS+Zv%uQObE9eWLoYGvLGbym&$ZQKAsqkU zXmTxCmo9c`5x3M$oa;~5 zDO8jK1hCtX#!GEyt1`MC*WLEq6pe`N7ftrbR-}LMtrf%CpPAa6VpN*>sljGAIH~$8 z-ZDmC{GnQ`o9b5T9b1%v)%`4^xU&1B1xZ0RO9gEbT$7uSk9R81iY7RBuQodnp*R{5 z#h|%;&iA(Pg_k=`S|I5@NvRp8nuW4YdGf)rjW*ut*IMC(;g@sc(fyiu+eri~X(+ni zE{<4e)G$V)ZEG`+@OS8Y-_?+?DaSRsl^HWuW|>mv;U7^Y&jc3g@0M87bs5*xTc1q# zq9%NLo?qk!Fz>GQ&mU0{J$rF#lgWCW-(k^2&jzjKk9k*M`t}~_0uZF)B&py&X1-E2 zv%bpn$35c4C!^*WE*d32cx2(fZnV=B*Kh1R!Jci=)U3$n=JZ|UhAT*$v|GMv^pz1_ z@jz)oUQ&g$2lc$~FA$Z;jh@ga-9V}1J}>r1G{dVR9} zEofF=*E3efypu*9x!Lwb4W;z4+}fNQ?|28i*uGGIaBApiA}oH}3nv}b<@~s`&fW7F zB?PrBtyw8;v`d?fdlK>epBA&MK8D%P$KNA}ZuwTFKb5pJH?9^=uy@1hryRXgBj*c) zI=MEfusic*9}*9BXwZ)iTbt7`nt-G+-hpU|T6n5eY29FE9)j~i-Vspwf-u81;Kkpw z6jG%I5{#H^H$|;>#wsA}lc;19O73p?5kyz;zCcV&P2mr^TmA-j6QgPr>Wik!*d7L! 
z{&Fe%-Gx_{mp~WJ5AD;cIGQNDTKz=>lb4sL{wo#zU`iiynvTk`MR}Utr70eN!0WA^ zN+b3za`=l?ZR)UI>D8Vgw1Rvb7D*<+X-E4Q8z_woh=(i z1b;@NRJ6cu=siQDmcMzL7m8adsg01?Hh#g2jVWb*8|2&4(0F&!oD!RtC-~y89G1me z+!md6?HWc*vd6fu@WQib!56$>Qxf(LuHsP5J$It~ZmLUsC+5e!{Moz2;=!%-YkkNq zXDM-k9;V^%-YTRU2VRT=aoHtyRNav1#l0o+K(CN=06v?UcJjIlv-Ii!dp;KfWcxl0W2D1-#QfmX*s2*vB$zS9(j$inQUP3vwmV0l^5qbxEk7NCM6vG?=PW*Rc zhshVP-C}u!aGRm&*gE~M(?HLvz0pxA!`zwV@?S2r+MSNz`IdD`cH6c)2cw;B=mo&} z{bCd!6_qxo@ZFX6hdDmr-CRCpYPGyruS;M>;TeBwo(KvGl53u95Y7T} zXq7q;-aUohzX}4Gm)TRdg*04hF;(+=*{EZ)@3*agSWJ?z@T^==x@CJ~HKKSBpHwy9 z<+WjsTDjo$La}HcYQ!$CRf6P_<_F%FM=d!sMGM%UJLxn5X+b+{u141k4(2qq_Loi% z7tc$TT_0+sr*rN4JUovV3(e62!TT1qDF$u6`pJ5!se~pr+qN|ygs_md9KX=r2wg(g3MEBin8)~n3Ge5^U6(>O zW%zVK~2>oj9@37Q4SqNP_S9&oE}v^lDSNnNJ|+T8g#&UA8cTEs)T|L6w+} zeyM*CS>5zrmnk#)obJUU>2yO1)Zfoet@Ns-bxT1R8n5+jxK?kCs%E=&c^h?FOvb{L z5~jjtlu^dZNjihkM8wgiVaczTIOR7T(s-&9j%1C92eBPk_MBw;&6&oRo&|D1B6+b8Dr=x6EMKJu1)y?5r9 zAE3i!bm*8%_KZd){;}{K&-PmI%RYHl9p54fgAZqQM5__J3vKOe z+*%xlhy)3$=3b|Wd>dJ}U&T5{kR>HEF4c|)BeYFHpEOH$e})rLLB8T6B~%n0XcR(m z5RY>vOB=FmzfG<((HG6NwzlSo&dh`YPYS36K&bNdEd#oOY~QCpl3|A)tF=waTJu`q zj*@>L2zuMcNNV4F&x}oFhRi;>Z0)s|oiJGP) zN37xt$nMPF%|MRrHI(S(YI<3VF2Ziry2N1kUOl~IN9hYOFRw|y%+lrSWq7xyOBD@b zMT0#fVttJVWrGN*-TAWl)lfM?+v*W_z;N=rfi)`4i)|QA?}N`fH+Q?Fq>k%f(xI_X z>x86_$OpnJ13c%V+^3gzUGN8it&YtYtB3DlO9vGrS%;tk@LoDjJxeI&+v7GzZEzm*o~PfQ&Of+ zFNh&IZjAbmt3CO7K_JD$zldkKoQh-j!WoHmjt^3wYmJynGSSLd%oX?DSiZfzFgWj@ z-c!g+M!cNHMDKfl*7BoUY(#uSfWj=E#k3U=Il2>4<$y^)+5RbFEkL|8jO*w6Z<+J?8Ox=z+|_g$K~5| zYm$fZ-Xyzdx|_(hT)~$Rhw_z{eDU#5KOF_kv=21`zYuIvlK;IV^_yqu0=wRK%>yIu z9S5XSlwretP{i@&i~RZz*31K|DDj|%`mAkJ9A$+4&={OX$36zSC08IC<1(A9*3$FQ_W&pXGQVLuT~QnLiq{XK z_`o;bn-;BSbYKs>XR`y|7175YuU{L0`NEVThJ?XYvsOkaTMftA`y%DvUK(aMYM!IJ z)j{*)d(MRM>GcTo7gf&j?}t6Vyysz*vAI=c{WfkRYJ1zO=)V3#Fo@x+Hz_o(@iyS- z#^J~!eNZB#)}hn9*x=Z?_g(c#7dK-p%Ruq%+CF#VB|0hABIat1z_p$zDdprim;TML zV+C2pA?1d9k{n7GX@egZ*k?+FM3$)ph5Y#p-Ct4Bp+@#zE1`iO-~FC5j^~f6aumT* znUM}2uDCzCR(g^L1+?41h8#uZq;r|bWFI5um&`nxE!EuK%Pq3ixA%QiPNXTem9(5s 
z|1?|{A!DnPJU;m$ERv>di!Hsr#>IXl_i$y%dI=eQ-rSnpGs15wnJW-mHOWf^ytP*8 z)r!g6!r-N|z_@qhA5m*uY>jA{SB`<7mL<(vmA0 z^sF}1k5Ejf;_+I4{5-%7avDZ~m#W1SH?2*5;V!tnQTb*m4Jfg$rq6?swanx)GFN;a zP=0DWAiNcs^9>fB^A$E#p`y@ee+ebCAisiI#(-dy%uA@iS$(@zbS6w4`@k#W>Onq=d`?q=f<(1e z*Ds6h8pV2akE}3Z?+-TUPx#VMq}ylV z&Qz?lN#KDV`G$N(S%Co<+Y9{o`=r_x>S~l&o6XP0Zgij_lHWvz+p~^!z1b*uyP>=l zB=b?QdxB*pt-@{JL3wFrxr&lP!wImy2iG2U;nHCjR_t2NF7UrRJmjaBSkU&(*StIv zP`O@+aXN!|&G=puLZd`N=YY&cmpkVv?GS@rR$vCqHG4rN#XW?Th~xDR7rK^LkHMD|Sfyf&C9-V5dDtBc9T=U_T$2a>Y}wLB zuiF(Ib)atX4F&@0H~KAtH}!Q-!>+V?7$H5{HO&RuBR6d0`B&lq+oW#LIbP=tFc-3> z1GjP8bBrHIFYX3J#Ku}hfpX*P+FDbm+B3V|gsl2GGA9p$OfiS9K?RZNMHVhg9i}3- z>I%s7RSr*vyrD=PDz!qFQ0cC$(E~%Li}-v5f3FOKP{e&6?Lz*WbUnU{Y|Px)vD6=T z5OYgZHC>JVfgv4BW+?6E8G57VpV~@x6;YRjI^{5j-3&V@Syqd+YNp4MU0CF!+|QEE zwY>j9OH>y%lwwyo2v|E1334!Q6ZvtPV@@ck`xkmUJ*gkFy|Mr;@5?%AM#Y6ne`Y!O zO?xWNurpGP;JzJ6B0dzswhZ$p&a^uz1j4IEx+-NB!rz9dvU;R8AnH;caQ=v~r9!8* zV|CZ&hH(YHk!>ZCPoE#$#%Jpv6FQ%yTLmD4}Lk4)Yb5B7PHpED}6wBY=| zd=G8CGLmOrytS=~|2Zu*2R#3>lMnv9g>g^IW6N`lpW@A_`MA zmF6zfmZL;jD7D355$}cTsfg9m&raCidA+^Ypf;xmroHV(upTUe)cJOj^uph;M5P|C zvchCnQ%zR&P&6H;H>-H(oj{bAW1svqy#aD6`iGe03Ux_>e=uJvN<3y4+`K>plaUytRoaT8M%wA z)Iu2f4A8;J@tt-O?les?7a|HIGbuk_=Z4`rK(wLX+}Pp;B!9SKW5g~B+)6=V%Eh{i z6qJc_gd6&92DiJ;PBzZuC8v{`UIluY5kC}UZyqSTuKFk~;tvgY?$N&l+3t@D?-%OT z7Sm;QCO}J@v>%+B;#gx%?9>j9M4qr8SGjR@VEt`x=a88&NB`Op3O_CH9hCd+sTcG^ z)ezoV%oxq@6H-`gknfqfTIa8OLZ|x`A*Pj^g^Rs9MDE+qelX~z59^7K=oVfM_h8~* zEOcr5!bB%rp67Nh7C}WC9`8b=&8f#%-HW>06? 
zPlTA%>pe}zf42)RSeb;h#D9iLEOhGtuPv)p|5cGCjjiN9Yex{@awsw&JDVAl5`nv0 za5~CzuVNfO->~9VGjZDAYj~^IRq42^{Sqa&ZxH0S)6aS!Cw_Q1Q4!hJq8$?9Wi^vA zev&lU*VajMu*;7*XlmTX&6`_TB5tx1?ez`#5o7lHld}?UvVf;ccJe0;41EgQw1MeS zEmTH>r4WnJ;f_?u_Z5>jybdd#k`6Z5`ONPJIiAUX;q>vcH0l>w)jn4nkBDdg7yqx{ zW~J9JkLktEt{StHWVV#?Ql<2`jCa?VNx^%g-TS2%5bAwOvGYg{#D1V_3T#`n4wWU<$G>c*FU2*d9PkZ8WD|t4qC1HG0xos zd$&Kj8nR{rh072JzD@k~9PilWVJn{yZ`+p3Q_$RgEt6BaP`Ps)Lted!G;QLpd9Iu1 z(UO{8Kkp;pQ`URS`yAVZ8DGt%`Fn_`t`#TY*gm6!5hd|en?&yFjWVURHdnXuY-d5} zEy1(9n=T0rdAH4fO?&l`?kuWl9Gqh~PP~v`wTeNTbvvSe)ZVO#7K8bp-1~O1xqtqP z(<@5+I|q1)%bA7vkx{-=qmxk7{4R*sxWa5Y7>tdGpoHkexs6;a;Bqb)CA*w+Gq1|i zr+uc;p%`1D1VkBE|IDmE>Y?;0JZ}5fdGxjpB4^=x#oqIP{pY`=_A=LGL%P)JuM8e@24=Du(7T5ER%vj0;~lh_2-=^OhQ z>ikb7iMM9x3FKi#Wn-*f}*Me;>~!nLwiJwR%Z9S=VL zb}I9Qj19Wh1ltL(j~L|1DL*1|uTE8R#XQl;dU(U|P_kgY_0NCT92GX$&h)(Zv+fB^ zA$P3F%uS&Co`N(Msek|&l^HCP&UJ0FjU+9R2K}|J(n@6={L)wC`q%%9Q~2BNIA>z= zN~PdZ)pn3)VY&8-4-!-$NtoK2OmHvyK#Wvt>ngCi7#V^M4RKRkzar(aDaaJXgc*F+ zC=uj+Gaq9pBRTn)p#>qwAQht7z+#k9IdNaAOliCS)rP&w^E9Q(ear~{u2adk(8j7E zk<25kQi7TXJ3V*m+wfjC)l>AT+6cFptgRP2@)x`9Wi*fnb}#Za8wCvxQ2SZ=1`)of z1rN(h?p;Ss1hUDqZqAv(>RLl%a|XsjmR!4MBEIV~y?nvJ-y*m?+46Y)Q}7*8!7E)1 zdXrfKBuf9t)5i;vXN0N5ir2RtVGrB5Ab*ZO zZaJP`$Usvw`PxHUyi1?z@UzCMLDtU_8!KUJiEZi=HkT9{dlef+iK}Y(wJ;a_c=G-X zY*ZyGe)Ay_Rjwx9-~Th^#PrK~%vR!u{jCFUZHaxjsQTk*9g`4W&tIz|Ze#N*1OMFE z6G-Y3Q5(usxpUija_xo`@y_78jBA!3nZB#~=4Dpw4kBUDJuKB)S+h#t%ixV^VPpJ* za|&f_2A6>QAfr6dw$Uy-^)ZMqH(w_EV6DB;`|t1T1h!Rshg=O}R`+bzcBzAm%j`?5 zGbgO0L&WwqEiOQ>u^UW=>!BZ3XvR&?GpIgG`_TGPbvCPAMheQ0c#`eQ6)e2(FLNO; z=t*c&s1uvW1&F$(vD~x)|I1~1d?aM?4(23{w&8G^Z)LaIDf`7NW(E0pwePvg?tvqo z+cVkE`_MD@q29bD${*KSWgGnnW$q;Pn(4<`RNBd**B}&M`mhB@QLVo4zd9MQ>L~(8^Zq3oI(4Fa@@AgL zxE7drrNgkhtO78GK(5@buZeQ~q4hd_6U1x&(^vzW2`nA<|IcCi2LW}eRI;zlft{#f zWV8@DFrY^u5YTyf8hbk%MfzY=U3o!2wY0QSY&6rqizS*Z$0vU^jptgC^aQ3{78>0d zdQEts#4a6hemdEK?~=W0O-7FXZhqlc$Q}LN{wE*-i1(PQ10t#2fD7rS{|@VbXkyGA zw|6Kian1#?cRUkF!S=8XALMjQ3@f{sMlz}l4)PGU3Xi7b2l17DRXrk0s#tE~hC>8) 
zPg2$%8rlEzAkIX$FxR*4IkU)a3nV-v*KC{ANam zl3VrT<=xA3`*kz}dqXtaMw-1wiB&kZ^Ed5|&G_zy~oBa8>~sYlxt?WHW9_Snz^h(y1(g~MI^Yy4bubc>$yK0gu=Ku zz#{sfC-xU)5rki^8V;|uf$Iu%f1c}i+hqowZVQMcKm;*IY2bs{#E+T)x80@2L5}Ix zA#9kc__wwK)yuw$*E29Tu#_JSRV&oZDi08dQEoFntr0Ywz2nGV)JV!{#!AVpUt!zR zYQ8f^VRH^0iFaAWT{FnUqp1jE;xLxX*(DBsG1mpVMXN=57ix?|I_X=X+#(ef6InX`W{BU3$_0_w`-a&FJfJ2iDfWZ7pF;DvHX_qLG&W)G6POo+jq8~lKwalL3eQycD+@;vJOtrME;rphnDCN~0}DvN7D!NT0Is~29{9@ zo}QkVjEtx0j3sc!;}({dr5u761Xm>BvmM=PGIPBqO;rawRb?`L2aBf;{=xO_mU}lo zx}Edp9Db|4?+K}DpH#(}Nx1ZB;e+pP^3KJ5;Fi$@ffj>-(L5}}4SnzncorFD~jrS`o= zVzQ*ICo#~xZ-#Z6gHV)A-m{y;Cw6xyjQnS8N``+5c zMRu#YSSWll?LPg~y)}DC=raEaYBO4_mnK{MKw@$F$FFzh-v5DIU1qp{6sm26D3IP= zlq)OT^VyzGpZB~jl(XF+Qkit@qKE85cDHZ|Cqv>Wim`er;UT)|vJp?hmv$WqNGy zYbupv(6^jW!<%apu}-Dgp)0Lx>w`{qAop2(Z?$_k=Q<%oY~nmQkw}D~z(M(2F(YvEtZSJ#YQexYsca*7)p6H0G+9f_PiP#dGyQM0nRMG5i{Qzsx8@L^k@TwZwHYXIdBoj;Lniq%nM4p@QDtO22rz{NGtW zYLTwUL*FMLRHJ0F1l^|mR?2?))!yUR>=R?2z@C3WH>xUq#^?2~8pOnLw&HTY>F^x?%$U@4<7?M*#|2YuNJfOOBrG`?iXJc(02 zN?y7Z4Uw~nO)JaI{3LS0ablFwd|Pa!R9drG_KujZi1&o_W?A)0w$dwqs$-@8<5Qi< zjC8n`5;o52r59*0cTinjT}KLw5&iCaGi09PGJ}+_b{ntt)1qw_DnuG@nRJ5XPHMZ+ zz0!K`gwm_snEB%IkbIXbmPp;cUge^s2`j)* zc+G2nYjSNH6bcvaLR!U7hisWYzgSj|SeTKutmJ#&s~tBu@Rfw&>ya|nDe|c4Rr2qZ zV>Y-wP~_lIvl9G^d6mC3G~F7zPRq<_`r?|3y^Szu_8{ri$Cku z2JEtJzPvd-U#>fHA@pv<)^dv(Wo7SCn7<C{RX_wJ< zbj;c@j7h96*G@ahs2=^#%!2Ph*^V@4tzCinJs#hGCItMQT<#gU$Q;a#?yHE5cqDsQ zUG$o|QY75hgVuyXp-kl;WVXJk4Z)rmZuqAu)hJlXFyfFa?>3~}rlNsP#Xq|-c zBBE8qJFLv_>vU=}2hS!`8TNS%qGZbKXHNI>8eZ~^@=A;7#kMVL$LXmY7t}zUw9gyd z*5|c=RLOb~GB^ALSE?KX7^@)c82F3}o5mV^T{Q6>2H~|Ko2GiZk>p*fxlz{k?2I`j zSJ6o;ah~J(yP3^r&W!J`?v*ZMi*~a5hm4Fi{7qDfD7{dciPD7ip&>7-%<>`eI}tZs zo@$P()|d6g-*4}89C`2;Q>l?rS!oFHKX5(-a%I&wY4C!uurRr_I-5GmW9;obmX<WAwvUM|+7%nGN;gDd8*T0I2{St^z$pZqm-Yx9 z`G8#4JB8$%Z(&~GJRxYb85=3jdEJIPjf7`5^65leQZaTL@to`z&h;FJA&r}Mm5~(9 z)LNXoOCPkEg52j`^;>~rJdW&O%lX<#F}@K_cY81LD$<76;+_fPKnzK+QE0MPYr~)O z$Kty1xZPg2%wCwc;nGNYmNf_VB80u9qB>SDf=CdlaQA!8(mv-W3N2^9rBD~o0 
zjXoYBQu#br_vppBo9(?E%nur%=^*wY%kFcC>r>niDCiiwiTC#iB z8P=Z{uWjpjLMzb2$I3hSUKMW)*sg7H9{Vd7>5%-EHBxEo7hUNz6|8!4uR@t!1cS0Z#rX+9YKPMl7~`-CR!t33GmU34v!5 z+$z%us%I-|de3D3g1Zh+A!PR0(_p)PtP0+(_l^1<;M}Ay6usRIjv$vlc{odSM&0XE zc2gZmHCC%Vamp4j*blFe#?gH7F{w_w6u z<*Kr}t)6=Q87Bk4Osp1=cM9_)V0CZdLua&r|MK2~(dRJtU08M@ADRyBrI{V6b&T?A z-w}r*UdJKRnBnNGUq_qyMz33~6q+?=&Ul-qo&3JqFjvbj#NFlrjb!`bF-*Nq=vxtr zKwh$zI(PhyAn}QHqP%u89~C1LabI-fX@JlkhR^i_W0}6xU{}*{AO61GsZ6oaUx#)y zP_7gNR%kM(E!(MK6G3ps6Ue&<_WRGXLa3LC zm<2JD@rxE~xxA5>lW0A}3xfliwKlD^K8tv^<0VRL`A5`~_hRejviOYxR+#Ls5aYEI ze29%~*^uuM@eKY$k-8iMzfRc>CAQLMU{)vQsbe7~!sKz*M!{MAgIO7w`g{Z~sRds)O5ZtSf-Lj3M48EoRHFM#>)(s2! ztpQtKnrL2gJ&qfIWXv2NnnJ%#Y(fYJRrKANSkP;uzDGWcMo%yfL~rTlTb7Vi{@LtK z*zYlLd>*eX;+nP=+P8cY7L*t{P~wu#mT{d`i)Er*xml1A;x(>}ToE3wM4F~aEoBY6 za#+s@ta+A~wu;x;+v$mWZZwAb?)CY)HGX^7P?lin>$D>S?1^~<;AZ$gw7q9olUv&@ ziXb2&q9P(laalk?M7nfrpwgs-k`NG(8ajmD?b1|w?=6tf34|shAT6OKp#@Zg(2)|5 zzMsHyz29~A_rBjg=UjXK$Yml=ne!?0p5q>4+`AGP2}A2Z@CC==?Aam>oGLa7gjN|3 z27ikDWvA;TP^?=&BRK-o^i=9k$Ij ze@V2b-ZUN7@W~LexGCw)MoVG9HS<^_3Stf3j?PUbJB_s4*fa;yuJkf4jTG?5KeZih z?l7vjv-0qiGsc6Qt0f$JV8r{k$uM!a>0yw=#N zWv)hO#@|p}carotp+`(0#r@;9CC2t@ne+F%3Tr+0JT$hezX6#Jk)Pv%`~DlI@p-;a zEE{&D)jJcXs;4tU*E)oX2Wx_)(`2;r)_8yme6hpNa*8?MuXt%em|(EQjwz-S$ll}_ zR!$V30C5WMLM;?0)&QS4>{V>VdvW0%jOP-s{emr6FJXKJATYt(l-2Yq#sxHN+ZFGK zh6tu#R*Q@U#jyK8E>n0e=yBfr!2n{qz3RI~Q8~n&0d}mHaFJu}LX`(AB8+I_t07Xq zrt|t3;-l~{5zGW5D42p(`^Bydiys#+_zkuAoDazM^0TwQEQs}=1p*gIfqc8byxF@U zg6?-`ddnV`Z%e>KD0;~CcJdp zT4NRLa>Pa$OkHeNAoT)OfPAPd9Tht*{;qd-4c6D*dURtX$(^5e zA6?AS;k;+CYnyUBPleBdNqO7GwiEHpZUbN|2t@N+=(F_hgfmO(B)KQaS>Xe1lAseF zWVABS4VK}b(P@$HRW-FbY`li38EbmlYz?L8oZ9CNzQ@6RIn)m|r3RtgQ`}tBo_>YY;dGm0BLvAo= zC?FxZphjh{=ar%LvzZ%t1pk<-z4F`{u94)quF&Hta1U7_RiAA$4a#fl!@~og4}l`X zh4S|#_P^W8swJ(J#hprU+_j(MM}M)AiE+QT*P@U*k_a2H+5PJ9?q5jPvqzC7b|Zn) zHv{`~I*!*P%Lg{Xp3LP6)KRtr^YD-Cr_LG$re8Iv{%ckJ>7>2Bwrw2En<-T7{ynW7 zkIEE)sBqBIZEgF@?D|8Lr2`#}p5)H3?mu2UrG0PjL8Q8zP(=W^)cw`aggR8uD|Rfv 
z3!{SFN?Dgq)OxSm$dp;P6=?K)&6(zQjXXoHn9NvV0VIjLei}jj+p{pGkvX^iWCVs zywCr{wETYs);$DZ8UWYp(N4hKrW%~P74&`_7ofs+Ip5(H;!Mff!4&g#s{(i&}nvXeG0mAAFV0C394kQt&&{t4Z48RzD@duMV0>E_#uua8D z5)G}5xH}V&FF$BD0O==4Dh|&7{L|r_MnjVc@E3Zl)TM)zQvK_1*01qpMnL|#JE(ts z=de^Ku>HfM!1wIS|CF=6@($qY=$!ti^l;+k|8jL`Fd}$$i79pp0R1MK${ZUY z5D+MoW=u@X?091%iP}@xBZ_r4kT3hMDUnt61aiA?LzlaTMtB5wK`$06M*$|&E&^~8 zLHB#gjw|=w@SRq&)&6s$Hs^q0cqAS;)_Ce)XLEJoGorqc7pdE@Hu;2eGktv+jzk-< zhMgFY`_VdsowHGRU)S+x7-)LbZO`i0r_VL6S+bb83boh-w9>@JK|j2=M3vnY5uVK)?rFxy+=&L62s$N30PG5E)Li4 ztpt=7XLdqb&Nk>f4Z->L{F7FQH=ONYC&`1JkN0O51B+Fp5UVaTT&+~<%VC2yf0)q3 zXY}9fVf1gC-YsvKJ9n_~O_ks(M=<$H&(079X3-ljb#eogwkiWMtk?W*(a35w{?1~0 zN2`K0%3j?gJDA3^KSyqx2L8;k1kNU*yf{T|fYoswZua}L&aQgsT3VB=Nbexbl-Pga z;i1d`IJk`nKuhz@3aJ8(FI?l<>3F$y8~3o&q-(9V6>h=eWae(V zphZV=RSoeXrsR5)OwW0HJ;%91KmTqlKS*a*Q7imavyXo;!#3u~&fbK_LH2~&KO1Q_ z0nHP!*q>>EYZLl0Ro@sud8~MA|ArjgYHPt%#Sw&3F1kFoX}2)}B}19p+JRY6h71~J z9FzFX@Ynn|>Ofl?rqaE$`31^C3F<+X0+9K-2g8dVN6rh1FhIbEci)w7h)IC|%^cf} zK2ahx+!O?YJ8AijHp zqKK;H!cclR@=UWuG&g-P?sVs;J+#m)z1J7d>ne(j=FfF!s#(o(ki9LQ(9a*<{J8!i z!jw{+aV}q7gYrK2iO%)eU^#;!+pM&e=Fb&hDcTYUwu5^jJwZL+#ZyT^;-;#MOm0|z z?g!Y2NQuwfNfsO@N^Y!dH3gi|u|-0vc!T<&Ig_4|J)x_~8*aaOX3wC{(e!<}w;Je} zM@ua{^^#qyXmZAGEZi+*a@39CMR(FlZxG+?^WuHwz`1?8-Nk0^dWbU;D3RQ@m||?j zjS%sfoc=m9?m9&)T+kJGE^NkvfAszAJE!Dq>s<0M9II%`8LeWWPf04^*l*Bi{GA4S zPMWH*Bv}f&zAl)}GfLtmvhuPb`Rb+~J8XoT;a!2}KT_(3+uYs<_wv9lLDTptB;UB6 z?wverqY~;!lfQb6cG5gR2m)HrZ-(huBmRM3uOB$gM98o{B9hXjaC(?@4OaQ=fbvAU zh3FHOKGx`zqcjzvphA6mH3Qx8p7f86eA?}drne{Gcr*syhf}1kKQ6z;-R zij-hny$fCmZME_8; z#X9NKSVzavrwtBUyEe~@FDU8~>$z;nv}OqgXx+%iYg+^xV;+4^oe5ogaw(CaK}gj|l!nj>s2x*68*ZC!d%kFN2^V5j&W+usC) z+C|8=qQ_(<^6YF%U(dxTt(ty^vwEDW5!)YUHRUhg$QPU32;3X=mlQ56(~@arDN=tj z=@4gS2EusVA)1yyRyv;)rVlx|Ofk*mKpW1tg$LF)fNlPg*9qkFIJoVe9>#_@y z(5}g!HW4azFGw9;b{JyHH~IS8=CMw7S=`W#N;2KtRDFK(HDUA^#=^_SlpMI4n{>9D z+bLVhn{*Z%Wz}-br)qDb(C5eg16K7e*K$Q3c}f4&brbZJ4#OwC#gqcF>A)M&bw{YA z%5F#YhY4Ca*7MRj-!<}6``kD7VrrmrCq0w8UN&0GOz`S7)@Fr2U|*^a-%xxJph%Nm 
zm{i`Op%P*quE7rTmY>-nC)*lLvLZe&-F3zD;dLo(YaY4wrzUxC+;Rv(2)k|77E3FF zc&j2xIx2x_Zw)gmJ_#o0k)5ix?;PH+XWKUuLlX4P2THqI4p$J?*=}Dn*zMr$^RJR5 zKs@EsIq0H}Se>|mo(#7oO&H|9u1iVv85?SY)!+v~olCJ(2~WGsBCH`yHIy-h&oYzK z*7ow-qs-wAU&U9gytlj__mda!aOwMB;H4<|hMeGB+?)rG7d}2p zH($0;NO3Ve3F0{&%&}{hP3`cu;%{n)Lm^_K&6@OIxRL}3E4kToX>Jrv+sJgmE2os{ zPg>=r>=*sMql5yW_YK=e-Dz@X zvv%e0U*We-<`pdOOqxJUVj!zOr4Yw`dI`2_zdKZROn>H>KCx7Qr}55udPXn)&NMFc zPLt4?U@*=R-IcOk(6!ow3EoEajo2FapW}_chN|R;1!$TNG z#e@bz5Z_=O%NTZdIuTD>@!M@47eJd4_7P<6zx0WLrST$*yoNreJ`A9np#2P%WFA+zwP!tL$A5`rd~50 zhtzR|*lfhLtfueS%HT*vuW=y5ULB>S(5+dS3J~KT`}@~J>|ijEfk9qJ$79OU__!kw zN%mA`1F}hN?GL#cDdyy$h;}Nm#XGla^{0ZV6(%=VMKxl;hKx#~CWNhE59xB}8Y@lv z>129818ft_s}ZM0g`x*BGsk}sAWnc}e?)12x-HRjf?H0&!OyH*1u8a*rQaE^*w=M`o-2;c5 z8_560xsiPhG7uK&C++g~Re$%CAn^bNAXB253NOKPOAwO7mx>Te9?>UL74=M$SKvIG z9Tz2^aZlc0IjVn?yc%r=*5ldTAi8&{?yDKnUz9w+^M~~TXymkhhWIalG4X?5Z)`Qj z#0*bED)UC7m?KmvnNz(8AaJh`XEWrHU7+=MF|V@I>HtA;#fZJ>F~=wPg-}7blAp2y zVvHdAx&!`WyI9l;;64FOnY&Ttz#DRh7 zuOGM;Mk{rdc4u(*RMpDE`$<(r@79AO0O1IgkABcTrTmUXKx{D!}ZyIjoVSuMi8XR-X$(3E{@Ic2u;YJtPoAb_5MV_(Lo-NmF9@}x8FQM;|_Z9 zH(Ww9-1WWrH6>4Jw;lUZJUHe$Fvo}g*(XW}RsC5L7{Us^KbQ6Bb3s}m;29nJvv*AO z*C50$U12ZAf7QyN!M`G9BYsjy@-hxfJAG+>>8PpE(D#7TzXJj%yL%q*FO~J88Bwsw z6O#{6YR4KcOmO=9{>DWZ$d2Kj5byro)1H@`&kM%)_clBP*@N)`3rZ7Kk{y6RMti%` zXUds{&#@x~k^Jjvw6dH|;;Y-fv9^7`9)YXcx^9!bR!=$9_Sc{ubyf)2^L#XGMrNcX zIW(kYJsSO4@i$AJCg|ytN!Fs_5url;xv;n5UmE=xPdPq!OsN5HzdivXe=XlA%4*|C7oyKeF=xh-UTruS{b>Pj4ai$^DciCaJhet4Hj7(7#s zDf@)52N-;sJxI~S2QT0YXYI|*AUa`EP+NLJ0?1ojUu9{leZjS}ki4$B(jwhMKR=Xd zu+G~1WV=Ud&;Mxv$7s=Cvbt=%Yq2tkep8TDxho|O@0~~;oI@TN-z$F~S87wPAH#f# z6~#$gk!--JRz+c6#p(uOxffcmEhzrL65f-=Fa)U&K0axvpA~5F>OWva8mb@y{BcawA9h>K+z*K|@K`HNreD z(%2R+FFj|$;Kvt6kQb7XXZ)vM>*Biaxm)RLK9!^42`b*Mi*IE0 zI}>owiKMDT?ykXd^}?!@>*&Yjj{A1Vin;Y0kV*R?^-`=fC)^W0<$uECvJChh?idMI zvZ1u1Fo_HEh~hN^eLohC2Y2&$C1tisnn916WU1Eg9SL<}o{M$LM1LlY4J~Sq`vjKf zlmVgDT>r)j3j(3S6VENz85B zQT3hL0OIiMm=g0q}zsWWB`nA-gKO_yyh 
ze7^C1;%eB!JEz>y`M#q%(kQ%P@!Tg#x9qD1TbRBPWRB(KyQB?o(tOSKqtI^Gyc@h^ zZgIPPU;2(2n1F>CnMXEYZ}BSFEOI&OYVC9KdS|ju%u$agn^|a^f~jfS+Hpj?)Tz0o ztesDX4q(b0Xw^jhA?DHyr6mLziiT?*j&kwVGweJ-47Jn0KU7)uV7bZFOos`|*)c;)QF z2gwk?+9l*p^hk)^#u{d3*K1eohfK_(x60Jt!td|LIpgDg!8Y8+U;VTm7B1F z#L1<8VCm_Sl^csO@+>s5y<^~iaECT8{3v#P^GXk;^V`{M8MbNGvj z9`?Vs-IWM<>$*hBd4SR2s20u$;FSu9p0Qd2EL>)0Kx2dYxxV#6l`aF~VEFPm>-})9 z$|)v#F;ox6bT;@T3G|=_vE%mRKA!R!<*iB4K zf2{xpkid@+Z8Od~-ZAyp~yF)?5TSj0_hU@_)zI+eZo( z&995q$k^4N?k(ZhJc*9!cZ^vmUlpAfauXE(`e6i;K0!78g7Np`90@m%<(yf% zxF|`-Gm`lrbPb?44F3VT9-u-u*(wnqs7gzV07_Se_lfzXRaSvp8rj7t3$#hoS5^s!tF zB4k`pu3%77O3@mwD0(dCIG10Uc!8i~midm7PjtxO6qyrH)6=>2xQX}p<+CEycjj8V zujJp&>#6m0au_Omd5)S+q_!Xcl5a6Am=$#`Sj6UgAirLdr$wM+7FKcKz{}2KZBsG3j{wE zHS_ii&kpl0%3lFSrA=PY)C4(i6<{p)SW$gef%=!z0Beo-vps4-=kLSO+@)^H6apj* z4w~{M;QJMxJBKqB4b4SuATay*?q4QM+|=){{`K9MljWow3k|Z&ruPyBsO~^|F8Kc+ z)R%M`^Ml;m5+#p-r#2n|#pZq1=L-Om$4E{$5h$D`2Mh#8_D=+yd%!0HKH9$>K8G(r z?ErgnW6=RH)hE#?N-NysZ|{quueq`M_KZ`aG_ED_gOC)(zIikE?IFS>5Pzr}Zs z5=Xyhk%(PQ)(y)VnK4UNHCEGerT%q3mk7wp(8Ig@rwFu zd&zvPFvZa&PN<})s!CIU&$EaGAja-`fUaiufgD!&&CpAe%Q>Nvy%k@|pbSz)d`rll zA5Gqvnb9YnA-;<;a$75~)F&o}PbnogI}NjzJ^Y)u+~B&YO4As1r_u7Z#YPiM7jyYz zN*oUv@kwqoo;>wcxTi*L?}uEj)+p>9+`jQQ`TRn|T0$*J1}k9;e(IfW2GOPbCQ91u zm^${I1WIyK+eIeLPB{okasNIahzBT12$D7Qf5^znqZ6ZhGC>E5oV|xfxW*cQc=T{# zKDE{so8?5Cwulxk7+JxBW2q;i<%8P73QusEl}7`V>jwdCRdtE@LIg*gm(1{~Yd(s- zS|R^rz9t;XZG294(NOs0h?Jgz{M(c)fgR&!f~rE^?~mSLJ-($XrL27Wyf4RBdvJG( zCU0&ebM1G%fcY8kZ>lP6cx{Ncie4bHZTn0>btil>_roxm$<|&Z6WdwdtB=0>DQy1q zV;?rka^8!=mMLG~x)TANwOCJB8p+b;k=eSVoquva_fCVXIWGpWDJST$phA5#jVX_xh;8MS+ z(7hS_E@Y%_m_y@Hl4xNfjyOBpr$z_;rQn(8I4mk$B-b=r;|8~#0W0*{YzmUH1kTRJ zIK5vSDwiLK8PAcPOTEJi3x8CoUXLXdPWikY$l+3QP)%2Bv_XE(OaWZytlMmb&#fk! 
z^Nfg$d6X`OrkrHk0Ml)_XgjBruTS|VAE?fO)iQVeR)7XeS|DOV>+8U>f>w{q6y-&# z?D`9~QP-|z1$bEb&h&)V6LeODcGHY$sjmuGA!k%}3=xZ$t^E?C1ko)=+riccex3Sa zlv?ino`FToGNVI)bo%ti_^q<}3e%q}#xV-!b2T10WgH9*10qJUV+5XSL{!m}mJUm7 zO*sC?%f8R~ZAfRVQUz|bg!wIhubcaAVy#u%M8`4~9}UUYo_f}ei6@^`6OTMi#%NTF zRnCKJabCj0OgAF2o{@eVBVW7Q`v@;RNa?^uUz?Qr#Cg*JPEILVvC_AN8*dNHvNwYco#=Gur_kO8+VAfRFawN}TLF6T>=Sp2#Iar$lDHPV3O@d)nRN&SjRGe2aOagE?@ z1D|HKNRQEMdD9Kg+>N^YA1M&|<#n~S!R0F0%9g)5KB~w6@I`1-GoiWraaL(posUm8 zJF+m@wWPzr5(Mw5Kp_ZC2s<8E6IKvk-}hNNN{3B}uZk|J>`nS*z#qo8Q%rc|63c~2 zwWp6`?QDOIZ0N**1|JCpuIt%OK7Mc`qRcOa;7y5+ma#q+&g9WSdGqLG>q%k{GHHQh zf3Cvb@{70Ry&vTG;vr9Uoz2g0Xu8JeHhAfq-+aLq)U>_vCs|0!`{p<@<%qv^Tk@=O z4aoy%l;xY=R)Lsg=1ef!_KbFWG+Z@L_U(d&!@FWfpW6`67N(w8%3|8Ru@&GkqL&ch zwu{GXp_GQb3+JV`!rL>9*=3zSY5KS}Ae)v@r5Sg^Wc7;7izCW*eTbS2n{#jAb)TJV zf2}LYN^-XNtQgt;LTh|v+l`kQ=e?n@{VaN6*F43kXi`xWD_%OmP(9)psH5c=+0b2! z4Y#Wpt!Evvcx^ND**{H-n9wT%9U;mW_P6aTi|S{kWIr-w&+(P-f2T^cF)n)c<%L|6 z<1ApXW)5%UI6L&CK(BWEJ(hB&2r$fzT-d@2jc71u*^qfxM=xPcgq?*o0#ifuw1>u9 z1Ffu$8Igm)3wW)5%xn{F%ZI2);}Lh-DDyM179`h@2p5w`#XT?UEiZCq9!73teU_wV zWGXwfnDWN2#t7efCdS^qU(ouIL`_Hg3O#hQ9IlGJoLJk7^)(mXc;UafG;sr0W%eXM zvr5qK`n^X+HD#{gU;dhISkb`fSC$U=DHQ?2UE$j*U2{?!Me?fRb&FG(?zZQnd>i>n zk*`-`qEd1mMKaDZ!Rt9--euz8aMP2{kGwOTpH>bw5e9A(78fl^cQ;%LiBCu zegY6vJJMNrPQ0m@Vd!y}+$g!ZdQ}rg@{V%vuAWAEr6w&h2dNW%JXZRa6RRfpHP%?B z^)OzgspZhE%{dXMytZ^o?Zb>4)~_8g;^y^>z1@I?@ioe;`|b-IbE9GTPzG>!b#DF- z2adUh!I@hc_^j8J7pqZvp&VcArVc~U9{Ieo^w%1qO(;sv zjZVBV(yB;%dz*MREA_WhR;dKp8oj`d-7nQ-t>O|>k8@uV{7@u#3;S^fycCJqy19R{ zbk4@F?n{lC{;g@zrY9rt6tWWTMI;OyWm~&9;-IlUjvaU^>1YfpQgY-ga`Ltf4NR*T zP>mb6ymzUe-F$F+)NmQ9;U0DVXCd+WaxLqPft}jq+Mnxkks1fg@u>P0jt zPU2bFD$}|Ja}r0no!_s9qo2$8XNTM(&l*c>g8>2OVWcC|5KT0Nzb@1>7*Dt8z6}Ca zuJIFEJ=#^E7+Y<8v-g6_=(6nWpaq_+mNyI7%~$xohU|Dn@GggwERJGmM)N-zEL;@} zFXZq3rK-HSc>b>@s#_U3CGx6G(>0LZi{oN zl>_fqou?=AmKmoQTbWnR1_*t>RWL72Wc>VGDL_qY3-aYY@^b5PV%G1Q-GS@wyMrvZ z9iOCmUfve5Kaz(nEZz^lYkhW7o=x5{o%z##6+EV00(BP!*9Pj4@IJbKM-Q_z+j?Dn 
zIVxju<#=&}@e*p8Pl@!qtw=U~xfHBO&pwCR9uM~+egE86^e!oQGP$6?`EGgB!Z>X) z-J_(Ej{5>`Xn{e0Xi2R+XeR;U(Mog08X*NZV{x+Lk zxaxOa@tuI}8se!3MU$xe5hE|GOkrof)blHi<7{-voSWrIT>S5A?qHT?-+a5)b2VkA z6=n2psc&~=``UZH`-PXcmM_)rhR&b6mH1TIgF@NL+L|U!QTmB53^%TRm`Ef%!zxto zpp?^pMAs&Jv+Tt>e3+c5#0c&Lx2EkCrK(@yRA-#3WA$2c<8INK9qJDpy$>sx8b)n9 zluX9*gT3IE05=T&w8pJ+HdWev=v#|ul9ZCPf|izXc?WUf;=z+dvlB4`|ERdX#w2*MNar2+DaAh3xg8_3%B#Qed}~1;B9Ex?Xcojd!w9>Vlg9+;y9D?%yUpI46M1v zg)t`SVji#fCG8~3G~ISbOlx)6b0d}~{Exf}+|-E)Ffjxhh#*>>JsxXYx#rhcbI(Sx?_4V*M5 z1)J+BsLF|)@o>zq;^%r_J@IUF2|dZ}W;eL~v;{n-Q;MyxS#l{{3|>k!$Ft2@ODuY; zY!1PzjJWM%*kQ8m$BPM*ODdecU)>*ZICx9EeA#d+_sKYypRyzNEHc8dt6Hxs zJX6?4^!v}7TP|WDy!-K>Qf$8n!KK?vlQ9+V7ntr!@l){qM4U8zk`Pcn1%>WeY=rbz zgFr`D$JR@i+>Egl(ngWy{&J+`;7!{YYQ$6U7PWuoo?*fRE}562!l zC@Qe7gMP(e`Rt(ruolis^UK7s24;#VDimGTEZAJr#Rse>a4GKV$*v?I3K8z+=vVQ= zg_pv46!qAfZqg{^3Vk}x!lOuVc#xUFOeg%p-l+eh(}a#rQ}Bd;Sv2QpXRT9S;VjXO-vBLdra`c$OZM9rQmAlLXK}_JEx5$%VO5(vXphUJK|Y9oOh>Intdx%}m<7iq^vK`%d8&-QR4|1|m8_zS9R`3!bco zVh5s-$Adm z2DeH(KcW3#usqMWcu&imbOZo-*6smj8O^KvFMAK2Pd^J@ma+DuWZ<`?b#a0HGhxg}*go zfRX~fp_Ew{JU*Zl##cP*Ci3Kabtj1!Y;n`g)a`Yohp9MYAf!BS)t7~DhrLz+Fr;{M za3EmE@1-Kn5NdZ5?(R3=&0P8$9bIQ#jc+Lq+iFZiC zNI}wytJ~U>GGe+BjDOZpK@~0?#1+uSjDYOk3w56H)uTMtCR)=47FxHPgxk2sb=z)t z0_&-xaJkv@?8#$ayg+o0y+r{cvn>JT!_w7{@GilcO$?9k@r2hCWIB^*wjA zpo0mma+C%ez=rFYjk!SE-#hyxqQhWF)(S=7lvZU>rXod76^@NYnDXA0L2|v=|ArI1 zwYKlC66aSLvT9scg(`xh_>*n(`oF${z^x~bYOIVIZVcYlqT%6=#RP8P9XF(IE>}v=Y-hK%L2QoPE8hJfS~2KV|T3Y9uY3m1Kuc zpYU0C?<{qcxzl#LSd}lZPTaq4by$}aDWg*Fv!O$X)2#AU6<2n&s#q7UuOw)MCtqbc z?;I)>7gNx6u2?{+A8DFz(D=r2y-TqvMpzyN3vwJX&h0j7F%UKwnu5<ZX@#NxPJ zKM5y2Cv%OmPOrH}!>w{U{Fz=b84IErbdz#lzSKNYI(LjmL}dHKLh-fo&K!lw7+GFqEYL8KtgW*@X-WTt8ni6_O~X2PdBrj#woCbH;hi6K@((kFXP=W=M`4?Ex?E6L;zy3 zCg;ZcEfUYMoK&B^2jS-@t{PYj6yF%I>u`8P!8&?kEZZn`IdZRX{bO^E&e$(9akV+# z%}dU)KCbSh8@3TLXm9N1C^YwKBHL{PYsEGa>-3JwctAP!7&`NiGN-sCL0KIFO|7->ZMt z(x{ah*$*9_lx7VzdQCl+)6!xQ20_RRD{4$Sd(Ep~s6rgIk>q^qsGzg!`(_r;N=H3-9 
From 5bc2b8ec7bc15a97a852b57c8555cc4720f37c3e Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Thu, 19 Dec 2019 15:28:37 -0800 Subject: [PATCH 010/188] 1643831-windowsdocs-configmgr-rebrand_LK --- .../ltsc/whats-new-windows-10-2015.md | 597 +++++++++--------- 1 file changed, 299 insertions(+), 298 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index b2e5edb37f..80c78d4413 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,298 +1,299 @@ ---- -title: What's new in Windows 10 Enterprise 2015 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2015 LTSC - -**Applies to** -- Windows 10 Enterprise 2015 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - -## Deployment - -### Provisioning devices using Windows Imaging and Configuration Designer (ICD) - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) - -## Security - -### Applocker - -Applocker was available for Windows 8.1, and is improved with Windows 10. 
See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. - -Enhancements to Applocker in Windows 10 include: - -- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). - -### Bitlocker - -Enhancements to Applocker in Windows 10 include: - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. 
Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." - -[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). - -### Certificate management - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. 
After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. - -### Security auditing - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -#### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. 
If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -#### More info added to existing audit events - -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -#### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -#### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -#### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. 
**MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -#### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -#### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. 
In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -#### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -#### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. - -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). - -### Trusted Platform Module - -#### New TPM features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support -- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support -- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support - -### Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. 
With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. - -[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). - -### User Account Control - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). - -In Windows 10, User Account Control has added some improvements: - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. 
- -[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). - -### VPN profile options - -Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: - -- Always-on auto connection behavior -- App=triggered VPN -- VPN traffic filters -- Lock down VPN -- Integration with Microsoft Passport for Work - -[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) - - -## Management - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -### MDM support - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) - -### Unenrollment - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. 
- -### Infrastructure - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - - > **Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). - - -### Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. -- A portable device that drivers can use to check a route on a map. -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). - -### Customized Start layout - -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). - -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). - -## Updates - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. 
Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). - - -Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). - -## Microsoft Edge - -Microsoft Edge is not available in the LTSC release of Windows 10. - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). 
+ +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. 
In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. 
As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. 
For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. 
Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. 
**TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. 
The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. 
+Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). 
+ +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. 
+ +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + + +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. 
Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge is not available in the LTSC release of Windows 10. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + From f27bc3752460cb5b466ef5042d0a5428e68bd8f3 Mon Sep 17 00:00:00 2001 From: LauraKellerGitHub Date: Thu, 19 Dec 2019 17:36:15 -0800 Subject: [PATCH 011/188] scorecard terminology corrections --- .../ltsc/whats-new-windows-10-2015.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 80c78d4413..3749ad2dce 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md 
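Review bot: In the added "New fields in the process creation event" section, the opening sentence reads "The logon event ID 4688", which looks copied from the 4624 section above it; it should say "The process creation event ID 4688". The list entry "[Added new fields in the process creation event](#bkmk-logon)" also reuses the logon anchor and needs its own target. Smaller fixes in the same added text: "Univeral Windows Platform", "recover URL", "how manage UAC", "App=triggered VPN", the doubled period after "The domain of the target user", and the double slash in "/windows/device-security/tpm//trusted-platform-module-overview".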
@@ -60,11 +60,11 @@ Enhancements to Applocker in Windows 10 include: For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) -### Microsoft Passport +### Windows Live ID -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. +In Windows 10, [Windows Live ID service](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. 
+Windows Live ID service lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Windows Live ID service enrollment, a Windows Live ID service is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Windows Live ID service to authenticate users and help them to access protected resources and services. ### Security auditing @@ -117,7 +117,7 @@ The logon event ID 4624 has been updated to include more verbose information to A list of all of the groups in the user's token. 6. **RestrictedAdminMode** String: yes or no If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + For more info on restricted admin mode, see [Restricted Admin mode for RDP](https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). #### New fields in the process creation event 
@@ -174,7 +174,7 @@ Event ID 6416 has been added to track when an external device is detected throug The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Windows Live ID](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support - [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support @@ -212,7 +212,7 @@ Windows 10 provides a set of VPN features that both increase enterprise security - App=triggered VPN - VPN traffic filters - Lock down VPN -- Integration with Microsoft Passport for Work +- Integration with Windows Live ID for Work [Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) 
@@ -264,9 +264,9 @@ You can also [configure a lockdown state](https://technet.microsoft.com/itpro/wi Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). -### Customized Start layout +### Start layout -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). +A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). 
@@ -280,7 +280,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility + Security E3](https://go.microsoft.com/fwlink/p/?LinkId=699281). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). From 8548ff01cff59d13e58a59e4cdd06beedd289945 Mon Sep 17 00:00:00 2001 
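Review bot: In the @@ -60,11 hunk of PATCH 011, the replacement of "Microsoft Passport" with "Windows Live ID service" does not fit the text it lands in: the link still targets /windows/access-protection/hello-for-business/hello-identity-verification, and the paragraph describes an enrolled device plus a Windows Hello gesture or PIN. It also produces "a Windows Live ID service is set up on the user's device", which does not read as a sentence. Please confirm the intended product name against the linked topic before merging; the same substitution recurs in the @@ -174,7 hunk.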
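Review bot: In the @@ -212,7 hunk of PATCH 011, the context line "App=triggered VPN", two lines above the changed bullet, still carries the "=" typo and could be corrected to "App-triggered VPN" in the same change. The new bullet "Integration with Windows Live ID for Work" should also be checked against the linked vpn-profile-options topic, since the commit message gives no source for the new term.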
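Review bot: In the @@ -264,9 hunk of PATCH 011, dropping "customized" from the heading and the first sentence weakens the section: the paragraph is still about administrators configuring a partial layout, and its link text still reads "customize and export Start layout". Renaming the heading to "### Start layout" may also change the heading's generated anchor, so inbound links to the old heading should be checked.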
From: LauraKellerGitHub Date: Fri, 20 Dec 2019 14:47:14 -0800 Subject: [PATCH 012/188] thirty files config mgr rebrand --- ...hell-cmdlets-windows-defender-antivirus.md | 4 +- .../use-wmi-windows-defender-antivirus.md | 2 +- ...d-protection-windows-defender-antivirus.md | 12 +- ...indows-defender-antivirus-compatibility.md | 2 +- .../windows-defender-offline.md | 4 +- ...rt-windows-defender-application-control.md | 12 +- ...s-defender-application-control-policies.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- .../types-of-devices.md | 2 +- ...ication-control-policy-design-decisions.md | 2 +- ...control-with-intelligent-security-graph.md | 2 +- ...lication-control-with-managed-installer.md | 6 +- .../reqs-wd-app-guard.md | 2 +- .../wd-app-guard-overview.md | 4 +- .../wdsc-device-performance-health.md | 2 +- .../wdsc-hide-notifications.md | 2 +- .../windows-defender-security-center.md | 4 +- ...sed-root-of-trust-helps-protect-windows.md | 2 +- ...sed-root-of-trust-helps-protect-windows.md | 2 +- .../windows-security-baselines.md | 4 +- .../get-support-for-security-baselines.md | 2 +- .../windows-security-baselines.md | 4 +- .../ltsc/whats-new-windows-10-2015.md | 24 +- .../ltsc/whats-new-windows-10-2016.md | 357 +++++++++--------- .../ltsc/whats-new-windows-10-2019.md | 4 +- ...ts-new-windows-10-version-1507-and-1511.md | 12 +- .../whats-new-windows-10-version-1703.md | 2 +- .../whats-new-windows-10-version-1803.md | 2 +- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-1909.md | 2 +- 30 files changed, 243 insertions(+), 242 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 326511d75c..45180f8c80 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -30,9 +30,9 @@ For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 0e88dfd58b..bac24170b6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -31,7 +31,7 @@ Windows Defender Antivirus has a number of specific WMI classes that can be used The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. -Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. +Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index e1d2d9c8e9..f05dbf11e6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -60,10 +60,10 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. +The following table describes the differences in cloud-delivered protection between recent versions of Windows and Microsoft Endpoint Configuration Manager. -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune +Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ---|---|---|---|---|---|--- Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version 
@@ -76,8 +76,8 @@ You can also [configure Windows Defender AV to automatically receive new protect Topic | Description ---|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. -[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. +[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. +[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. 
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running withMicrosoft Endpoint Configuration Manager and Group Policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 369ebfe876..64efaa5752 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -57,7 +57,7 @@ See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-ant >[!IMPORTANT] >Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. > ->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through System Center Configuration Manager. +>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. > >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4187645c2e..45d2f577d4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md 
@@ -57,7 +57,7 @@ See the [Manage Windows Defender Antivirus Security intelligence updates](manag In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -71,7 +71,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. -![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) +![Microsoft Endpoint Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) ## Configure notifications diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 765289825b..1accae5758 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md 
@@ -143,7 +143,7 @@ To sign the existing catalog file, copy each of the following commands into an e 5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions. + For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager. Doing this also simplifies the management of catalog versions. ## Add a catalog signing certificate to a Windows Defender Application Control policy 
@@ -217,9 +217,9 @@ To simplify the management of catalog files, you can use Group Policy preference Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy. -## Deploy catalog files with System Center Configuration Manager +## Deploy catalog files with Microsoft Endpoint Configuration Manager -As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: +As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: >[!NOTE] >The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. 
@@ -292,9 +292,9 @@ After you create the deployment package, deploy it to a collection so that the c Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,. -## Inventory catalog files with System Center Configuration Manager +## Inventory catalog files with Microsoft Endpoint Configuration Manager -When catalog files have been deployed to the computers within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. +When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. >[!NOTE] >A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. 
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment, 9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. -At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: +At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: 1. Open the Configuration Manager console, and select the Assets and Compliance workspace. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index ef6e327975..6054e9f6bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md 
@@ -27,7 +27,7 @@ ms.date: 05/03/2018 Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy. > [!NOTE] -> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file. +> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file. To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session: diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 9633a7cf60..33582e68a9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -62,7 +62,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | -| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. | +| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. 
This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index d6e8fa89a5..cc4ad5d2e3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md 
@@ -43,7 +43,7 @@ Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. > [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) +> Microsoft Endpoint Configuration Manager was previously known as Microsoft Endpoint Configuration Manager (SCCM) Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 87a4942ff4..6b431212ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -48,7 +48,7 @@ The first step is to define the desired "circle-of-trust" for your WDAC policies For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Microsoft Endpoint Configuration Manager (previously known as System Center Configuration Manager (SCCM)), uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow SCCM and its dependencies, sets the managed installer policy rule, and additionally configures SCCM as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the SCCM administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for SCCM's native WDAC integration. +Microsoft Endpoint Configuration Manager (previously known as Microsoft Endpoint Configuration Manager (SCCM)), uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow SCCM and its dependencies, sets the managed installer policy rule, and additionally configures SCCM as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the SCCM administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for SCCM's native WDAC integration. The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22df45d2a2..1990f0a738 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -38,7 +38,7 @@ After that initial download and installation, the WDAC component will check for The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. >[!NOTE] ->Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. +>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index e22de90c86..c3a6983cd6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -1,6 +1,6 @@ --- title: Authorize apps deployed with a WDAC managed installer (Windows 10) -description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. +description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 
@@ -28,7 +28,7 @@ ms.date: 06/13/2018 Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). This is especially true for enterprises with large, ever changing software catalogs. -Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. +Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution. ## How does a managed installer work? 
@@ -159,7 +159,7 @@ Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). ## Security considerations with managed installer Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. -It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. +It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 9496c86d29..e514735967 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -41,4 +41,4 @@ Your environment needs the following software to run Windows Defender Applicatio |--------|-----------| |Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| -|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index aa8c80886a..390bee5992 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -32,9 +32,9 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern Application Guard has been created to target several types of systems: -- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. - **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 2669eb3ab6..16cf8c2443 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md 
@@ -24,7 +24,7 @@ manager: dansimp - Windows 10, version 1703 and later -The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). +The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 875fd5bfae..b8a43788fb 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -47,7 +47,7 @@ You can only use Group Policy to change these settings. ## Use Group Policy to hide non-critical notifications -You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerours or you have other status reporting on a larger scale (such as Update Compliance or System Center Configuration Manager reporting). +You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerours or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting). This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index af8816db71..4938625700 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -72,7 +72,7 @@ You can find more information about each section, including options for configur ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. ## How the Windows Security app works with Windows security features @@ -98,7 +98,7 @@ The Windows Security app operates as a separate app or process from each of the It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. +Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] > Individually disabling any of the services will not disable the other services or the Windows Security app. 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index a7def9d5fd..cba2a4eb17 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -82,5 +82,5 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md index d91fbb98a5..a17ad45ab9 100644 
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md @@ -83,5 +83,5 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def ![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 30b70df2a4..34077fff4c 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md 
@@ -51,7 +51,7 @@ In modern organizations, the security threat landscape is constantly evolving, a You can use security baselines to: - Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. +- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. ## Where can I get the security baselines? @@ -73,7 +73,7 @@ You may also be interested in this msdn channel 9 video: ## See Also -- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Microsoft Endpoint Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) - [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) - [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/) - [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 6ef956ed10..175026482e 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md 
@@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Configuration Manager (SCCM) DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 723c0bfe49..29c80c909e 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -51,7 +51,7 @@ In modern organizations, the security threat landscape is constantly evolving, a You can use security baselines to: - Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. +- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. ## Where can I get the security baselines? 
@@ -73,7 +73,7 @@ You may also be interested in this msdn channel 9 video: ## See Also -- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) +- [Microsoft Endpoint Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) - [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/) - [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) - [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 3749ad2dce..3453b80131 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md 
@@ -34,11 +34,11 @@ With Windows 10, you can create provisioning packages that let you quickly and e ## Security -### Applocker +### AppLocker -Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. +AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. -Enhancements to Applocker in Windows 10 include: +Enhancements to AppLocker in Windows 10 include: - A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. 
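Review bot: the rewritten AppLocker paragraph still links to `/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md`, a site-absolute path that keeps the `.md` extension, while the other site-absolute AppLocker link visible in this file (`/windows/device-security/applocker/applocker-overview`) has none. Since the line is being touched anyway, make the link style consistent with the rest of the file. The trailing context bullet also reads "configuration service provider was add to allow you"; "was added" could be corrected in the same pass.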
@@ -46,9 +46,9 @@ Enhancements to Applocker in Windows 10 include: [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). -### Bitlocker +### BitLocker -Enhancements to Applocker in Windows 10 include: +Enhancements to AppLocker in Windows 10 include: - **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. - **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. 
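Review bot: under the `### BitLocker` heading the new intro line still reads "Enhancements to AppLocker in Windows 10 include:", so the change fixes the capitalization but keeps the wrong product name. The bullets that follow describe BitLocker behaviour (Device Encryption, recovery key escrow to Azure Active Directory, DMA port protection), so the line should read "Enhancements to BitLocker in Windows 10 include:".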
@@ -60,11 +60,11 @@ Enhancements to Applocker in Windows 10 include: For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) -### Windows Live ID +### Microsoft Passport -In Windows 10, [Windows Live ID service](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. -Windows Live ID service lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Windows Live ID service enrollment, a Windows Live ID service is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Windows Live ID service to authenticate users and help them to access protected resources and services. 
+Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. ### Security auditing @@ -174,7 +174,7 @@ Event ID 6416 has been added to track when an external device is detected throug The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) -- [Windows Live ID](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support - [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support @@ -212,7 +212,7 @@ Windows 10 provides a set of VPN features that both increase enterprise security - App=triggered VPN - VPN traffic filters - Lock down VPN -- Integration with Windows Live ID for Work +- Integration with Microsoft Passport for Work [Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) 
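Review bot: in the VPN feature list, the context bullet two lines above the changed entry reads "App=triggered VPN", which looks like a typo for "App-triggered VPN" and is worth fixing while this list is being edited. The changed entry itself ("Integration with Microsoft Passport for Work") is consistent with the renames in the earlier hunks of this file.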
@@ -270,7 +270,7 @@ A standard Start layout can be useful on devices that are common to multiple use Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). -## Updates +## Updates Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. @@ -280,7 +280,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility + Security E3](https://go.microsoft.com/fwlink/p/?LinkId=699281). +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). 
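Review bot: the "Use with existing tools" bullet now mixes naming eras: it keeps "Microsoft Endpoint Configuration Manager" but replaces "Enterprise Mobility + Security E3" with the older "Enterprise Mobility Suite". If the intent is to restore the product names that were current for the 2015 release (as with the Microsoft Passport changes earlier in this file), state that in the commit message and apply it consistently; otherwise keep the current product name here.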
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 683b980e8f..727cc608be 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md 
@@ -1,178 +1,179 @@ ---- -title: What's new in Windows 10 Enterprise 2016 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2016 LTSC - -**Applies to** -- Windows 10 Enterprise 2016 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. - -## Deployment - -### Windows Imaging and Configuration Designer (ICD) - -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. 
[Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) - -Windows ICD now includes simplified workflows for creating provisioning packages: - -- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) -- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) - -[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - -### Windows Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -## Security - -### Credential Guard and Device Guard - -Isolated User Mode is now included with Hyper-V so you don't have to install it separately. - -### Windows Hello for Business - -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: - -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. -- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. 
-- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - - -[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) - -### Bitlocker - -#### New Bitlocker features - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. - -### Security auditing - -#### New Security auditing features - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -### Trusted Platform Module - -#### New TPM features - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). 
- -### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) - -[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) - -### Windows Defender - -Several new features and management options have been added to Windows Defender in this version of Windows 10. - -- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. 
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. - -### Windows Defender Advanced Threat Protection (ATP) - -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. - -[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -### VPN security - -- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. 
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. - -## Management - -### Use Remote Desktop Connection for PCs joined to Azure Active Directory - -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) - -### Taskbar configuration - -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) - -### Mobile device management and configuration service providers (CSPs) - -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). - -### Shared PC mode - -This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. 
You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) - -### Application Virtualization (App-V) for Windows 10 - -Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. - -With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. - -[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) - -### User Experience Virtualization (UE-V) for Windows 10 - -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. - -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. - -With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. 
If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. - -[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. - +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. 
[Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. 
+- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### BitLocker + +#### New BitLocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). 
+ +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. 
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. 
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. 
You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. 
If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 4c6f69c1a2..2eb8961b72 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -417,7 +417,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro ### Co-management -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) 
@@ -482,7 +482,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m ### Optimize update delivery -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 7cfd7c2c0d..c688e4952a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
@@ -42,9 +42,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). -### Bitlocker +### BitLocker -#### New Bitlocker features in Windows 10, version 1511 +#### New BitLocker features in Windows 10, version 1511 - **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. It provides the following benefits: @@ -52,7 +52,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -#### New Bitlocker features in Windows 10, version 1507 +#### New BitLocker features in Windows 10, version 1507 
@@ -278,7 +278,7 @@ Enterprises have the following identity and management choices. |---|---| | Identity | Active Directory; Azure AD | | Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | +| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | >[!NOTE]   >With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). 
@@ -325,9 +325,9 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). +- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). 
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 71c7f06847..1a4c0d57c0 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -195,7 +195,7 @@ We recently added the option to download Windows 10 Insider Preview builds using ### Optimize update delivery -With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. 
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index e13290b34f..051d5d4b6e 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -134,7 +134,7 @@ Portions of the work done during the offline phases of a Windows update have bee ### Co-management -**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +**Intune** and **Microsoft Endpoint Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 45feb23e75..f13c8d694c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update ## Servicing -- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! - [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. 
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index a9384caf8b..89e6ad37a5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -32,7 +32,7 @@ If you are updating from an older version of Windows 10 (version 1809 or earlier ### Windows Server Update Services (WSUS) -Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. System Center Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). +Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. From c6a5dadd2fea0c1d2f70dfc1132d8ff54a99b90b Mon Sep 17 00:00:00 2001 
From: LauraKellerGitHub Date: Fri, 20 Dec 2019 18:40:05 -0800 Subject: [PATCH 013/188] fifteen files for system config rebrand --- ...ially-unwanted-apps-windows-defender-antivirus.md | 10 +++++----- ...le-cloud-protection-windows-defender-antivirus.md | 4 ++-- ...event-based-updates-windows-defender-antivirus.md | 4 ++-- ...-outdated-endpoints-windows-defender-antivirus.md | 4 ++-- ...ion-update-schedule-windows-defender-antivirus.md | 2 +- ...-protection-updates-windows-defender-antivirus.md | 10 +++++----- ...e-updates-baselines-windows-defender-antivirus.md | 2 +- ...es-to-security-settings-with-tamper-protection.md | 6 +++--- .../report-monitor-windows-defender-antivirus.md | 2 +- ...review-scan-results-windows-defender-antivirus.md | 2 +- .../run-scan-windows-defender-antivirus.md | 2 +- ...uled-catch-up-scans-windows-defender-antivirus.md | 2 +- ...ud-protection-level-windows-defender-antivirus.md | 4 ++-- ...tune-config-manager-windows-defender-antivirus.md | 6 +++--- ...ft-cloud-protection-windows-defender-antivirus.md | 12 ++++++------ 15 files changed, 36 insertions(+), 36 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 0013143d29..43e244ba36 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -79,7 +79,7 @@ The notification will appear in the usual [quarantine list within the Windows Se #### Configure PUA protection in Windows Defender Antivirus -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. 
@@ -94,14 +94,14 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic ##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with version 1606. +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. ##### Use Group Policy to configure PUA protection @@ -133,7 +133,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use #### View PUA events -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. You can turn on email notifications to receive mail about PUA detections. 
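Review bot: In the `@@ -94,14` hunk of detect-block-potentially-unwanted-apps-windows-defender-antivirus.md, the rewritten "See [How to create and deploy antimalware policies: Scheduled scans settings]" line labels the link "Scheduled scans settings", but its URL fragment is `#real-time-protection-settings`. Since the line is being touched anyway, make the label and the fragment name the same section, so readers land where the text says they will.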
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 328b3fc5a0..6d7e496eec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -28,7 +28,7 @@ ms.custom: nextgen Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. 
@@ -62,7 +62,7 @@ For more information about Intune device profiles, including how to create and c **Use Configuration Manager to enable cloud-delivered protection:** -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). **Use Group Policy to enable cloud-delivered protection:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index c238f05823..20d523d368 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
@@ -27,11 +27,11 @@ Windows Defender Antivirus allows you to determine if updates should (or should ## Check for protection updates before running a scan -You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. +You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. ### Use Configuration Manager to check for protection updates before running a scan -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index fabe399119..9a6e186de0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md 
@@ -35,7 +35,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie ### Use Configuration Manager to configure catch-up protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -164,7 +164,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 0185b12a58..c67fd41aa8 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -36,7 +36,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index f76c49cd91..e84e13a57e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
@@ -52,11 +52,11 @@ There are five locations where you can specify where an endpoint should obtain u - [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq) - [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) -- [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates) - [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview) - [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.) -To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, System Center Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. +To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads. 
> [!IMPORTANT] > If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services). 
@@ -70,11 +70,11 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.| +|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| |Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| -You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. +You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). 
@@ -113,7 +113,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use PowerShell cmdlets to manage the update location diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 775068abed..40bc802e34 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md 
@@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [ Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 817ec8cbb1..c9f0ee3311 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
@@ -141,15 +141,15 @@ Value DisableRealtimeMonitoring = 0 Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune. -### Can I configure Tamper Protection in System Center Configuration Manager? +### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -Currently we do not have support to manage Tamper Protection through System Center Configuration Manager. +Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. ### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune? Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 16f606bbae..b454b8490d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 78fed4d5d4..7e8c703d2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- title: Review the results of Windows Defender AV scans -description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app +description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 66db88455e..4db84ce762 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -41,7 +41,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to ## Use Configuration Manager to run a scan -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. ## Use the mpcmdrun.exe command-line utility to run a scan diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index e49771c6ae..82c22fd0a3 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -31,7 +31,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index e6b6bf10d0..0480d91f4e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -23,7 +23,7 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. +You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. @@ -47,7 +47,7 @@ For more information about Intune device profiles, including how to create and c ## Use Configuration Manager to specify the level of cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ## Use Group Policy to specify the level of cloud-delivered protection 
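Review bot: The added line in the `@@ -47,7` hunk writes "Microsoft Endpoint Configuration Manager (current branch)" in lower case, while the detect-block-potentially-unwanted-apps hunks in this same patch write "(Current Branch)". Pick one capitalization for the whole rebrand so that a later search for the product name finds every page.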
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 6ed604307a..df5a122dda 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Windows Defender Antivirus with Configuration Manager and Intune -description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -17,13 +17,13 @@ ms.reviewer: manager: dansimp --- -# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus +# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. +If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index e1d2d9c8e9..c263d97a41 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -60,10 +60,10 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager. +The following table describes the differences in cloud-delivered protection between recent versions of Windows and Microsoft Endpoint Configuration Manager. -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune +Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ---|---|---|---|---|---|--- Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version 
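Review bot: In the table header of the `@@ -60,10` hunk only the "(Current Branch)" column is renamed. The neighbouring column still reads "System Center Configuration Manager 2012", and the sentence above the table now says it compares Windows versions with "Microsoft Endpoint Configuration Manager" only. If the 2012 name is kept on purpose, say so in the commit message and word the intro sentence so it covers both columns, for example by referring to "Configuration Manager".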
@@ -76,8 +76,8 @@ You can also [configure Windows Defender AV to automatically receive new protect Topic | Description ---|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. -[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. +[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. +[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. 
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. +[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. From 96f2accf27e11730caf9f7016ed12ce46cc3d487 Mon Sep 17 00:00:00 2001 
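Review bot: the rewritten "Configure the block at first sight feature" row carries over a defect from the line it replaces: `traditional Security intelligence .` has a stray space before the period and reads as if a word is missing after "Security intelligence". The line is already being touched for the product rename, so fix the sentence in the same change rather than copying it forward.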
From: LauraKellerGitHub Date: Sat, 21 Dec 2019 05:58:13 -0800 Subject: [PATCH 014/188] adding updated files to PR --- ...types-windows-defender-antivirus - Copy.md | 104 +++++ ...sight-windows-defender-antivirus - Copy.md | 166 ++++++++ ...sions-windows-defender-antivirus - Copy.md | 366 ++++++++++++++++++ ...tions-windows-defender-antivirus - Copy.md | 130 +++++++ ...tions-windows-defender-antivirus - Copy.md | 106 +++++ ...sions-windows-defender-antivirus - Copy.md | 199 ++++++++++ ...ation-windows-defender-antivirus - Copy.md | 72 ++++ ...dows-defender-antivirus-features - Copy.md | 49 +++ ...scans-windows-defender-antivirus - Copy.md | 37 ++ ...eport-windows-defender-antivirus - Copy.md | 85 ++++ ...eploy-windows-defender-antivirus - Copy.md | 38 ++ ...-apps-windows-defender-antivirus - Copy.md | 149 +++++++ ...ction-windows-defender-antivirus - Copy.md | 143 +++++++ 13 files changed, 1644 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md create mode 100644 
windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..1ec92d64e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,104 @@ +--- +title: Configure scanning options for Windows Defender AV +description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). +keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 10/25/2018 +ms.reviewer: +manager: dansimp + +--- + +# Configure Windows Defender Antivirus scanning options + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +**Use Microsoft Intune to configure scanning options** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + + + +**Use Configuration Manager to configure scanning options:** + +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +**Use Group Policy to configure scanning options** + +To configure the Group Policy settings described in the following table: + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class +---|---|---|--- +See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` +Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available +Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` + Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` +Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` +Scan packed executables | Scan > Scan packed executables | Enabled | Not available +Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` +Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available + Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. 
| Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` + Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available + Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available + +>[!NOTE] +>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. + +**Use PowerShell to configure scanning options** + +See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use WMI to configure scanning options** + +For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). + +### Email scanning limitations + +We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. + +Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. + +You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. 
The following file format types can be scanned and remediated: + +- DBX +- MBX +- MIME + +PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. + +If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: + +- Email subject +- Attachment name + +>[!WARNING] +>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: +> +> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) +> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) + +## Related topics + +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..1fb5ff7d26 --- /dev/null 
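Review bot: `configure-advanced-scan-types-windows-defender-antivirus - Copy.md` is created from `/dev/null` under a ` - Copy.md` name, as are the other 12 files in the stat, while the links inside the added text (for example `configure-extension-file-exclusions-windows-defender-antivirus.md`) use the names without that suffix. If the commit is meant to update existing topics, as the subject line suggests, apply the changes to those files instead of adding copies with spaces in the path. Within the hunk, the first table row reads `See [Email scanning limitations](#ref1)) below`, which has an extra closing parenthesis, and the front matter sets `ms.pagetype: security` twice. The table also pairs a "Default setting" column that describes the Group Policy state (`Turn on e-mail scanning | Disabled`) with `-Disable*` PowerShell parameters of opposite polarity; one sentence above the table saying which of the two the default refers to would keep readers from setting `-DisableEmailScanning` the wrong way round.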
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,166 @@ +--- +title: Enable Block at First Sight to detect malware in seconds +description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. +keywords: scan, BAFS, malware, first seen, first sight, cloud, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.reviewer: +manager: dansimp +ms.custom: nextgen +--- + +# Enable block at first sight + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. + +You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. + +>[!TIP] +>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. + +## How it works + +When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. 
The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. + +Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) + +In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. + +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. + +If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. + +In many cases, this process can reduce the response time for new malware from hours to seconds. + +## Confirm and validate that block at first sight is enabled + +Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. + +### Confirm block at first sight is enabled with Intune + +1. 
In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. + + > [!NOTE] + > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. + +2. Verify these settings are configured as follows: + + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** + + ![Intune config](images/defender/intune-block-at-first-sight.png) + + > [!WARNING] + > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). + +For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). + +### Enable block at first sight with SCCM + +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. + +2. Click **Home** > **Create Antimalware Policy**. + +3. Enter a name and a description, and add these settings: + - **Real time protection** + - **Advanced** + - **Cloud Protection Service** + +4. 
In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + ![Enable real-time protection](images/defender/sccm-real-time-protection.png) + +5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) + +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. + ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) + +7. Click **OK** to create the policy. + + +### Confirm block at first sight is enabled with Group Policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: + + - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + + - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + + > [!WARNING] + > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. + +4. 
In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: + + 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. + + 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. + +If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. + +### Confirm block at first sight is enabled with the Windows Security app + +You can confirm that block at first sight is enabled in Windows Settings. + +Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. + +### Confirm Block at First Sight is enabled on individual clients + +1. Open the Windows Security app by clicking the shield icon in the task bar. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +> [!NOTE] +> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
+ +### Validate block at first sight is working + +You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). + +## Disable block at first sight + +> [!WARNING] +> Disabling block at first sight will lower the protection state of the endpoint and your network. + +You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. + +### Disable block at first sight with Group Policy + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. + +4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. + + > [!NOTE] + > Disabling block at first sight will not disable or alter the prerequisite group policies. + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6ab53e6c67 --- /dev/null 
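Review bot: in `configure-block-at-first-sight-windows-defender-antivirus - Copy.md`, step 5 of the Configuration Manager procedure repeats step 4 word for word under a different page name: `Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**`. That looks like a copy-paste; step 5 should list the settings that are actually on the Advanced page, otherwise an administrator following the procedure cannot tell which prerequisite is left unconfigured. Two smaller points in the same hunk: the section heading still says "with SCCM" while step 1 says Microsoft Endpoint Configuration Manager, and "How it works" says a hash of "the .exe file" is checked immediately after stating that non-portable executable files are covered as well.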
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,366 @@ +--- +title: Configure and validate exclusions based on extension, name, or location +description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. +keywords: exclusions, files, extension, file type, folder name, file name, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 12/10/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure and validate exclusions based on file extension and folder location + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!IMPORTANT] +> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). + +## Exclusion lists + +You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. 
+ +> [!NOTE] +> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. + +This topic describes how to configure exclusion lists for the files and folders. + +Exclusion | Examples | Exclusion list +---|---|--- +Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions +Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions +A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions +A specific process | The executable file `c:\test\process.exe` | File and folder exclusions + +Exclusion lists have the following characteristics: + +- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. +- File extensions will apply to any file name with the defined extension if a path or folder is not defined. + +>[!IMPORTANT] +>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> +>You cannot exclude mapped network drives. You must specify the actual network path. +> +>Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. 
+ +To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). + +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). + +>[!IMPORTANT] +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Security app **will not show** in the Group Policy lists. + +By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
+ +## Configure the list of exclusions based on folder name or file extension + +### Use Intune to configure file name, folder, or file extension exclusions + +See the following articles: +- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) +- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) + +### Use Configuration Manager to configure file name, folder, or file extension exclusions + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +### Use Group Policy to configure folder or file extension exclusions + +>[!NOTE] +>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + +4. Double-click the **Path Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. + +5. 
Click **OK**. + + ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) + +6. Double-click the **Extension Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. + +7. Click **OK**. + + ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) + + + +### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions + +Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). + +The format for the cmdlets is: + +```PowerShell + - "" +``` + +The following are allowed as the \: + +Configuration action | PowerShell cmdlet +---|--- +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove item from the list | `Remove-MpPreference` + +The following are allowed as the \: + +Exclusion type | PowerShell parameter +---|--- +All files with a specified file extension | `-ExclusionExtension` +All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` + +>[!IMPORTANT] +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
+ +For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension: + +```PowerShell +Add-MpPreference -ExclusionExtension ".test" +``` + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). + +### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions + +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +ExclusionExtension +ExclusionPath +``` + +The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. + +For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). + + + +### Use the Windows Security app to configure file name, folder, or file extension exclusions + +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + + +## Use wildcards in the file name and folder path or extension exclusion lists + +You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. + +>[!IMPORTANT] +>There are key limitations and usage scenarios for these wildcards: +> +>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. 
+>- You cannot use a wildcard in place of a drive letter. +>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. + +The following table describes how the wildcards can be used and provides some examples. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
+
    +
  1. C:\MyData\*.txt
  2. +
  3. C:\somepath\*\Data
  4. +
  5. C:\Serv\*\*\Backup +
+
+
    +
  1. C:\MyData\notes.txt
  2. +
  3. Any file in: +
      +
    • C:\somepath\Archives\Data and its subfolders
    • +
    • C:\somepath\Authorized\Data and its subfolders
    • +
    +
  4. Any file in: +
      +
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • +
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • +
    +
+
+ ? (question mark) + + Replaces a single character.
+ Only applies to files in the last folder defined in the argument. +
+ Replaces a single character in a folder name.
+ After matching the number of wild carded and named folders, all subfolders will also be included. +
+
    +
  1. C:\MyData\my?.zip
  2. +
  3. C:\somepath\?\Data
  4. +
  5. C:\somepath\test0?\Data
  6. +
+
+
    +
  1. C:\MyData\my1.zip
  2. +
  3. Any file in C:\somepath\P\Data and its subfolders
  4. +
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. +
+
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. +
    +
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. +
+
+
    +
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. +
+
+ +>[!IMPORTANT] +>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> +>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. +> +>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. + + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list using one of the following methods: +- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) +- MpCmdRun +- PowerShell +- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) + +>[!IMPORTANT] +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +> +>Changes made in the Windows Security app **will not show** in the Group Policy lists. + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. 
+ +### Validate the exclusion list by using MpCmdRun + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + +In the following example, the items contained in the `ExclusionExtension` list are highlighted: + +![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). 
+ +### Retrieve a specific exclusions list by using PowerShell + +Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: + +```PowerShell +$WDAVprefs = Get-MpPreference +$WDAVprefs.ExclusionExtension +$WDAVprefs.ExclusionPath +``` + +In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: + +![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) + +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). + + + +## Validate exclusions lists with the EICAR test file + +You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. + +In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. + +```PowerShell +Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" +``` + +If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). 
+ +You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: + +```PowerShell +$client = new-object System.Net.WebClient +$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") +``` + +If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command: + +```PowerShell +[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*') +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Related topics + +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..39f0cb02b4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,130 @@ +--- +title: Configure and validate Windows Defender Antivirus network connections +description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. +keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 10/08/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure and validate Windows Defender Antivirus network connections + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. + +This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. + +See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. 
+ +>[!TIP] +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> +>- Cloud-delivered protection +>- Fast learning (including block at first sight) +>- Potentially unwanted application blocking + +## Allow connections to the Windows Defender Antivirus cloud service + +The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. + +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. + +After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. + +Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. 
Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. + + +| **Service**| **Description** |**URL** | +| :--: | :-- | :-- | +| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| +| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | +| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| + +## Validate connections between your network and the cloud + +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. + +**Use the cmdline tool to validate cloud-delivered protection:** + +Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: + +```DOS +"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection +``` + +> [!NOTE] +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. + +For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). + +**Attempt to download a fake malware file from Microsoft:** + +You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. + +Download the file by visiting the following link: +- https://aka.ms/ioavtest + +>[!NOTE] +>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. 
+ +If you are properly connected, you will see a warning Windows Defender Antivirus notification: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) + +If you are using Microsoft Edge, you'll also see a notification message: + +![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) + +A similar message occurs if you are using Internet Explorer: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) + +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: + + ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) + +3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: + + ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) + +>[!NOTE] +>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). + +The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). + +>[!IMPORTANT] +>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. 
+ +## Related articles + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) + +- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) + +- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..03afa1681f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,106 @@ +--- +title: Configure Windows Defender Antivirus notifications +description: Configure and customize Windows Defender Antivirus notifications. +keywords: notifications, defender, antivirus, endpoint, management, admin +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure the notifications that appear on endpoints + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. + +Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. + +You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. + +## Configure the additional notifications that appear on endpoints + +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. + +> [!NOTE] +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. + +> [!IMPORTANT] +> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
+ +**Use the Windows Security app to disable additional notifications:** + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. + +4. Slide the switch to **Off** or **On** to disable or enable additional notifications. + +**Use Group Policy to disable additional notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. + +5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +## Configure standard notifications on endpoints + +You can use Group Policy to: + +- Display additional, customized text on endpoints when the user needs to perform an action +- Hide all notifications on endpoints +- Hide reboot notifications on endpoints + +Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
+ +> [!NOTE] +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). + +See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. + +**Use Group Policy to hide notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +**Use Group Policy to hide reboot notifications:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. 
+ +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..79e9d90a7b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus - Copy.md @@ -0,0 +1,199 @@ +--- +title: Configure exclusions for files opened by specific processes +description: You can exclude files from scans if they have been opened by a specific process. +keywords: Windows Defender Antivirus, process, exclusion, files, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 12/10/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure exclusions for files opened by processes + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. + +This topic describes how to configure exclusion lists for the following: + + + +Exclusion | Example +---|--- +Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:

  • c:\sample\test.exe
  • d:\internal\files\test.exe
+Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
+Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe + +When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). + +The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. + +Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. + +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. + +You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. + +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
+ +## Configure the list of exclusions for files opened by specified processes + + + +### Use Microsoft Intune to exclude files that have been opened by specified processes from scans + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +### Use Group Policy to exclude files that have been opened by specified processes from scans + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + +4. Double-click **Process Exclusions** and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. + 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + +5. Click **OK**. 
+ +![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) + + + +### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans + +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). + +The format for the cmdlets is: + +```PowerShell + -ExclusionProcess "" +``` + +The following are allowed as the \: + +Configuration action | PowerShell cmdlet +---|--- +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove items from the list | `Remove-MpPreference` + +>[!IMPORTANT] +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. + +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: + +```PowerShell +Add-MpPreference -ExclusionProcess "c:\internal\test.exe" +``` + +See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans + +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +ExclusionProcess +``` + +The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. + +See the following for more information and allowed parameters: + +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) + + + +### Use the Windows Security app to exclude files that have been opened by specified processes from scans + +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + + + +## Use wildcards in the process exclusion list + +The use of wildcards in the process exclusion list is different from their use in other exclusion lists. + +In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. + +The following table describes how the wildcards can be used in the process exclusion list: + +Wildcard | Use | Example use | Example matches +---|---|---|--- +\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
+? (question mark) | Not available | \- | \- +Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
+ + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. + +### Validate the exclusion list by using MpCmdRun + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + + +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +### Retrieve a specific exclusions list by using PowerShell + +Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: + +```PowerShell +$WDAVprefs = Get-MpPreference +$WDAVprefs.ExclusionProcess +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +## Related articles + +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..7b22fa2f60 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,72 @@ +--- +title: Remediate and resolve infections detected by Windows Defender Antivirus +description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +keywords: remediation, fix, remove, threats, quarantine, scan, restore +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure remediation for Windows Defender Antivirus scans + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. + +This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. + +## Configure remediation options + +You can configure how remediation works with the Group Policy settings described in this section. + +To configure these settings: + +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled +Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days +Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) +Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed +Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable +Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. 
You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable + +> [!IMPORTANT] +> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +>

+> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). +>

+> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). + +Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. + +## Related topics + +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md new file mode 100644 index 0000000000..3532148261 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features - Copy.md 
@@ -0,0 +1,49 @@ +--- +title: Configure Windows Defender Antivirus features +description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Configure Windows Defender Antivirus features + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can configure Windows Defender Antivirus with a number of tools, including: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets +- Windows Management Instrumentation (WMI) + +The following broad categories of features can be configured: + +- Cloud-delivered protection +- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection +- How end-users interact with the client on individual endpoints + +The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). + +You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help. 
+ +## In this section +Topic | Description +:---|:--- +[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection +[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection +[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..b0b2030e32 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,37 @@ +--- +title: Run and customize scheduled and on-demand scans +description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network. +keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. + +## In this section + +Topic | Description +---|--- +[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning +[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. 
You can also enable network file scanning +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..295d507e65 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,85 @@ +--- +title: Deploy, manage, and report on Windows Defender Antivirus +description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI +keywords: deploy, manage, update, protection, windows defender antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Deploy, manage, and report on Windows Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. + +Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. + +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. + +You'll also see additional links for: + +- Managing Windows Defender Antivirus protection, including managing product and protection updates +- Reporting on Windows Defender Antivirus protection + +> [!IMPORTANT] +> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. 
+ +Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options +---|---|---|--- +Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) +Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][] +PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] +Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. 
You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. + +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) + +2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) + +3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. 
[(Return to table)](#ref2) + +[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role +[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies +[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients +[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client +[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection +[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts +[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune +[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection + [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection +[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection +[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection +[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474 +[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474 +[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321 +[Windows Defender WMIv2 Provider]: 
https://msdn.microsoft.com/library/dn439477 +[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md +[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature +[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index +[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md +[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md +[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx +[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices +[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md + +## In this section + +Topic | Description +---|--- +[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. +[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. 
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6f8dd3363b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,38 @@ +--- +title: Deploy and enable Windows Defender Antivirus +description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 09/03/2018 +ms.reviewer: +manager: dansimp +--- + +# Deploy and enable Windows Defender Antivirus + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. + +See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). + +Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. + +The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). 
+ +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..43e244ba36 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,149 @@ +--- +title: Block potentially unwanted applications with Windows Defender Antivirus +description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: detect +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +audience: ITPro +ms.date: 10/02/2018 +ms.reviewer: +manager: dansimp +--- + +# Detect and block potentially unwanted applications + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) + +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. + +For example: + +* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
+ +For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). + +Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. + +## How it works + +### Microsoft Edge + +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). + +#### Enable PUA protection in Chromium-based Microsoft Edge + +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. + +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off + +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). + +#### Blocking URLs with Windows Defender SmartScreen + +In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. + +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. 
There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can +[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. + +Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. + +### Windows Defender Antivirus + +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. + +> [!NOTE] +> This feature is only available in Windows 10. + +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. + +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. + +The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). 
+ +#### Configure PUA protection in Windows Defender Antivirus + +You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. + +You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. + +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. + +PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. + +##### Use Intune to configure PUA protection + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +##### Use Configuration Manager to configure PUA protection + +PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch), starting with version 1606. + +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). + +For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). + +> [!NOTE] +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. + +##### Use Group Policy to configure PUA protection + +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus**. + +4. Double-click **Configure protection for potentially unwanted applications**. + +5. Select **Enabled** to enable PUA protection. + +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. + +##### Use PowerShell cmdlets to configure PUA protection + +Use the following cmdlet: + +```PowerShell +Set-MpPreference -PUAProtection +``` + +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. + +Setting `AuditMode` will detect PUAs without blocking them. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +#### View PUA events + +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. + +You can turn on email notifications to receive mail about PUA detections. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. + +#### Allow-listing apps + +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. 
See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. + +## Related articles + +- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md new file mode 100644 index 0000000000..6d7e496eec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus - Copy.md 
@@ -0,0 +1,143 @@ +--- +title: Enable cloud-delivered protection in Windows Defender Antivirus +description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.reviewer: +manager: dansimp +ms.custom: nextgen +--- + +# Enable cloud-delivered protection + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. + +Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) + +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
+ +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. + +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. + +>[!NOTE] +>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. + +**Use Intune to enable cloud-delivered protection** + +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: + + - **Send safe samples automatically** + - **Send all samples automatically** + + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. 
Files that are likely to contain personal information will still prompt and require additional confirmation. + + > [!WARNING] + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. + +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) + +**Use Configuration Manager to enable cloud-delivered protection:** + +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). + +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 2. 
**Send all samples** (3) + + >[!NOTE] + >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +7. Click **OK**. + +**Use PowerShell cmdlets to enable cloud-delivered protection:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -MAPSReporting Advanced +Set-MpPreference -SubmitSamplesConsent AlwaysPrompt +``` + +>[!NOTE] +>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ +**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: + +```WMI +MAPSReporting +SubmitSamplesConsent +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) + +**Enable cloud-delivered protection on individual clients with the Windows Security app** + +> [!NOTE] +> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +>[!NOTE] +>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
+ +## Related topics + +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] +- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) +- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From d239a9a2977246a7c86e54749ae92d59bb4ac6c2 Mon Sep 17 00:00:00 2001 
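Review bot: deploy-windows-defender-antivirus - Copy.md is added as a new file, as are the other two files in this part of the patch whose names end in " - Copy.md". The name pattern suggests copies of existing topics committed by accident, and the diffstat of the following patch (015/188) modifies deploy-windows-defender-antivirus.md, so the original is still in the tree. If the copies are not intended, drop them from the commit. In the body of this file, "Windows Management Instruction (WMI)" should read "Windows Management Instrumentation", and the front matter lists `ms.pagetype: security` twice.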
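Review bot: In detect-block-potentially-unwanted-apps-windows-defender-antivirus - Copy.md, the fenced example `Set-MpPreference -PUAProtection` carries no value, so it cannot be run as shown; the values `Enabled` and `AuditMode` appear only in the two sentences after it. Put the value in the example itself, one line per mode, and state next to each that `Enabled` blocks while `AuditMode` detects without blocking. Two smaller points in the same file: the Configuration Manager link is labelled "Scheduled scans settings" but targets `#real-time-protection-settings`, and the front matter lists `ms.pagetype: security` twice.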
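Review bot: In enable-cloud-protection-windows-defender-antivirus - Copy.md, the PowerShell section contradicts the warnings given in the Intune and Group Policy sections. The example runs `Set-MpPreference -SubmitSamplesConsent AlwaysPrompt`, yet both warnings say that Always Prompt lowers the protection state of the device, and the note under the example mixes `None`, `Never` and the number 2 without saying which setting each one maps to. Please change the example to one of the settings the other sections recommend (send safe samples or send all samples) and restate the note with the same names and numbers used in the Group Policy steps, so a reader who copies the cmdlet does not end up with a weaker configuration or with Block at First Sight not functioning. Also, the Group Policy step lists **Send safe samples** (1) while the note under it refers to **Send safe samples automatically**, and the Intune link in Related topics ends with a stray `]`.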
From: LauraKellerGitHub Date: Thu, 26 Dec 2019 13:20:04 -0800 Subject: [PATCH 015/188] thirty files for system center rebranding to msft endpoint --- .../configure-endpoints.md | 6 +++--- .../configure-server-endpoints.md | 2 +- .../controlled-folders.md | 2 +- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders.md | 4 ++-- .../enable-exploit-protection.md | 6 +++--- .../enable-network-protection.md | 4 ++-- .../evaluate-controlled-folder-access.md | 2 +- .../microsoft-defender-atp/management-apis.md | 2 +- .../minimum-requirements.md | 2 +- .../next-gen-threat-and-vuln-mgt.md | 6 +++--- .../offboard-machines.md | 2 +- .../threat-and-vuln-mgt-scenarios.md | 2 +- .../troubleshoot-onboarding.md | 10 +++++----- .../tvm-dashboard-insights.md | 2 +- .../microsoft-defender-atp/tvm-remediation.md | 2 +- .../tvm-security-recommendation.md | 4 ++-- ...g-the-health-of-windows-10-based-devices.md | 2 +- ...ent-reference-windows-defender-antivirus.md | 4 ++-- ...ed-scan-types-windows-defender-antivirus.md | 2 +- ...t-first-sight-windows-defender-antivirus.md | 2 +- ...le-exclusions-windows-defender-antivirus.md | 4 ++-- ...k-connections-windows-defender-antivirus.md | 2 +- ...notifications-windows-defender-antivirus.md | 2 +- ...le-exclusions-windows-defender-antivirus.md | 8 ++++---- ...e-remediation-windows-defender-antivirus.md | 2 +- ...gure-windows-defender-antivirus-features.md | 6 +++--- ...mediate-scans-windows-defender-antivirus.md | 2 +- ...manage-report-windows-defender-antivirus.md | 18 +++++++++--------- .../deploy-windows-defender-antivirus.md | 4 ++-- 30 files changed, 60 insertions(+), 60 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index bff2f62710..8c9156855a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -1,7 +1,7 @@ --- title: Onboarding tools and methods for Windows 10 machines description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor -keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune +keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -31,7 +31,7 @@ Machines in your organization must be configured so that the Microsoft Defender The following deployment tools and methods are supported: - Group Policy -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager - Mobile Device Management (including Microsoft Intune) - Local script 
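Review bot: In the front-matter hunk of configure-endpoints.md, the keywords line replaces `system center configuration manager` with `endpoint configuration manager` while keeping `sccm`. Consider keeping the former product name next to the new one in keywords so that searches on the old name still reach this page, and use the full `microsoft endpoint configuration manager` so the keyword matches the bullet changed in the second hunk.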
@@ -39,7 +39,7 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines. -[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines. +[Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines. [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine. [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 08b54bfbe4..a7ba0b85ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -129,7 +129,7 @@ Once completed, you should see onboarded servers in the portal within an hour. To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. > [!NOTE] -> The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). +> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). Supported tools include: - Local script diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index b751dd036f..2575fc6499 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
@@ -25,7 +25,7 @@ ms.custom: asr - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 80c8e25156..74618f9e83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -33,7 +33,7 @@ You can enable attack surface reduction rules by using any of these methods: * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#sccm) * [Group Policy](#group-policy) * [PowerShell](#powershell) @@ -101,7 +101,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ## SCCM -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 40cbdce038..fa3b8c47bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md 
@@ -30,7 +30,7 @@ You can enable controlled folder access by using any of these methods: * [Windows Security app](#windows-security-app) * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#sccm) * [Group Policy](#group-policy) * [PowerShell](#powershell) @@ -80,7 +80,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## SCCM -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 2. Click **Home** > **Create Exploit Guard Policy**. 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 0f325b3497..5c0bfb97a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -34,7 +34,7 @@ You can enable each mitigation separately by using any of these methods: * [Windows Security app](#windows-security-app) * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#sccm) * [Group Policy](#group-policy) * [PowerShell](#powershell) 
@@ -128,9 +128,9 @@ CFG will be enabled for *miles.exe*. Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. -## SCCM +## Microsoft Endpoint Configuration Manager -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. 1. Enter a name and a description, click **Exploit protection**, and click **Next**. 1. Browse to the location of the exploit protection XML file and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 7f23be0e27..bea514cd5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -30,7 +30,7 @@ You can enable network protection by using any of these methods: * [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mdm) -* [System Center Configuration Manager (SCCM)](#sccm) +* [Microsoft Endpoint Configuration Manager](#sccm) * [Group Policy](#group-policy) * [PowerShell](#powershell) 
@@ -51,7 +51,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d ## SCCM -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. 1. Enter a name and a description, click **Network protection**, and click **Next**. 1. Choose whether to block or audit access to suspicious domains and click **Next**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 5f8fc8a0da..da28a46770 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -46,7 +46,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 30bbd5efe4..5ec46afedd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -29,7 +29,7 @@ Microsoft Defender ATP supports a wide variety of options to ensure that custome Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. -Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. +Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index aaf95f6065..aaf2910af8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -180,7 +180,7 @@ For more information, see [Windows Defender Antivirus compatibility](../windows- ## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 98d455063a..4e86aca1f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md 
@@ -30,12 +30,12 @@ It helps organizations discover vulnerabilities and misconfigurations in real-ti ## Next-generation capabilities Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. -It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager. It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager +- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager ### Real-time discovery 
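Review bot: The added sentence under "Next-generation capabilities" reads "Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager", with "Microsoft" doubled. The old "Microsoft System Center ..." prefix was left in place when the new product name was substituted. Drop one "Microsoft" so the sentence matches the renamed bullet later in the same hunk, which correctly reads "Microsoft Intune and Microsoft Endpoint Configuration Manager".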
@@ -55,7 +55,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those ### Seamless remediation Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. +- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 7d9e52a115..ea9ee7efc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
@@ -34,7 +34,7 @@ Follow the corresponding instructions depending on your preferred deployment met ## Offboard Windows 10 machines - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) -- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) +- [Offboard machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 13b98ef44d..85a326840f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -42,7 +42,7 @@ Ensure that your machines: > RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) > 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) -- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905 +- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. - Have at least one security recommendation that can be viewed in the machine page - Are tagged or marked as co-managed 
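Review bot: In threat-and-vuln-mgt-scenarios.md the replaced onboarding bullet drops the concrete console requirement ("the latest May version 1905") and now says only "update your console to the latest version", which changes the documented prerequisite rather than just renaming the product. If 1905 is still the minimum, keep it stated (for example "version 1905 or later"); if the requirement is intentionally removed, that belongs in its own change with a commit message that says so.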
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 53233130eb..1dbb422ba5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -40,15 +40,15 @@ If you have completed the onboarding process and don't see machines in the [Mach If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. -### Troubleshoot onboarding issues when deploying with System Center Configuration Manager -When onboarding machines using the following versions of System Center Configuration Manager: +### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager +When onboarding machines using the following versions of Microsoft Endpoint Configuration Manager: - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager -- System Center Configuration Manager (current branch) version 1511 -- System Center Configuration Manager (current branch) version 1602 +- Microsoft Endpoint Configuration Manager (current branch) version 1511 +- Microsoft Endpoint Configuration Manager (current branch) version 1602 -Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. +Deployment with the above-mentioned versions of Microsoft Endpoint Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. If the deployment fails, you can check the output of the script on the machines. 
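Review bot: The last added line of this hunk says "Microsoft Endpoint Center Configuration Manager", with a leftover "Center" from the old name; it should read "Microsoft Endpoint Configuration Manager". The version list above it is also now mixed: the two "System Center 2012 ..." entries keep the old name while the 1511 and 1602 entries are renamed, so the intro line "the following versions of Microsoft Endpoint Configuration Manager" no longer describes half of its own list. Pick one naming for the list and make the intro agree with it.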
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 07bd73d2d2..ad666ba5b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -26,7 +26,7 @@ ms.topic: conceptual Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) +- Built-in remediation processes through Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager (SCCM) You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 1d7a8392e8..bc7f405cb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -1,6 +1,6 @@ --- title: Remediation and exception -description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 186b46eb57..b7a682c886 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -25,9 +25,9 @@ ms.date: 04/11/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. +The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment. +Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. ## The basis of the security recommendation Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time. 
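Review bot: The first changed paragraph rewrites "cybersecurity" as "cyber security", which is unrelated to the product rename this patch is making and adds a spelling change to a paragraph that otherwise has no rename in it. Revert that line, or move it (together with the "collect" to "collects" grammar fix in the second paragraph) into a separate editorial commit so the rename stays mechanical and easy to review.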
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 1f3bb33e56..d726f7ff56 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -279,7 +279,7 @@ SAWs are computers that are built to help significantly reduce the risk of compr To protect high-value assets, SAWs are used to make secure connections to those assets. -Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. +Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 7bee1e3696..0f08b94b0f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -26,7 +26,7 @@ manager: dansimp You can manage and configure Windows Defender Antivirus with the following tools: - Microsoft Intune -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager - Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) 
@@ -38,7 +38,7 @@ The topics in this section provide further information, links, and resources for Topic | Description ---|--- -[Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus +[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and Microsoft Endpoint Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus [Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters [Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 5d969e79a9..1ec92d64e6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -32,7 +32,7 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic **Use Configuration Manager to configure scanning options:** -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). **Use Group Policy to configure scanning options** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 47b2f1d42a..1fb5ff7d26 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -73,7 +73,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev ### Enable block at first sight with SCCM -1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. 2. Click **Home** > **Create Antimalware Policy**. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index a1020bef6f..6ab53e6c67 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -77,7 +77,7 @@ See the following articles: ### Use Configuration Manager to configure file name, folder, or file extension exclusions -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ### Use Group Policy to configure folder or file extension exclusions 
@@ -272,7 +272,7 @@ The following table describes how the wildcards can be used and provides some ex You can retrieve the items in the exclusion list using one of the following methods: - [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) - MpCmdRun - PowerShell - [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 0bd81387b5..39f0cb02b4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -43,7 +43,7 @@ The Windows Defender Antivirus cloud service provides fast, strong protection fo >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 6bd6aeb7b2..03afa1681f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md 
@@ -74,7 +74,7 @@ You can use Group Policy to: Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 36714d75c3..79e9d90a7b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
@@ -41,7 +41,7 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. 
@@ -57,9 +57,9 @@ You can [configure how locally and globally defined exclusions lists are merged] See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans +### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). ### Use Group Policy to exclude files that have been opened by specified processes from scans 
@@ -150,7 +150,7 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 9702fdb478..7b22fa2f60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -25,7 +25,7 @@ manager: dansimp When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. -This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index d771955c80..3532148261 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md 
@@ -1,7 +1,7 @@ --- title: Configure Windows Defender Antivirus features -description: You can configure Windows Defender Antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell. -keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -26,7 +26,7 @@ manager: dansimp You can configure Windows Defender Antivirus with a number of tools, including: - Microsoft Intune -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager - Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 4e5666fd45..b0b2030e32 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md 
@@ -34,4 +34,4 @@ Topic | Description [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans [Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app +[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index ad4a8eee3e..295d507e65 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- title: Deploy, manage, and report on Windows Defender Antivirus -description: You can deploy and manage Windows Defender Antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI +description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, windows defender antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -27,7 +27,7 @@ You can deploy, manage, and report on Windows Defender Antivirus in a number of Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. You'll also see additional links for: 
@@ -40,13 +40,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. 
You can generate a list of [Group Policies to determine if any settings or policies are not applied][] -PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] -Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] +PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] +Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). 
You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). 
See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) 
@@ -80,6 +80,6 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by Topic | Description ---|--- -[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects. -[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI. -[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. +[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects. +[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). 
You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI. +[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 9f668be613..6f8dd3363b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Deploy and enable Windows Defender Antivirus -description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. keywords: deploy, enable, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -25,7 +25,7 @@ manager: dansimp Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. -See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). +See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. From 8455c11d969faf5c2b44a45b2426401b6140d84a Mon Sep 17 00:00:00 2001 
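Review bot: In configure-windows-defender-antivirus-features.md, the first hunk (`@@ -1,7 +1,7 @@`) replaces "System Center Configuration Manager" in the `keywords:` front matter instead of adding the new name beside it. Keywords are there for search, and readers who still look for the old product name would stop matching this page. Consider keeping both entries, for example `Config Manager, System Center Configuration Manager, Microsoft Endpoint Configuration Manager, SCCM`. The `description:` change in the same hunk is fine as it stands.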
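Review bot: In deploy-manage-report-windows-defender-antivirus.md, hunk `@@ -40,13 +40,13 @@`, the rewritten footnote 1 still reads "The availability of some functions and features, especially related to cloud-delivered protection, differ between". The subject is "availability", so the verb should be "differs". Since this line is already being changed, fix the agreement in the same edit. Leaving "System Center Configuration Manager 2012" unrenamed in that sentence reads as intentional and is consistent with the rest of the footnote.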
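Review bot: The changed line in deploy-windows-defender-antivirus.md (`@@ -25,7 +25,7 @@`) still expands WMI as "Windows Management Instruction (WMI)". Elsewhere in this patch, in the tools list of configure-windows-defender-antivirus-features.md, the name is given as "Windows Management Instrumentation (WMI)". Correct the expansion on the `+` line while the sentence is being edited, so the rebrand does not carry the typo forward.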
From: LauraKellerGitHub Date: Fri, 27 Dec 2019 05:58:30 -0800 Subject: [PATCH 016/188] Rebrand System Center to Msft Endpoint _ Six --- windows/deployment/mbr-to-gpt.md | 914 +++++++++--------- .../planning/act-technical-reference.md | 97 +- ...oyment-considerations-for-windows-to-go.md | 2 +- ...are-your-organization-for-windows-to-go.md | 2 +- .../windows-10-deprecated-features.md | 2 +- .../windows-10-enterprise-faq-itpro.md | 270 +++--- .../windows-10-infrastructure-requirements.md | 6 +- ...indows-to-go-frequently-asked-questions.md | 2 +- .../planning/windows-to-go-overview.md | 2 +- windows/deployment/update/PSFxWhitepaper.md | 2 +- .../update/feature-update-mission-critical.md | 2 +- windows/deployment/update/index.md | 4 +- windows/deployment/update/waas-branchcache.md | 4 +- .../deployment/update/waas-configure-wufb.md | 4 +- .../update/waas-delivery-optimization.md | 4 +- ...aas-deployment-rings-windows-10-updates.md | 2 +- .../deployment/update/waas-integrate-wufb.md | 8 +- ...as-manage-updates-configuration-manager.md | 24 +- .../update/waas-manage-updates-wsus.md | 6 +- .../update/waas-manage-updates-wufb.md | 4 +- .../deployment/update/waas-mobile-updates.md | 2 +- .../waas-optimize-windows-10-updates.md | 10 +- windows/deployment/update/waas-overview.md | 8 +- windows/deployment/update/waas-quick-start.md | 2 +- ...s-servicing-channels-windows-10-updates.md | 2 +- .../update/waas-servicing-differences.md | 2 +- ...s-servicing-strategy-windows-10-updates.md | 4 +- .../update/waas-wufb-group-policy.md | 2 +- windows/deployment/update/waas-wufb-intune.md | 2 +- .../windows-analytics-FAQ-troubleshooting.md | 4 +- 30 files changed, 702 insertions(+), 697 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index b4ff72ee14..bce6a639b2 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -1,456 +1,458 @@ ---- -title: MBR2GPT -description: How to use the MBR2GPT tool to convert MBR partitions to GPT -keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.date: 02/13/2018 -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# MBR2GPT.EXE - -**Applies to** -- Windows 10 - -## Summary - -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. - ->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. ->The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. - -See the following video for a detailed description and demonstration of MBR2GPT. - - - -You can use MBR2GPT to: - -- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. 
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. -- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. - -Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. - ->[!IMPORTANT] ->After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
Make sure that your device supports UEFI before attempting to convert the disk. - -## Disk Prerequisites - -Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: -- The disk is currently using MBR -- There is enough space not occupied by partitions to store the primary and secondary GPTs: - - 16KB + 2 sectors at the front of the disk - - 16KB + 1 sector at the end of the disk -- There are at most 3 primary partitions in the MBR partition table -- One of the partitions is set as active and is the system partition -- The disk does not have any extended/logical partition -- The BCD store on the system partition contains a default OS entry pointing to an OS partition -- The volume IDs can be retrieved for each volume which has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option - -If any of these checks fails, the conversion will not proceed and an error will be returned. - -## Syntax - - -
MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] -
- -### Options - -| Option | Description | -|----|-------------| -|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | -|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | -|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| -|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| - -## Examples - -### Validation example - -In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. - -``` -X:\>mbr2gpt /validate /disk:0 -MBR2GPT: Attempting to validate disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 -MBR2GPT: Validation completed successfully -``` - -### Conversion example - -In the following example: - -1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. -2. The MBR2GPT tool is used to convert disk 0. -3. The DiskPart tool displays that disk 0 is now using the GPT format. -4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. - ->As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. 
- -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 C System Rese NTFS Partition 499 MB Healthy - Volume 2 D Windows NTFS Partition 58 GB Healthy - Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 2 - -Volume 2 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Primary 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : 07 -Hidden: No -Active: No -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 2 D Windows NTFS Partition 58 GB Healthy - -DISKPART> exit - -Leaving DiskPart... - -X:\>mbr2gpt /convert /disk:0 - -MBR2GPT will now attempt to convert disk 0. -If conversion is successful the disk can only be booted in GPT mode. -These changes cannot be undone! - -MBR2GPT: Attempting to convert disk 0 -MBR2GPT: Retrieving layout of disk -MBR2GPT: Validating layout, disk sector size is: 512 bytes -MBR2GPT: Trying to shrink the system partition -MBR2GPT: Trying to shrink the OS partition -MBR2GPT: Creating the EFI system partition -MBR2GPT: Installing the new boot files -MBR2GPT: Performing the layout conversion -MBR2GPT: Migrating default boot entry -MBR2GPT: Adding recovery boot entry -MBR2GPT: Fixing drive letter mapping -MBR2GPT: Conversion completed successfully -MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! 
- -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 60 GB 0 B * - -DISKPART> select disk 0 - -Disk 0 is now the selected disk. - -DISKPART> list volume - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- - Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy - Volume 1 D Windows NTFS Partition 58 GB Healthy - Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden - Volume 3 FAT32 Partition 100 MB Healthy Hidden - Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden - -DISKPART> select volume 1 - -Volume 1 is the selected volume. - -DISKPART> list partition - - Partition ### Type Size Offset - ------------- ---------------- ------- ------- - Partition 1 Recovery 499 MB 1024 KB -* Partition 2 Primary 58 GB 500 MB - Partition 4 System 100 MB 59 GB - Partition 3 Recovery 612 MB 59 GB - -DISKPART> detail partition - -Partition 2 -Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 -Hidden : No -Required: No -Attrib : 0000000000000000 -Offset in Bytes: 524288000 - - Volume ### Ltr Label Fs Type Size Status Info - ---------- --- ----------- ----- ---------- ------- --------- -------- -* Volume 1 D Windows NTFS Partition 58 GB Healthy -``` - -## Specifications - -### Disk conversion workflow - -The following steps illustrate high-level phases of the MBR-to-GPT conversion process: - -1. Disk validation is performed. -2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. -3. UEFI boot files are installed to the ESP. -4. GPT metatdata and layout information is applied. -5. The boot configuration data (BCD) store is updated. -6. Drive letter assignments are restored. 
- -### Creating an EFI system partition - -For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: - -1. The existing MBR system partition is reused if it meets these requirements:
- a. It is not also the OS or Windows Recovery Environment partition.
- b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
- c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
- d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. -2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. - -If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. - ->[!IMPORTANT] ->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. - -### Partition type mapping and partition attributes - -Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: - -1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). -2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. -3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). -4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). 
- -In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: -- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) -- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) - -For more information about partition types, see: -- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) -- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) - - -### Persisting drive letter assignments - -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. - -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: - -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. -2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. - -## Troubleshooting - -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. 
To view more detail about any errors that are encountered, see the associated [log files](#logs). - -### Logs - -Four log files are created by the MBR2GPT tool: - -- diagerr.xml -- diagwrn.xml -- setupact.log -- setuperr.log - -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. - -The default location for all these log files in Windows PE is **%windir%**. - -### Interactive help - -To view a list of options available when using the tool, type **mbr2gpt /?** - -The following text is displayed: - -``` - -C:\> mbr2gpt /? - -Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. - -MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] - -Where: - - /validate - - Validates that the selected disk can be converted - without performing the actual conversion. - - /convert - - Validates that the selected disk can be converted - and performs the actual conversion. - - /disk: - - Specifies the disk number of the disk to be processed. - If not specified, the system disk is processed. - - /logs: - - Specifies the directory for logging. By default logs - are created in the %windir% directory. - - /map:= - - Specifies the GPT partition type to be used for a - given MBR partition type not recognized by Windows. - Multiple /map switches are allowed. - - /allowFullOS - - Allows the tool to be used from the full Windows - environment. By default, this tool can only be used - from the Windows Preinstallation Environment. 
-``` - -### Return codes - -MBR2GPT has the following associated return codes: - -| Return code | Description | -|----|-------------| -|0| Conversion completed successfully.| -|1| Conversion was canceled by the user.| -|2| Conversion failed due to an internal error.| -|3| Conversion failed due to an initialization error.| -|4| Conversion failed due to invalid command-line parameters. | -|5| Conversion failed due to error reading the geometry and layout of the selected disk.| -|6| Conversion failed because one or more volumes on the disk is encrypted.| -|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| -|8| Conversion failed due to error while creating the EFI system partition.| -|9| Conversion failed due to error installing boot files.| -|10| Conversion failed due to error while applying GPT layout.| -|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| - - -### Determining the partition type - -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: - - -``` -PS C:\> Get-Disk | ft -Auto - -Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style ------- ------------- ------------- ------------ ----------------- ---------- --------------- -0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR -1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT -``` - -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: - -![Volumes](images/mbr2gpt-volume.PNG) - - -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. 
To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: - -``` -X:\>DiskPart - -Microsoft DiskPart version 10.0.15048.0 - -Copyright (C) Microsoft Corporation. -On computer: MININT-K71F13N - -DISKPART> list disk - - Disk ### Status Size Free Dyn Gpt - -------- ------------- ------- ------- --- --- - Disk 0 Online 238 GB 0 B - Disk 1 Online 931 GB 0 B * -``` - -In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - - -## Known issue - -### MBR2GPT.exe cannot run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. - -**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. - -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a System Center Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). 
For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. - - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - **Command 1:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - This command copies three files: - - * ReAgent.admx - * ReAgent.dll - * ReAgent.xml - - **Command 2:** - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - This command copies two files: - * ReAgent.adml - * ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - - -## Related topics - -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +--- +title: MBR2GPT +description: How to use the MBR2GPT tool to convert MBR partitions to GPT +keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.date: 02/13/2018 +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# MBR2GPT.EXE + +**Applies to** +- Windows 10 + +## Summary + +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. + +>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. + +See the following video for a detailed description and demonstration of MBR2GPT. + + + +You can use MBR2GPT to: + +- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. 
+- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. +- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later. + +Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. + +>[!IMPORTANT] +>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
Make sure that your device supports UEFI before attempting to convert the disk. + +## Disk Prerequisites + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The disk does not have any extended/logical partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can be retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. + +## Syntax + + +
MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS] +
+ +### Options + +| Option | Description | +|----|-------------| +|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. | +|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. | +|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| +|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | +|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.| + +## Examples + +### Validation example + +In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**. + +``` +X:\>mbr2gpt /validate /disk:0 +MBR2GPT: Attempting to validate disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 +MBR2GPT: Validation completed successfully +``` + +### Conversion example + +In the following example: + +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. +2. The MBR2GPT tool is used to convert disk 0. +3. The DiskPart tool displays that disk 0 is now using the GPT format. +4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. 
+ +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 C System Rese NTFS Partition 499 MB Healthy + Volume 2 D Windows NTFS Partition 58 GB Healthy + Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 2 + +Volume 2 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Primary 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : 07 +Hidden: No +Active: No +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 2 D Windows NTFS Partition 58 GB Healthy + +DISKPART> exit + +Leaving DiskPart... + +X:\>mbr2gpt /convert /disk:0 + +MBR2GPT will now attempt to convert disk 0. +If conversion is successful the disk can only be booted in GPT mode. +These changes cannot be undone! + +MBR2GPT: Attempting to convert disk 0 +MBR2GPT: Retrieving layout of disk +MBR2GPT: Validating layout, disk sector size is: 512 bytes +MBR2GPT: Trying to shrink the system partition +MBR2GPT: Trying to shrink the OS partition +MBR2GPT: Creating the EFI system partition +MBR2GPT: Installing the new boot files +MBR2GPT: Performing the layout conversion +MBR2GPT: Migrating default boot entry +MBR2GPT: Adding recovery boot entry +MBR2GPT: Fixing drive letter mapping +MBR2GPT: Conversion completed successfully +MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! 
+ +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 60 GB 0 B * + +DISKPART> select disk 0 + +Disk 0 is now the selected disk. + +DISKPART> list volume + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- + Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy + Volume 1 D Windows NTFS Partition 58 GB Healthy + Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden + Volume 3 FAT32 Partition 100 MB Healthy Hidden + Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden + +DISKPART> select volume 1 + +Volume 1 is the selected volume. + +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Recovery 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 4 System 100 MB 59 GB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 +Hidden : No +Required: No +Attrib : 0000000000000000 +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 1 D Windows NTFS Partition 58 GB Healthy +``` + +## Specifications + +### Disk conversion workflow + +The following steps illustrate high-level phases of the MBR-to-GPT conversion process: + +1. Disk validation is performed. +2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. +3. UEFI boot files are installed to the ESP. +4. GPT metatdata and layout information is applied. +5. The boot configuration data (BCD) store is updated. +6. Drive letter assignments are restored. 
+ +### Creating an EFI system partition + +For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: + +1. The existing MBR system partition is reused if it meets these requirements:
+ a. It is not also the OS or Windows Recovery Environment partition.
+ b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
+ c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+ d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed. +2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32. + +If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified. + +>[!IMPORTANT] +>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. + +### Partition type mapping and partition attributes + +Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: + +1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). +2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). 
+ +In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: +- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) +- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) + +For more information about partition types, see: +- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) +- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) + + +### Persisting drive letter assignments + +The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. + +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: + +1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +2. If found, set the value to be the new unique ID, obtained after the layout conversion. +3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. + +## Troubleshooting + +The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. 
To view more detail about any errors that are encountered, see the associated [log files](#logs). + +### Logs + +Four log files are created by the MBR2GPT tool: + +- diagerr.xml +- diagwrn.xml +- setupact.log +- setuperr.log + +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. + +The default location for all these log files in Windows PE is **%windir%**. + +### Interactive help + +To view a list of options available when using the tool, type **mbr2gpt /?** + +The following text is displayed: + +``` + +C:\> mbr2gpt /? + +Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk. + +MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS] + +Where: + + /validate + - Validates that the selected disk can be converted + without performing the actual conversion. + + /convert + - Validates that the selected disk can be converted + and performs the actual conversion. + + /disk: + - Specifies the disk number of the disk to be processed. + If not specified, the system disk is processed. + + /logs: + - Specifies the directory for logging. By default logs + are created in the %windir% directory. + + /map:= + - Specifies the GPT partition type to be used for a + given MBR partition type not recognized by Windows. + Multiple /map switches are allowed. + + /allowFullOS + - Allows the tool to be used from the full Windows + environment. By default, this tool can only be used + from the Windows Preinstallation Environment. 
+``` + +### Return codes + +MBR2GPT has the following associated return codes: + +| Return code | Description | +|----|-------------| +|0| Conversion completed successfully.| +|1| Conversion was canceled by the user.| +|2| Conversion failed due to an internal error.| +|3| Conversion failed due to an initialization error.| +|4| Conversion failed due to invalid command-line parameters. | +|5| Conversion failed due to error reading the geometry and layout of the selected disk.| +|6| Conversion failed because one or more volumes on the disk is encrypted.| +|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.| +|8| Conversion failed due to error while creating the EFI system partition.| +|9| Conversion failed due to error installing boot files.| +|10| Conversion failed due to error while applying GPT layout.| +|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.| + + +### Determining the partition type + +You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: + + +``` +PS C:\> Get-Disk | ft -Auto + +Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style +------ ------------- ------------- ------------ ----------------- ---------- --------------- +0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR +1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT +``` + +You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: + +![Volumes](images/mbr2gpt-volume.PNG) + + +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. 
To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: + +``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + +DISKPART> list disk + + Disk ### Status Size Free Dyn Gpt + -------- ------------- ------- ------- --- --- + Disk 0 Online 238 GB 0 B + Disk 1 Online 931 GB 0 B * +``` + +In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. + + +## Known issue + +### MBR2GPT.exe cannot run in Windows PE + +When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: + +**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive. + +**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. + +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. + +#### Cause + +This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. + +#### Workaround + +To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: + +1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). 
For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). + +2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. + + For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: + + **Command 1:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" + ``` + This command copies three files: + + * ReAgent.admx + * ReAgent.dll + * ReAgent.xml + + **Command 2:** + ```cmd + copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" + ``` + This command copies two files: + * ReAgent.adml + * ReAgent.dll.mui + + > [!NOTE] + > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. + +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). + + +## Related topics + +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) +
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index b40be1932a..b9181ca45d 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md 
@@ -1,48 +1,49 @@ ---- -title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) -description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. -ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Application Compatibility Toolkit (ACT) Technical Reference - - -**Applies to** -- Windows 10, version 1607 - ->[!IMPORTANT] ->We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. - -Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Windows Analytics to get: -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. - -## In this section - -|Topic |Description | -|------|------------| -|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | -|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | -|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. 
| +--- +title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) +description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Application Compatibility Toolkit (ACT) Technical Reference + + +**Applies to** +- Windows 10, version 1607 + +>[!IMPORTANT] +>We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. + +Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Windows Analytics to get: +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager + +The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. + +## In this section + +|Topic |Description | +|------|------------| +|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | +|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | +|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | 
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 022ac067c8..26f0cb8b74 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -60,7 +60,7 @@ DirectAccess can be used to ensure that the user can login with their domain cre ### Image deployment and drive provisioning considerations -The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. +The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Microsoft Endpoint Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. ![windows to go image deployment](images/wtg-image-deployment.gif) diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 6c41d9922c..08cbf28585 100644 
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md 
@@ -55,7 +55,7 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. 
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 72439c1132..4b2d75eae6 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md 
@@ -57,7 +57,7 @@ The features described below are no longer being actively developed, and might b |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 | -|Windows Hello for Business deployment that uses System Center Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 8716d1b086..764b8d1ca5 100644 
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md 
@@ -1,134 +1,136 @@ ---- -title: Windows 10 Enterprise FAQ for IT pros (Windows 10) -description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 08/18/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 Enterprise: FAQ for IT professionals - -Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. - -## Download and requirements - -### Where can I download Windows 10 Enterprise? - -If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). - -### What are the system requirements? - -For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). - -### What are the hardware requirements for Windows 10? - -Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. 
- -### Can I evaluate Windows 10 Enterprise? - -Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. - -## Drivers and compatibility - -### Where can I find drivers for my devices for Windows 10 Enterprise? - -For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. -- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. -- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. -- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. 
Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - -### Where can I find out if an application or device is compatible with Windows 10? - -Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. - -### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? - -[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). 
- -## Administration and deployment - -### Which deployment tools support Windows 10? - -Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. -- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. -- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - -### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? - -Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). - -### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? 
- -If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - -## Managing updates - -### What is Windows as a service? - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). - -### How is servicing different with Windows as a service? - -Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - -### What are the servicing channels? - -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. 
For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). - -### What tools can I use to manage Windows as a service updates? - -There are many tools are available. You can choose from these: -- Windows Update -- Windows Update for Business -- Windows Server Update Services -- System Center Configuration Manager - -For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). - -## User experience - -### Where can I find information about new features and changes in Windows 10 Enterprise? - -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - -Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. - -To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). 
- -### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? - -Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. - -### How does Windows 10 help people work with applications and data across a variety of devices? - -The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: -- Start menu is a launching point for access to apps. -- Universal apps now open in windows instead of full screen. -- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. -- Tablet Mode to simplify using Windows with a finger or pen by using touch input. - -## Help and support - -### Where can I ask a question about Windows 10? - -Use the following resources for additional information about Windows 10. -- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. 
-- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). -- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. -- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. +--- +title: Windows 10 Enterprise FAQ for IT pros (Windows 10) +description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 08/18/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 Enterprise: FAQ for IT professionals + +Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. + +## Download and requirements + +### Where can I download Windows 10 Enterprise? + +If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). 
If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). + +### What are the system requirements? + +For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752). + +### What are the hardware requirements for Windows 10? + +Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. + +### Can I evaluate Windows 10 Enterprise? + +Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + +## Drivers and compatibility + +### Where can I find drivers for my devices for Windows 10 Enterprise? + +For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. +- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. 
If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. +- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. +- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: + - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) + - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + +### Where can I find out if an application or device is compatible with Windows 10? + +Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. 
+ +### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + +[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). + +## Administration and deployment + +### Which deployment tools support Windows 10? + +Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. +- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. 
+ +### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? + +Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). + +### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? + +If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + +## Managing updates + +### What is Windows as a service? + +The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. 
For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). + +### How is servicing different with Windows as a service? + +Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + +### What are the servicing channels? + +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels). + +### What tools can I use to manage Windows as a service updates? + +There are many tools are available. You can choose from these: +- Windows Update +- Windows Update for Business +- Windows Server Update Services +- Microsoft Endpoint Configuration Manager + +For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools). 
+ +## User experience + +### Where can I find information about new features and changes in Windows 10 Enterprise? + +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. + +Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + +To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). + +### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? + +Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. + +### How does Windows 10 help people work with applications and data across a variety of devices? + +The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. 
Key changes include: +- Start menu is a launching point for access to apps. +- Universal apps now open in windows instead of full screen. +- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. +- Tablet Mode to simplify using Windows with a finger or pen by using touch input. + +## Help and support + +### Where can I ask a question about Windows 10? + +Use the following resources for additional information about Windows 10. +- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). +- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. +- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 03fd161f35..3b851ad2ca 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md 
@@ -40,7 +40,7 @@ Significant enhancements in the ADK for Windows 10 include new runtime provisio Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. -For System Center Configuration Manager, Windows 10 support is offered with various releases: +For Microsoft Endpoint Configuration Manager, Windows 10 support is offered with various releases: | Release | Windows 10 management? | Windows 10 deployment? | |---------------------------------------------|------------------------|------------------------------------------------| @@ -50,7 +50,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var > [!NOTE] -> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. +> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.   For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). 
@@ -58,7 +58,7 @@ For more details about System Center Configuration Manager support for Windows  ## Management tools -In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. +In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. 
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 40c4c03e81..77f7cfe31a 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -165,7 +165,7 @@ Yes, if the user has administrator permissions they can self-provision a Windows ## How can Windows To Go be managed in an organization? -Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. +Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. ## How do I make my computer boot from USB? diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index ba83d6224b..dcab3997b1 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md 
@@ -56,7 +56,7 @@ The applications that you want to use from the Windows To Go workspace should be ## Prepare for Windows To Go -Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. +Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index c46b4cc2da..8f73fcdfd0 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md 
@@ -72,7 +72,7 @@ numerous advantages: Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version. -For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), System Center Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. +For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). 
A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly. diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index 37ed550405..7e35245a09 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md 
@@ -19,7 +19,7 @@ ms.topic: article **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index d08ff458c4..a81d83a38c 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -41,12 +41,12 @@ Windows as a service provides a new way to think about building, deploying, and | [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | | [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. 
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index aee88e8e01..6bb0bf7519 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md 
@@ -20,7 +20,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
@@ -39,7 +39,7 @@ In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization ## Configure servers for BranchCache -You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. +You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Endpoint Configuration Manager. For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 81adf9756d..b22f954ccc 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
@@ -190,7 +190,7 @@ Starting with Windows 10, version 1709, you can set policies to manage preview b The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* * MDM: **Update/ManagePreviewBuilds** -* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** +* Microsoft Endpoint Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** >[!IMPORTANT] >This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: @@ -273,5 +273,5 @@ When a device running a newer version sees an update available on Windows Update - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 6d7bf33b2a..9de80024c2 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -24,7 +24,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. 
This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. @@ -190,5 +190,5 @@ If you suspect this is the problem, try a Telnet test between two devices on the - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index d5eab1b3c4..5888c1f3a1 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -56,7 +56,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is | ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 4d5f0b31bc..9d8afa433e 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,6 +1,6 @@ --- title: Integrate Windows Update for Business (Windows 10) -description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. +description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -21,7 +21,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. +You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. ## Integrate Windows Update for Business with Windows Server Update Services 
@@ -85,7 +85,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo >[!NOTE] > Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner. -## Integrate Windows Update for Business with System Center Configuration Manager +## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. @@ -109,6 +109,6 @@ For more information, see [Integration with Windows Update for Business in Windo - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index 1ebdd76767..69abb40e2f 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md 
@@ -1,6 +1,6 @@ --- -title: Deploy Windows 10 updates via System Center Configuration Manager -description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. +title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager +description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -11,7 +11,7 @@ manager: laurawi ms.topic: article --- -# Deploy Windows 10 updates using System Center Configuration Manager +# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager **Applies to** 
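Review bot: The H1 renamed in this hunk (`# Deploy Windows 10 updates using ...`) and the H2 renamed in the @@ -85,7 hunk of waas-integrate-wufb.md (`## Integrate Windows Update for Business with ...`) both get a new generated anchor, so any link that targets the fragment derived from the old heading text will stop resolving. These docs do link by fragment (for example `waas-overview.md#naming-changes`), so search the repo for fragment links to both old headings and update them in this commit.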
@@ -25,21 +25,21 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. +Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. 
The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. >[!NOTE] ->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). +>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). ## Windows 10 servicing dashboard -The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). +The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: - **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. 
Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. -- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. +- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. - **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. - **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. @@ -143,7 +143,7 @@ After you have updated the membership, this new collection will contain all mana ## Use Windows 10 servicing plans to deploy Windows 10 feature updates -There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. +There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. **To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** 
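Review bot: In the @@ -25,21 hunk of this file the link text is renamed while the targets are unchanged: `[Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager]` still points at a technet URL ending in `upgrade-to-windows-10-with-system-center-configuraton-manager`, and `[Manage Windows as a service using Microsoft Endpoint Configuration Manager]` still points at `mt627931.aspx`. Link text that quotes an article title should match the title the target page carries, so confirm each target was retitled, or keep the old title in the link text until it is.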
@@ -160,7 +160,7 @@ There are two ways to deploy Windows 10 feature updates with System Center Confi > >![This is a high-risk deployment](images/waas-sccm-fig9.png) > - >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). + >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). 5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. @@ -214,7 +214,7 @@ Each time Microsoft releases a new Windows 10 build, it releases a new .iso file In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. >[!NOTE] - >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. + >Microsoft Endpoint Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. 4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. 
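Review bot: The `[!NOTE]` in the @@ -214,7 hunk now reads `Microsoft Endpoint Configuration Manager version 1606`, which attaches the new product name to a release that shipped under the old one. A reader looking for that version will find it as System Center Configuration Manager; suggest `Configuration Manager version 1606`, the short form this file already uses in running text.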
@@ -303,11 +303,11 @@ With the task sequence created, you’re ready to deploy it. If you’re using t | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or Deploy Windows 10 updates using System Center Configuration Manager (this topic) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) | ## See also -[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) +[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) ## Related topics diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index e24cc6ff0b..61db3462a7 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md 
@@ -24,7 +24,7 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. 
@@ -331,7 +331,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or Deploy Windows 10 updates using Windows Server Update Services (this topic)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or Deploy Windows 10 updates using Windows Server Update Services (this topic)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | @@ -351,5 +351,5 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 479877ca3a..2486006471 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -118,7 +118,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics - [Update Windows 10 in the enterprise](index.md) @@ -135,7 +135,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index c0d1218ade..abb64e0561 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -70,7 +70,7 @@ Only the following Windows Update for Business policies are supported for Window - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) 
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 7eda1ffad1..7cc93640af 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -33,7 +33,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. + Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.

@@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | > [!NOTE] -> System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). +> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. 
Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery @@ -55,7 +55,7 @@ Windows 10 quality update downloads can be large because every package contains > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. +- **Express on Microsoft Endpoint Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). 
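Review bot: In the `[!NOTE]` of the @@ -43,9 hunk the search-and-replace leaves the full product name twice in one sentence (`Microsoft Endpoint Configuration Manager has an additional feature ... clients you use Microsoft Endpoint Configuration Manager to manage`) and twice more in the next paragraph. Use the full name on first mention and `Configuration Manager` afterwards, as the unchanged `Configuration Manager boundary Group` in the same sentence already does.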
@@ -93,7 +93,7 @@ At this point, the download is complete and the update is ready to be installed. | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 4f6bf5db20..ff07ad3cbe 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -112,7 +112,7 @@ The concept of servicing channels is new, but organizations can use the same man In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Starting with Windows 10, version 1607, more servicing tools that can delay feature updates for up to 365 days are available. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. -When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. 
In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. 
@@ -163,9 +163,9 @@ There are many tools with which IT pros can service Windows as a service. Each o - **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 device. - **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. - **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. -- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. +- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. -With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. 
For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. +With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. **Table 1** @@ -190,7 +190,7 @@ With all these options, which an organization chooses depends on the resources, | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index b2f7bf1b6a..7e0bf21538 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -48,7 +48,7 @@ See [Assign devices to servicing channels for Windows 10 updates](waas-servicing ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. 
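Review bot: In the waas-quick-start.md hunk, the rewritten sentence still closes its tool list with "and third-party products)" although no opening parenthesis precedes it. Since the line is being replaced anyway, either open the parenthesis before "such as Windows Update" or drop the stray ")" so the rebranded sentence reads cleanly.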
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 2f891c98c0..2eae42de3a 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -178,7 +178,7 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 66ffdd5dd6..d55a28a5c1 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md 
@@ -87,7 +87,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program. > [!NOTE] -> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as System Center Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. +> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. > [!NOTE] > Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates. 
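Review bot: In the waas-servicing-differences.md hunk, the replaced note sentence has no grammatical subject: "For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates". The rename is a good moment to drop the leading "For" so it reads "Customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10."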
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 66702a34a3..e82f2eebde 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md 
@@ -32,7 +32,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). 
Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. 
This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). >[!NOTE] @@ -56,7 +56,7 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | +| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 8b7d1bcfd2..5119f6f5be 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -138,7 +138,7 @@ We recommend that you set up a ring to receive preview builds by joining the Win - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 71296b4265..30af2075e1 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md 
@@ -282,7 +282,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 5898646433..390875d11b 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md 
@@ -73,7 +73,7 @@ If devices are not showing up as expected, find a representative device and foll 5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully. 6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information. -If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally. +If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, Microsoft Endpoint Configuration Manager) and check the results centrally. If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. 
@@ -285,7 +285,7 @@ Note that different Azure Log Analytics plans have different data retention peri ### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? -System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. +Microsoft Endpoint Configuration Manager considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. Currently, you can choose the criteria you wish to use: - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). From 9906750fa0124069be45944d4799c8e007e5440a Mon Sep 17 00:00:00 2001 
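Review bot: In the windows-analytics-FAQ-troubleshooting.md hunk at -285, the replacement removes the only expansion of the abbreviation ("System Center Configuration Manager (SCCM)") while the heading "Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade?" and the bullet that follows ("To use the SCCM criteria ... within the SCCM console") still say SCCM. Either tie the abbreviation to the new product name on first use or update the heading and bullet in the same change; as it stands the section uses "SCCM" with nothing on the page saying what it refers to.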
From: LauraKellerGitHub Date: Fri, 27 Dec 2019 17:01:18 -0800 Subject: [PATCH 017/188] Rebrand System Center to Msft Endpoint - Seven --- ...ollment-using-windows-provisioning-tool.md | 2 +- ...dded-8-1-handheld-devices-to-windows-10.md | 24 +- .../mdm/mdm-enrollment-of-windows-devices.md | 2 +- .../client-management/mdm/policy-ddf-file.md | 8 +- .../windows-10-mobile-and-mdm.md | 4 +- windows/configuration/TOC.md | 2 +- .../cortana-at-work-overview.md | 2 +- .../cortana-at-work-voice-commands.md | 2 +- ...can-use-configuration-service-providers.md | 2 +- .../provisioning-create-package.md | 2 +- .../provisioning-packages.md | 4 +- ...ith-system-center-configuration-manager.md | 8 +- .../ue-v/uev-deploy-required-features.md | 4 +- .../uev-deploy-uev-for-custom-applications.md | 2 +- .../ue-v/uev-manage-configurations.md | 4 +- .../ue-v/uev-prepare-for-deployment.md | 6 +- windows/deployment/TOC.md | 4 +- .../change-history-for-deploy-windows-10.md | 321 ++++++------ windows/deployment/deploy-m365.md | 157 +++--- windows/deployment/deploy-whats-new.md | 4 +- ...ystem-image-using-configuration-manager.md | 151 +++--- ...-windows-pe-using-configuration-manager.md | 4 +- ...e-boot-image-with-configuration-manager.md | 235 ++++----- ...-windows-10-using-configuration-manager.md | 8 +- ...-10-using-pxe-and-configuration-manager.md | 153 +++--- ...em-center-2012-r2-configuration-manager.md | 229 ++++----- ...0-deployment-with-configuration-manager.md | 6 +- ...0-deployment-with-configuration-manager.md | 8 +- ...f-windows-10-with-configuration-manager.md | 8 +- ...-windows-10-using-configuration-manager.md | 8 +- ...-windows-10-using-configuration-manager.md | 481 +++++++++--------- windows/deployment/deploy.md | 4 +- 32 files changed, 933 insertions(+), 926 deletions(-) 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index c5b559cf50..182e1020aa 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. +> - Bulk enrollment works in Microsoft Endpoint Configuration Manager + Intune hybrid environment where the ppkg is generated from the SCCM console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index e05ab31e6f..7544b5297b 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
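Review bot: In the bulk-enrollment-using-windows-provisioning-tool.md hunk, the changed bullet drops the "(SCCM)" expansion but still ends with "where the ppkg is generated from the SCCM console", so the abbreviation is now undefined within that note. Suggest rewording the tail to name the console by the new product name, or keeping the abbreviation defined on first use.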
@@ -15,7 +15,7 @@ ms.date: 06/26/2017 # Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices -Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using System Center Configuration Manager. +Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager. Here is a table of update path to Windows 10 Mobile. @@ -79,7 +79,7 @@ Down the road, after the upgrade to Windows 10 is complete, if you decide to pus **Requirements:** - The test device must be same as the other production devices that are receiving the updates. -- Your test device must be enrolled with System Center Configuration Manager. +- Your test device must be enrolled with Microsoft Endpoint Configuration Manager. - Your device can connect to the Internet. - Your device must have an SD card with at least 0.5 GB of free space. - Ensure that the settings app and PhoneUpdate applet are available via Assigned Access. 
@@ -93,7 +93,7 @@ The following diagram is a high-level overview of the process. Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device. -Trigger the device to check for updates either manually or using System Center Configuration Manager. +Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager. **Manually** @@ -104,7 +104,7 @@ Trigger the device to check for updates either manually or using System Center C > **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device. -**Using System Center Configuration Manager** +**Using Microsoft Endpoint Configuration Manager** 1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline. 
@@ -132,16 +132,16 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml. - > **Note**  In System Center Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. + > **Note**  In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/<*filename*>. 2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not be set; it is only used for comparison. -3. After the report XML is sent to the device, System Center Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [How to retrieve a device update report using System Center Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs). +For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs). **Post-GDR1: Retrieve the report xml file using an SD card** 
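Review bot: In the hunk at -132 of the enable-offline-updates file, the walkthrough link gets new link text but keeps the fragment "#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs", while this same patch renames the target heading to "How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs". If the in-page anchor is derived from the heading text, the link will no longer resolve after the rename. Update the fragment to match the new heading, or give the heading an explicit anchor so the existing fragment keeps working.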
@@ -252,7 +252,7 @@ Now that the other "production" or "in-store" devices have the necessary informa ### Use this process for unmanaged devices -If the update policy of the device is not managed or restricted by System Center Configuration Manager, an update process can be initiated on the device in one of the following ways: +If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways: - Initiated by a periodic scan that the device automatically performs. - Initiated manually through **Settings** -> **Phone Update** -> **Check for Updates**. @@ -261,14 +261,14 @@ If the update policy of the device is not managed or restricted by System Center If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways: -- Trigger the device to scan for updates through System Center Configuration Manager. +- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager. Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline. > **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan. -- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in System Center Configuration Manager. +- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager. After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2). 
@@ -456,7 +456,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## How to retrieve a device update report using System Center Configuration Manager logs +## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs Use this procedure for pre-GDR1 devices. @@ -465,7 +465,7 @@ Use this procedure for pre-GDR1 devices. 1. Trigger a device scan. Go to **Settings** -> **Phone Update** -> **Check for Updates**. Since the DUReport settings have not been remedied, you should see a non-compliance. -2. In System Center Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**. +2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**. 3. Select **Create Configuration Item**. ![device update using sccm](images/windowsembedded-update5.png) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 08bae9914c..d6d47fa107 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
@@ -279,7 +279,7 @@ There are a few instances where your device may not be able to connect to work, |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | | We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | -| Your device is already being managed by an organization. | Your device is either already managed by MDM or System Center Configuration Manager. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. | | You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index a5298bf190..5cea02dabc 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md 
@@ -1660,7 +1660,7 @@ Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -11037,7 +11037,7 @@ Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) 
@@ -23035,7 +23035,7 @@ Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -51689,7 +51689,7 @@ Related Documents: - Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) - How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) 
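Review bot: In the Related Documents hunks of policy-ddf-file.md (offsets 1660, 11037, 23035 and 51689), the link label now reads "Microsoft Endpoint Configuration Manager" while the URL still points at docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business, and the unchanged "Find a package family name (PFN) for per-app VPN" entry beside it also keeps its /sccm/ path. Keeping the URLs is reasonable for a rename-only change, but state that in the commit message so a later cleanup does not rewrite them into dead links. Separately, the same block is edited verbatim in four places in this file; if that text is a copy of the description carried in the DDF itself, the rename makes the page differ from the file it documents, so confirm which side is the source of truth before merging.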
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 47a439de72..81a57e3657 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
@@ -37,7 +37,7 @@ Windows 10 supports end-to-end device lifecycle management to give companies con ## Deploy Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which Mobile Device Management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced. -Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or System Center Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050). +Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. 
For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050). ### Deployment scenarios 
@@ -187,7 +187,7 @@ Azure AD is a cloud-based directory service that provides identity and access ma **Mobile Device Management** Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. -You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. +You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Microsoft Endpoint Configuration Manager, see Choose between Intune by itself or integrating Intune with Configuration Manager. Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. 
You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. >**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index c0ad05a8bd..7428624219 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -141,7 +141,7 @@ ### [Administering UE-V](ue-v/uev-administering-uev.md) #### [Manage Configurations for UE-V](ue-v/uev-manage-configurations.md) ##### [Configuring UE-V with Group Policy Objects](ue-v/uev-configuring-uev-with-group-policy-objects.md) -##### [Configuring UE-V with System Center Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md) +##### [Configuring UE-V with Microsoft Endpoint Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md) ##### [Administering UE-V with Windows PowerShell and WMI](ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md) ###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md) ###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index cca8151178..48199e5b25 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -45,7 +45,7 @@ Cortana requires the following hardware and software to successfully run the inc |Client operating system |