Date: Mon, 27 Mar 2023 08:08:14 -0700
Subject: [PATCH 029/143] Removed check Not ready ART check result from Windows
10 and later update rings
---
.../prepare/windows-autopatch-fix-issues.md | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 0c4b7973da..a180a874ec 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -45,14 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
| ----- | ----- |
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-### Windows 10 and later update rings
+### Update rings for Windows 10 or later
-Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices.
+Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices.
| Result | Meaning |
| ----- | ----- |
-| Not ready | You have an "update ring" policy that targets all devices, all users, or both.
To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.
For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
|
-| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).
|
+| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch will also create our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we'll exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.|
## Azure Active Directory settings
From 7bc4dc315b29aaabdce1d1416e9b56355f57e0c9 Mon Sep 17 00:00:00 2001
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:22:23 -0500
Subject: [PATCH 030/143] Update laps-csp.md
Acro edits.
---
windows/client-management/mdm/laps-csp.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index c55fc11c1d..f846a1bb50 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -112,7 +112,7 @@ Use this setting to tell the CSP to immediately generate and store a new passwor
-This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc
+This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.
@@ -333,7 +333,7 @@ This setting is ignored if the password is currently being stored in Azure.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
-- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory.
+- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before being stored in Active Directory.
- If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
@@ -642,8 +642,8 @@ If not specified, this setting defaults to True.
| Value | Description |
|:--|:--|
-| false | Allow configured password expiriration timestamp to exceed maximum password age. |
-| true (Default) | Do not allow configured password expiriration timestamp to exceed maximum password age. |
+| false | Allow configured password expiration timestamp to exceed maximum password age. |
+| true (Default) | Do not allow configured password expiration timestamp to exceed maximum password age. |
@@ -746,7 +746,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Value | Description |
|:--|:--|
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
-| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
+| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
From 14a6d5db740fd0274cdc310c93f237f47bf9d417 Mon Sep 17 00:00:00 2001
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:25:17 -0500
Subject: [PATCH 031/143] Update policy-csp-admx-smartcard.md
Acro edit.
---
windows/client-management/mdm/policy-csp-admx-smartcard.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index a43fd22887..bf8346b0da 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -599,7 +599,7 @@ This policy setting allows you to control whether elliptic curve cryptography (E
-This policy settings lets you configure if all your valid logon certificates are displayed.
+This policy setting lets you configure if all your valid logon certificates are displayed.
During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).
@@ -796,7 +796,7 @@ By default the user principal name (UPN) is displayed in addition to the common
- If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
-If you disable , the subject name will be displayed as it appears in the certificate.
+If you disable, the subject name will be displayed as it appears in the certificate.
From e11cd0dd0f41d0f766e52c18e1c2a01c07b6aa43 Mon Sep 17 00:00:00 2001
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:35:42 -0500
Subject: [PATCH 032/143] Update
basic-level-windows-diagnostic-events-and-fields-1803.md
Acro edits.
---
...ndows-diagnostic-events-and-fields-1803.md | 88 +++++++++----------
1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 3ce33ede55..c94b44464a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -370,8 +370,8 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser file that is generating the events.
- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
-- **DisplayGenericMessage** Will be a generic message be shown for this file?
-- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file.
+- **DisplayGenericMessage** Will a generic message be shown for this file?
+- **DisplayGenericMessageGated** Indicates whether a generic message will be shown for this file.
- **HardBlock** This file is blocked in the SDB.
- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
@@ -1314,8 +1314,8 @@ The following fields are available:
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The result of the Appraiser diagnostic data run.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false
- **TelementrySent** Indicates whether diagnostic data was successfully sent.
@@ -1560,7 +1560,7 @@ The following fields are available:
- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
-- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
- **OSSKU** Retrieves the Friendly Name of OS Edition.
- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
@@ -1715,7 +1715,7 @@ The following fields are available:
- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
-- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches.
- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
@@ -1807,7 +1807,7 @@ The following fields are available:
- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentFeatureOutOfDate** How many days has it been since the last feature update was released but the device did not install it?
- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
@@ -2099,7 +2099,7 @@ The following fields are available:
- **pendingDecision** Indicates the cause of reboot, if applicable.
- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
- **revisionVersion** The revision number of the security update being uninstalled.
-- **transactionCanceled** Indicates whether the uninstall was cancelled.
+- **transactionCanceled** Indicates whether the uninstall was canceled.
### CbsServicingProvider.CbsQualityUpdateInstall
@@ -2397,7 +2397,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
-This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3091,7 +3091,7 @@ The following fields are available:
- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
- **securityLevel** The cluster parameter: security level.
- **securityLevelForStorage** The cluster parameter: security level for storage.
-- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size shared volumes.
- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
- **upNodeCount** Specifies the number of nodes that are up (online).
- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
@@ -3191,7 +3191,7 @@ This event captures basic checksum data about the device inventory items stored
The following fields are available:
-- **DeviceCensus** A count of devicecensus objects in cache.
+- **DeviceCensus** A count of device census objects in cache.
- **DriverPackageExtended** A count of driverpackageextended objects in cache.
- **FileSigningInfo** A count of file signing objects in cache.
- **InventoryApplication** A count of application objects in cache.
@@ -3204,7 +3204,7 @@ The following fields are available:
- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
- **InventoryDeviceMediaClass** A count of device media objects in cache.
- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
-- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDeviceUsbHubClass** A count of device USB objects in cache
- **InventoryDriverBinary** A count of driver binary objects in cache.
- **InventoryDriverPackage** A count of device objects in cache.
- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache.
@@ -3988,7 +3988,7 @@ The following fields are available:
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
-- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
@@ -4085,7 +4085,7 @@ The following fields are available:
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
-- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
@@ -4999,7 +4999,7 @@ The following fields are available:
- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
- **CachedEngineVersion** The engine DLL version that is being used.
- **EventInstanceID** A unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
- **IsExecutingAction** If the action is presently being executed.
- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
@@ -5033,7 +5033,7 @@ The following fields are available:
- **CachedEngineVersion** The engine DLL version that is being used.
- **EventInstanceID** A unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **FailedParseActions** The list of actions that were not successfully parsed.
- **ParsedActions** The list of actions that were successfully parsed.
- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
@@ -5077,7 +5077,7 @@ The following fields are available:
- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
- **DriverSyncPassPerformed** Were drivers scanned this time?
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
@@ -5147,8 +5147,8 @@ The following fields are available:
- **ClientVersion** Version number of the software distribution client
- **DeviceModel** Device model as defined in the system bios
- **EventInstanceID** A globally unique identifier for event instance
-- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
- **FlightId** The specific id of the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5189,7 +5189,7 @@ The following fields are available:
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed.
- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
@@ -5241,8 +5241,8 @@ The following fields are available:
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
- **ClientVersion** The version number of the software distribution client
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver"
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
- **FileId** A hash that uniquely identifies a file
- **FileName** Name of the downloaded file
@@ -5274,7 +5274,7 @@ The following fields are available:
- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
-- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
- **ResumeCount** Number of times this active download has resumed from a suspended state
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5307,7 +5307,7 @@ The following fields are available:
- **DeviceModel** The device model.
- **DriverPingBack** Contains information about the previous driver and system state.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver.
- **ExtendedErrorCode** The extended error code.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
@@ -5675,7 +5675,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5958,7 +5958,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** An ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
@@ -5980,7 +5980,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6002,7 +6002,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6024,7 +6024,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
@@ -6068,7 +6068,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6090,7 +6090,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6112,7 +6112,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID.
@@ -6224,10 +6224,10 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6296,7 +6296,7 @@ The following fields are available:
### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
The following fields are available:
@@ -6715,7 +6715,7 @@ The following fields are available:
- **CatalogId** The Store Catalog ID for the product being installed.
- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specfic edition of the app being updated.
+- **SkuId** Specific edition of the app being updated.
### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
@@ -7069,7 +7069,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
-- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@@ -7379,7 +7379,7 @@ The following fields are available:
- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
- **errorCode** The error code returned for the current process.
-- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **interactive** Indicates whether the user initiated the session.
- **networkStatus** Indicates if the device is connected to the internet.
@@ -7410,7 +7410,7 @@ This event indicates the reboot was postponed due to needing a display. The data
The following fields are available:
- **displayNeededReason** Reason the display is needed.
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
- **revisionNumber** Revision number of the update.
- **updateId** Update ID.
@@ -7528,7 +7528,7 @@ This event indicates that an enabled GameMode process prevented the device from
The following fields are available:
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update.
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
@@ -7632,13 +7632,13 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after an update is installed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **powermenuNewOptions** The new options after the power menu changed.
- **powermenuOldOptions** The old options before the power menu changed.
-- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
+- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to an update, this indicates how long that reboot has been pending.
- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
@@ -8122,7 +8122,7 @@ The following fields are available:
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
- **MitigationScenario** The update scenario in which the mitigation was executed.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
@@ -8145,7 +8145,7 @@ The following fields are available:
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **EditionIdUpdated** Determine whether EditionId was changed.
- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
- **MitigationScenario** The update scenario in which the mitigation was executed.
- **ProductEditionId** Expected EditionId value based on GetProductInfo.
- **ProductType** Value returned by GetProductInfo.
From 8a95dbb80e810bcc56f5800ec8dfda900321168f Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 09:53:06 -0700
Subject: [PATCH 033/143] edits
---
windows/deployment/update/release-cycle.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 9db5c35e05..fdd92b834c 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -26,7 +26,7 @@ This article provides details on the types of updates that Microsoft provides, a
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
-| [Annual feature update](#annual-feature-updates) | | Once a year in the second half of the calendar year |
+| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version. | Once a year in the second half of the calendar year |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
From 783c4deade33ce9b3d96fad43f529bcd7735e1ef Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 10:08:09 -0700
Subject: [PATCH 034/143] terminology edits for b rel
---
windows/deployment/update/release-cycle.md | 2 +-
windows/deployment/windows-autopatch/TOC.yml | 10 +++++-----
...ws-autopatch-windows-quality-update-overview.md | 2 +-
...ows-autopatch-windows-quality-update-signals.md | 14 +++++++-------
4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index fdd92b834c..5e42226027 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -50,7 +50,7 @@ Monthly security update releases are available through the following channels:
- Windows Server Update Services (WSUS)
- The [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx)
-Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/), rely on these channels for update deployment.
+Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
## Optional non-security preview release
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index ec97a45acf..d79c3125aa 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -51,16 +51,16 @@
items:
- name: Customize Windows Update settings
href: operate/windows-autopatch-windows-update.md
- - name: Windows quality updates
+ - name: Windows monthly security update release
href: operate/windows-autopatch-windows-quality-update-overview.md
items:
- - name: Windows quality update end user experience
+ - name: Windows monthly security update end user experience
href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
- - name: Windows quality update signals
+ - name: Windows monthly security update signals
href: operate/windows-autopatch-windows-quality-update-signals.md
- - name: Windows quality update communications
+ - name: Windows monthly security update communications
href: operate/windows-autopatch-windows-quality-update-communications.md
- - name: Windows quality update reports
+ - name: Windows monthly security update reports
href: operate/windows-autopatch-windows-quality-update-reports-overview.md
items:
- name: Summary dashboard
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index c687882aaf..ac728972ce 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -38,7 +38,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
## Windows quality update releases
-Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index 492e76ed01..b5046b576f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -1,6 +1,6 @@
---
-title: Windows quality update signals
-description: This article explains the Windows quality update signals
+title: Windows monthly security update release signals
+description: This article explains the Windows monthly security update release signals
ms.date: 01/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
@@ -12,9 +12,9 @@ manager: dougeby
ms.reviewer: hathind
---
-# Windows quality update signals
+# Windows monthly security update release signals
-Windows Autopatch monitors a specific set of signals and aims to release quality updates both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
+Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
@@ -24,9 +24,9 @@ Before being released to the Test ring, Windows Autopatch reviews several data s
| Pre-release signal | Description |
| ----- | ----- |
-| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
-| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
-| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. |
+| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
+| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
+| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
## Early signals
From 34f42c53402d5be2cd6ebc97cab7e582d7047892 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:25:58 -0700
Subject: [PATCH 035/143] lcu edits
---
windows/deployment/update/servicing-stack-updates.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index a7a6c5b72e..08bc528d69 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -39,9 +39,9 @@ Servicing stack update are released depending on new issues or vulnerabilities.
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
+Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
## Is there any special guidance?
From c381792ed9dcfb74357f87ab5e9dbbd12297aa35 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:53:15 -0700
Subject: [PATCH 036/143] Update citool-commands.md
---
.../operations/citool-commands.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
index 4ae81919b5..9c88206c87 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
@@ -65,7 +65,7 @@ CiTool makes Windows Defender Application Control (WDAC) policy management easie
4. List the actively enforced WDAC policies on the system
```powershell
- # Check each policy's IsEnforced state and return only the enforced policies
+ # Check each policy's IsEnforced state and return only the enforced policies
(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} |
Select-Object -Property PolicyID,FriendlyName | Format-List
```
From ef05c2d8cf8b3d348b38e1ed98ca41dee19f9d9a Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:55:44 -0700
Subject: [PATCH 037/143] patch tuesday edits
---
windows/deployment/update/release-cycle.md | 8 ++++----
windows/whats-new/whats-new-windows-10-version-21H2.md | 2 +-
windows/whats-new/whats-new-windows-10-version-22H2.md | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 5e42226027..acc62dbc5c 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -32,7 +32,7 @@ This article provides details on the types of updates that Microsoft provides, a
## Monthly security update release
-Most people are familiar with the **Monthly security update release**. The **Monthly security update release** updates are released on the second Tuesday of each month, and are typically published at 10:00 AM Pacific Time (PST/PDT). This release might commonly be referred to as:
+Most people are familiar with the **monthly security update release**. The **monthly security update release** is published on the second Tuesday of each month, typically at 10:00 AM Pacific Time (PST/PDT). This release might commonly be referred to as:
- Patch Tuesday
- Update Tuesday
@@ -54,7 +54,7 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
## Optional non-security preview release
-**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **Monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **Optional non-security preview release**, then ship in the following **Monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
+**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional non-security preview releases** might commonly be referred to as:
@@ -63,7 +63,7 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- Preview CUs
> [!Important]
-> Starting in April 2023, all **Optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
+> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
To access the optional non-security preview release:
- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
@@ -86,7 +86,7 @@ Some key considerations about OOB releases include:
## Continuous innovation for Windows 11
-Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **Optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **Monthly security update release**.
+Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index c6aaf4368c..2e68bca2a5 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -35,7 +35,7 @@ To learn more about the status of the November 2021 Update rollout, known issues
Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the General Availability Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
-Quality updates are still installed monthly on patch Tuesday.
+Quality updates are still installed monthly on the second Tuesday of the month.
For more information, see:
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index 99199e8037..f657b2fae0 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -31,7 +31,7 @@ To learn more about the status of the Windows 10, version 22H2 rollout, known is
For more information about updated tools to support this release, see [IT tools to support Windows 10, version 22H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-22h2/ba-p/3655750).
-The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on patch Tuesday.
+The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on the second Tuesday of the month.
For more information, see:
From 0110adf8a3dd225725fa70233b0e701172e166d0 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 12:14:17 -0700
Subject: [PATCH 038/143] roll back a few edits
---
windows/deployment/windows-autopatch/TOC.yml | 10 +++++-----
...windows-autopatch-windows-quality-update-signals.md | 6 +++---
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index d79c3125aa..5a4a89047b 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -51,16 +51,16 @@
items:
- name: Customize Windows Update settings
href: operate/windows-autopatch-windows-update.md
- - name: Windows monthly security update release
+ - name: Windows quality updates
href: operate/windows-autopatch-windows-quality-update-overview.md
items:
- - name: Windows monthly security update end user experience
+ - name: Windows quality update end user experience
href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
- - name: Windows monthly security update signals
+ - name: Windows quality security update signals
href: operate/windows-autopatch-windows-quality-update-signals.md
- - name: Windows monthly security update communications
+ - name: Windows quality security update communications
href: operate/windows-autopatch-windows-quality-update-communications.md
- - name: Windows monthly security update reports
+ - name: Windows quality security update reports
href: operate/windows-autopatch-windows-quality-update-reports-overview.md
items:
- name: Summary dashboard
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index b5046b576f..bd21b2a994 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -1,6 +1,6 @@
---
-title: Windows monthly security update release signals
-description: This article explains the Windows monthly security update release signals
+title: Windows quality update release signals
+description: This article explains the Windows quality update release signals
ms.date: 01/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
@@ -12,7 +12,7 @@ manager: dougeby
ms.reviewer: hathind
---
-# Windows monthly security update release signals
+# Windows quality update signals
Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
From be94e6edc8a9c5c15513961978cc8e499ddaa3ff Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 12:15:20 -0700
Subject: [PATCH 039/143] roll back a few edits
---
windows/deployment/windows-autopatch/TOC.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 5a4a89047b..ec97a45acf 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -56,11 +56,11 @@
items:
- name: Windows quality update end user experience
href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
- - name: Windows quality security update signals
+ - name: Windows quality update signals
href: operate/windows-autopatch-windows-quality-update-signals.md
- - name: Windows quality security update communications
+ - name: Windows quality update communications
href: operate/windows-autopatch-windows-quality-update-communications.md
- - name: Windows quality security update reports
+ - name: Windows quality update reports
href: operate/windows-autopatch-windows-quality-update-reports-overview.md
items:
- name: Summary dashboard
From 30329054f8bad4b7bc9c12049d9185ddb252e103 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 27 Mar 2023 15:19:01 -0400
Subject: [PATCH 040/143] Mo Updates
---
windows/client-management/mdm/laps-csp.md | 4 +-
...-in-policy-csp-supported-by-surface-hub.md | 6 +--
.../mdm/policy-csp-admx-smartcard.md | 4 +-
.../mdm/policy-csp-browser.md | 4 +-
.../mdm/policy-csp-defender.md | 9 +----
.../client-management/mdm/surfacehub-csp.md | 40 +++++++++----------
windows/client-management/mdm/toc.yml | 2 +-
7 files changed, 30 insertions(+), 39 deletions(-)
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index f846a1bb50..b5c76b1b14 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -746,7 +746,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Value | Description |
|:--|:--|
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
-| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
+| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 532725ac33..4c67e36e15 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -15,11 +15,7 @@ ms.topic: reference
# Policies in Policy CSP supported by Windows 10 Team
-This article lists the policies in Policy CSP that are applicable for Windows 10 Team.
-
-## Accounts
-
-- [AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+This article lists the policies in Policy CSP that are applicable for the Surface Hub operating system, **Windows 10 Team**.
## ApplicationDefaults
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index 66b14b8c2f..9f8cd9d3d9 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_Smartcard Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -798,7 +798,7 @@ By default the user principal name (UPN) is displayed in addition to the common
If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
-If you disable, the subject name will be displayed as it appears in the certificate.
+If you disable , the subject name will be displayed as it appears in the certificate.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 7dc55c850b..821501520e 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2901,7 +2901,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E
-This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
+This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
- If you enable this policy setting, employees can't access the about:flags page.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 2f84f6c62c..99bd8a5bcc 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -697,12 +697,7 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
-
-This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
-
-- If you enable this setting, network files will be scanned.
-
-- If you disable or do not configure this setting, network files will not be scanned.
+
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 87ba8d39de..46e9609e96 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the SurfaceHub CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 03/24/2023
+ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -36,7 +36,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
- [ExchangeModernAuthEnabled](#deviceaccountexchangemodernauthenabled)
- [ExchangeServer](#deviceaccountexchangeserver)
- [Password](#deviceaccountpassword)
- - [PasswordRotationPeriod](#deviceaccountpasswordrotationperiod)
+ - [PasswordRotationEnabled](#deviceaccountpasswordrotationenabled)
- [SipAddress](#deviceaccountsipaddress)
- [UserName](#deviceaccountusername)
- [UserPrincipalName](#deviceaccountuserprincipalname)
@@ -482,53 +482,53 @@ Password for the device account. Get is allowed here, but will always return a b
-
-### DeviceAccount/PasswordRotationPeriod
+
+### DeviceAccount/PasswordRotationEnabled
-
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
-
+
-
+
```Device
-./Vendor/MSFT/SurfaceHub/DeviceAccount/PasswordRotationPeriod
+./Vendor/MSFT/SurfaceHub/DeviceAccount/PasswordRotationEnabled
```
-
+
-
+
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
-
+
-
+
-
+
-
+
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get, Replace |
-
+
-
+
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Password rotation enabled. |
| 1 | Disabled. |
-
+
-
+
-
+
-
+
### DeviceAccount/SipAddress
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 4b7a21cdcd..e4247312ed 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -49,7 +49,7 @@ items:
href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
- name: Policies supported by Windows 10 IoT Core
href: policies-in-policy-csp-supported-by-iot-core.md
- - name: Policies supported by Microsoft Windows 10 Team
+ - name: Policies supported by Windows 10 Team
href: policies-in-policy-csp-supported-by-surface-hub.md
- name: Policies that can be set using Exchange Active Sync (EAS)
href: policies-in-policy-csp-that-can-be-set-using-eas.md
From 44ea8e8f733006640e40d97929c2712644a40e89 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 27 Mar 2023 15:19:09 -0400
Subject: [PATCH 041/143] redirect
---
.openpublishing.redirection.json | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6921b57b15..27a37626d3 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20739,6 +20739,11 @@
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
"redirect_document_id": true
+ },
+ {
+ "source_path": "/microsoft-store/sign-up-microsoft-store-for-business.md",
+ "redirect_url": "/microsoft-store",
+ "redirect_document_id": false
}
]
}
\ No newline at end of file
From 22cee7ef1e20623490fb5ec4fe8281d2313a6d9f Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 27 Mar 2023 15:23:26 -0400
Subject: [PATCH 042/143] update
---
.openpublishing.redirection.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 27a37626d3..1fbec15095 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20741,7 +20741,7 @@
"redirect_document_id": true
},
{
- "source_path": "/microsoft-store/sign-up-microsoft-store-for-business.md",
+ "source_path": "microsoft-store/sign-up-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store",
"redirect_document_id": false
}
From 5aedec93fc39f87fecb712b089fe14684294ba3b Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 12:33:43 -0700
Subject: [PATCH 043/143] roll back a few edits
---
windows/deployment/update/release-cycle.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index acc62dbc5c..0cacc4a2aa 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -19,14 +19,14 @@ Windows updates help you to stay productive and protected. They provide your use
This article provides details on the types of updates that Microsoft provides, and how they help make the overall user experience simple and consistent.
-## Types update releases
+## Types of update releases
|Release type | Description | Release cycle |
|---|---|---|
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
-| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version. | Once a year in the second half of the calendar year |
+| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
From 24153fed555cb570a66d6ddd6f8c2d80e9fc78c7 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 12:35:52 -0700
Subject: [PATCH 044/143] roll back a few edits
---
windows/deployment/update/release-cycle.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 0cacc4a2aa..8abcea7090 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -60,7 +60,8 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- C or D week releases (meaning the third or fourth week of the month)
- Preview updates
-- Preview CUs
+- Preview CU
+- LCU preview
> [!Important]
> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
From 1c15b9edbdc4c76b02e1b4135c67f9150efc8b8f Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 27 Mar 2023 14:15:01 -0600
Subject: [PATCH 045/143] Update .openpublishing.redirection.json
20750: Enter blank line.
---
.openpublishing.redirection.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 1fbec15095..de2e3440be 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20746,4 +20746,4 @@
"redirect_document_id": false
}
]
-}
\ No newline at end of file
+}
From 750b34aa2e02d55c50e75d7e65454cddebc357de Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 27 Mar 2023 16:30:51 -0400
Subject: [PATCH 046/143] Add override for AllowScanningNetworkFiles
---
windows/client-management/mdm/policy-csp-defender.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 99bd8a5bcc..1f26de308e 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -702,6 +702,10 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
+This policy setting allows you to configure real-time scanning for files that are accessed over the network. It is recommended to enable this setting.
+
+- If you enable this setting or do not configure this setting, network files will be scanned.
+- If you disable this setting, network files will not be scanned.
From 59ddd2ef3ec25bf02db5018cf5727a3c71831241 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 27 Mar 2023 14:32:14 -0600
Subject: [PATCH 047/143] Update .openpublishing.redirection.json
Line 20744: Fix source path to docset folder name.
---
.openpublishing.redirection.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index de2e3440be..8beb705a6c 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20741,7 +20741,7 @@
"redirect_document_id": true
},
{
- "source_path": "microsoft-store/sign-up-microsoft-store-for-business.md",
+ "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
"redirect_url": "/microsoft-store",
"redirect_document_id": false
}
From dde73c9bbe027c41acdd6b3e5e2e0efb7461acd5 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 27 Mar 2023 14:47:37 -0600
Subject: [PATCH 048/143] Update
windows/deployment/update/waas-configure-wufb.md
Line 227: Fix note formatting.
---
windows/deployment/update/waas-configure-wufb.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index c4720bd8c2..394a399cc7 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -224,7 +224,7 @@ The features that are turned off by default from servicing updates will be enabl
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: ../Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
-> [Note]
+> [!Note]
> Clients
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
From c9ce76e6886f4f9d3d3bf2ddefe8c104e0f52e86 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 27 Mar 2023 14:58:02 -0600
Subject: [PATCH 049/143] Apply suggestions from code review
Line 92: Delete extra space between words.
---
windows/deployment/update/release-cycle.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 8abcea7090..aa65a1cf19 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -89,7 +89,7 @@ Some key considerations about OOB releases include:
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
-Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
+Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
- Windows Update for Business
- Devices that have updates managed Microsoft Intune use Windows Update for Business
From 39bfb9bc56cbce3bd794f8357cb6c1a9c6da0bdc Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 27 Mar 2023 15:00:15 -0600
Subject: [PATCH 050/143] Update
windows/deployment/update/waas-configure-wufb.md
Line 227: Remove the exclamation mark I added. Will ask contrib.
---
windows/deployment/update/waas-configure-wufb.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 394a399cc7..c4720bd8c2 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -224,7 +224,7 @@ The features that are turned off by default from servicing updates will be enabl
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: ../Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
-> [!Note]
+> [Note]
> Clients
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
From 5cdad0936de48bf8ea65ba26e73204cd602efa44 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 27 Mar 2023 14:52:41 -0700
Subject: [PATCH 051/143] remoce note
---
windows/deployment/update/waas-configure-wufb.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index c4720bd8c2..abf55e970a 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -224,8 +224,7 @@ The features that are turned off by default from servicing updates will be enabl
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: ../Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
-> [Note]
-> Clients
+
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
From ab8f438f4b8f245023962a2a6157434977766aab Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Mon, 27 Mar 2023 16:34:10 -0700
Subject: [PATCH 052/143] Added troubleshooting topic and fixed other topics
related to debugging and troubleshooting
---
.../event-id-explanations.md | 110 ++++++--------
.../event-tag-explanations.md | 58 ++++++-
.../operations/known-issues.md | 25 ++-
.../wdac-debugging-and-troubleshooting.md | 143 ++++++++++++++++++
...r-application-control-operational-guide.md | 10 --
5 files changed, 267 insertions(+), 79 deletions(-)
create mode 100644 windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 4b9c9e64bd..8a74cb79d7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 03/24/2023
ms.topic: reference
---
@@ -20,43 +20,77 @@ ms.topic: reference
- Windows 11
- Windows Server 2016 and later (limited events)
-A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+## WDAC Events Overview
-- Events about Application Control policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
+WDAC logs events when a policy is loaded as well as when a binary attempts to run and is blocked, or would be blocked if the policy is in audit mode. These block events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, you can turn on allow audit events for files that were authorized by Managed Installer or the Intelligent Security Graph (ISG) as described later in this article.
-- Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
+### Core WDAC event logs
+
+WDAC events are generated under two locations in the Windows Event Viewer:
+
+- **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational** includes events about Application Control policy activation and the control of executables, dlls, and drivers.
+- **Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script** includes events about the control of MSI installers, scripts, and COM objects.
+
+Most app and script failures that occur when WDAC is active can be diagnosed using these two event logs. This article describes in greater detail the events that exist in these logs. To understand the meaning of different data elements, or tags, found in the details of these events, see [Understanding Application Control event tags](event-tag-explanations.md).
> [!NOTE]
> These event IDs are not included on Windows Server Core edition.
-## Windows CodeIntegrity Operational log
+## WDAC block events for executables, dlls, and drivers
+
+These events are found in the **CodeIntegrity - Operational** event log.
| Event ID | Explanation |
|--------|-----------|
-| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
-| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
+| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.
This event is also seen for kernel- or user-mode code that the developer opted-in to [/INTEGRITYCHECK](/cpp/build/reference/integritycheck-require-signature-check) but is not signed correctly. |
+| 3033 | This event may occur with or without an Application Control policy present and should occur alongside a 3077 event if caused by WDAC policy. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. Presence of the Lifetime Signing EKU is the only case where an expired signature will be blocked by WDAC. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs.
This event is also seen for code that the developer opted-in to [Code Integrity Guard (CIG)](/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#code-integrity-guard) but then attempts to load code that doesn't meet the requirements of CIG. |
| 3034 | This event isn't common. It's the audit mode equivalent of event 3033 described above. |
| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy. |
-## Windows AppLocker MSI and Script log
+## WDAC block events for packaged apps, MSI installers, scripts, and COM objects
+
+These events are found in the **AppLocker – MSI and Script** event log.
| Event ID | Explanation |
|--------|-----------|
-| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
+| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but would not have passed the WDAC policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
+| 8037 | This event indicates that a script host queried Application Control about a file the script host was about to run, the file passed the WDAC policy and was allowed to run. |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
+| 8039 | This event indicates that a packaged app (MSIX/AppX) was allowed to install or run because the WDAC policy is in audit mode, but would have been blocked if the policy was enforced. |
+| 8040 | This event indicates that a packaged app was prevented from installing or running due to the WDAC policy. |
+
+## WDAC policy activation events
+
+These events are found in the **CodeIntegrity - Operational** event log, unless otherwise noted.
+
+| Event ID | Explanation |
+|--------|-----------|
+| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. |
+| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. This event's Details includes useful information about the Application Control policy, such as the policy options that were specified by the policy. |
+| 3097 | The Application Control policy can't be refreshed. |
+| 3099 | Indicates that a policy has been loaded. This event's Details includes useful information about the Application Control policy, such as the policy options that were specified by the policy. |
+| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
+| 3101 | Application Control policy refresh started for *N* policies. |
+| 3102 | Application Control policy refresh finished for *N* policies. |
+| 3103 | The system is ignoring the Application Control policy refresh. For example, an inbox Windows policy that does not meet the conditions for activation. |
+| 3105 | The system is attempting to refresh the Application Control policy with the specified Id. |
+| 8002 | This event is found in the **AppLocker - EXE and DLL** event log. When a process launches that matches a managed installer rule, this event is raised with PolicyName = MANAGEDINSTALLER found in the event Details. Events with PolicyName = EXE or DLL are not related to WDAC. |
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
> [!NOTE]
> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs.
+### WDAC diagnostic events 3090, 3091, and 3092
+
Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
+These events are found in the **CodeIntegrity - Operational** event log.
+
| Event ID | Explanation |
|--------|---------|
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
@@ -65,10 +99,12 @@ Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or
The above events are reported per active policy on the system, so you may see multiple events for the same file.
-### ISG and MI diagnostic event details
+#### ISG and MI diagnostic event details
The following information is found in the details for 3090, 3091, and 3092 events.
+These events are found in either the **CodeIntegrity - Operational** event log or the **CodeIntegrity - Verbose** event log, depending on your version of Windows.
+
| Name | Explanation |
|------|------|
| ManagedInstallerEnabled | Indicates whether the specified policy enables managed installer trust |
@@ -78,7 +114,7 @@ The following information is found in the details for 3090, 3091, and 3092 event
| AuditEnabled | True if the Application Control policy is in audit mode, otherwise it is in enforce mode |
| PolicyName | The name of the Application Control policy to which the event applies |
-### Enabling ISG and MI diagnostic events
+#### Enabling ISG and MI diagnostic events
To enable 3090 allow events, create a TestFlags regkey with a value of 0x300 as shown in the following PowerShell command. Then restart your computer.
@@ -88,56 +124,6 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
3091 and 3092 events are inactive on some versions of Windows. The above steps will also turn on those events.
-## Event ID 3099 Options
-
-The Application Control policy rule option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
-
-- Access Event Viewer.
-- Access the Code integrity 3099 event.
-- Access the details pane.
-- Identify the hex code listed in the "Options" field.
-- Convert the hex code to binary.
-
-:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
-
-For a simple solution for converting hex to binary, follow these steps:
-
-1. Open the Calculator app.
-1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
-1. Select **Programmer** mode.
-1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
-1. Enter your hex code. For example, `80881000`.
-1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
-
-:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
-
-This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
-
-Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
-
-| Bit Address | Policy Rule Option |
-|-------|------|
-| 2 | `Enabled:UMCI` |
-| 3 | `Enabled:Boot Menu Protection` |
-| 4 | `Enabled:Intelligent Security Graph Authorization` |
-| 5 | `Enabled:Invalidate EAs on Reboot` |
-| 7 | `Required:WHQL` |
-| 10 | `Enabled:Allow Supplemental Policies` |
-| 11 | `Disabled:Runtime FilePath Rule Protection` |
-| 13 | `Enabled:Revoked Expired As Unsigned` |
-| 16 | `Enabled:Audit Mode (Default)` |
-| 17 | `Disabled:Flight Signing` |
-| 18 | `Enabled:Inherit Default Policy` |
-| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
-| 20 | `Enabled:Dynamic Code Security` |
-| 21 | `Required:EV Signers` |
-| 22 | `Enabled:Boot Audit on Failure` |
-| 23 | `Enabled:Advanced Boot Options Menu` |
-| 24 | `Disabled:Script Enforcement` |
-| 25 | `Required:Enforce Store Applications` |
-| 27 | `Enabled:Managed Installer` |
-| 28 | `Enabled:Update Policy No Reboot` |
-
## Appendix
A list of other relevant event IDs and their corresponding description.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index f358465735..31cf192cbc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 07/13/2021
+ms.date: 03/24/2023
ms.technology: itpro-security
ms.topic: article
---
@@ -37,14 +37,14 @@ Represents the type of signature which verified the image.
| 6 | AppX / MSIX package catalog verified |
| 7 | File was verified |
-## ValidatedSigningLevel
+## Requested and ValidatedSigningLevel
Represents the signature level at which the code was verified.
| ValidatedSigningLevel Value | Explanation |
|---|----------|
| 0 | Signing level hasn't yet been checked |
-| 1 | File is unsigned |
+| 1 | File is unsigned or has no signature that passes the active policies |
| 2 | Trusted by Windows Defender Application Control policy |
| 3 | Developer signed code |
| 4 | Authenticode signed |
@@ -92,6 +92,56 @@ Represents why verification failed, or if it succeeded.
| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
+## Policy activation event Options
+
+The Application Control policy rule option values can be derived from the "Options" field in the Details section for successful [policy activation events](event-id-explanations.md#wdac-policy-activation-events). To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
+
+- Access Event Viewer.
+- Access the Code integrity 3099 event.
+- Access the details pane.
+- Identify the hex code listed in the "Options" field.
+- Convert the hex code to binary.
+
+:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
+
+For a simple solution for converting hex to binary, follow these steps:
+
+1. Open the Calculator app.
+1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
+1. Select **Programmer** mode.
+1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
+1. Enter your hex code. For example, `80881000`.
+1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
+
+:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
+
+This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
+
+Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
+
+| Bit Address | Policy Rule Option |
+|-------|------|
+| 2 | `Enabled:UMCI` |
+| 3 | `Enabled:Boot Menu Protection` |
+| 4 | `Enabled:Intelligent Security Graph Authorization` |
+| 5 | `Enabled:Invalidate EAs on Reboot` |
+| 7 | `Required:WHQL` |
+| 10 | `Enabled:Allow Supplemental Policies` |
+| 11 | `Disabled:Runtime FilePath Rule Protection` |
+| 13 | `Enabled:Revoked Expired As Unsigned` |
+| 16 | `Enabled:Audit Mode (Default)` |
+| 17 | `Disabled:Flight Signing` |
+| 18 | `Enabled:Inherit Default Policy` |
+| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
+| 20 | `Enabled:Dynamic Code Security` |
+| 21 | `Required:EV Signers` |
+| 22 | `Enabled:Boot Audit on Failure` |
+| 23 | `Enabled:Advanced Boot Options Menu` |
+| 24 | `Disabled:Script Enforcement` |
+| 25 | `Required:Enforce Store Applications` |
+| 27 | `Enabled:Managed Installer` |
+| 28 | `Enabled:Update Policy No Reboot` |
+
## Microsoft Root CAs trusted by Windows
The rule means trust anything signed by a certificate that chains to this root CA.
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index a5642a032c..f2125eb6c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -28,15 +28,34 @@ ms.localizationpriority: medium
This article covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
-## Managed Installer and ISG will cause garrulous events
+## WDAC policy file locations
+
+**Multiple policy format WDAC policies** are found in the following locations depending on whether the policy is signed or not, and the method of policy deployment that was used.
+
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
+- <EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
+
+The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the <PolicyId> element.
+
+For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
+
+- <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
+
+> [!NOTE]
+> A multiple policy format WDAC policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` may exist under any of the policy file locations.
+
+## Known issues
+
+### Managed Installer and ISG will cause garrulous events
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
-## .NET native images may generate false positive block events
+### .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
-## MSI Installations launched directly from the internet are blocked by WDAC
+### MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
For example, this command won't work:
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
new file mode 100644
index 0000000000..91970316c1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
@@ -0,0 +1,143 @@
+---
+title: WDAC debugging and troubleshooting guide
+description: Learn how to debug and troubleshoot app and script failures when using WDAC
+author: valemieux
+ms.author: jogeurte
+ms.reviewer: jsuther1974
+ms.topic: how-to
+ms.date: 03/23/2023
+ms.custom: template-how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+---
+
+# WDAC debugging and troubleshooting
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+
+This article describes how to debug and troubleshoot app and script failures when using Windows Defender Application Control (WDAC).
+
+## 1 - Gather WDAC diagnostic data
+
+Before debugging and troubleshooting WDAC issues, you must collect information from a device exhibiting the problem behavior. Run the following commands from an elevated PowerShell window to collect the diagnostic information you may need:
+
+1. Gather general WDAC diagnostic data and copy it to %userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag by running:
+
+ ```powershell
+ cidiag.exe /stop
+ ```
+
+ If CiDiag.exe is not present in your version of Windows, gather this information manually:
+
+ - WDAC policy binaries from the [Windows and EFI system partitions](known-issues.md#wdac-policy-file-locations)
+ - WDAC event logs
+ - AppLocker event logs
+ - Other event logs that may contain useful information from other Windows apps and services
+ - A text file containing only critical error events found in the WDAC event logs
+ - A text file containing full event details for critical error events found in the WDAC event logs
+
+2. Save the device's System Information to the CiDiag folder by running `msinfo32.exe /report $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\SystemInformation.txt`.
+3. Use [CiTool.exe](citool-commands.md) to inventory the list of WDAC policies on the device by running `citool.exe -lp -json > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\CiToolOutput.json`. Skip this step if CiTool.exe is not present in your version of Windows.
+4. Export AppLocker registry key data to the CiDiag folder by running the following commands:
+
+ `reg.exe query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
+ `reg.exe query HKLM\Software\Policies\Microsoft\Windows\AppidPlugins /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
+ `reg.exe query HKLM\System\CurrentControlSet\Control\Srp\ /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
+
+5. Copy any AppLocker policy files from %windir%System32\AppLocker to the CiDiag folder by running `Copy-Item -Path $env:windir\System32\AppLocker -Destination $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\ -Recurse -Force`
+6. Collect file information for the AppLocker policy files collected in the previous step by running `Get-ChildItem -Path $env:windir\System32\AppLocker\ -Recurse | select Mode,LastWriteTime,CreationTime,Length,Name >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerPolicyFiles.txt`
+7. Export the effective AppLocker policy by running `Get-AppLockerPolicy -xml -Effective > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml`
+8. Collect AppLocker services configuration and state information by running the following commands:
+
+ `sc.exe query appid > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ `sc.exe query appidsvc >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ `sc.exe query applockerfltr > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+
+### Core WDAC event logs
+
+WDAC events are generated under two locations:
+
+- Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+- Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+Within the CiDiag output directory, these event logs are called CIOperational.evtx and ALMsiAndScript.evtx, respectively.
+
+### Other Windows event logs that may be useful
+
+Sometimes, you may be able to supplement the information contained in the core WDAC event logs with information found in these other event logs. The ones shown in *italics* are not collected by cidiag.exe.
+
+- Applications and Services logs – Microsoft – Windows – CodeIntegrity – Verbose
+- Applications and Services logs – Microsoft – Windows – AppLocker – EXE and DLL
+- Applications and Services logs – Microsoft – Windows – AppLocker – Packaged app-Deployment
+- Applications and Services logs – Microsoft – Windows – AppLocker – Packaged app-Execution
+- Applications and Services logs – Microsoft – Windows – AppID - Operational
+- Applications and Services logs – Microsoft – Windows – CAPI2 - Operational
+- Applications and Services logs – Microsoft – Windows – DeviceGuard - Operational
+- *Applications and Services logs – Microsoft – Windows – PowerShell - \**
+- *Windows - Application*
+- *Windows - System*
+
+## 2 - Use the diagnostic and log data to identify problems
+
+Having gathered the necessary diagnostic information from a device, you're ready to begin your analysis of the diagnostic data collected in the previous step.
+
+1. Verify the set of WDAC policies that are active and enforced. Confirm that only those policies you expect to be active are currently active. Be aware that [Windows includes inbox policies](inbox-wdac-policies.md) that may also be active. You can use either of these methods:
+
+ - Review the output from *CiTool.exe -lp*, if applicable, which was saved to the CIDiag output directory as CiToolOutput.json. See [use Microsoft Edge to view the formatted json file](/microsoft-edge/devtools-guide-chromium/json-viewer/json-viewer).
+ - Review all [policy activation events](../event-id-explanations.md#wdac-policy-activation-events) from the core WDAC event log found at **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational**. Within the CIDiag output directory, this event log is called CIOperational.evtx.
+
+2. Review any [block events for executables, dlls, and drivers](../event-id-explanations.md#wdac-block-events-for-executables-dlls-and-drivers) from the core WDAC event log found at **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational**. Within the CIDiag output directory, this event log is called CIOperational.evtx. Use information from the block events and their correlated 3089 signature details event(s) to investigate any blocks that are unexplained or unexpected. See the blocked executable example described later in this article for reference.
+3. Review any [block events for packaged apps, MSI installers, scripts, and COM objects](../event-id-explanations.md#wdac-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects) from the core script enforcement event log found at **Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script**. Within the CIDiag output directory, this event log is called ALMsiAndScript.evtx. Use information from the block events and their correlated 8038 signature details event(s) to investigate any blocks that are unexplained or unexpected.
+
+Most WDAC-related issues, including app and script failures, can be diagnosed using the preceding steps.
+
+### Event analysis for an example blocked executable
+
+
+
+## 3 - Resolve common problems
+
+### A file was blocked that you want to allow
+
+- Use data from the core WDAC event logs to add rules to allow the blocked file.
+- Re-deploy the file or app using a managed installer if your policy trusts managed installers.
+
+### A policy is active that is unexpected
+
+This condition may exist if:
+
+- A policy was removed but the system hasn't been rebooted.
+- A policy was partially removed, but a copy of the policy still exists in either the System or EFI partition.
+- A policy with PolicyId {A244370E-44C9-4C06-B551-F6016E563076} (single-policy format) was copied to the multiple-policy format policy location before activation, resulting in a duplicate policy binary on disk. Check for both SiPolicy.p7b and \{A244370E-44C9-4C06-B551-F6016E563076\}.cip files in the System and EFI partitions.
+- A policy was incorrectly deployed to the device.
+- An attacker with administrator access has applied a policy to cause denial of service for some critical processes.
+
+To resolve such an issue, follow the instructions to [Remove WDAC policies](../disable-windows-defender-application-control-policies.md) for the identified policy.
+
+### An unhandled app failure is occurring and no WDAC events are observed
+
+Some apps alter their behavior when a user mode WDAC policy is active which can result in unexpected failures. This can also be seen as a side-effect of script enforcement, since the script enforcement behaviors are implemented by the individual script hosts and may not be handled by apps that interact with those script hosts.
+
+Try to isolate the root cause by doing the following:
+
+- Check for events in [other event logs](#other-windows-event-logs-that-may-be-useful) corresponding with the app failures.
+- Temporarily replace the WDAC policy with another policy that [disables script enforcement](../design/script-enforcement.md) and re-test.
+- Temporarily replace the WDAC policy with another policy that [allows all COM objects](../allow-com-object-registration-in-windows-defender-application-control-policy.md) and re-test.
+- Temporarily replace the WDAC policy with another policy that relaxes other [policy rules](../select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) and re-test.
+
+### An app deployed by a managed installer is not working
+
+To debug issues using managed installer, try the following:
+
+- Check that the effective AppLocker policy $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml is correct as described in
+- Check that the AppLocker services are running. These should be found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created earlier.
+- Check that an AppLocker file exists called MANAGEDINSTALLER.APPLOCKER
+- Check if the app is encountering a [known limitation with managed installer](../configure-authorized-apps-deployed-with-a-managed-installer.md#known-limitations-with-managed-installer). If so, you must authorize the app using other means.
+-
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index 4a03e5ee20..ffa96146c9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -31,16 +31,6 @@ ms.topic: article
After enabling you understand how to design and deploy your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
-## WDAC Events Overview
-
-Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, there's the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
-
-WDAC events are generated under two locations:
-
- - Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
-
- - Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
-
## In this section
| Topic | Description |
From 6fc6a2182fdae6a71b95a76dd792e2153c869456 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Mon, 27 Mar 2023 18:35:01 -0700
Subject: [PATCH 053/143] fix tier
---
.../deployment/deploy-enterprise-licenses.md | 4 +++-
windows/deployment/deploy-whats-new.md | 14 ++++++++------
.../deploy-a-windows-10-image-using-mdt.md | 4 +++-
...ed-with-the-microsoft-deployment-toolkit.md | 4 +++-
.../prepare-for-windows-deployment-with-mdt.md | 4 +++-
windows/deployment/do/index.yml | 4 +++-
windows/deployment/do/mcc-isp-faq.yml | 4 +++-
.../do/waas-delivery-optimization-faq.yml | 10 ++++++----
.../do/waas-delivery-optimization.md | 18 ++++++++++--------
windows/deployment/index.yml | 10 ++++++----
windows/deployment/mbr-to-gpt.md | 6 ++++--
.../planning/windows-to-go-overview.md | 6 ++++--
.../deployment/update/deploy-updates-intune.md | 8 +++++---
windows/deployment/update/safeguard-holds.md | 6 ++++--
.../update/servicing-stack-updates.md | 6 ++++--
.../update/update-compliance-get-started.md | 4 +++-
.../update/waas-manage-updates-wsus.md | 6 ++++--
.../update/waas-manage-updates-wufb.md | 6 ++++--
windows/deployment/update/waas-overview.md | 6 ++++--
windows/deployment/update/waas-restart.md | 8 +++++---
windows/deployment/update/waas-wu-settings.md | 6 ++++--
.../update/waas-wufb-group-policy.md | 6 ++++--
.../deployment/update/windows-update-logs.md | 6 ++++--
windows/deployment/upgrade/log-files.md | 10 ++++++----
windows/deployment/upgrade/setupdiag.md | 14 ++++++++------
.../upgrade/windows-10-edition-upgrades.md | 6 ++++--
.../upgrade/windows-10-upgrade-paths.md | 10 ++++++----
windows/deployment/usmt/usmt-overview.md | 14 ++++++++------
.../usmt-recognized-environment-variables.md | 12 +++++++-----
...active-directory-based-activation-client.md | 4 +++-
...tivate-using-key-management-service-vamt.md | 14 ++++++++------
.../windows-10-subscription-activation.md | 4 +++-
windows/deployment/windows-autopatch/index.yml | 4 +++-
.../overview/windows-autopatch-overview.md | 6 ++++--
.../demonstrate-deployment-on-vm.md | 6 ++++--
windows/deployment/windows-autopilot/index.yml | 6 ++++--
windows/hub/index.yml | 5 +++--
.../whats-new/deprecated-features-resources.md | 4 +++-
windows/whats-new/deprecated-features.md | 6 ++++--
windows/whats-new/feature-lifecycle.md | 4 +++-
windows/whats-new/index.yml | 1 +
windows/whats-new/ltsc/index.md | 3 +--
.../ltsc/whats-new-windows-10-2019.md | 3 +--
.../ltsc/whats-new-windows-10-2021.md | 3 +--
windows/whats-new/removed-features.md | 6 ++++--
.../whats-new-windows-10-version-20H2.md | 4 +++-
.../whats-new-windows-10-version-21H1.md | 4 +++-
.../whats-new-windows-10-version-21H2.md | 4 +++-
.../whats-new-windows-10-version-22H2.md | 6 ++++--
.../whats-new-windows-11-version-22H2.md | 6 ++++--
windows/whats-new/windows-11-overview.md | 4 +++-
windows/whats-new/windows-11-plan.md | 6 ++++--
windows/whats-new/windows-11-prepare.md | 6 ++++--
windows/whats-new/windows-11-requirements.md | 6 ++++--
54 files changed, 222 insertions(+), 125 deletions(-)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 7239ce998b..92d3cab701 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -8,7 +8,9 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 5c8f6ce68d..f878a7d748 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -1,15 +1,17 @@
---
title: What's new in Windows client deployment
-manager: aaroncz
-ms.author: frankroj
description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
ms.localizationpriority: medium
ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.collection: highpri, tier2
-ms.date: 11/23/2022
ms.technology: itpro-deploy
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.date: 11/23/2022
---
# What's new in Windows client deployment
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 8a735ec6c4..7ecf3516b0 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -8,7 +8,9 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier3
ms.date: 11/28/2022
---
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 757c32ec36..fc628c12d5 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -8,7 +8,9 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier3
ms.date: 11/28/2022
---
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index bf1a4099cc..57be35765a 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -8,7 +8,9 @@ ms.localizationpriority: medium
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier3
ms.date: 11/28/2022
---
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index 7c057be789..cdbe9ad071 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -9,7 +9,9 @@ metadata:
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-updates
- ms.collection: highpri, tier3
+ ms.collection:
+ - highpri
+ - tier3
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index 1d912e7b10..b07e11c2e1 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -5,7 +5,9 @@ metadata:
author: amymzhou
ms.author: amymzhou
manager: aaroncz
- ms.collection: highpri, tier3
+ ms.collection:
+ - highpri
+ - tier3
ms.topic: faq
ms.date: 09/30/2022
ms.prod: windows-client
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index cb916610f0..f363e5116d 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -2,13 +2,15 @@
metadata:
title: Delivery Optimization Frequently Asked Questions
description: The following is a list of frequently asked questions for Delivery Optimization.
- ms.reviewer: aaroncz
+ ms.reviewer: mstewart
ms.prod: windows-client
- author: carmenf
+ author: cmknox
ms.author: carmenf
- manager: dougeby
+ manager: aaroncz
ms.technology: itpro-updates
- ms.collection: highpri, tier3
+ ms.collection:
+ - highpri
+ - tier3
ms.topic: faq
ms.date: 08/04/2022
title: Delivery Optimization Frequently Asked Questions
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 0f88d16b68..94d89f77a1 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -1,14 +1,16 @@
---
title: What is Delivery Optimization?
-manager: aaroncz
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.collection: tier3, highpri
-ms.topic: article
ms.technology: itpro-updates
+ms.localizationpriority: medium
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
+ms.collection:
+ - tier3
+ - highpri
+ms.topic: overview
ms.date: 12/31/2017
---
@@ -16,7 +18,7 @@ ms.date: 12/31/2017
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
@@ -81,7 +83,7 @@ In Windows client Enterprise, Professional, and Education editions, Delivery Opt
## How Microsoft uses Delivery Optimization
-At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
+At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more information, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 5e9e859e17..c2e2672c36 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -5,15 +5,17 @@ summary: Learn about deploying and keeping Windows client devices up to date. #
metadata:
title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
+ description: Learn about deploying Windows and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page
- ms.technology: itpro-apps
+ ms.technology: itpro-deploy
ms.prod: windows-client
- ms.collection: highpri, tier1
+ ms.collection:
+ - highpri
+ - tier1
author: frankroj
ms.author: frankroj
manager: aaroncz
- ms.date: 10/31/2022 #Required; mm/dd/yyyy format.
+ ms.date: 10/31/2022
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 4caffd0228..2ab8313425 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,8 +7,10 @@ ms.author: frankroj
ms.date: 11/23/2022
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: how-to
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-deploy
---
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index f9b22c70d2..e49022488b 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -5,9 +5,11 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
-ms.topic: article
+ms.topic: overview
ms.technology: itpro-deploy
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.date: 10/28/2022
---
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
index 5c884406fd..8ce126fdb1 100644
--- a/windows/deployment/update/deploy-updates-intune.md
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -1,6 +1,6 @@
---
title: Deploy updates with Intune
-description: Deploy Windows client updates with Intune
+description: Deploy Windows client updates with Intune.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
@@ -8,7 +8,9 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.date: 12/31/2017
---
@@ -16,7 +18,7 @@ ms.date: 12/31/2017
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates.
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 7bb8cf8dca..da7a3accae 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,6 +1,6 @@
---
title: Safeguard holds
-description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
+description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
@@ -8,7 +8,9 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 08bc528d69..30228a83de 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
-ms.collection: highpri, tier2
-ms.topic: article
+ms.collection:
+ - highpri
+ - tier2
+ms.topic: conceptual
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index a7272569b6..251aa25370 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,7 +6,9 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.topic: article
ms.date: 05/03/2022
ms.technology: itpro-updates
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 231671f5d7..93ab10c8bc 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: how-to
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 2cd41a5831..54da439aad 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -6,8 +6,10 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: overview
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 184b4e1c7a..2585696606 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: overview
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index ea9726a38e..e95825d0c0 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,13 +1,15 @@
---
-title: Manage device restarts after updates (Windows 10)
+title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: how-to
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 19c313af57..dd358bb8a2 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -6,8 +6,10 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: how-to
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 03/09/2023
---
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7c7b83dcd3..7d696f704d 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -5,9 +5,11 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
manager: aaroncz
-ms.topic: article
+ms.topic: how-to
ms.technology: itpro-updates
ms.date: 02/28/2023
---
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 0f3dcb78bb..b4ab1cd282 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -5,8 +5,10 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: troubleshooting
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 60af41b984..e5e5fca659 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -1,13 +1,15 @@
---
title: Log files and resolving upgrade errors
-manager: aaroncz
-ms.author: frankroj
description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
ms.prod: windows-client
author: frankroj
+manager: aaroncz
+ms.author: frankroj
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: troubleshooting
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 62aa926553..3b512451f5 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -1,14 +1,16 @@
---
title: SetupDiag
-manager: aaroncz
-ms.author: frankroj
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
ms.prod: windows-client
-author: frankroj
-ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier2
ms.technology: itpro-deploy
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
+ms.localizationpriority: medium
+ms.topic: troubleshooting
+ms.collection:
+ - highpri
+ - tier2
ms.date: 10/28/2022
---
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index a49e89b8ed..ea38090b1d 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -6,8 +6,10 @@ ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
-ms.topic: article
-ms.collection: highpri, tier2
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 7e8b1b574e..9cd2a2aca9 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,13 +1,15 @@
---
title: Windows 10 upgrade paths (Windows 10)
-manager: aaroncz
-ms.author: frankroj
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
-ms.topic: article
-ms.collection: highpri, tier2
+manager: aaroncz
+ms.author: frankroj
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index eb67085ba9..dae39a70bd 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,14 +1,16 @@
---
-title: User State Migration Tool (USMT) Overview (Windows 10)
+title: User State Migration Tool (USMT) overview
description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
+ms.prod: windows-client
+ms.technology: itpro-deploy
+author: frankroj
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
ms.date: 11/01/2022
-ms.topic: article
-ms.collection: highpri, tier2
-ms.technology: itpro-deploy
+ms.topic: overview
+ms.collection:
+ - highpri
+ - tier2
---
# User State Migration Tool (USMT) overview
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 3239732839..762ede46cb 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,14 +1,16 @@
---
-title: Recognized Environment Variables (Windows 10)
+title: Recognized environment variables
description: Learn how to use environment variables to identify folders that may be different on different computers.
+ms.prod: windows-client
+ms.technology: itpro-deploy
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
author: frankroj
ms.date: 11/01/2022
-ms.topic: article
-ms.collection: highpri, tier2
-ms.technology: itpro-deploy
+ms.topic: ceonceptual
+ms.collection:
+ - highpri
+ - tier2
---
# Recognized environment variables
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 2495b86782..9304d88783 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -10,7 +10,9 @@ ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: how-to
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
---
# Activate using Active Directory-based activation
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 72dd3657cf..3401c97658 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -1,16 +1,18 @@
---
-title: Activate using Key Management Service (Windows 10)
+title: Activate using Key Management Service
description: Learn how to use Key Management Service (KMS) to activate Windows.
ms.reviewer: nganguly
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+author: frankroj
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
-ms.topic: article
-ms.collection: highpri, tier2
-ms.technology: itpro-fundamentals
+ms.topic: how-to
+ms.collection:
+ - highpri
+ - tier2
---
# Activate using Key Management Service
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 924489e2c6..59914650f4 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -7,7 +7,9 @@ ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.topic: conceptual
ms.date: 11/23/2022
appliesto:
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index 2105efa402..f80f14cdd2 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -14,7 +14,9 @@ metadata:
ms.custom: intro-hub-or-landing
ms.prod: windows-client
ms.technology: itpro-updates
- ms.collection: highpri, tier2
+ ms.collection:
+ - highpri
+ - tier2
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 35df585aa1..c515617ae7 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,6 +1,6 @@
---
title: What is Windows Autopatch?
-description: Details what the service is and shortcuts to articles
+description: Details what the service is and shortcuts to articles.
ms.date: 07/11/2022
ms.prod: windows-client
ms.technology: itpro-updates
@@ -9,7 +9,9 @@ ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 4ca53207b6..4ebfe798e1 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,13 +1,15 @@
---
title: Demonstrate Autopilot deployment
-manager: aaroncz
description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
-ms.collection: highpri, tier2
+manager: aaroncz
+ms.collection:
+ - highpri
+ - tier2
ms.topic: tutorial
ms.date: 10/28/2022
---
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
index 82cba08343..78ac058a36 100644
--- a/windows/deployment/windows-autopilot/index.yml
+++ b/windows/deployment/windows-autopilot/index.yml
@@ -9,11 +9,13 @@ metadata:
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-deploy
- ms.collection: highpri, tier1
+ ms.collection:
+ - highpri
+ - tier1
author: frankroj
ms.author: frankroj
manager: aaroncz
- ms.date: 10/28/2022 #Required; mm/dd/yyyy format.
+ ms.date: 10/28/2022
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 34186301e4..8eb8641a31 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -12,8 +12,9 @@ metadata:
ms.prod: windows-client
ms.collection:
- highpri
- author: dougeby #Required; your GitHub user alias, with correct capitalization.
- ms.author: dougeby #Required; microsoft alias of author; optional team alias.
+ - tier1
+ author: aczechowski #Required; your GitHub user alias, with correct capitalization.
+ ms.author: aaroncz #Required; microsoft alias of author; optional team alias.
ms.date: 10/01/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index f00940e722..6728e2b1bd 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -9,7 +9,9 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: reference
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Resources for deprecated features
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 331770192b..84ceba70f7 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -8,8 +8,10 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
---
# Deprecated features for Windows client
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index d97cc8895b..d987cfd951 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -9,7 +9,9 @@ ms.author: mstewart
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 10/28/2022
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
---
# Windows client features lifecycle
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index d1f1ec51df..c988c8ebb4 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- highpri
+ - tier1
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 78b5590c17..e294bee159 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -6,8 +6,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: low
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: overview
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 14d7f14fa9..d696f8b2da 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -6,8 +6,7 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ccc6db0ea1..c766c7f2af 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -6,8 +6,7 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.prod: windows-client
author: mestew
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index d0825bcd12..06f89c6fff 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -6,10 +6,12 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 01/05/2023
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Features and functionality removed in Windows client
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 078b022d66..3030181ea5 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -7,7 +7,9 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 77d6e3c52f..af47ae3987 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -7,7 +7,9 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 2e68bca2a5..0e8808f228 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -7,7 +7,9 @@ ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index f657b2fae0..e1ecaecbb0 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -7,9 +7,11 @@ ms.author: mstewart
author: mestew
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: conceptual
ms.date: 10/18/2022
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier2
---
# What's new in Windows 10, version 22H2
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 9879efdeab..bb565c5358 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -6,8 +6,10 @@ ms.prod: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 93f8c35444..df91262622 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -9,7 +9,9 @@ ms.date: 09/20/2022
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: overview
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Windows 11 overview
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index d61ccbad1a..ce4a6efa32 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 46740f84c3..9a0cdaf844 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index f264fb396a..74230a9b73 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
ms.prod: windows-client
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 02/13/2023
---
From 4c4a46cc40da927b23d09071f5a5e8e441b74967 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Mon, 27 Mar 2023 18:47:08 -0700
Subject: [PATCH 054/143] acrolinx
---
.../planning/windows-to-go-overview.md | 38 +++++++++----------
windows/deployment/update/safeguard-holds.md | 12 +++---
2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index e49022488b..d176c2c88d 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -24,15 +24,15 @@ ms.date: 10/28/2022
Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
-PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
+PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go isn't intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some other considerations that you should keep in mind before you start to use Windows To Go:
- [Windows To Go: feature overview](#windows-to-go-feature-overview)
- [Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows)
- [Roaming with Windows To Go](#roaming-with-windows-to-go)
- [Prepare for Windows To Go](#prepare-for-windows-to-go)
- [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
- - [Additional resources](#additional-resources)
- - [Related topics](#related-topics)
+ - [Other resources](#additional-resources)
+ - [Related articles](#related-topics)
> [!NOTE]
> Windows To Go is not supported on Windows RT.
@@ -41,24 +41,24 @@ PCs that meet the Windows 7 or later [certification requirements](/previous-vers
Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:
-- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer.
-- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
+- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive won't be listed in Windows Explorer.
+- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.
- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled.
-- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
+- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces can't be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
## Roaming with Windows To Go
-Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically.
+Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer, it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is next booted on that host computer, it will be able to identify the host computer and load the correct set of drivers automatically.
-The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers.
+The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware, which will cause difficulties if the workspace is being used with multiple host computers.
## Prepare for Windows To Go
Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
-These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
+These same tools can be used to provision Windows To Go drive, just as if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
> [!IMPORTANT]
> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported.
@@ -69,7 +69,7 @@ Are there any drivers that you need to inject into the image?
How will data be stored and synchronized to appropriate locations from the USB device?
-Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image?
+Are there any applications that are incompatible with Windows To Go roaming that shouldn't be included in the image?
What should be the architecture of the image - 32bit/64bit?
@@ -81,7 +81,7 @@ For more information about designing and planning your Windows To Go deployment,
**For USB drives**
-The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following:
+The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following items:
- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly.
- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later.
@@ -103,7 +103,7 @@ As of the date of publication, the following are the USB drives currently certif
- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
> [!IMPORTANT]
- > You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720).
+ > You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go, see [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720).
- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
@@ -123,25 +123,25 @@ As of the date of publication, the following are the USB drives currently certif
- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722))
- We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
+ We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility, see [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
**For host computers**
-When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria:
+When assessing the use of a PC as a host for a Windows To Go workspace, you should consider the following criteria:
- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go.
-- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario.
-- Running a Windows To Go workspace on a Mac computer is not a supported scenario.
+- Running a Windows To Go workspace from a computer that is running Windows RT isn't a supported scenario.
+- Running a Windows To Go workspace on a Mac computer isn't a supported scenario.
The following table details the characteristics that the host computer must have to be used with Windows To Go:
|Item|Requirement|
|--- |--- |
|Boot process|Capable of USB boot|
-|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)|
+|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you're unsure of the ability of your PC to boot from USB)|
|Processor architecture|Must support the image on the Windows To Go drive|
|External USB Hubs|Not supported; connect the Windows To Go drive directly to the host machine|
-|Processor|1 Ghz or faster|
+|Processor|1 GHz or faster|
|RAM|2 GB or greater|
|Graphics|DirectX 9 graphics device with WDDM 1.2 or greater driver|
|USB port|USB 2.0 port or greater|
@@ -163,7 +163,7 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi
- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951)
-## Related topics
+## Related articles
[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index da7a3accae..6535bc2084 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -21,11 +21,11 @@ ms.date: 12/31/2017
- Windows 10
- Windows 11
-Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
-The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
+The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
@@ -33,19 +33,19 @@ IT admins managing updates using the [Windows Update for Business deployment ser
## Am I affected by a safeguard hold?
-IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
+IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you with insight into the safeguard holds that are preventing devices from updating or upgrading.
-Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
+Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
-This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely.
+This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
## What can I do?
-We recommend that you do not attempt to manually update until issues have been resolved and holds released.
+We recommend that you don't attempt to manually update until issues have been resolved and holds released.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
From dc77ed9f57c902e1ac204c2149dca62aa93de524 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Mon, 27 Mar 2023 18:50:08 -0700
Subject: [PATCH 055/143] fix typo
---
.../deployment/usmt/usmt-recognized-environment-variables.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 762ede46cb..7e377402d1 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -7,7 +7,7 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.date: 11/01/2022
-ms.topic: ceonceptual
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
From 46095f6607aa29cba51501fc8e8f378c9df582ba Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Mon, 27 Mar 2023 18:52:01 -0700
Subject: [PATCH 056/143] fix missing bookmark
---
windows/deployment/planning/windows-to-go-overview.md | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index d176c2c88d..29746b5180 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -31,11 +31,9 @@ PCs that meet the Windows 7 or later [certification requirements](/previous-vers
- [Roaming with Windows To Go](#roaming-with-windows-to-go)
- [Prepare for Windows To Go](#prepare-for-windows-to-go)
- [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
- - [Other resources](#additional-resources)
- - [Related articles](#related-topics)
> [!NOTE]
-> Windows To Go is not supported on Windows RT.
+> Windows To Go isn't supported on Windows RT.
## Differences between Windows To Go and a typical installation of Windows
@@ -157,7 +155,7 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi
|UEFI BIOS|32-bit|32-bit only|
|UEFI BIOS|64-bit|64-bit only|
-## Additional resources
+## Other resources
- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
From 6831e168e4a9ff654ae3b020c400ca75f23f72ac Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Tue, 28 Mar 2023 08:30:05 -0700
Subject: [PATCH 057/143] Update wdac-debugging-and-troubleshooting.md
---
.../operations/wdac-debugging-and-troubleshooting.md | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
index 91970316c1..862a0bb9ce 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
@@ -40,8 +40,6 @@ Before debugging and troubleshooting WDAC issues, you must collect information f
- WDAC event logs
- AppLocker event logs
- Other event logs that may contain useful information from other Windows apps and services
- - A text file containing only critical error events found in the WDAC event logs
- - A text file containing full event details for critical error events found in the WDAC event logs
2. Save the device's System Information to the CiDiag folder by running `msinfo32.exe /report $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\SystemInformation.txt`.
3. Use [CiTool.exe](citool-commands.md) to inventory the list of WDAC policies on the device by running `citool.exe -lp -json > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\CiToolOutput.json`. Skip this step if CiTool.exe is not present in your version of Windows.
@@ -56,9 +54,9 @@ Before debugging and troubleshooting WDAC issues, you must collect information f
7. Export the effective AppLocker policy by running `Get-AppLockerPolicy -xml -Effective > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml`
8. Collect AppLocker services configuration and state information by running the following commands:
- `sc.exe query appid > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
- `sc.exe query appidsvc >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
- `sc.exe query applockerfltr > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ `sc.exe query appid ; sc.exe query appidsvc; sc.exe query applockerfltr > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ `>> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ `>> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
### Core WDAC event logs
From 480b0b822f2cd41b14e3719609f5b2dd6ff8c84c Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Tue, 28 Mar 2023 10:38:12 -0700
Subject: [PATCH 058/143] Update wdac-debugging-and-troubleshooting.md
---
.../wdac-debugging-and-troubleshooting.md | 80 ++++++++++++++-----
1 file changed, 59 insertions(+), 21 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
index 862a0bb9ce..4f6d9ae41e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
@@ -28,7 +28,7 @@ This article describes how to debug and troubleshoot app and script failures whe
Before debugging and troubleshooting WDAC issues, you must collect information from a device exhibiting the problem behavior. Run the following commands from an elevated PowerShell window to collect the diagnostic information you may need:
-1. Gather general WDAC diagnostic data and copy it to %userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag by running:
+1. Gather general WDAC diagnostic data and copy it to %userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag:
```powershell
cidiag.exe /stop
@@ -41,22 +41,47 @@ Before debugging and troubleshooting WDAC issues, you must collect information f
- AppLocker event logs
- Other event logs that may contain useful information from other Windows apps and services
-2. Save the device's System Information to the CiDiag folder by running `msinfo32.exe /report $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\SystemInformation.txt`.
-3. Use [CiTool.exe](citool-commands.md) to inventory the list of WDAC policies on the device by running `citool.exe -lp -json > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\CiToolOutput.json`. Skip this step if CiTool.exe is not present in your version of Windows.
-4. Export AppLocker registry key data to the CiDiag folder by running the following commands:
+2. Save the device's System Information to the CiDiag folder:
- `reg.exe query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
- `reg.exe query HKLM\Software\Policies\Microsoft\Windows\AppidPlugins /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
- `reg.exe query HKLM\System\CurrentControlSet\Control\Srp\ /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt`
+ ```powershell
+ msinfo32.exe /report $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\SystemInformation.txt
+ ```
-5. Copy any AppLocker policy files from %windir%System32\AppLocker to the CiDiag folder by running `Copy-Item -Path $env:windir\System32\AppLocker -Destination $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\ -Recurse -Force`
-6. Collect file information for the AppLocker policy files collected in the previous step by running `Get-ChildItem -Path $env:windir\System32\AppLocker\ -Recurse | select Mode,LastWriteTime,CreationTime,Length,Name >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerPolicyFiles.txt`
-7. Export the effective AppLocker policy by running `Get-AppLockerPolicy -xml -Effective > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml`
-8. Collect AppLocker services configuration and state information by running the following commands:
+3. Use [CiTool.exe](citool-commands.md) to inventory the list of WDAC policies on the device. Skip this step if CiTool.exe is not present in your version of Windows.
- `sc.exe query appid ; sc.exe query appidsvc; sc.exe query applockerfltr > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
- `>> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
- `>> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt`
+ ```powershell
+ citool.exe -lp -json > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\CiToolOutput.json
+ ````
+
+4. Export AppLocker registry key data to the CiDiag folder:
+
+ ```powershell
+ reg.exe query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\Software\Policies\Microsoft\Windows\AppidPlugins /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\System\CurrentControlSet\Control\Srp\ /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt
+ ```
+
+5. Copy any AppLocker policy files from %windir%System32\AppLocker to the CiDiag folder:
+
+ ```powershell
+ Copy-Item -Path $env:windir\System32\AppLocker -Destination $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\ -Recurse -Force -ErrorAction Ignore
+ ```
+
+6. Collect file information for the AppLocker policy files collected in the previous step:
+
+ ```powershell
+ Get-ChildItem -Path $env:windir\System32\AppLocker\ -Recurse | select Mode,LastWriteTime,CreationTime,Length,Name >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerPolicyFiles.txt
+ ```
+
+7. Export the effective AppLocker policy:
+
+ ```powershell
+ Get-AppLockerPolicy -xml -Effective > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml
+ ```
+
+8. Collect AppLocker services configuration and state information:
+
+ ```powershell
+ sc.exe query appid > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt; sc.exe query appidsvc >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt; sc.exe query applockerfltr >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt
+ ```
### Core WDAC event logs
@@ -102,12 +127,12 @@ Most WDAC-related issues, including app and script failures, can be diagnosed us
## 3 - Resolve common problems
-### A file was blocked that you want to allow
+### Issue: A file was blocked that you want to allow
- Use data from the core WDAC event logs to add rules to allow the blocked file.
- Re-deploy the file or app using a managed installer if your policy trusts managed installers.
-### A policy is active that is unexpected
+### Issue: A policy is active that is unexpected
This condition may exist if:
@@ -119,7 +144,7 @@ This condition may exist if:
To resolve such an issue, follow the instructions to [Remove WDAC policies](../disable-windows-defender-application-control-policies.md) for the identified policy.
-### An unhandled app failure is occurring and no WDAC events are observed
+### Issue: An unhandled app failure is occurring and no WDAC events are observed
Some apps alter their behavior when a user mode WDAC policy is active which can result in unexpected failures. This can also be seen as a side-effect of script enforcement, since the script enforcement behaviors are implemented by the individual script hosts and may not be handled by apps that interact with those script hosts.
@@ -130,12 +155,25 @@ Try to isolate the root cause by doing the following:
- Temporarily replace the WDAC policy with another policy that [allows all COM objects](../allow-com-object-registration-in-windows-defender-application-control-policy.md) and re-test.
- Temporarily replace the WDAC policy with another policy that relaxes other [policy rules](../select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) and re-test.
-### An app deployed by a managed installer is not working
+### Issue: An app deployed by a managed installer is not working
To debug issues using managed installer, try the following:
-- Check that the effective AppLocker policy $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml is correct as described in
+- Check that the WDAC policy that is blocking the app includes the option to enable managed installer.
+- Check that the effective AppLocker policy $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml is correct as described in [Automatically allow apps deployed by a managed installer](../configure-authorized-apps-deployed-with-a-managed-installer.md#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls).
- Check that the AppLocker services are running. These should be found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created earlier.
-- Check that an AppLocker file exists called MANAGEDINSTALLER.APPLOCKER
+- Check that an AppLocker file exists called MANAGEDINSTALLER.APPLOCKER exists in the CiDiag folder created earlier. If not, repeat the steps to deploy and enable the managed installer AppLocker configuration.
+- Restart the managed installer process and check that an 8002 event is observed in the **AppLocker - EXE and DLL** event log for the managed installer process with PolicyName = MANAGEDINSTALLER. If instead you see an event with 8003 or 8004 with PolicyName = MANAGEDINSTALLER, then check the ManagedInstaller rules in the AppLocker policy XML and ensure a rule matches the managed installer process.
+- [Use fsutil.exe](../configure-wdac-managed-installer.md#using-fsutil-to-query-extended-attributes-for-managed-installer-mi) to verify files written by the managed installer process have the managed installer origin extended attribute. If not, re-deploy the files with the managed installer and check again.
+- Test installation of a different app using the managed installer.
+- Add another managed installer to your AppLocker policy and test installation using the other managed installer.
- Check if the app is encountering a [known limitation with managed installer](../configure-authorized-apps-deployed-with-a-managed-installer.md#known-limitations-with-managed-installer). If so, you must authorize the app using other means.
--
+
+### Issue: An app you expected to be allowed by the Intelligent Security Graph (ISG) is not working
+
+To debug issues using ISG, try the following:
+
+- Check that the WDAC policy that is blocking the app includes the option to enable the intelligent security graph.
+- Check that the AppLocker services are running. These should be found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created earlier.
+- [Use fsutil.exe](../configure-wdac-managed-installer.md#using-fsutil-to-query-extended-attributes-for-intelligent-security-graph-isg) to verify files have the ISG origin extended attribute. If not, re-deploy the files with the managed installer and check again.
+- Check if the app is encountering a [known limitation with ISG](../use-windows-defender-application-control-with-intelligent-security-graph.md#known-limitations-with-using-the-isg).
From 01014008b35c07dad4719a985f7a178acb6e4fcf Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Tue, 28 Mar 2023 17:28:03 -0400
Subject: [PATCH 059/143] Update Surface Hub applicability
---
...-in-policy-csp-supported-by-surface-hub.md | 152 +-----------------
1 file changed, 1 insertion(+), 151 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 4c67e36e15..49bdb3e952 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 03/24/2023
+ms.date: 03/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -26,15 +26,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
-## Authentication
-
-- [AllowAadPasswordReset](policy-csp-authentication.md#allowaadpasswordreset)
-- [AllowEAPCertSSO](policy-csp-authentication.md#alloweapcertsso)
-- [AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
-- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md#allowsecondaryauthenticationdevice)
-- [EnableFastFirstSignIn](policy-csp-authentication.md#enablefastfirstsignin)
-- [EnableWebSignIn](policy-csp-authentication.md#enablewebsignin)
-
## Bluetooth
- [AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
@@ -48,48 +39,26 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md#allowaddressbardropdown)
-- [AllowAddressBarDropdown](policy-csp-browser.md#allowaddressbardropdown)
-- [AllowAutofill](policy-csp-browser.md#allowautofill)
- [AllowAutofill](policy-csp-browser.md#allowautofill)
- [AllowBrowser](policy-csp-browser.md#allowbrowser)
-- [AllowBrowser](policy-csp-browser.md#allowbrowser)
-- [AllowCookies](policy-csp-browser.md#allowcookies)
- [AllowCookies](policy-csp-browser.md#allowcookies)
- [AllowDeveloperTools](policy-csp-browser.md#allowdevelopertools)
-- [AllowDeveloperTools](policy-csp-browser.md#allowdevelopertools)
-- [AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
- [AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
- [AllowFlashClickToRun](policy-csp-browser.md#allowflashclicktorun)
-- [AllowFlashClickToRun](policy-csp-browser.md#allowflashclicktorun)
-- [AllowMicrosoftCompatibilityList](policy-csp-browser.md#allowmicrosoftcompatibilitylist)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md#allowmicrosoftcompatibilitylist)
- [AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
-- [AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
-- [AllowPopups](policy-csp-browser.md#allowpopups)
- [AllowPopups](policy-csp-browser.md#allowpopups)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
-- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
-- [AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [ClearBrowsingDataOnExit](policy-csp-browser.md#clearbrowsingdataonexit)
-- [ClearBrowsingDataOnExit](policy-csp-browser.md#clearbrowsingdataonexit)
-- [ConfigureAdditionalSearchEngines](policy-csp-browser.md#configureadditionalsearchengines)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md#configureadditionalsearchengines)
- [DisableLockdownOfStartPages](policy-csp-browser.md#disablelockdownofstartpages)
-- [DisableLockdownOfStartPages](policy-csp-browser.md#disablelockdownofstartpages)
-- [EnterpriseModeSiteList](policy-csp-browser.md#enterprisemodesitelist)
- [EnterpriseModeSiteList](policy-csp-browser.md#enterprisemodesitelist)
- [HomePages](policy-csp-browser.md#homepages)
-- [HomePages](policy-csp-browser.md#homepages)
-- [PreventLiveTileDataCollection](policy-csp-browser.md#preventlivetiledatacollection)
- [PreventLiveTileDataCollection](policy-csp-browser.md#preventlivetiledatacollection)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md#preventsmartscreenpromptoverride)
-- [PreventSmartScreenPromptOverride](policy-csp-browser.md#preventsmartscreenpromptoverride)
-- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md#preventusinglocalhostipaddressforwebrtc)
-- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md#preventusinglocalhostipaddressforwebrtc)
-- [SetDefaultSearchEngine](policy-csp-browser.md#setdefaultsearchengine)
- [SetDefaultSearchEngine](policy-csp-browser.md#setdefaultsearchengine)
## Camera
@@ -120,7 +89,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
-- [AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md#attacksurfacereductiononlyexclusions)
- [AttackSurfaceReductionRules](policy-csp-defender.md#attacksurfacereductionrules)
- [AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
@@ -183,10 +151,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
-## Experience
-
-- [DoNotShowFeedbackNotifications](policy-csp-experience.md#donotshowfeedbacknotifications)
-
## ExploitGuard
- [ExploitProtectionSettings](policy-csp-exploitguard.md#exploitprotectionsettings)
@@ -287,74 +251,13 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Security
-- [RecoveryEnvironmentAuthentication](policy-csp-security.md#recoveryenvironmentauthentication)
- [RecoveryEnvironmentAuthentication](policy-csp-security.md#recoveryenvironmentauthentication)
- [RequireProvisioningPackageSignature](policy-csp-security.md#requireprovisioningpackagesignature)
- [RequireRetrieveHealthCertificateOnBoot](policy-csp-security.md#requireretrievehealthcertificateonboot)
-## Settings
-
-- [ConfigureTaskbarCalendar](policy-csp-settings.md#configuretaskbarcalendar)
-
## Start
-- [AllowPinnedFolderDocuments](policy-csp-start.md#allowpinnedfolderdocuments)
-- [AllowPinnedFolderDownloads](policy-csp-start.md#allowpinnedfolderdownloads)
-- [AllowPinnedFolderFileExplorer](policy-csp-start.md#allowpinnedfolderfileexplorer)
-- [AllowPinnedFolderHomeGroup](policy-csp-start.md#allowpinnedfolderhomegroup)
-- [AllowPinnedFolderMusic](policy-csp-start.md#allowpinnedfoldermusic)
-- [AllowPinnedFolderNetwork](policy-csp-start.md#allowpinnedfoldernetwork)
-- [AllowPinnedFolderPersonalFolder](policy-csp-start.md#allowpinnedfolderpersonalfolder)
-- [AllowPinnedFolderPictures](policy-csp-start.md#allowpinnedfolderpictures)
-- [AllowPinnedFolderSettings](policy-csp-start.md#allowpinnedfoldersettings)
-- [AllowPinnedFolderVideos](policy-csp-start.md#allowpinnedfoldervideos)
-- [ConfigureStartPins](policy-csp-start.md#configurestartpins)
-- [ConfigureStartPins](policy-csp-start.md#configurestartpins)
-- [DisableContextMenus](policy-csp-start.md#disablecontextmenus)
-- [DisableContextMenus](policy-csp-start.md#disablecontextmenus)
-- [DisableControlCenter](policy-csp-start.md#disablecontrolcenter)
-- [DisableEditingQuickSettings](policy-csp-start.md#disableeditingquicksettings)
-- [ForceStartSize](policy-csp-start.md#forcestartsize)
-- [ForceStartSize](policy-csp-start.md#forcestartsize)
-- [HideAppList](policy-csp-start.md#hideapplist)
-- [HideAppList](policy-csp-start.md#hideapplist)
-- [HideChangeAccountSettings](policy-csp-start.md#hidechangeaccountsettings)
-- [HideFrequentlyUsedApps](policy-csp-start.md#hidefrequentlyusedapps)
-- [HideFrequentlyUsedApps](policy-csp-start.md#hidefrequentlyusedapps)
-- [HideHibernate](policy-csp-start.md#hidehibernate)
-- [HideLock](policy-csp-start.md#hidelock)
-- [HidePeopleBar](policy-csp-start.md#hidepeoplebar)
-- [HidePowerButton](policy-csp-start.md#hidepowerbutton)
-- [HideRecentJumplists](policy-csp-start.md#hiderecentjumplists)
-- [HideRecentJumplists](policy-csp-start.md#hiderecentjumplists)
-- [HideRecentlyAddedApps](policy-csp-start.md#hiderecentlyaddedapps)
-- [HideRecentlyAddedApps](policy-csp-start.md#hiderecentlyaddedapps)
-- [HideRecommendedSection](policy-csp-start.md#hiderecommendedsection)
-- [HideRecommendedSection](policy-csp-start.md#hiderecommendedsection)
-- [HideRecoPersonalizedSites](policy-csp-start.md#hiderecopersonalizedsites)
-- [HideRecoPersonalizedSites](policy-csp-start.md#hiderecopersonalizedsites)
-- [HideRestart](policy-csp-start.md#hiderestart)
-- [HideShutDown](policy-csp-start.md#hideshutdown)
-- [HideSignOut](policy-csp-start.md#hidesignout)
-- [HideSleep](policy-csp-start.md#hidesleep)
-- [HideSwitchAccount](policy-csp-start.md#hideswitchaccount)
-- [HideTaskViewButton](policy-csp-start.md#hidetaskviewbutton)
-- [HideTaskViewButton](policy-csp-start.md#hidetaskviewbutton)
-- [HideUserTile](policy-csp-start.md#hideusertile)
-- [ImportEdgeAssets](policy-csp-start.md#importedgeassets)
-- [NoPinningToTaskbar](policy-csp-start.md#nopinningtotaskbar)
-- [ShowOrHideMostUsedApps](policy-csp-start.md#showorhidemostusedapps)
-- [ShowOrHideMostUsedApps](policy-csp-start.md#showorhidemostusedapps)
-- [SimplifyQuickSettings](policy-csp-start.md#simplifyquicksettings)
- [StartLayout](policy-csp-start.md#startlayout)
-- [StartLayout](policy-csp-start.md#startlayout)
-
-## Storage
-
-- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md#wpddevicesdenyreadaccessperdevice)
-- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md#wpddevicesdenyreadaccessperuser)
-- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md#wpddevicesdenywriteaccessperdevice)
-- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md#wpddevicesdenywriteaccessperuser)
## System
@@ -364,7 +267,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowLocation](policy-csp-system.md#allowlocation)
- [AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [AllowTelemetry](policy-csp-system.md#allowtelemetry)
## TextInput
@@ -412,19 +314,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
-- [AutomaticMaintenanceWakeUp](policy-csp-update.md#automaticmaintenancewakeup)
-- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md#autorestartdeadlineperiodindays)
-- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md#autorestartdeadlineperiodindaysforfeatureupdates)
-- [AutoRestartNotificationSchedule](policy-csp-update.md#autorestartnotificationschedule)
-- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md#autorestartrequirednotificationdismissal)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
-- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates)
-- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates)
-- [ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod)
-- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md#configuredeadlinegraceperiodforfeatureupdates)
-- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot)
-- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
-- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
- [ConfigureFeatureUpdateUninstallPeriod](policy-csp-update.md#configurefeatureupdateuninstallperiod)
- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
@@ -436,23 +326,16 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md#donotenforceenterprisetlscertpinningforupdatedetection)
- [EngagedRestartDeadline](policy-csp-update.md#engagedrestartdeadline)
- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md#engagedrestartdeadlineforfeatureupdates)
-- [EngagedRestartSnoozeSchedule](policy-csp-update.md#engagedrestartsnoozeschedule)
-- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md#engagedrestartsnoozescheduleforfeatureupdates)
-- [EngagedRestartTransitionSchedule](policy-csp-update.md#engagedrestarttransitionschedule)
-- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md#engagedrestarttransitionscheduleforfeatureupdates)
- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md#excludewudriversinqualityupdate)
- [FillEmptyContentUrls](policy-csp-update.md#fillemptycontenturls)
- [IgnoreMOAppDownloadLimit](policy-csp-update.md#ignoremoappdownloadlimit)
- [IgnoreMOUpdateDownloadLimit](policy-csp-update.md#ignoremoupdatedownloadlimit)
- [ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
-- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md#noupdatenotificationsduringactivehours)
- [PauseDeferrals](policy-csp-update.md#pausedeferrals)
- [PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates)
- [PauseFeatureUpdatesStartTime](policy-csp-update.md#pausefeatureupdatesstarttime)
- [PauseQualityUpdates](policy-csp-update.md#pausequalityupdates)
- [PauseQualityUpdatesStartTime](policy-csp-update.md#pausequalityupdatesstarttime)
-- [PhoneUpdateRestrictions](policy-csp-update.md#phoneupdaterestrictions)
-- [ProductVersion](policy-csp-update.md#productversion)
- [RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
- [RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
- [ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
@@ -462,19 +345,11 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [ScheduledInstallSecondWeek](policy-csp-update.md#scheduledinstallsecondweek)
- [ScheduledInstallThirdWeek](policy-csp-update.md#scheduledinstallthirdweek)
- [ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
-- [ScheduleImminentRestartWarning](policy-csp-update.md#scheduleimminentrestartwarning)
-- [ScheduleRestartWarning](policy-csp-update.md#schedulerestartwarning)
-- [SetAutoRestartNotificationDisable](policy-csp-update.md#setautorestartnotificationdisable)
-- [SetDisablePauseUXAccess](policy-csp-update.md#setdisablepauseuxaccess)
-- [SetDisableUXWUAccess](policy-csp-update.md#setdisableuxwuaccess)
-- [SetEDURestart](policy-csp-update.md#setedurestart)
- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md#setpolicydrivenupdatesourcefordriverupdates)
- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforfeatureupdates)
- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforotherupdates)
- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforqualityupdates)
- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md#setproxybehaviorforupdatedetection)
-- [TargetReleaseVersion](policy-csp-update.md#targetreleaseversion)
-- [UpdateNotificationLevel](policy-csp-update.md#updatenotificationlevel)
- [UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
- [UpdateServiceUrlAlternate](policy-csp-update.md#updateserviceurlalternate)
@@ -486,31 +361,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
- [WLANScanMode](policy-csp-wifi.md#wlanscanmode)
-## WindowsDefenderSecurityCenter
-
-- [CompanyName](policy-csp-windowsdefendersecuritycenter.md#companyname)
-- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md#disableaccountprotectionui)
-- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md#disableappbrowserui)
-- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md#disablecleartpmbutton)
-- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md#disabledevicesecurityui)
-- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md#disableenhancednotifications)
-- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md#disablefamilyui)
-- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md#disablehealthui)
-- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md#disablenetworkui)
-- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md#disablenotifications)
-- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md#disabletpmfirmwareupdatewarning)
-- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md#disablevirusui)
-- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md#disallowexploitprotectionoverride)
-- [Email](policy-csp-windowsdefendersecuritycenter.md#email)
-- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md#enablecustomizedtoasts)
-- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md#enableinappcustomization)
-- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md#hideransomwaredatarecovery)
-- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md#hidesecureboot)
-- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md#hidetpmtroubleshooting)
-- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md#hidewindowssecuritynotificationareacontrol)
-- [Phone](policy-csp-windowsdefendersecuritycenter.md#phone)
-- [URL](policy-csp-windowsdefendersecuritycenter.md#url)
-
## WirelessDisplay
- [AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
From cca3f13f8e8e847d7ec768d5e2894833b6fe947d Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Tue, 28 Mar 2023 18:15:33 -0400
Subject: [PATCH 060/143] More exclusions
---
.../mdm/policies-in-policy-csp-supported-by-surface-hub.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 49bdb3e952..e17a1d7e53 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -324,8 +324,6 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [DisableDualScan](policy-csp-update.md#disabledualscan)
- [DisableWUfBSafeguards](policy-csp-update.md#disablewufbsafeguards)
- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md#donotenforceenterprisetlscertpinningforupdatedetection)
-- [EngagedRestartDeadline](policy-csp-update.md#engagedrestartdeadline)
-- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md#engagedrestartdeadlineforfeatureupdates)
- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md#excludewudriversinqualityupdate)
- [FillEmptyContentUrls](policy-csp-update.md#fillemptycontenturls)
- [IgnoreMOAppDownloadLimit](policy-csp-update.md#ignoremoappdownloadlimit)
From c9e744727eab83d0ba814c4ab3dfcc4365c6e980 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 29 Mar 2023 07:39:32 -0400
Subject: [PATCH 061/143] restored content deleted by cleanrepo activities
---
.openpublishing.redirection.json | 5 ---
windows/security/TOC.yml | 2 +
.../mbsa-removal-and-guidance.md | 44 +++++++++++++++++++
3 files changed, 46 insertions(+), 5 deletions(-)
create mode 100644 windows/security/threat-protection/mbsa-removal-and-guidance.md
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 0b711cb79a..723d827b23 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20650,11 +20650,6 @@
"redirect_url": "/windows/security",
"redirect_document_id": false
},
- {
- "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
- "redirect_url": "/windows/security",
- "redirect_document_id": false
- },
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md",
"redirect_url": "/windows/security",
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 38c4f1639f..4984e4e28e 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -215,6 +215,8 @@
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
- name: Get support
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+ - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+ href: threat-protection/mbsa-removal-and-guidance.md
- name: Virus & threat protection
items:
- name: Overview
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
new file mode 100644
index 0000000000..7e43ebb8df
--- /dev/null
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -0,0 +1,44 @@
+---
+title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
+ms.prod: windows-client
+ms.localizationpriority: medium
+ms.author: paoloma
+author: paolomatarazzo
+manager: aaroncz
+ms.technology: itpro-security
+ms.date: 03/29/2023
+ms.topic: article
+---
+
+# What is Microsoft Baseline Security Analyzer and its uses?
+
+Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
+
+MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
+
+> [!NOTE]
+> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
+
+## Solution
+
+A script can help you with an alternative to MBSA's patch-compliance checking:
+
+- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
+
+For example:
+
+[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
+
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
+
+## More Information
+
+For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
+
+- [Windows security baselines](windows-security-baselines.md)
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
From a664f4f5b28f2da5ec98399101717cfeea7a414a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 29 Mar 2023 07:46:00 -0400
Subject: [PATCH 062/143] restore pics
---
.../images/powershell-example.png | Bin 0 -> 84909 bytes
.../threat-protection/images/vbs-example.png | Bin 0 -> 118541 bytes
2 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 windows/security/threat-protection/images/powershell-example.png
create mode 100644 windows/security/threat-protection/images/vbs-example.png
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png
new file mode 100644
index 0000000000000000000000000000000000000000..4ec2be97afb70ab01d843f60dbaf73657f0957b2
GIT binary patch
literal 84909
zcmV)uK$gFWP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf|D{PpK~#8N>|F(1
zRmt~%Vs|1)BZA%CEg;?9A_@u?N{5Ja2!hhxA>An|*t%|a*Ka#?`};q0-+S=JPr4&YOEC@0stMGk5L`4`TPLoVcNWrR#5~_Ny;&*8}kl$Y{KWmJhhUxK|O1
zvRA%Cr1~CQD~N!fe-(7Ltj4YHf!^!Sz%%6*?ml=G*==v*t(p*Yp7*6#Kfu;L4W1sx
z*rsg?OYPlwsV@!PNr5QteG_3WhKP+wz`>PEQ6KGy7(;tR=^Wx`_$Roeq$Gjwmz|%V
zpTH-Us9){4hPqgjiy^9};7RI&C#8oo6;C5Pxele#(KwY+gCVm_iOi62Q64!3D%d>R
z1UxxQj98?O^^480_snb*m8xOoGE-=8v_WS6EX-eQj@$+*bUim6D)TMz)KwLn3S9#p
z<-cF-<*=8jt)c)R3|UoIlpX1B)G#
ziHGI+J
zcoQ`!jQq-ia5ai6Lk&6e=b8Ky=;qCv9B~cxCBfy49Pt}U)eL)bF2Qb>F?jOE
zn7T2VV~VjoitN5#6jrv7B1^w
z8j7cE!UghV38zGu7?}6_6@LEYLK4gS{XAJ3F_j13AF6FnUsWc)#5tWNK$DHtx%J8Hl$nUq(poWqlwSWb>dYvOh
z@i?S*26K(aXr@L8caL>FMV$~h+52JcVoMIZM=Me#WcZCdZV`1!6%#DjFQiDkwL1C#mMzAh7n;P*6Nm$|EN`ob85{+64)G$NzkekTIC*CLvOp-If+T$gd
zxx|)hwAFhHh|hg|v5^pXM_n$QeKb)sZ
zjX76vRU;hb?maraUrU1;D$3oB3%quv9lR+zFpO+PLQyY{$E0)NZo$p4++hQs^9@MN
ztOswp5z6Wd5s_3%dX*Wn>#rasvkpeCS=bw1iR!M~n77mb;Rp63yR-{B+Iyk5%?gc|
zd$|T#=~a#kb&VJ;Z@{G=RnkZj=*anbat4sqO+ac%9WFPPVC4LRXlw4o<>ow?pQ_?2
zUmoL!;nOt`pIih9>b71*_uzlJ2)bG>NUp2FspwqHRM|o0{DT{6`BHvgu4-w8vZ^j5
z*9CL`rIq;lQ)yifbs2hsREe9-)!eAVo66#l6w>{pej(IgI&jgpgtl)cbr-@b87(5F
zxawlV!Sfh8i@K(aK9;DF^pcj(VUZ%!!H7qO(qmzy^s@YTQWo&esziELI(XwL52oM+KUE*M{Mh0F7CG^nA3fXfs}9#bHd1qCL5e>h1Rr*JZmmF9On
zo-Bzufjm!^?oFXW5pMAmsF9{=^6yLW8=7lS!XOTmS%a`j%hP`qA|Ve`c7@$fjr@|7
z9`OxPrMQ$HZ#Ly6MPbt0seIJ1@)R~>7nPl)MuEzuN@0ow5tJTpIyLNc*02<&Vubh;
zC-`yMV8!ak1|CV4uL;WY3k79-G!1SjMfP+}5E_$53F=|mwlIW;W+3TI8UnIfxk|kE
zT=63l`m;!gPeT~M3xJy8(8D7elW+-<|G$?8HPoXR#Kb3YL;Xtn>Z`Bt`RAYW8|s?}
zU*o%PAK;m%pZdoTtJ5DrgCy$5AAiIbUwqMTDgP5lSi#>z_wV25uAQBo{Du;{|L(*M
z^($Ox$A|oe+TiyQHhT1Ofi5;0urk<+08J0P@z&coyv3M8e?ZHpz@fAr6g~4DPDVE4
zW=jUge<0}sZY25O-dmT^)b}h(Z@df5EhaeE*oE#_uHjwciEMihYu&=h_W
zNMp5tqq-eT$Tn+jzK-ZTvdu^lWy7TA3esq&Si>Z2F0#9(k>42C-jYIYgDh5T(L_ML
z5@M2;Ak1e2?z}w-1yS25Jx!diRpJ!Zi3)~T@3Z)4!|z|2rY*7K2D#In{{e5z(qp8J
z3+B9;RX(1KNoBe!@eS5p8hglG;QM(q$(&Fm^`E^|U~@+^_|r50RALRqMm?^fcoVmB
zb`Nj54%blZr2>-xo0!`E2+U~ZuG3iKP@^)Vmo*f#0so;d6&Oh_b>LKuu&$4&p~%XA
z6qA_v4aHt8a1G^O)P&fY%NVLe1}EL*4J8X-!3c`mLctqthSvOK@J5m3jM<3;8~1UN
z7nj}5S@n7mjYufG3jh5_xVV#dCSnH}sa|EBSP@VQCqoO^TAfArYp-C~>;O#O6a~AY
zi`cMMAG;zi!>j%hR_n)cal;$iC|@1e?J&XFwmuwBu0?6=8H^%Wm}8%UZ7Vc!r@M@s
zG+e5-6IUuSNV55}9RFW5xa)}}>ajGqp`_FYGY~$pD^Jdxa7Zv8#a@cib<<8qdg{U#
zq!iBXlb@%=?(gpp7t);N{24}W9!kZfKYYa81DLThgwHRCqvuHyqHM^e&*rMQfrZU|
zk#w(c%^P@G@FXP2@3+$6hMHo)i7=bn<|$gh>3A~cucHQ0GKS-c^Bh=@U3~;D2Vrf}+})M$IX&%xHwk4uwfXlZ+#nrlCZ+R
zl?FGI#AZ0B_t6tHMO6Vc%$RNDH$&R>m$;cgSt$*iEzRX3@@Ci&xncQy#$$<#cP~-n
z8eo`$9(vjept!`Iq`(c8*)gPMXp)4OqO#@^7k9+G0Jv%C;LVrsV&2S6II5$AeYrQO
zfl1|9=sBo>57SU4wZaBqFAdlW1a?(5#0WNH%EH;p1=g6{O9k@J=8x3BhaT#BJD{a*
z%}J1PU#5hUdAlnnOYXs`>{jmHnCY76s=kckhHh+GX@qfG{kZU<%RSLr-2i7(TS!@?Bf>Wl
zrw@8#$V~o#GIZ)zEORWvog3FsR#1SQK^;iTt3+)IlVDO$hLEl&McqFJY{Nzd3x{PfgFnpj-*E!5C*Q~^>zh0A*O?~fp9;decr40UCOInwGZ
zLr$S(;lU|!l|h65dP;_*R9*wa^j4No+_yjGuX=m
zekNRl2^)&y3}J74*-HX8Fw7K!JmoTp)UedJ
zJO%3Jvc$_?BuHCuY3-7ua*)K0P_&|ScVn2UCB>z@SoapZxL|L8hN#egR$lG}13&yx
zG^n9YmY2gTsFbTTZ-xctJETB!ha=*=qT!oy3BxD@d{y_zg#IjIjW5KgK`$4CVT7sd
zjmn^Sf`<7$G+3gr>irxw
z*SRfFHrBl{}JB%=u5oz_J{c7^RGA(`adT6=rf{EKI^~t
zi}b~p_?Y-V{Lcft`N7wZ;UW5L;NE9ne9`a!`13FO{fypz=UeVdrNjrHet~bk`jUk5
zOMLd_XIws_ybsd{?>~5CxS0MJ`t
zFG|BDO93ewLwwg9Gt42fwVL0(b+2t{cu&7+G`>^
ze<{)$rOC>-z$hZO^kv*MOz4SS7_)pAm01g`{FdQJfjm~Px4_t$mU#L(Neo@F3$dp+
zq2u~As4cSknOP#HKZclj_cfuui;K&^OJXKaya`)TotcVLkvZ7noR6%)VDKhuAp6?$
z;7!p6PtuuNXv>?d3!bbSdM?!>J@z!0=xpm0dayR&jWR)ERb~H_Pkuu=_U}9Z-gsNI
z=bVGDqZ^|0uR!Be1EpgL@0c=}1eIe1n=xTREGwAyV$)E90*mRdO~O~6LgHS1asnlu
zWD(PEAmL&IA@vKC^eX&4Gejb>KMsh=_ndv7%{RhsD{rP5U4TiO^V=M8zc65dx)d~M$77>
zx+^c#ne8A67i}IAC
zx(Uk42?f#kl^)2+6nxdn%1HcUh=-Mdr7@Dq#rc(tFq8=}D@*@(j{Gavwk(|TA0_yl
z=I>087bx+NC#K&(j}@rG@**^MwIU)og3qjMgodg{IHz4hcX>LrG!7!;axYRm{jp&U4n=2K#t~9xuWYthFG%69WTFf6}*KtbvwqxpiTddr+pUazl@#lNO3)@_BX=pLS$pdaUsP6z-MQfaEdI48!3%D|S
z*f>JpuK|)f&LZRb%cw|*#Wck|ShUrZpN^yjp_~C;yxI*l!%XaVI)p9yKF~{Q!-?`c
zn6R44Hr*J;x_gk&a0^b^9f)eW2PMZe@D^Fab%zTi*l_vKtJ(h#;-1z2kRB^gmPgY$
z)1M6+95W3mXVR;1wD>AEEg@)@5iBeqn2$-Vq6eeT!8Z3*Ap3liEkavn8d4(D$=YM-u*PRAI@ni{EKTm~NR|$pvfwW@=1K2I
zdDl}EkH4US-A@Y*pt$_JhOH#OV0e+%kH(03fe5;A5trJUAu&S_JsC-;x!8><+k&uA
zP9Nnhtr$Ml78UuqIFntCu{7j0mKGtW^C>P3w)q2heL~{R)Z~U${#v8K55GT*twjd6TydQXaX_S=p))60ptIL7bn3kL5m{Wq!IZ6h1~O)F^~NTo^s%
zsk5n3m57Jw5-c6&r+Yj?K4Ba#9VSeSN17?9{PYx7IPnFFi#xzCj3Z2kTe%`~ub)Rz
z53=(OxU}UK+w#L$9QL^_6Id3P(iy5|NqQpP6V#jOMT#?bfPE^==~#mF28hy-=1*-1
zi5VQC|3}Owy=#sM36&-Pp_A}PuvI)tR39}W7GIUh&GabtX)jxnq(**4D%%VaG^W$Z
zsAKpX>S!!nhLzO}5_1{Ih7lb|TMU{g>%ypMUKy5kN`WVOIrdmjqw>iG#TCtihvFo|tLMsYDB5@^_&K@Wx$
z=jx_DYDiMjDXr?3>jqAW4P4K4dhP$;p7cNSwx@QsP>yNCq
zJ6O3V2hm=~kyuNpIo$-MrB%=mK8KwyB{+4!1sToHV7JRTzHkw#AFDxVKqx9NUB{vG
z^~j4aM`_y)DgzC#s`_ZS)B~3@b?9hoM?qN)WOUtvDYP
zKo6<`HFd@4u1P~=Yy}A$SwJhoxS=n%r3T)6gAo{f8mU!fIBw*M@{&p%N~nSJCQGPD
zZy_`!L7TQ4Isx^#`_{8CH{HwSSCD%adMn&$2=GCnmp9C}*dn#@HVzkclR&z{_Y8m1
zl-n6$+%6m-VKCEhr~mxL+#`2IqoTD8A~?COS}k)VWonn!zn3v@{gWrcO9U3nQgBKz-?Ulw5iWsh+V&Drtjf$_=D+
zTtYl`I%%yiEZc5}Gf^3+xO^Kq6(sb8NIc1ns3|#x&4!*>Y?6kBTXf;L(GulPzYSlX
zlkiVX!fg9gs4mte1hl{+>wIb>LsS&du-#gZ;|D@fe)9!9bGZ#Vn{1GF?KzBE>dUoX
z!f`*Us~+?>SR%^pI6XIg3@6YK*7Zr~u>$3rpO2o7Qpm~f;*?{aybX90c2dTKETliJ
znrA`^_bYHRIe_$%P6UTjPjo+lw3=QVJisp~%K-0I;??W?wblPhQl<7{I+9RNV(Yg_
zM`D}B44F&qD%5}2CNXS>3*mn@ys;?`8qOqC*tSO$hpxkwXjo(6Yzl*P$|0nmGKF7)
z{!6gVMZ>Vf|8V-@@d))_rwtxaXf`+XaG03>RrEUqN=#zS&<)1`<#2WBFg38LuxJ7uPVeh{C?tnny$1m{h*Pr3ruRg=~
z_rJiqZ@eO=zaYK;*6aM|^uH#O6H)(nUw=+=^Cd#sg#smZV)q9*-l_Hv1zxceyWj74
zr#r*~C3b(D8zfL4eFbO)zm2tr?r{HiY3}5%-+pqNyFToM-$sajlOl9)a34g7eiiZa
zZ=<0u)g9@
zI4oF*w4QdXlU|6r+;}dWxw-^5=p9eu_VjzMEdeeo*TKm>54SIz#=dn9xcht~-T4yl
z_oU##YdyG3mgLj--O1fBQpx{OM&akEaja
zgf{Rd^IyRKb@kK>b6V6|M9tZ6XV)3$pWgd*A
zOgD1tpB&7z;dEXRc1DIs>zIz-_oqXBl__{KmZ)i7f_+-r$ZeNG>O~ps*EB_OpCtNT
z8wXV-E2NhyprS(#n|xFttFsC>-kbzon~lgQP{EKzI^fOGMx2Kpp1G}zF;lHk*eJ`r
ztR6ONCoVlFh1x1*43W3MR*`L{#PkP~su_O#;k*8sa`v``6R3o~&oOL<0bEmBp|_jA
z3Q*N76~RXXaP{U@?m_A7Fh*m?4NTn@g1E34xcZ$!Qr}ZpxY87pR0IO0Y=HxNbiuZ@
znm@}5jh)h1VwldTdhaL40aA-FarL54VEOE_ZB?0ihD}
z>maM|8t2!x_Y$9Ro;8
zv7G`beYV4&^gnxh>VGr|1d1u~-+c3ps6c&<2}_P4xZ@QB_?|{kVl4veTEXpbIDRV<
zTf31S9E$X+Chkj<@IxdVLu^PmSi*)_Fhd)ydC5o*4+n25f5_xX5-kfsPJJm-&n1&E
z9f!x+8aS*ohvM`txb@a^Ff*`6aA+zCo!}F6CV0PdUraImi9`bR#%nM2e}?||jK8W%s4^kXhBit?}k~7|9d*PzIuzu`g6kC7+Y4S%kmhuXClDewjEM#6Z$$K5-+b-m{*@5#y~aNnofD`>Mi7&jeu=~a
zC8j@=NT41$&WKIcFO7j79b_7>LvVU*PY*QW+(PKirSM-?{L^2+q&G
znG^Dn|F{$T3fKr1#*QN89LR_5G;JsNgo@MM1U#a|!dAQH_xnZ5CdxCAuZW+nqT&7g
zoPlBj$D{@U|KRlgRzw2z$Z3N!y`N$n+bWzL9yDDGhaBB8X$2|Rf{z&6+UwC!oQ5_1
zyM-9zY}Iw--@1mHG*Y<7SdcQVNqUzd3d@R7cl$QQH9$twJ=EOjKxKRgDvQf->CJag
z66VdN!5c>nE~g9GsatU8oi~ws_BG+i}
z&x^yn=?+M1e35$~N-nuL;2sCNs4~b(xq&xX6S<*YP$0d~&BP4pen&7}{s_u?-{jKO
zI9Uf5-*|-Wb;h*0foQn(CIW2iF=i_J2-65A>-8YH(i`KX^s(|tEf!iAA+x&;3#V~&r=zedq>HRwT|^YLLO-e#&8?Lb#{f3x
zZ&2sbMNCl#oU$&V{?a9EHue>?>EDnZCs1t26Ws}f?X<$aq8%X!W8e8RG!gA-qX`8H
zuXK|j8Dca$tX2@tb~s`DBPoqh+>R#npG`lo0|h921ceKE8L@m>_;AKc2sDy?h9pE1
z?#pB9Um~$UiRlleUlOQ?4^(7(8*n<*Lqn91
z_W4C~v)zNj880cj!v8~6_tMZL7&agJP?R^{1v__I4+`VL*=81Wwcm4SApDVKFv01w
z<=otuFpQgtry){9+a3XlrGtiOjwqeLGwhgmW31d{$%Tzu#?MDM@5cFMv@wQlO2Ovc
zSo#!?E7uJ2GvkE~VJw^}-fS+7wH@04ZR##eo4Et*9Q;R~Blbs=NL&9;=y3uScj*)G
zMrvb;TLC7pgZ_zGbx$S~=NQA?D;0L>H!y1nJCDZ$g)hAcZNoiiX={eIXEmf|+fjp(
zMacA|=|nP)=zRATM0(F+sTorZaQ1G-xpv3ip~4xh@vl-*$%HqQ=L8ajwQdKfcT
zha#u94>jG*6qg9rMHYTZ~ulp*dtDlCy*|*
z%1muIouG!5wSblN5oj8DVxd02N3Yf+!I*1})$1H^>L_1GSkHGm5rYf2`XC{v1siLB
zDC?cZZYO{2^G?QyrEbvB+Qae6?>J1o+5j#dkyx@zccL;Vaz;vCMI?ss<9vo#|l{ay>!_{z&@E3KUyy
zaP49hJ){BH-{M({lRhVrUw08_JNbtLGSUgIL6BDv2^kv>Xoz6~$PEeleCtbwncn;%
zQTa~4`5<(MD5vf3aylRr$JNN3|tb`;m1e+}X1t1x7W0hRA}d_hfZF>HwqrT_DX-%p~OjWPPIn~kvz
zIR3f_bsq&ag@icvC{2vzm?zHBLvw8tc;g%p-q1l0gg+FHSJOs)=2@sNwZoYU#bgfa
zBQmxUwa-3}2{L3plMry3QKN2Ju?zK-Zd%|G#CaUYwnJsq*aBTjW;?>24nk>(9b%&+
zDIHzJXI9gFLdnTAjE+;s^}bq+6>OZE6q`tbyvs3VV*>UT+=JyRUC7IA2Tz*f@Rnid
zR2{?}=kId-n}{9D_ppHU3lO_fXJY3g3d037RE;|2ObZO1NgarbKX7l@Y%{)}R1xmV
z;;QO%r+5B!1&S%<)A&2137NSWa|J_8W6&)}72$?L{u~f@pUt}nhDUbgFMZ+PlUnY`
zU8NV2;wwl~dI38Nks6cy{P-g2Ff?NGTx>3g(wM*wpk()%(kq;k5~RcB#S~-iMfQLp
zAuJ0cc^YQ<@ys!Tc)9y*cRjY_oiJbGmtV}EDd+xEIV5+VB;leCAu@X}N)PW|_cNtf
z)e;iaF?ejN9nm3=Ar_@OQia-)hI6jdu^sAE1w15VGgeVq=CF3yMP(|8eN7~_0?Gck4Ownvo82?UgNqW;EZ
zrqjbLg={z^1Gt3oh;L^
zj5>5)yo~O~0{G^&ape@2^-rhA>rkJeuEjPn1O$U_ZRFL_sK@DV#@Thn!uuVn4p<@UO
zi-Kib3#Kcm!|zlH@|v$=lwg)P@6t6)QPx6LLl2BYv#9Zn(b9bhX&I@IA)PEOy#h{q
zJUKnByy+Uh5tR-=-sl|mp6i0ei6m^-J&E+HUPzDtI2)Lupy?J4m>h(&6@Pa;HU!Tn
zYqnA-QQ^aX#mDx!>lWl!SL&&fxGzME^wp17D7*t{HaMJ(SS}g9|`+@uz#g=wKk*q*29YrE`c0IeYW0l$K9MZ=a-`F*W
zV7YrQ&bRhq6b);m>0x@N@>jUBymQMdIg6DiPvwv@#1vJkKOr$sjfm1b6C92$higf=
zC|#<@WXT;=M>f0>-$WY17SNTwm>*8%WN9qeik#vLB(SXBG`vY`W1R9)3}tOIjl$S!
zSw(Bgiw)0I7iB&8*4&1BbQ)Z(4x+f4o~4WyMo~F^a%vD#-VNR)17y=xK{JFaLs3O7
zl=Vq9p!%%bz@L+QV)~^aZ^Vk@l<5wXMF(@tJb5zLCsVgv)t#}>^e@5M
zO?$u_ZGmx{LXi_4N(q}FBj^ZKmLAxAKX~sAL_{E&_RFa7Oem%qA~N?fwg=X60#%R_
zkLdCaOq^;0pV)GGc$A-{14gazLUwu_e8UnkVdEKu<5n=)?A1e4WRq
zj2c@f5z`IQ5PC>(^gN{-l+%rcD%v<=ZHXW!C#YFuVT)fiwl37=5F{Y82q9^t_$vwY
zv8nn{T^o(yq%xRnq%`KcA}2c=O{K+HYDoeucsb4la+>s3OrN+DlgOADOILRTD~wm-
zTePQq18}(HB2HhpiAB=OFl6>VNX*j13!i=myQFI8J$qo^M}X2Ll`q^9hMrW
zqOl+qXA)E3+x!fU`H}&-HAYNg9;BCra_txtnu!z6rw|==
z9L+mF_6zhJ)iH@W$sQYeZfewNNf%pi
zl-h9q2~L+h)7H*!!zZO*5-8qOQvBF{<3c5vdIg6dQ%G4KPrZU2U_OJ;3cO5tqj
zE~j76f7aU=|9Bei*i15;L6#Gs3T4dJjqK=`86pyV4k=nv9gB-OH3#a^t
z&oRX`1M0w%R7O%+gmvVv&|u}J|H9|Q>PmVYw5aBG#s3XB7`7j-`v}SeS*?|yFf7^5egLB^q%Q%
zEKES$EV^J$iSrXLe@=;nganDrX;
zYBBvQ>Guefn8frm5(|`={!kJK6gx%z!Gi~4ffCd2B!NK1#l@kfrbaAKV)~u*xFL^i
z=kv{julwn_XP?G1Pd_E5zaV}0?Snzj>VHi_VfvXsv11j~)z!Hhw{PF>{~A%~s&#P09x*vqt6Uwsv?z4jVMpM3I(;LdMzY%W05ef8DAVK|R+zX(td
zzWp9LkzZj~$S3&n!B5!b_dIrbKLwq@X9XOL9e1U&1#^#KF9Zn_C1cqwn{8os*ktdeGMrI8F>BK
zI{1dA;G?I?uxPa@*gRXT?+KJ%eGOl}^(@XO<)OI!Dpv-4`w}u6o<)7M8Ip3ILz>kQ
zeDLmb`0&Rs(S4x^feHB>+l6zHIDPCGp8JvcBM_b6h)Z|zfn>X8@iK&xI=6ncCYtcMrmdO8lL}*
z{(TOAPfy(Z&ri74*M)CCeFHE3=NsI*^E64uOYrfDrdEG|;-qA}_|{W6;pLB4Zqy?o
zHy>wf2J*c2#+UHj?uzcDAiT(hirv4(9XfPK;Nv@8U0s3ix4Xc=AUHca|5tEg?iT^-
zRLKX(@BR`8V>;lO`U>8B?-Qg~-9+Du1Bdwh=SCgsn;K!`6@xf49rRqjg16tggxK<@
z;k4BVS9<&K{_`z3cq$jSU;6;w8`SaK2ls&=KEZm+P~5$H2WR(e$E}_m1m!nlt-?Ay
zRU3~h)QNr9>QfHi!*x#@LN-{SuP6*RegHgInd4ICN!n7z|;pXG$x|^Q^3G+;H0T6n-wT{@jKM|=pd%^
zZQM)`z>Tk8hHv6U+&t%lJNMs!<-tfC(_D_{?!OK@k66UG9m1#h32RoY!;f#ZVa<^;
z-2d=pWO!MY5@b^k(7ShhJc;o-^Hh2L^Uw=)L(g
zvh8dL7#|?Dqz=(XEYQ_fMr`yqOq|NZEbB>zI?gh
z&Tn(Jc6RvUOa7}lcaKBd`P9GU{;P>6c7HGT?!DWbRws61_fK$QfD${g6T82x8w5~^
zS3iSgWEsxoc4EJcGbU_{KxT0h&V)vRH(s6pdFkYxm}8NFtdbVk8SSSqP4I?o<~}KQ
zipd6V><;iG)iHE_09MS}0^S4-@Ysd~!#099iFij-*y!!VM`5GL&%!5D_&EB{(tjL{
z-3{+Es+67Z?Fbq(Fq0Z+n!?h)T8eej0zKbhr?&>ip#X_y9L)8>FD
zzX4Vn+xR>Z0-n)yRb2u%9je0!K{^w3p?*pMJe~=kXRIDST$0K>oUX&@{}fH6To{d_
zGDYGugmt&|roRc1>PY*uF
z=}!KE=Nv#K^nMEO!Uni`#A1S?E+k~B!%VV5cYPVRR{>j$&Xae+&Bh!Grwj!9P>z_c
z4Q|&HX2%Rl
zaE=47=*yoX{uqA)2jSxP;c6xr)&DKN1qzCnfG1~0pk|MW8#W>1$Sz!ZL5@1G9d&#Q
zWVOu1o{-tFS!#gt)+HFTVqFmj1rGYJ#8hcxG_@}UPi;5M*Jz=viU31d12JdT
zqVvoaj9R%7`?d5?)S`yN$uprj%L<3eW@6HKN2-efUVU8-)_XT#!D>@%wAzS*s##d?
zr3$01)=)NC2D=>=@UNYR5!7xxISYg|&BHL}r#eV1)ImWMfg;s!^z!Y9IZW-NsDUKk
z-Pjg4AG4%(x)3QJ5dezpm>_VYt&82JUN6S+I~Eur-z(
zTZ+}v)`BmL2ii?cV*1My$@a7*cKrbL!w)~8q@;vf1EZSJ9<2Mf1Q?jCpK3){niIuFNBfX3~F$nMQB
zfQ5Gq*v^Dp8Z1x7BiK|$NIWI;L4d_hhIMwOGD=xceir<&nFLremUNG<3KT9!VbaVm
z*dBmwqQdeOO;eWmWR2l;jI<>wODaE=QJ%u&=^o=JaN+!nl!;jS!nn+@B*;_FoL_gw
z&+=n_1%4Qpmx!OAx1cRqxrApgv9wsaTwF?rrOS3TqBPn4VY9WNt4$gr%ZtSm)|Hiu
z)r0;2D{OBdCNVt;i2xM)KKRtBQydt%y1L@WAAcl(dV~gbFuNHWH}d!0ownW&>1ADT
z-+u)2_GTij@(LUc?QuA(76}zM;9}7A$1)Or=Cj|U*6@dmORZ^K-}3f|eBXs>1)
zBI@B(^+n{g-i5(-bF4mGhKh!3h&$oa4?M%v_M+kXD`>2}0#`E^?2c|lRp&jdTwsXM
z!dm2ZK7);0tOh#$bW@xyDZtRxA+X!B4~b1ZDC>F}E0-C>!Thf
zeD~F0fMOd%9Xnr(g3>;Cy1GGXS0ozhFCr}>7Td#`QI=hUy6$#_<&|Iv+s#$Q2(ye6
ziKhn%!Qlw4X{V9h4d?w&5{T#{v#JriDSAk1Zle+Y5Mn(}z#zH}iOCJf4h!M51b$(S
zu*e}D%h^Vj3I^DdMu5}&6n3sKM|^26h4D>EAu&@jq2mR_rFX(^<33bB{~XG?U%;A0
zI!J7N7C8kMaoETar)zH`C$|wLsVSK4l!cDwF05T(1k2bqloCMMJDxypc^9&48Zll*
z6F${%VAnP>$H=@5s(TAtHZx5{7hz5BVEu-{nvj^pB&Od<1W=Mo9R{5%EK2N*;jpfc
z1^|jP@nn9-Q53&|xDDr-DfiH6RKJ-xv&it#_rxS7G5vMvuLw|L5|fz3#L@2tD5jmT
zZCHPkX=6gBm=0-7gUz%5N?e{4kL_H}@@13PGVIKQhxkPK8L!aKc2gIell53)X$p>>
z{`1I~G`)cx)PFN^yPu2f2h4VQf9S=+uOaUEBJKsoqwhZnu@@r)=K5cs*qIuCmHH12V5vHmKBPhNEGZ*Q=
z``k5D<(9$7;9&ooG1hU$YzaVULMbMx7$UOZDiT7oV4&|hAiT;(m}4Cezwlg0%{IUW
zhfo}gE`-b+V{CE^#qn73FC_4ov>mzSE#OTzf@?$pEX+M94HJx7=FXMDNY@@KoX^Ae
zbQVTQ86mB<9^TRUn4m_Tck)h@6_s%yHDSFcf+MprN`*jD0B}5ID;$q6g0{9ZBo;fP
zqW5K-iOa^^d8Uxu>5r4)>EJEg1KXoe<3bMh=akA;G_=n#b!VD>U2jF__z
z>ek^ncK9R*=$j6v!pHLz#TC41RW`;7>tGC()uQL=h)t&F5bPC)1N(irK}gdx3&%YC
zF?zv4XxT@@m7UDg4`3#kvgR1n78+rbGs%OpB|Pc5*jpdKv>hSv3(Lgh*?N$q^6T$C
z1A8lXDuXGG#uUTZGZMoDM^Lc0w_9xdslBu?VevsoE_Z=%Oc4zAov6)S;75J~T|3BW
z24c!g186%3P#yOnfYQ;@w4->2*dJaDpMV5NtUiQ*sC?|$WepX*K-e5l!;YP{gWhKH
zWK3{4sszWqA~9l<7x5Qh%?4xaO>c+0cPh54J8)&P^G?Pvk>@6+KZyhYCAx>EDE(}i
z!I|DqaJse^+QvRuqrMO9+?1@2nd6T^C(2J
z#~}hHP1LqrBmtvQUeW~hb>-kq(?)2`Q_wf@!_t)wDDS(Bl}?$6+kXm8PxV2|uNDE;
zBUO%{QJf+37z+OXHo2h-$qQP6c0tBGID
zJPHS_Pr>tG7-Aw$VVmY*oUZ7@L;~LaG-kV@z9=7dk!{$xcpu8rBC+IHHMY+tkQ9QU
zfs9
zO03lM#P~TvkTJ%jl~E{5NkGN3cObta3Ws#fak8Zs{fZzyCC*tv-xZ1_5X<%%x|fhn>M4*syXJmOGbW_fl=-_jY2Q
zV;O?oz0h^<9!3a`X&FN8x7w*3C-zd@t`5j<_rxlT2sE9Ig^aonR#`@(At4g0JTG9c
zZ4_R6suc=5Phgd8EUKf!AZ2(K$)RVk-OLj@QSC6&bVuK<4(vJ81$k**v~^Z+2UWe$
zUO?qCz@mNmi13cYHlxF^&+LWfuEXf-sl&0n>oB$oL3eQm_cEvBxz{n0o)y2H#Pp}p
zlLFMAItRtfG3uzSkc0e>;uX{1jyThkt$G(ZZc$8P8bp6-fD)6K#Psi`zbZiek*l8j
z=fIwj*ioIoJ?^8!pOl`o3_{)~j`tA%qvHPB^n^#8{#o>A=O?B=k)9Nw&R+ctI-V6c
zbh-c$2aoV4ogaGh#6C%}J<|jymvGoQdVw9lsJPMz!$K7_AJl7JViHA+bPMF6|;^qq_n}4e6YXfhF
zBjUXRFnp#dOrWsR
z4kOvbHZx0E8CE!A+#EAVu((UvT$d5X%(I2;LiV|e5hg9Pr}QaJD%-dPc92k$86`c8Q8MG^-<0QDQ2U5<#+iGNayA2wN6t|lETOQ(3d0mxJ%|>2;MBo`7(R#E
zip8OJ9X*?f@|9m`L7mzRLn&PuRt751=uLq*Z07_CH7mMLWo73sQ`x30c7)_SYSW!(
zu~*LlQ`Jl{O2Gk501rX%zP-(mUqE#ceKV)12aCjJtXX7;`Bp{HS!s`=(j3e)%|oPT
zC@wZtfH!3~43lpl(ZK_gw}c@rB@ML&S&&?R0xn0-pq~Eo<~qUAB@!3QbHSTK{{7M1
zT+p;#2{@COit4npn6|+iP6yB6_KgnkMz6tz%dcXx!cOoO+VGFm6*&dx8Zy=#QhUCCg=xw=x;cKH1YJV7YSDG+t
zTRe`a+d(6w8H<$I&Ikr*y>kO2CR5qu1_XhpVgSqdD#)=2@(
z*_qq~wEY^AA-1@rVVPD4R_jJ$$r5wwAP0~c>I2?XD_rSelkwVAPFI8;_oui7oNG_w
z{IR1@Fw23Hi6w?j)kaCzQxqP8*!^x$b1H$+1|5Xf)nO<*s9fFvXWA}N=caZOd7&^&
zbuUIK?!?jqjnLn!h3Pw@aopO91D~;*ybMW2oBX!hEL=R6T03hsqIDcN_DzM8a{05rS*GF=DtrN?QnQ
zBy|VB;Gn^xw62nSZgZ(_h6X;UOpL}H^E_-&*@VcJn{W)sMPzOduGLjw>A^y5o3Dku
zu4@=I+ZnN;A@oexL^R33=pDH8OfNU@$Q!c@ckgy$y>~U1C}^Pi619btIkKbTxVOhV
z0!=x~ESPR4kXO~lPTr)+Cqz6<)t6-2lkmSZr8kYhf%(}w999PA
zXJuob#xTE>kY{juJhqI2Z4<-RXt8_5D|-LuWQSE6&YY&g{r_3{MgLO=oXYYQn9A(F
zkYDImv4X;C{(12~CyLKLBYHSo*#P4=9mkZpR9E(~wG7pPt*v5t37;1MkZ}DNH$g4K
zUmwP;4P*C(;RFmr=U8LTS{F>2#Q>Q|xCI8)k-JjdiJOmMiVDA7xpb(VrPd$7aHhqv
z^!}e|D3wckvj+`eto$@UD(OOEE|pbquKX|3ui^P0lNg|$6rgV22XEL`6tnGBNQmuY
z8*yZhJBEn7iQy?3Vn;|Fic@nidd4A?B?N#s&J=lBsiYNjVTkNtaARhlL0k*6;?H5&
zbZuBgwc>C#TsZ~7)N$P;~*AjipA|7TAt$D|TS5&jl=1WWa5JgzDRf2@1t5w^FQ8
z(}RBOWvp6Gpf~Rj4mrAU?Q=Av10H*ikOoG1FFt{&quv~F3Cr`R5d(X!GgBL>8DS`e
z{a4^oqk6KdD4#IwVL#&$@(KJyMB_cgHE9g0qO|>D&fj!
zI1o{a@bgvh^9q6K9)ApzqedMBP)0BgDMn&m3uZ6a4ModDT#^VQ
zC@0(;KWQ`eF%`t$428K`7`fOTXY-qJ!owfCJ=nG^`~`A6HG7=&52N%=Fm|;klJcA2
z?s5XU2TyYIL&E$yURe_yN~yw`oCYjfVGg<7kvNx=!*$a5>;^<-Ho!pB5l2$1kw83Z
z3kg8_0m>ZyIrT_Puf%Xg9VqHYB8kdotbY)?cAlK3#%VFDPvC(4KKf5_RqSDIeSpeg
zgt^v#C1AytBLs4d
zhz>i$X{S7Cb68P6Y%3e*#9HjN@xXMGcqC?2AtARBQ)g=9L`oe(1E`&+8sK1R18hyG
zUUM8^V@(b;KDtij1#5Oy9R@s#c1e~8V&?1n=y
zjr5~-Kz5}g$H$ox%yd#_osCB2QFf@zrp_ZnW+2-eip@bOvIj=@nGnedOf7m~{PYQ&
z7M((AS_Brj-VCoxtY=>1*v=FZ553RnIr~Ig``JW8wBdFvCN@^-FY=#b|86_dwg#b{%
z`%5%@zALI)ui!#$2gc4~^`hq^O;=VImNr|2JJuYLk)-`iAs|p=Wg{M01~62H=}cy}
z!aTSc$|@Tvz8L`oJ&&pC#6$O~qw}OT({tF%*KA13;w`YmvOQU-X{v$Q7H5oFejIJr
z?!rNx%vpUOw70Zln943lu0DzCw%Z8vAaI^VWg&1HN&^#5+6c#M??P*}A^fvSF;>P7
zF_DQlnspHk&CkL>-vlz7B2m-Z2PZ2RC~Qba?WJz$Z?=Ql?g(_;d>QNKnqZ#g8C194
zgrkua7VpVHN6$^HUSk9`(>QeYK8B~R5{r(m7#3tU2uQ6QS9`O;u
zBp@Ux(=}n5^&DDKVmV-8i82t#Ypq3;XBOO?*+{H|)S3(N$(2V!TeGtFHw-
zo+Xmb#Gt-1pZwa$%gsP`Spkv=*p85PHf_TRoX)?9rE7$RHiq`=Ec${94W>L@-x6GEw3X1rA|G~7{&Qn;EgvS!JvG{?Bq-&-gI*mWt}I%JAleq68;(c
z5asTT?9xn3(oTlMCMzt`3�PPD~=f6m2XX0naR}EF3r(igTXS5$F3N#Mv5-Db*Oy
zb`T}dbxbf66HU=ZMxExu9`7l_s7dfQ`@XqYPys6GO?d40Ii~xFu8*X2%gQgA=K12qLu9=I_)s7ca_7`_7pZA$;Ec_2s+!p7*9^Ur
z`B*wr9os@Wv22khqzq%>Z2AyDP1^yV&QD>ZYXVt~Y=rN%!jAABB-GzPM(GtibEOj_
z31s;ECK$8S6)wk<;JDA9WMn`i7{=zcc$<-T^98JSC`DXgC`_%qu->Br^Q6}ypz3K1
zn`nj1b*2oq$px_Xt%OlfF;pZsA+r7s3F!HFVF%rm
zHb_%h8K5%rk8cK=V~D&1a#N^XM{huU^)>K@>_YjCi{K5{Kw2xw&crP+Ki7!ylIrNX
z+JqsjF0;)rg6cAHVGz9bI1~8k;c#IGlB>HRJ#qsAYudmYx(Ag7A=q1X3lk)*(NdF6
z&%zaZEW=Qeo{N(A->#1LZv!GSLZ5Wl7X8NNyH~qu^)&3fP;@aUN)^Pa#>}
z4fE7a$WJ6-rGZ0&$)D&m{5Q~V0Vv*-?bOL>q++k4nZOB5BT?eX(�n4a=D!#K%7F
zWuvnK3nO7+ag}JKl%mmzP3W>!#ca1trq!_RR@ldyOcP)uA=4PBp#5pHiC*?5jj8pN
zJ~!gBytrLEDZX%P6_y_}57||Q(qM1v*m444IF}cdlg){7@yO50z(z{8-HTusP+`7Y
zJQmI^fgpZXM{Zjf3TJPV1iW1Rn1;j3&$J(=)v&yn7DQ#^??%c8bB>?gXX$YKR2N|x
z7!Ru}S4RO4m7BkWf{5*C%0Q0HYd$~u6$FC><7I8lrNQb$Wo71&AWwe2l$OxX@eA5Y
z=x5>Fv!L_^d|VhS3#&hSM(oPU&<{LO&M{!wOFq4<71lw@zDzdeP(G72h=)jC8$(%~8I%vD$;!={jA~?t5y0`LZ$)%`
zDgm52nQLUakEQrz8gql93Ijn(Ya*4C$u*O4(lUq8a~;C8MA8a}C|P3YTvi6A4N`jS
z1(BR4w+v^rf))4thbU{qKemYLXG6%u`YAPtNjSbsQK_SsOj<
z=ktjAi6}1jT-cT49pD)Vrz?{S7WQWnJ^v>MC^82&>`8!`zCHY6axrTWRY=e=gfx=b
z>?=N3qr2jwM|9N1Y!HXyg*2Ig;YM$gl4qqVgME0;JTt?4@QB2SW5bQu0eNjp+=
zM(}|{*mk%8#igB?y<(t#JV|>LMT71qS=;-c>3j6aiQrl)aDo=r~WFc
z>RK^M&JD5QCFr}_NA1SvXTYW8n1k&HQ(?I`f;2FHH1xd)M=~*n&h|o1emy#=?Ifm{
zAiuL0jaQ$73V}~;>s6HH7r->E0y7pnVA5Q7=-T=szpNVx;n5_Rg6BwP=#=&0i1ng&
z9!usEJ>RgR4qPZM#f%Lh2n#O7jfP^ZJye3p1nfJ4s~|s1AJJuCS`#I`;KrDe7VscOSSGIeL$<>HWo2NdR#Tv4aw
z+K0@#W7$`6`}!TKTOlTF4Mu0@HN^QJ#g2VRIC-`ib?3t&A#Z|Vtg})Fw@kc-t!wp=
zol%5!p0#kWw8I4IaKjgQA-TL2S}O?57=TH!!#>u-KDiTF`JG4!3W79gshNd6@H=t{
zi`_F&ap4j)w;N*OGG7#ycHy-55h&}Vp{4jH3JOS5k~hcDndXq7LG4)aZEV;{X%96)
zb{5I{L`|GJQwa6Y4wTm2!R)zPkaO`J^pS?_;^a$KLNM|!T!XdI9+Y0Vj-sSI6ovX=
zOGqv8cSCtGwH+J0RLwDbjs@iOlHsCFU?^>Z^UVzih@||-=%S$KB36+(zkZ_`*6c4r
zO-CEX6QFN6P>fpg4;`V8^qNvkVuSu{0>;VPq3&0J$uvMNP(O_`Ui=qFBj(zXc76fM
zi%hX#cO+?~-ds3unhxq}s1J!e&;NINQh-Xj_9YhCC!zlGb!e=xfbZEd?Ak%2kd#oR
zr;5W00RBSM>=LwtHW4%zy{Xa7kA
z1cxCe_!PpLo=04I2i$dBNWgVaQbg+WWF4HYxrLmZdX#6SW0qYS+MBzvWjT#pvbM-S
z$4pf+KX%37UIBI38M?5G??4Fw)IJ*mIuaCq9rX}ab`2NmyD)mPH7-AY4|P|bfh=h;
z)qT$(zv?PIz;)q-CM31V3nbhHM{C#LcEmsexhbT-o4
z;6h6;YMOg6QPBg(?2nLu^7%MonvT3HuGgd?@zM*JEUklS+aqz<$`Zro1tQ3KFHFui
zVY-|hu3o=}+Do^gGS3!mt(Q<+Q;X5cM^G3OKm$N8#;*-RS$P|hBF}QqfuFuHBv(bC
zqNy9Dd8HUGqmQ!7Pos$VmKnxCeK7$Ir)}+qYwdg3ww^{;(qyWx+(U7BGgeq9V#90#
z3ehr?d9GxbiYx7%$T)wFID7Or4Y1tH?(qensD{qHaW;?Pb(s+V;gG!
zeW=f6J8cYBM*d&vNdfBYwJ)&3@-zZsim+mnH9dF_1jZHN1lzVlDBL87Ll+-La9lBr
z4A>+i2^UkxsbWcKY4p&T`e=+XOAkSH5rqp?NTzNw)t>uu(e_&!xBtGWU{KHg<;gWhRmS<
zGszTGCXI?6jxo!E%sbMyD4v80-J4^LVeDWFWdo`MfdID%n21e*kVZB{jRu_AjF-}6
zePp&3rNO|8^_Kzg{{JV+Phj@{sq~}(mC*YMyo)Z<=-!8ItEkZOX4qt#gbZdL2mpkq
zM59$InMw+*QTa5Psg%q=-4y2vbEt6*Fl|c$^jDMZK2;Zm&%A?#^m@`@&LQ-86r#?Z
z#p%=Mkl5NzCV?*6O9|LyOptu(16bX0c**DXS07}5m
zv>@tq+VN+>f9@J!M*85h)GDHdn71q-ieuaY@(R)%g~igB(voU6Sa{>Ha2hE4*r8=
z`~qO=&xal?I~9f}NkrhnGiQaqoJ|FA`-~ZRrZvrUsb}M2MlbHSt5(AW�ZJ_EQtY1Okxt#UzS7w
z>cN8t@bvWLz{u9t7C-&;69LpiCku-KN=#xB)1O8UX;9yN_Z^y>oALG6Uq4!dO1%0d
zR%m!&mA=;_X|<6r)`&?=V*1sz+R*2beMwA22Hx0i5s2@;{brD9C#0VNR2cnXfkFm$
zKKchAe1OkC|D5yRzJ2?V2kePSOk#R8-MxF4>pP+y@83!cM;M+k4e8TQKYb*RC_NUS
zzWL@GczAdqKR=(d4H>f-pu{AmCnqsL4JPK?-Q7`GScosb{PJh_8Hlm)XPqpF#r$G`5|fyooWuY%Kul};{`>DA3ru}|eR$)IH}TR-FQMnsCE&ZS1_RV9
zAAO7T>z^X?#-l0g#%E#@lbD{69@Uq`^xuhL(aVHM{QxC)VkdTD_g8ZqIE8n9i102k
ziAhXi`rlI+;ZZ+0oxSoA_ebo+PVB_)f9(ZSNDNM5
zCw5}@mvX-dPTzh115z74KuY6(klFGPvRXezcKau2xcRk!L+r#(?EcB_op;{BYp=b=
z(d)0jjvs&gQE=zU9a~Bu>ew=ZUvj?)PS3vaHQaN5#N`)$z!v`xuq)s-Y(0Jt!NvTE
zD&`vFk7L(PQ+)EBAb?!5-64D<@Qb=19(;yRAN(Nr2Yk?*iMZC+1pj~^zrKsKx|an1
z2HZDq_n`Xr2ZDdheU7lm3V|Q^?Cm%3y}&Q(K6&#E4CMA`cQQGNySf?q(eHOSkXnhj
zs8TL$u=^Ii`;!I!|L&fxjKQW|JKhOaRJ{HKv9T0G(BQCe&)^w``~0q6z6~Y
zc0D4pVv*7OJZ{vtAlN??uV1ai>8v_JwGZ&Zho9qmSp__OL%6&ywcN#
zeDn;5jU#*b
zpgPz+KyOP6d;|Gydc7tC0Z}RV{+&L&OKDswZKKeS@!~t*qbwm5Rh@6(xyA;ZE4hri
zMlJ{DW*z*dE
zm)QXKFXBkf3%KCrhF8D7jhySR!CRXA_;rVjq%>6-=N;-D43z?xYn9W
zIwt5Kwr)Oz7O!I*keO^{8puZotn7mGW@l26-o;y=^8xnFu4rWEC*$qARmeCWidRY1
zI$#`)WMe%}8?!M@gulH9`KS%pd3>8Kxpaw5ARc0lAAU%lh5L{l<_OH;Rf3G7j{R%YX=EK2cD=IrLpz_tXaoFiB$NPNidFU87|?m*B9^4mYb4aqY!6tlVjdwI*)Jv@oG~-(aIP0VE}2zeJz@
z6BuXqLPK^Q<+%+PI;(Ku)wgi?k$@<6e?YG}X
zKwu!;-C3XdW%mo<^b@uRet@T5cpFQd+wt7%pX2p+K7wArO~HL~KYWXf;tNO#a76EO
zS77Izi@tj=BV?NyUb&osz}$A+eCb03*l44nxfLJ2*o?!;wOrJTsryiW={j!R=z?oz
zD_qsJ(2#Km;g?>9^A-ZLFE1mq>?PEDyW*M8ZXm7iCG1fr)9XL2$h<{7I;Zgby&G__
zFh%F7gQ$G=P3&LojGsPihF5kiEOs71llLCfJ@X#icj=<8;tXnDdKXUX4&vMA3Q_v>
zr(8MklmN*~^Ox*WwXzX4~n
zXnx{@+~?S}-T{T-9(eY%&tXkqSs3PvXTJOidp4`!laD^YDieRI>K#}eO+(+^7ZI&t
z%xP^`x~gCkUyP$`9Vnew;2%eW!%oVxw-0YVU4~LF&jGDh?EW3j+}s?Ejg1^-W@i2_
zaAM$g^w=@Z&pv5!baLYSk8{7MIbFE&87h0fK*P=ZsObHQqdRX5o)G)t+XwjOd;Yln
z)A!%t{saD!bLPJP<~|;f*2Ub{U*G4h-+se4r+)frAe|q7|=Zf_MH&53CHsl`Tv7YAIj&6iQ>Qc-u*}46O)+!;`A}$#t%RI$Uo@d5ft4m
z^5HLUbq2~CJ5gKH2;Ru;IGNRil;RGk%-_vFNRuODq*t~fv#b)lQQNum-Ff5H!CQP7
zx+_iTz7}}AP4G(1pzC_>taskXO+>`Uc!zHRZv_3HvJ1S?TlwMRiKdF?@i1v&y8c3}
zR;08f>HmyvD6SokqN<4)GF=I!7^jJD9uQ3!piQ-6*f1EZH9cQ7Y
zc^oz@-%0#C5bnJkQ`M+#hHgXXv6YxSYX^p?Y{%*9q2Nu{rS$bNjKa9`j-mgpxnAXB_z%&&1tWpuGs?Icns8h+j-%`a2Ny|Lae`f=@pAgnN4@N}my(
zZh3P6oQ7yrz+tB)G@^R2a=sI)D{7&pMjdV@JMW!(I*W=SRvhof
zdH>@C75h6yY6
z5S^xmTRn@h*lr;ji|68Y_hRs*EWneo1W(=)yL{(kovIB^R;gjj(RrxOn~OVF7GTbFm{7FqBCZpvuFdX!`
zaIU{dn~6zGe*@yl=;GG1uk*o3uq$T&4w*!Qz=^lL3_0iXp>OQYKR15Z2H0ob#HJ;?
z`H2xYx#iu#ym>TIOOYlq%M22VdKjj_j*d3Pq#dW>qGL;_Xo$SlS{mhdVdA<3)Mh8a
z)Y2b@r>n5_P%6|dQlMd#2#d8E(2nVa3IX8sO+k3@#p@WatTU(rljaDIh&IC<*JaqT
z#vH>`%t=FWLc#MBvBqHm?6=ubo;H}Jy8vjtICgA3MC}Lv^AH;#;TVM7JVF@b)10>MX3VUJS3Jn{cIX0cmx*$ciN`
zXsQ)#&r2il_$HWH?tsKXJ$R
z&Vcbafzw1~0!e8r#I{VwaA^Xk`kAEpn4z|CEkZ6%gzNrIFf!J_5M@(LP!oVtrxK;V
z2R*&Y7`0RbAtj11(lMfV7N~DtP8yx%pf(eenEnp*FgU&V;*0&7)6czp-fdmyTkkfn>l`R)BW2P47I+wxE?GPW#WOU#ilg(*B`_g++-BJ&U
zNt!r);Red;FTun&1M8gPvC$|N>-3_~-PVV!_!um5PRGU_dnukK2YCH?5$N50nanR~
z3;ut)#>H>MjBV@CbWs|q5gSRPGDl&rB$`NDnY3OD9T#UHwL=m6TvlTFTuX$Nk!B$y
zqFKz-M%OJ#csuE0i{}Dd?2tm7w+6=U+=QMUS>)6%!q^?#(A_1Aj7xG*l(a?>nR=Ni
zt4TXFLgV#msIQs}^?>=P?UaS~YGWwcuSU;RX{=jef}twA;bcnSO<+A-O%wJ81mfi9
zDOkWRekR7vBrQ(P0>?6EVz`VooKxpRLfRBbXEs1$fhO9oO-EJUQViL$0oAEw{?4#O
z_(d5sbxXo@yCuBy6>y%Nf#-mKyoiI%nccwY!TWr7#MH{-uPn&Q05kKeW
zg9ryKvJ}qB!TgMe<)=vLGe1j{X-15n?z8gqX7ckH?5DUCr{6Cy#kea=S3yu0mL|)K
zm4U)|%4X2>B{OfDHRVOmgq4ZaRah=o7FK3Kx?&R3--U$W#LT&{urLmk*aj=^WHZuB@D1nI*0T>s~ct|sl*236Tu?Vnnpl|}B
znFbiQ$Q=vTQ0Gx0Fyg?;U?80tlrAeAfeDw!1Z^bLcfj5`0;5$4SQrn1B5x*c2+Ig>ngZ;q3VmhXuo*}Qx*AhOFTsb7=<<9x#yonNqsX$&UZma2bq&836R+p
zjnhHpxL#L86%lA~sz#V&nuZ-qb#bcv0#q~-k)B?Ut_yh>s(1h`7q6i0_En5tvJY8B
zZODrYgK=0lUL-`$$jOETX;#UVUC23q4wE%cp|q?UZnk7nifA}u5|fzz|49f=Y^Q>U
ziS7OLkXaW>CXo&T>hEH~?4!8T+l+w33z)mY1<9r5sJVR?GZegV*xZ>k4}FYW9)tKJ
z_7q1GqgO=WsEH+<^Exn%{>$p0hxKlKOx_p^S1n^4ENa0bk4k7NsKX+uoy;lifkI9&
zLPCBjrK64wr<)-&WgCpoUcq|P80f4Z4M(1|B4MQnoEF;TLt~)^Vw)N<&nOGq)V9GT
zqZf7sT~HXd2|+cTkY41A`LhA
zFmNI*iZer5KFm*A*3bN65|fzzC}QAr`B+Kql!lN;gg7mSEm)M*ArtRBma6UI=BS3S`7L4jRTvNX*_;xa
zn4V7l>ADy)o8q&@lmwtWGFSQaV`U+J0fLFL9IRY-0Tp_rxS7G5vMvuLVwG5|fz3Bp@+3iAhXi`b&}+oWvw1G5sY;2u{E5
zZQVoQ#7$-^{k8>)+{8JXj8=KF1%%uj5{oBTcf>8i{Dn10+{C+J&WT%)$rf1tmpLeI
zBK%LDr{Wf(s{YQ!lH6~r%<-@*0h4}IGpd^UATxLHhrB`_&d>c9@y{~BnFc{u!$d8t@)?a4lvc0AXB$@1*Y;VpG$mj
z8u;*6lpgWnZzbY9kMT8?#qJ0`Q;7L1Na&P};2e~TBS%6YrFj~6UwIKh(P+;Uc*Mfh
z*^|>M=DQVR!+O%bWb|PbTmUEg!vor%iVmgS&Sc)@)+m#+l)8R0%e3x9#s3OzYce9svV;Z|vLWi-{T`
z@Q=#J!qqG-D|pA2VE>*I@G9$qM^F~jmKeauC!2VKIB;5RcM2Zi1yET=&r8J~J~2g5
zTQTs>oy2TMtlDfxTB$A;XdOd*RV$8#9eQW6#82#$ZjGCf%P
z<>I(cEP<&T&LyNH=yWp4ivhQ;&fJ2^FaAQ{Pp2mXr=1muIC7N#pr|8{T6GGZHZ=09
zIHSF`71P)^Y?F86Y;!ZW9ZJ7hK)lk<#n4}&1FeW2%#_@M*s>h(CTP(80n>peZ-%33
z)wui4Gmu#tg%GDbFiXCSwYu@}w{d_~+Epme)5T1?Gy*5;#7eqYvcCdb*J?u1APc_M
zmfZRz33+Sy=hWl5*RMiVHxo|VO>n&OHl``-VEK`9Y}jCc`L>1Vtg1oZvu|L6vhF|`
zWOhS0q6;(U?FMg*HBuAU+AeKuI98AP;!0e*aR(>!>Tx)w7EU3RSmBnAtdMYw5LtxD
zQ_w+JT`zdNjmYolfk|8!R7k67ZZ4;L!q04oPx=r}9w04qx;ESk`Y>6_2#uu~u+6%S
z^t5t3f1`)WBhd2bL1pKaQM;AFKd~GmXCFme@kP|fMZvq_c}$VqPUX}>blVLKk+ehg
z*)vrB9Z0Ub2;Nj}oV#?3fX4~>K_?M;B5jz;czAJyHuYK-ke~B?>`^_Y%>ho=mS@;I9w}AhW7z4q_p3~
z($%CPOBx`*=N^`$*4Gjw~j1X?6LMrn(^%$fDo^164BRY;*~nX3kSS;RyPiD0by9VZ7(9S>foMNiT$VQF?aU~tg?$oSwv{R2FA=Z%X8f@
zHT6SXRUT~4_h6co9@^SPz==#236;YrODFANyAzI;U&DxL#%Q^ajb(=`aKOPEE7cER
zh@exjPL*{w8xduB2tQW|x3cS4v&#p)b=2vC8sV`w7#lVBBf9+>nPpC>P9|`gu7{#7
z`aeYrDVOLfw;#n}r(l}Y14G>-SVDCfNZ$Zecb~-$hXnZR9z)L6%cRL3$GJnEI8bm6
z>Y9f!Z>c>>`?|oJAArOICq%%>07bohaEZHwK&!*pq3;O?s{i`6Y;mg@8mbBj1n7FH
z79%#t;h@$5v|PCiZQmN4-m_l-PAnY@Jp1-7SSQp%Z_Qq)>mJ3?f?iBtZVOGFBRF2v
zhw(E^QQzK(u*T=1yWSb<6z*5rhjB8RsO-Ck?M4AKusEZ+p%l9!TVTJ*7iC#7P&r(Q
zT`D?=XnPg27?_df+`&d~t%
z8|PNV^xNqP!6_WWNNXBR8j%Ex%vM=*T9he9shMM_5?_1ZDH>t48u18(j-#1I1OhZV
zD)G%Y#?yaKNR-}irb$ufmeV*7H$59jDCk2$D-HX0TVV*9bX;7v+FYP!^S4-GaY^8m
zjk&V1N%Ik^=G=%ll>EbHkzX_}Cu12$Az;tBBHXfJh^&_rq8ylVXNy|TZ;0NNzR@xS5A@e!EvcA
zxcH`ASw^#oWg+mfL5eE_U75^~xv%e&gOH3?Y+Fg%t^njXUV2Vk{it2JGO~d~)X$~I
zFB2=LFr1q=qA=Fx!v*a!f}YPXfqw{l?$oB-ix^>E96!k<4UBB_zTwo4!`TEr)old%
zg>v%nvlY{yLr(}!f8J68?$Z>(q@<`{O#c94fFY$trWlckSuZ9riPB#doWvw1G5xzq
z3{GMalbHUJBnBrjiAhX9@vvn1qW0A9e3hB+U1>#1rLz
zRNNbtzqbCEW9TD8;5d2RY9-ScfCWjK`4lEG7QTz2|3_11FSiV89
zLBGr|e|o`9l(WMF*!rr6CRW*-yLAqs+*_CaaJC1PV6Spf-a$lZZgx$D|EVl^~}aP%l!o?ytmo$BWi5cgRQYh$+h
zTfrFi+=4@W>^Pi;6JAmLH&hSB8I%_hdwZtmlZm58C?9r^gq#`n1;h?|JH`CF_MW76
z5xgm5ZLad@No?N2gK)6gPi;bN!OAz2WIVjh+mgHl9UYT@}(UbYi?B
zi_Gtsq6tdOcE$Oa^VoCr9Ap=nVDx-j$St(sfNJC%YbdR7#0ZKrifANTen7%GRM{Le
z=37!+YvMJB1a-#I3U+9@)(*J^)|fb#9fUynk+6@ME$A4kMwo4y3)@Ww*qhx6Nkwgp
zrSv7)W^qbJkeY9UklG%MA;DK#>4=F07~>UP(b8B9*@d>$=?pP-i4&&H=D&vK(j+Zn
z+N>i;KO2qdEI;CrU*Uw&1QsLI%rKhLpDfIuh&Rm&?|lCTMo1pO?Vb{hQM1PM{$&G(
zkX-5j`K7iPu4;_&3v4lgbu8-aN-Lc(oZD>AjPp-myLk%2hbZVnX+soFSi52BOaklm
zv55CPj_LCSpAE6JDXu|89b8<(;IzjNQy1A|GW({Eb@WMFaI)k&hS2|s^q&F#__6shY6VnBQtrTC$315Bp
z7IV-%@;z9Y7j4{xgOF!n+_%{IDoo~ZCJF$1*<)Zp}SZg)@Pfbpd$F*i@<4?
zVLHq<7{Km)0~YF}BJWfvaxPxSLbEJ*+3iQ^)w>u&ozmJn4NpCN5mVJX2wY3CVCz0e
zX+)qTJsa(JU%@y<{t9sheu`@Xkdb^I3%BfnUUWP3x4Ym%M+>%kHX__D1R}$CZEVAtG1-MOJEC7jBrgRrVTNX^oLs(B(>OG~JY^)SaW3C$&i1U&A@4GO@Jg-ny-rqYh&TE(+Wk;J_Us(
zA<$nzBfBzNsAqzOj)gGUPHMZP87kVUNIN0*eTFg8>#iZ-xPQNSz&<=y)JuV@rV$S1
zltD!^1IDX%AhhN-)FYa)ZPqqqUAcv&R>d%0u@kvHoiwUjqO2r^($m9S+XCu9q(Mos
zy~;(jAt@Kchf#-7(!;)-E0{cfD^feILftnH^3$mEiI_{g>2?SRI|*akAOxkJ=S&!n
z{2K&L8qf~!#;#RV4_R$Erqp2KREj%83z3aiF=Y4-0=zCrkjWxrn~fY_51eTx?Pd5b
z)U`KL2lIog0hvc+s*GA33V#P007So(ClH;pl{!C91KpRKsI%)JrIF$bz$v=&CWep(
zG=A49G!{2QUQQk1ZO=nab~kBObieKb*9M%~HA52_HGLG1I)sz~iW-}#%?)ww=4Hz3
z7%~C^k=)iwoy7~W9-dg}R0@s7T3p=z^3bzbzL&yRu-@gA+dNOd@
z9Ev5@QP9?L!MM#QFixI?QCY++;)sOJD;cKdq-vAEFEEdQ>xpDY%{9a#%Sh}e|I`IW
zusv}Gi?@4_DYgf4^Y{l`viYistK7-7qcq7pT3|~2p5Yirrbu|nC5)AQXa@u8u*Qdz
zuzs^O)J(}V2ui{hcJw%ziH@G
zKN^SOf|bWyno3q!%(Ow)QIssP-#Z1%RvBZ)mO~iJRyvF3uVjJw+Zk{WsA{sE7>uC0
z+ndZL>KLSnm>fxl%fV2{QawisR)_P{9C6Su1uFBkvDiF}+9nn|lV!^u4$h@2m`qbiDa1
zo5_^cvh?DBgr{gp?T`#>8&Ay9J|r@SWQ65<#KWE=0q<&krtunK>W%=odlw@7us4<%
zdJ+KHWAS=>DyI$Co-5Z-J5&7rwvaVK-PP-ml_M?6@CbpFISee1VuK?+!(;In#^$ON
z4KQEN6B2YCxAF+~9|ZL2T!~B-pz6Q2QES>LzdO
zAx)Ic?XB1MAoy_YycVm_5)4z=??RJ~((B~SP*noKkk?AW$#+s4FB
zCUz#acWg|o31%`ec5K_W?PSL%zxzM;oO{1^S66pe)%#Sf7i&rQpf#R%rhc9(8l_dB
zxkR6i`a=8uz3u~GNrYQR61%=Cz4~zoUn|TKOhttjk5p1+G)@q*W1(sTH%3k#|2SfS%ZHqy6GUsFXg^2xrUL>n0VyzJjhIgnG9gZcUs^6Q%lZu!}#m$+}c#
zAG&2`h(I6uzhLfwpf%E>ijE3JBBi|BED`Ty{P0MK0|?dT~Dv}Orqx_ge|fHcFgnx{K=n^;%wC{u%_(b5;pE-!BjA&B1xTzum!t%lAjX0
z!Ii*1Fg<5(?3KP45Wbz!~CU3H~5^V2D8HDgRgMd#LM@$Ay$5zEADs
zts(tkaQBgTP?aw||FS8e46S5FK$o!UhJ4}*Cg;d9C!E9838s4(VzQRdcSldlfX#2r
z|Kz=*#Ob)=@I8BYS8$3LUygoF^6oq25VIitJ-o42-NahV>V#ii)AVT)mj$3E?z55h
ze+4YCEMIcpm6Y~>bsR%a9B_~@GXQ$$;_^FMp`KV1Gi;qq=wSKO7A+9!2OlXhL^G_qR-S3!$6ZM9G;AF-wDHgI1V#^n=(h$6GpZhQz&Z
zXIU{1YA1|l}C@DMi
z0{TgeJ#mzN@dod0-u@wZXP!A*LNc^!A#NLlJK)F@J`+WyVA92EHQYtS;jz(oG46d;
z35uYN;;&gQ1>iS6Z-bBm%v$^n(e?^%0fp_mcwCOfaD@k)*Plc6-$ZTXm~_3FOa~)%
zi?hc>WNk12*^b?1s;y2P4TS7XFZuPCNHP;^NWAUZ7}=9yyYK2MbHX7@Acgvdrn?Zt
zS?z2!ThdbVkjeu&1riiDL4&BcG0(DDNS!7)`cC{{
zsu4$e)nF&YP)Hc9$1=YX)RC}92TpaqAluEK1Fh@*&?1Z
ze2yHN+{P*JZdNdi(5W6K^?O~}pQu@%no2#vfU=A*yqdd;EawGV7K2Bk`?Jy!UQVpj
zN+9uLO$~M?xA|)D_w`>HigD?=r%%&^Rl*Np>7_%@TGB^%14*s~c|QNkkIHFWn{?Cf1Eiaf~at~C*cJ)Y|Qn2AWzq9ox0X=
zT@VxsTx&6E&lm*gCKF(!6VTG*-!v;VxS-A^kI0?WBAgY7HOJPaEV5w7&?>tnW{KDk
zmKKwQtW^4k&zYVq1Chezoub4AeCn0>LA(SJK5)WaLtSVN-t)ASb&Wy!EnkU;$M%`p(
z`_5p?KCV{>o9!6GZA)(@vgU){sZdGa=hO`(s){Ete2fqRz~wvv`4uXt+1#+sM-0Mb
zTg*xI_umr;X1({Gv<{Y8?O^Nk9*$6on8C_F99HbYzlBp69Z?U)IczvvsN0w+u&88|
zzt+b8x$TV1{hB>+VJqRHi8-;yWft-SMI%jxoUN|d2)__e4jD1`Ppk+m#_u0oiY9V2*^giil1x&h-6Dw?uO-
zq-G2DCkN0k!P@7gES31;H9VS29!SoIEtu48KDOVq&9peI$DF_@B?!kP(%>lF8rOf6
znuJUu3L`KS#i&zu$WnH?NJ=v@gSPS!Z$I{Zmv?H1bjiL@N+DE`03d9rk&Id_c}
zesoFro^dvC7=5#8Su_qzzG_=VK!bl{pe>9N(^MS8L&T`YJ
zjJg=b5!OLpp`HllP86ZrCTJv{loT^$Py0tn#P;n_TiO&&@Cp?{Fmb@}Qh8eHll_5A
z?T_|CLY?gIQp)56=qFV!BeSF)Kaft
z@eEC#h(O>qLRaKId(?PV(tu#h*r(j+5fLPY$M2uvW9-!a=rdb1#FRTaL+0uB8OHq;9UZU@Z0jPq%4(ekeA`}m5
z7pH=`rG@1a+z1{HBE})7+;9XlY7ibxm-+PkL0gQdVFGKGm|ujL
ze5r(q0)(P2WUXgEAahOX{^eKq0eV3n12}?HJ(
zQu;jC2oO!3V|IOJe{;&!U990pdT;RLgMU|##l2#rk1MnKPlI~ubuz5{d)V%7>$uFU
zRfNa@&RgN#+h;SAjkjcD31xG3<;^u!8hlq!S}u
zBmE=dgwfZsOs-uT7Ia8|=r<=1xkJK|g`2WyOZ%OFps;d(eCjRJ)wlqe5%qld0SG0W_^Lul)>&2B4?geK5MDpPH0UWS5}&
znNssSiIp2wOj%%|1Ys7=s!*qze<;4yo2BTMTa&YA7(F8X@td|X20(#@g51=y4lRyL
zoYk5wTPvQ4p)8jS{#Kz)Y@!KF0)*3}s?;1Rwe=n@8B^%dT`#qK@c$PHaK)&_cPJE~
z&x!_L9nyZf!)Ssz$bS*uT>*N=yootMxFxK!;jw&Yb2bhIHvoVJL1P%7-&IPrQXf7Ja
z-Fl20IC|Of@%>||N^`2`sC!;1GbU~YO5G!4R5Qzce7otEUE*FfO;&5Ge9z1@;sJ!R
z^5(5F3ylU5sj!eO)!BA4+3n?KZWeuf6bP1ims7^wic@tD-$_jOsS}cP_Cu2`X?SXcTZmgraskN)mv!!J$8AeH<$uM4mM^4d9F{@4D
ze|#npkEZ6vLHMqAMxrXUja;xv$uH6gOTge|i=m%_3h7LY|K
z{#l=2-a9}|Az{7arL+;nEEIO*$yQ^zQc!Y;Hjo@XVI6_ou-O^*A1X5OvzJ(lKgSx>>7=GX#aR|Tgbi&LD4vjrodwNBPV^iv^dTWcDa52WBo
zwKO?W&rw4nPPP1^WYy||eqBzfvVb5yd)~zA
z7{pf`i>6|vA2ITJtL>AIb~@)?v}KCEcW0KE;|rNq;v>aVp{Dt={2^pA3t?_Pa}-}Wwej0
zFV9-S-}fs;Q+CfM>%g8xv9oc{e4@yqj0yGpAf#lXXu@=in1T)Ggp?FX=QaQ@OK(cw
zFb;_tKQU=Dl7w4pZ%#9a+n4)Bex$%WC$##ENrF&70a**722-ni9Tp;Y_M#-Cpgtj&
z@Rwa2E_R~+Qgq0H``)Ffiz+ifn^)~!cc{D&Qp6o1JHsn8;8>@E4H%x)fxdHEwIw3M
zH$YP+zS#*MiHU^6|I4~QxNWJct0U5Ei<~Xtx;Qp*$`i)Idu||Ur5fR%q`nP;yTfwG
z!eO42+_*v6DX8Fj#CEDHVTnD&HAwLxQI^Tu-;
z7^EZ&nIiKLCSh)05gB_x%Y!I;^~9&X%wmp45bloE{eV0=tBQ@dy<4{{BmuZ@U-Xdv
zI#Kjdn}*9WA*NZ2UfR)fRf~&bfyqe&IZR;3dfd_VKN#;qGiPO&BpZ!OcDR)AGdNap
zjr{I8HL$-zCrLfkwCqg|?=$0`|h3wa0m`e`2>OyI0>yU%{s7RWg;2%OuOm31`
z`f~Zg;J*koMt-cdLo4wEa{6&QQFO+>o}$b<;fqu8
zlTP(!&6EI0cH=@tqPSHFNe@T2+^cbjRK1qYG=uzJ#HO_q0d>W?FO+Hy$Ul-Zzo2fb?PMb90sUf40hfoFg4=z1+Q=Cs6D
z8X=Tkl8jr1zxwQ~nw(|>+oom-c=}%vvuTid^)%8F9{77v>^Z|y;;39)YgG*7iUgDq
zuy52s*x1X+LFjN?x5yBeYME%6N1jhQJDWiVe{}U*y^*wxyzzb9zBxgMU_!0sRDN6X
zAp15F4Qq(#M733HpV7z(p9qk4I-V~zwjqxC9sNiW&uE*#8yJ%uVS=#{g{#hm4%FSA
z7+o~kal)f#>@jiNLs%3H`YLo1U#S0O8T0*X^-cG<&p(!iyYQ7HKOnL(v7+t6c%{~uu*q9>S2yq!vVT1
z^1^b$q7rqziAM=9J5)CD*P~qI*MI-={TiW0zXNv862+aA+JWD1xs2PVWhJl-DMSK#Pn*X7JNSI{Z8}C&|wThLW+44?JL=;2Y{s~QT4#&uZ*q0Z8q1F
zII9#RQfN*kl7gumtM0%TBth;3P2Gq{^E3_4M>2le$g}I+tBp?LQrEvM4z4_Z@R)mD
z^N@c}!hI`wZV6As6Sl@?fSOSA_fg&S#;o~qzSJ=GMGnid#u@!OQRLrRUObGv%v(CA
zl=ms2#)7-C!1C)UGPbx|0e~Wncsq?n!rRAW=YeF7n}h6H9}jEEvas!)jA70|BDDLf
zZMKY_%~{B%C^DiEabV*F{?+oO)bZt@kn|U9O(7j9b8f+~J}?i1J8f4F5*Ls17N4we
z)C+*ArX2mnPmM(>%JCWT`)V`-A-8IhmW11Gmit&mU0it=%NJ0^2;Y}>zcTC2po%>V
z5K&a$#ud-mt$e?Eva8im3lzB`n(mj&1B)*T)&>lM8bDo}MUH3Tn3ZFhFTe2Z1o5r{~^%tuN2y%>z?D4Yv;!Ht*xM8N=YZXXLnjYse=;t@CJ9;7B
zPrefSY(i@8C$`5g`7i^4`GI7bXYI56GM6%!ikTe0qt%MF%VvDwRH0j!Ok-$E(iK-T
zJ7nFtFF&&5eUQ+S>>iqy*FP@aau5A3+Hc1_4#s}{V!uprypXplew|QXh$#F))$-zC
zIt#CEcUvVPen>`U;fC8s|ne
zL!)XbkDGAq>3?Zb-I$8>l8@QWkv)4n!>UPBWCmu6cF7NlQ5R
z=17Fbv=EXh&CcLCuSSaz6hT(aNrND@GB`ao9oG>~Br~eBYpxEJ8NJHtT|lJ7VI=8-
zSaZI7FjUbQvuE}VhxL?%Zq=cnjx2%?&T{0`mB*U{QB7STQPhr2SRjWlyn%&hCDxB$
zHXxTC{fx?4N%%bbK`rPu8;bLb$-LRpH+~Bg{bnyS3d*kJ%$|g>vOm>3y~)YuR)vc@
z_
zHyhxHf$6XA-`5I)GZFE4#yAXfBYw@X??G=NlX|@4HTjWz;oN-Xn?dv5CFpIK-DE;?
zG;mzoA2Z(z;GZjU${sB-Vo4X37$PCz}{bQ|;nRNBO
z;oHlg$!?;f!JnB*$j+{y;)2#RX{W1c4(oF`a9URPX2WnKO(m`4Sg@`XLVEKI&bm`8
zR?Z#Wbtkcf^k-I+b0!uPkBdKLQwAoJXMqCm(hD}>TN2jupu~|TxEBc%-@xh+f|L6b
zd3M;_sdUdwbKg`2_k4E3u&+Jd_jr0-Qvdi6>Z@a9EDlE9LAzsrk~N)2XdxRqZ>{!&!-;*@v=Q%3;W^J@vAe~JG(GYG1FDE
zbLcfPOD8ATMa5=0``{#0A+t!!ukm)ikPXY2KAD$=Y0_A=N8PmG#cW|RGLaNatM{9g
z(r{=qK}X5+DXpRai(4XkHbs#tK#99s!~51HSIF@t@B^5t#PS@4EFtNis%RpUNy(`2
zz+HA9&y^#E>gjt9^YRsUM90WT~xuD+#1#<+{JXbpq%1qHe
z08Dm(tkdwB*Do1*H&OWel6UE+!Mi`6LX3FQnu4Mc?i*7EF2t=9GAn|h+|3;gCC&7z
zeRFqBECm!}JuZeaEG$S!~kq^B1A
z2v;@L%`k=k8VAObHt?L~K;QqvnD`Ks_DZLMrJ-!ix#I;M%MCzPRk6%&pHs5&vm~9w
z-pzz${78wIxIoY*lb$e*M2b?HRdMfjh}pd^a_;A{<^NoulI%5SWhp%8+sJF+P9UiVMVMia@@Q_2q?l;5;VK_fAC0$$QM
zc=9%^0X`h=4lKc=k-B55$kO&NoD|M}nmoW7{`juVnfMv*Ua(-zmC#YxaVz?#WF!=x
z&pB&^jMR76PwpKi6FSzR-Y~_CuAE0c$2qsP(7(;pR5W^|e?X{ahex8K{OE#;VNmy4
z8dM+fuWX0))VQu(E#&tKP!==Q6B}U!5nw`&L=kIBd70Sd;M#ZTjB0ME%GR;`bYDU}
z5A7bh2AGqx>=b)vCVFg#Z(%s&3^CO6meyv8vtBs=rh?424JsCu!L5mLQ$
zQd1}`lULr*N^WKtS#u;|y{1;JfWTVsBWRAohTl-lIgd3f0thb)N4r+`2*txs6*vE=
z4$Y&c@%>b_y}s@1aB%P}L@ye8;YuDNreyRvNn?
z#M&6n-N8l5hw;06GfTGO*N~HU^K8UIfOQ^)Wx0^WlEe)S5f`
z3pcUE&nHC=!
z$e)5k~{p_CgL^hRi)(T2F-OYm
zQW?6yL^mmF|F$^5?5gCW9{JCTtRodZk#K|zZmU(9r0C`i;4EY#@i7Err&|<>JI52V
zkY%EL_v37%IE*n7Nt^O-gz8_hA>#;Dms3;=`c?9xdW2G!Ns)~PwAGY*<1{yXxj)`K
z*_)v=qs+$LXo;?5QAXY`lrdZFniAWo3h*XvhH%%h_SMmqAq$CUR;?Ijowlg;npR}(
zb@(%N_mUICIP439q)o+W+(Zweaw8bOC4bGKCtXKs+EPD=ST}P~UC4<5)ghv0(QDYN
zBbF3c(LRd-XiUwZyf}iLcVKA7RzhUlqn!U`2zwzYHLi)7dk7D&2L;QYt56JPry0fm
z&H1i@+LnMd;&@`)+i>J%o=fqI_6ce%
z4@o``KsXH8%f7L-O-$E-()vj5fqor6unq22vLj#MT8BMMQk!zlyR{Cjv#gz7(vaUo
z&ae3MW!Vxz<(DdKXO}sHD^Ey$8y!srZh~Mw@^8^NheS=fo8ThVw><*_*}sA5vnJ+E
zoCwMLZCXQhTX(bZu{DFHIDQdou^lHQcVs
zuPiwice6eE7hJM#{RCaPAqDr_c2=rI4t;jVR3uw|&
zC(b1gUj`<~4t@&Ys;AVw*Y~@ri=&FL)$gX-h#Eof;gsaf4$AjQ0@g$~WGRJ>_cH~bt`(2AGd!b?
zAK$>wZ%Wq@ptC;9vOG3;pda$G>>oCU+yciiSPWcCQiGAXy8&#N)p=bi-tSt
zuVQR|I$i^?*1ho!2BX{{BDuB9ifePoh!_;=Uj2X~;aB21%5TzRZIQ7^+^M&xTj{)|
zIkG(8{h+Wj@mbZmVQPGf=_e0?5zzYO--EACc3;XWt@9Bx3!euJQVtHx8fCG(FWSSE
zY$R?q&Zph?>G<&YSrZ4(dJe=-?)N_3JOS92Gi5t;OZoK=@JgjO4%X8N;Z}`z&rWO2
ztMO6KpUQLuQKRdEM;GV8_lbNseQ9Eo?F95lrcROGCAp`9!LGW;>R~w?6