From 777af751f8c72b639840800a18313d2ed53577a6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:07:53 +0200 Subject: [PATCH 01/44] PDE initial export --- .../personal-data-encryption/configure.md | 37 +++++++++++++++++++ .../personal-data-encryption/toc.yml | 4 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md new file mode 100644 index 0000000000..228d8faf26 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -0,0 +1,37 @@ +--- +title: PDE settings and configuration +description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +ms.topic: how-to +ms.date: 03/13/2023 +--- + +# PDE settings and configuration + +This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). + +## PDE settings list + +## PDE configuration + +### Configure PDE with Microsoft Intune + +To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +### Configure PDE with CSP + +Alternatively, you can configure devices using a [custom policy][MEM-2] with the [Name CSP][CSP-1].\ + +The policy settings are located under: `./Device/Vendor/MSFT/`. + +|Setting| +| - | +| **Setting name**: Title
**Policy CSP name**: `Setting Name`| + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions + +[MEM-1]: /mem/intune/configuration/settings-catalog +[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml index 0bb7c66820..72bc8d3dce 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml @@ -1,7 +1,9 @@ items: - name: Overview href: index.md -- name: Configure PDE with Intune +- name: Configure PD`E + href: configure.md +- name: (Old) Configure PDE with Intune href: configure-pde-in-intune.md - name: Enable Personal Data Encryption (PDE) href: intune-enable-pde.md From f29b6870af539b6cc3398660012d3e1126233b8e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:09:30 +0200 Subject: [PATCH 02/44] removed include file --- .../includes/pde-description.md | 20 ------------------- .../personal-data-encryption/index.md | 14 ++++++++++++- 2 files changed, 13 insertions(+), 21 deletions(-) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md deleted file mode 100644 index b34908147d..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md +++ /dev/null 
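Review bot: the new configure.md in PATCH 01 (hunk `@@ -0,0 +1,37 @@`) still carries template placeholders that should not merge as-is: `[Name CSP][CSP-1]` ends with a stray `\` hard break and nothing after it, `./Device/Vendor/MSFT/` names no CSP node, the one-row table reads `**Setting name**: Title` / `**Policy CSP name**: \`Setting Name\``, `## PDE settings list` is an empty section, and the file has no trailing newline. Confirm too that the settings-catalog category `Local Policies Security Options` and the `[CSP-1]` link to `policy-csp-localpoliciessecurityoptions` are intended, since both look carried over from another page's template rather than from the PDE CSP this article is about.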
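Review bot: the toc.yml hunk in PATCH 01 (`@@ -1,7 +1,9 @@`) introduces a typo in the new entry: `+- name: Configure PD\`E` has a stray backtick and should read `- name: Configure PDE`. Also consider whether the `(Old)` prefix on the retained `Configure PDE with Intune` entry should ship, since it tells readers the page is deprecated while the replacement `configure.md` is still a scaffold.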
@@ -1,20 +0,0 @@ ---- -ms.topic: include -ms.date: 03/13/2023 ---- - - - - -Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. - -PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. - -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. - -Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. - -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. - -> [!NOTE] -> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. 
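Review bot: deleting `includes/pde-description.md` (hunk `@@ -1,20 +0,0 @@`) is only safe if index.md was its sole consumer; the index.md hunk in this same commit inlines the text, but nothing in the patch shows that other articles were checked for an `[!INCLUDE ...](includes/pde-description.md)` reference, and any remaining one becomes a broken include. Suggest confirming with a repository-wide search before merge and stating the result in the commit message.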
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 83e0433698..617cf005e1 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
@@ -7,7 +7,19 @@ ms.date: 03/13/2023 # Personal Data Encryption (PDE) -[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. + +PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. + +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. + +Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. + +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. + +> [!NOTE] +> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. + [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] 
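Review bot: the paragraphs inlined into index.md (hunk `@@ -7,7 +7,19 @@`) carry over a few wording issues worth fixing while the text is being moved: `PDE protected content` should be hyphenated as `PDE-protected content`, `PDE has the ability to also discard` reads better as `PDE can also discard`, and `This requirement requires users to remember two different credentials` repeats itself (`This means users must remember two different credentials`). The hyphen in `authenticate twice - once with the BitLocker PIN` should also be a proper dash or a colon per the style used elsewhere in the article.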
From 2324a12d483b9e23cf1a2923568659b75ce8d14f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:42:59 +0200 Subject: [PATCH 03/44] articles merge --- .../configure-pde-in-intune.md | 30 --- .../personal-data-encryption/configure.md | 251 ++++++++++++++++++ .../{faq-pde.yml => faq.yml} | 0 .../intune-disable-arso.md | 63 ----- .../intune-disable-hibernation.md | 62 ----- .../intune-disable-memory-dumps.md | 61 ----- ...tune-disable-password-connected-standby.md | 76 ------ .../intune-disable-wer.md | 64 ----- .../intune-enable-pde.md | 70 ----- .../personal-data-encryption/toc.yml | 20 +- 10 files changed, 254 insertions(+), 443 deletions(-) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md rename windows/security/operating-system-security/data-protection/personal-data-encryption/{faq-pde.yml => faq.yml} (100%) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md deleted file mode 100644 index fe2fb5b3e9..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: Configure Personal Data Encryption (PDE) in Intune -description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - - - - -# Configure Personal Data Encryption (PDE) policies in Intune - -The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. - -## Required prerequisites - -1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -## Security hardening recommendations - -1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -1. [Disable hibernation](intune-disable-hibernation.md) -1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## See also - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 228d8faf26..bcf0f04760 100644 
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,10 +9,71 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). + + +The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. + +## Required prerequisites + +1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) + +## Security hardening recommendations + +1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +1. [Disable hibernation](intune-disable-hibernation.md) +1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) + + ## PDE settings list ## PDE configuration +### Enable Personal Data Encryption (PDE) + +By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +## Enable Personal Data Encryption (PDE) in Intune + +To enable Personal Data Encryption (PDE) using Intune, follow the below steps: + +1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appears, under **Template name**, select **Custom** + 1. Select **Create** to close the **Create profile** window +1. The **Custom** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In **Configuration settings** page: + 1. Next to **OMA-URI Settings**, select **Add** + 1. In the **Add Row** window that opens: + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description + 1. Next to **OMA-URI**, enter in: + **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** + 1. Next to **Data type**, select **Integer** + 1. Next to **Value**, enter in **1** + 1. Select **Save** to close the **Add Row** window + 1. Select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. 
Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Applicability Rules**, configure if necessary and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + ### Configure PDE with Microsoft Intune To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: @@ -29,6 +90,196 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. | - | | **Setting name**: Title
**Policy CSP name**: `Setting Name`| +## Disable Winlogon automatic restart sign-on (ARSO) + +Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. + +To disable ARSO using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appear, under **Template name**, select **Administrative templates** + 1. Select **Create** to close the **Create profile** window. +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable ARSO** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. On the left pane of the page, make sure **Computer Configuration** is selected + 1. Under **Setting name**, scroll down and select **Windows Components** + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 1. Select **Next** +1. 
In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Additional PDE configurations in Intune +## Disable kernel-mode crash dumps and live dumps for PDE + +Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + +To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. 
In the **Basics** page: + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** + 1. Next to **Description**, enter a description. + 1. Select **Next** +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, scroll down and select **Memory Dump** + 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + +Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. 
+ +To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **Windows Components** + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. 
Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + + +## Disable hibernation for PDE + +Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. + +To disable hibernation using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable Hibernation** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. select **Add settings** + 1. In the **Settings picker** window that opens: + 1. 
Under **Browse by category**, scroll down and select **Power** + 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Disable allowing users to select when a password is required when resuming from connected standby for PDE + +When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + +- On-premises Active Directory joined devices: + - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device + - A password is required immediately after the screen turns off + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices +- Workgroup devices, including Azure AD joined devices: + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome + +Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. + +## Disable allowing users to select when a password is required when resuming from connected standby in Intune + +To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. 
In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** + 1. Next to **Description**, enter a description + 1. Select **Next**. + +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **System** + 1. Under **System**, scroll down and select **Logon** + 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** + 1. select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml similarity index 100% rename from windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md deleted file mode 100644 index 9fda445c43..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune -description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune -ms.topic: how-to -ms.date: 06/01/2023 ---- - -# Disable Winlogon automatic restart sign-on (ARSO) for PDE - -Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. - -## Disable Winlogon automatic restart sign-on (ARSO) in Intune - -To disable ARSO using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appear, under **Template name**, select **Administrative templates** - 1. Select **Create** to close the **Create profile** window. -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable ARSO** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. On the left pane of the page, make sure **Computer Configuration** is selected - 1. Under **Setting name**, scroll down and select **Windows Components** - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option - 1. 
Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md deleted file mode 100644 index ef18936b1b..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -title: Disable hibernation for PDE in Intune -description: Disable hibernation for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable hibernation for PDE - -Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. - -## Disable hibernation in Intune - -To disable hibernation using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Hibernation** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Power** - 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. 
Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md deleted file mode 100644 index 66a238e3c9..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -title: Disable kernel-mode crash dumps and live dumps for PDE in Intune -description: Disable kernel-mode crash dumps and live dumps for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable kernel-mode crash dumps and live dumps for PDE - -Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. - -## Disable kernel-mode crash dumps and live dumps in Intune - -To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 1. Next to **Description**, enter a description. - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Memory Dump** - 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. 
Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md deleted file mode 100644 index 4cf442e308..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune -description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable allowing users to select when a password is required when resuming from connected standby for PDE - -When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - -- On-premises Active Directory joined devices: - - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device - - A password is required immediately after the screen turns off - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices -- Workgroup devices, including Azure AD joined devices: - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome - -Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - -## Disable allowing users to select when a password is required when resuming from connected standby in Intune - -To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: - -1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 1. Next to **Description**, enter a description - 1. Select **Next**. - -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **System** - 1. Under **System**, scroll down and select **Logon** - 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** - 1. select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md deleted file mode 100644 index 39fe957317..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune -description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - -Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. - -## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune - -To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **Windows Components** - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. 
Make sure to only select **Windows Error Reporting** and not to expand it - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md deleted file mode 100644 index 795504237c..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -title: Enable Personal Data Encryption (PDE) in Intune -description: Enable Personal Data Encryption (PDE) in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Enable Personal Data Encryption (PDE) - -By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -## Enable Personal Data Encryption (PDE) in Intune - -To enable Personal Data Encryption (PDE) using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appears, under **Template name**, select **Custom** - 1. Select **Create** to close the **Create profile** window -1. The **Custom** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In **Configuration settings** page: - 1. 
Next to **OMA-URI Settings**, select **Add** - 1. In the **Add Row** window that opens: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** - 1. Next to **Data type**, select **Integer** - 1. Next to **Value**, enter in **1** - 1. Select **Save** to close the **Add Row** window - 1. Select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Applicability Rules**, configure if necessary and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml index 72bc8d3dce..f526600bd4 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml 
@@ -1,21 +1,7 @@ items: -- name: Overview +- name: PDE overview href: index.md -- name: Configure PD`E +- name: Configure PDE href: configure.md -- name: (Old) Configure PDE with Intune - href: configure-pde-in-intune.md -- name: Enable Personal Data Encryption (PDE) - href: intune-enable-pde.md -- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE - href: intune-disable-arso.md -- name: Disable kernel-mode crash dumps and live dumps for PDE - href: intune-disable-memory-dumps.md -- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - href: intune-disable-wer.md -- name: Disable hibernation for PDE - href: intune-disable-hibernation.md -- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE - href: intune-disable-password-connected-standby.md - name: PDE frequently asked questions (FAQ) - href: faq-pde.yml \ No newline at end of file + href: faq.yml \ No newline at end of file From 5b9280f71bcbf391763ac103517e97dea015a69e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 13:29:02 +0200 Subject: [PATCH 04/44] updates --- .../personal-data-encryption/configure.md | 66 ++++--------------- 1 file changed, 12 insertions(+), 54 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bcf0f04760..da0f067521 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,13 +9,9 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +## Prerequisites - -The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. - -## Required prerequisites - -1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +1. [Enable PDE](#enable-personal-data-encryption-pde) 1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ## Security hardening recommendations 
@@ -28,51 +24,23 @@ The various required and recommended policies needed for Personal Data Encryptio ## PDE settings list -## PDE configuration +The following table lists the available settings for PDE. -### Enable Personal Data Encryption (PDE) +| Setting name | Description | Details | +|-|-|-| +|Enable PDE|By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it must be enabled.| This setting is required.| +|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| +|Disable kernel-mode crash dumps and live dumps for PDE.|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| -By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. ## Enable Personal Data Encryption (PDE) in Intune -To enable Personal Data Encryption (PDE) using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. 
In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appears, under **Template name**, select **Custom** - 1. Select **Create** to close the **Create profile** window -1. The **Custom** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In **Configuration settings** page: - 1. Next to **OMA-URI Settings**, select **Add** - 1. In the **Add Row** window that opens: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** - 1. Next to **Data type**, select **Integer** - 1. Next to **Value**, enter in **1** - 1. Select **Save** to close the **Add Row** window - 1. Select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Applicability Rules**, configure if necessary and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** +**Data type**, select **Integer** +**Value**, enter in **1** ### Configure PDE with Microsoft Intune @@ -92,16 +60,7 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. ## Disable Winlogon automatic restart sign-on (ARSO) -Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. -To disable ARSO using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** 1. Under **Profile type**, select **Templates** 1. When the templates appear, under **Template name**, select **Administrative templates** 1. Select **Create** to close the **Create profile** window. 
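Review bot: the @@ -28,51 hunk replaces the removed Intune walkthrough with three orphaned fragments under "## Enable Personal Data Encryption (PDE) in Intune" (the bold OMA-URI `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`, "**Data type**, select **Integer**" and "**Value**, enter in **1**") that have no sentence, list or table around them, so the reader is no longer told these are the OMA-URI, data type and value of one custom-policy row; fold them into a small OMA-URI / Data type / Value table or a single instruction. In the same hunk the new settings table is a good move, but the third row's name ends in a period ("...live dumps for PDE.") while the other rows do not. The @@ -92,16 hunk deletes the ARSO lead sentence and the first steps of the procedure yet keeps the tail of the nested list (from "1. Under **Profile type**, select **Templates**" to "Select **Create** to close the **Create profile** window."), so the section now opens mid-procedure with sub-items that have no parent item; either drop the rest of the list or keep the whole procedure until the replacement is ready. The @@ -125,10 hunk at the end of this patch has the same shape: it swaps the crash-dump description for an empty "+" line and leaves "To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:" with no explanation of why, so either remove the blank line or keep the sentence.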
@@ -125,10 +84,9 @@ To disable ARSO using Intune, follow the below steps: 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** -## Additional PDE configurations in Intune ## Disable kernel-mode crash dumps and live dumps for PDE -Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: From 51f0bd039bec23979e5f409243c2b4cd461e709c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 13:46:54 +0200 Subject: [PATCH 05/44] update --- .../personal-data-encryption/configure.md | 163 +++--------------- 1 file changed, 20 insertions(+), 143 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index da0f067521..bd5d6074b1 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,29 +9,17 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). -## Prerequisites - -1. [Enable PDE](#enable-personal-data-encryption-pde) -1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -## Security hardening recommendations - -1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -1. [Disable hibernation](intune-disable-hibernation.md) -1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - - ## PDE settings list -The following table lists the available settings for PDE. +The following table lists the required and suggested settings to use with PDE. -| Setting name | Description | Details | +| Setting name | Description | Required? | |-|-|-| -|Enable PDE|By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it must be enabled.| This setting is required.| +|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| This setting is required.| |Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| -|Disable kernel-mode crash dumps and live dumps for PDE.|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| - +|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. 
For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| +|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|| +|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. 
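Review bot: the new "Required?" column in the @@ -9,29 hunk is empty for the two rows this hunk adds (the Windows Error Reporting row and the hibernation row both end in "||"), so the table answers the question for three settings and not for the other two; mark both as "This setting is recommended.", which is what the removed "## Security hardening recommendations" list said. That removed list also carried a fourth item, "Disable allowing users to select when a password is required when resuming from connected standby", which keeps its own section later in this file but gets no row here; add it so the table is the complete list the intro sentence promises. Minor: the hibernation row still spells out "Personal Data Encryption (PDE)" while the rewritten rows use "PDE", and the deleted Prerequisites and hardening lists were the visible links to intune-disable-arso.md, intune-disable-memory-dumps.md, intune-disable-wer.md, intune-disable-hibernation.md and intune-disable-password-connected-standby.md, so confirm those pages are either still reachable from the TOC or retired with this series.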
@@ -60,133 +48,31 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. ## Disable Winlogon automatic restart sign-on (ARSO) +Settings Catalog: +Category: `Administrative Templates` +`Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` - 1. Under **Profile type**, select **Templates** - 1. When the templates appear, under **Template name**, select **Administrative templates** - 1. Select **Create** to close the **Create profile** window. -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable ARSO** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. On the left pane of the page, make sure **Computer Configuration** is selected - 1. Under **Setting name**, scroll down and select **Windows Components** - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option - 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +## Disable kernel-mode crash dumps and live dumps\ -## Disable kernel-mode crash dumps and live dumps for PDE +`Disable Kernel-Mode Crash Dumps`` +Category: `Memory Dump` - -To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 1. Next to **Description**, enter a description. - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Memory Dump** - 1. 
When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +`Allow Live Dump`:Block +`Allow Crash Dump`: Block ## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE -Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. +**Administrative Templates**, scroll down and expand **Windows Components** +Under **Windows Components**, scroll down and select **Windows Error Reporting**. 
Make sure to only select **Windows Error Reporting** and not to expand it +When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option -To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: +## Disable hibernation -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **Windows Components** - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it - 1. 
When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - - -## Disable hibernation for PDE - -Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. - -To disable hibernation using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. 
In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Hibernation** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Power** +1. Under **Browse by category**, scroll down and select **Power** 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Disable allowing users to select when a password is required when resuming from connected standby for PDE @@ -229,15 +115,6 @@ To disable the policy **Disable allowing users to select when a password is requ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** 1. select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 00fdd02fd3078d1572f3740f26caceed094a5895 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:04:53 +0200 Subject: [PATCH 06/44] uppdates --- .../personal-data-encryption/configure.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) 
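Review bot: the condensed ARSO entry in the @@ -60,133 hunk no longer says which value to set: the deleted steps selected **Disabled** for "Sign-in and lock last interactive user automatically after a restart", but the three new lines ("Settings Catalog:", "Category: `Administrative Templates`" and the path) give only the location, and the path mixes ">" and "\" as separators. Record the value beside the setting the way the memory-dump lines do ("Allow Crash Dump: Block"). Several other added lines are leftovers that will not render as intended: the heading "## Disable kernel-mode crash dumps and live dumps\" carries a trailing backslash (a hard line break inside a heading); the "Disable Kernel-Mode Crash Dumps" line has an extra closing backtick and is the profile name from the deleted steps, not a setting; "Allow Live Dump:Block" is missing the space its neighbour has; the WER lines are step text pasted without list markers; and in the hibernation section the first item is de-indented to "1." while the following two keep their four-space indent, so they render as a nested list under it. The "for PDE" suffix is dropped from the hibernation heading but kept on the WER and connected-standby headings. In the @@ -229,15 hunk the connected-standby procedure loses its Scope tags, Assignments and Review + create steps but keeps everything before them, so it now ends at "1. select **Next**" with nothing assigned or created; finish the conversion or keep the full list until the replacement exists.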
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bd5d6074b1..efff303da5 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -115,6 +115,31 @@ To disable the policy **Disable allowing users to select when a password is requ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** 1. select **Next** + +!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | Select one of the options:
 - **Enabled with UEFI lock**
 - **Enabled without lock** | + +>[!IMPORTANT] +> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ +The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. + +| Setting | +|--| +| **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | +| **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | + + + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 4d7de6ab88acd763c27e47fbd5dde2e1c728f62c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:06:28 +0200 Subject: [PATCH 07/44] uppdates --- includes/configure/gpo-settings-1.md | 6 ++++++ includes/configure/gpo-settings-2.md | 6 ++++++ includes/configure/intune-custom-settings-1.md | 13 +++++++++++++ includes/configure/intune-custom-settings-2.md | 9 +++++++++ includes/configure/intune-custom-settings-info.md | 6 ++++++ includes/configure/intune-settings-catalog-1.md | 6 ++++++ includes/configure/intune-settings-catalog-2.md | 6 ++++++ includes/configure/tab-intro.md | 6 ++++++ 8 files changed, 58 insertions(+) create mode 100644 includes/configure/gpo-settings-1.md create mode 100644 includes/configure/gpo-settings-2.md create mode 100644 includes/configure/intune-custom-settings-1.md create mode 100644 includes/configure/intune-custom-settings-2.md create mode 100644 includes/configure/intune-custom-settings-info.md create mode 100644 includes/configure/intune-settings-catalog-1.md create mode 100644 includes/configure/intune-settings-catalog-2.md create mode 100644 includes/configure/tab-intro.md diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md new file mode 100644 index 0000000000..2859223cc7 --- /dev/null +++ b/includes/configure/gpo-settings-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under \ No newline at end of file diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md new file mode 100644 index 0000000000..cc0cad6c72 --- /dev/null 
+++ b/includes/configure/gpo-settings-2.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md new file mode 100644 index 0000000000..d911751e75 --- /dev/null +++ b/includes/configure/intune-custom-settings-1.md @@ -0,0 +1,13 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +To configure devices with Microsoft Intune, use a custom policy: + +1. Go to the Microsoft Intune admin center +2. Select **Devices > Configuration profiles > Create profile** +3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** +4. Select **Create** +5. Specify a **Name** and, optionally, a **Description > Next** +6. Add the following settings: \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md new file mode 100644 index 0000000000..1a601acaa7 --- /dev/null +++ b/includes/configure/intune-custom-settings-2.md @@ -0,0 +1,9 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +7. Select **Next** +8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** +9. Under **Applicability Rules**, select **Next** +10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md new file mode 100644 index 0000000000..8ff9da4294 --- /dev/null +++ b/includes/configure/intune-custom-settings-info.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md new file mode 100644 index 0000000000..713555d40b --- /dev/null +++ b/includes/configure/intune-settings-catalog-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md new file mode 100644 index 0000000000..ebd6a2e1ef --- /dev/null +++ b/includes/configure/intune-settings-catalog-2.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md new file mode 100644 index 0000000000..e195a9281a --- /dev/null +++ b/includes/configure/tab-intro.md @@ -0,0 +1,6 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file From 5be1e046be3ea436cf2fb4c761c35941115530f3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:14:13 +0200 Subject: [PATCH 08/44] includes --- .../data-protection/personal-data-encryption/configure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
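Review bot: the block appended to the connected-standby section in PATCH 06/44 (the @@ -115,6 +115,31 hunk of configure.md) is Credential Guard content, not PDE content: the settings-catalog row is "Device Guard | Credential Guard" with the "Enabled with UEFI lock" / "Enabled without lock" options, the IMPORTANT note is about turning off Windows Defender Credential Guard remotely, the TIP points at the endpoint-security account protection profile, and the CSP paragraph names the DeviceGuard Policy CSP with `EnableVirtualizationBasedSecurity` and `LsaCfgFlags` under `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. If this is a template pasted in to be filled later, say so in the commit or replace it before merge; note that the PDE OMA-URI shown earlier in this series, `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`, is user-scoped and not under Policy/Config, so neither that path nor the CSP-1 link to policy-csp-localpoliciessecurityoptions fits PDE. Two syntax problems in the same hunk: the first include is written "!INCLUDE [...]" without the leading "[", and its path has five "../" segments while the second include has four, so at most one of them resolves (PATCH 08/44 fixes both, so squash it into this commit); and "[INT-1]" is referenced but the trailing context shows only "[CSP-1]" defined.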
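Review bot: the include files added in PATCH 07/44 need a copy-edit pass. In intune-custom-settings-1.md step 5, "Specify a **Name** and, optionally, a **Description > Next**" bolds "Description > Next" as if it were one UI element; it should read "**Description** > **Next**", and step 8 of intune-custom-settings-2.md ("...that you want to configure > **Next**") has the same pattern. tab-intro.md reads "provide details how to configure"; it needs "on" or "about". gpo-settings-1.md points a generic GPO include at the windows-firewall create-a-group-policy-object article and deliberately ends mid-sentence ("use the settings located under") because the caller supplies the path; that contract deserves a comment in the include so the next editor does not "fix" it. The ms.date values on eight brand-new files range from 02/22/2022 to 06/21/2023, which suggests they were copied from existing includes; set them consistently. All eight files are missing a trailing newline.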
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index efff303da5..1099161dc6 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -116,7 +116,7 @@ To disable the policy **Disable allowing users to select when a password is requ 1. select **Next** -!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| @@ -125,7 +125,7 @@ To disable the policy **Disable allowing users to select when a password is requ >[!IMPORTANT] > If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. -[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] > [!TIP] > You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). From b8f2ca5f3b9ba2ab1fbcbd7df5799c4ea819a57e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:32:12 +0200 Subject: [PATCH 09/44] updates --- .../personal-data-encryption/configure.md | 55 ++----------------- 1 file changed, 6 insertions(+), 49 deletions(-) 
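Review bot: squash this into PATCH 06/44. Both changes here, the leading "[" on the first INCLUDE and the fifth "../" on the second include path, repair lines that commit introduced, so a separate "includes" commit only adds noise to the history. With the fix both includes use `../../../../../includes/configure/`; from `windows/security/operating-system-security/data-protection/personal-data-encryption/` five levels up is the repository root, which is where PATCH 07/44 creates `includes/configure/`, so the depth is right.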
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 1099161dc6..76a1e5431d 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -54,26 +54,10 @@ Category: `Administrative Templates` ## Disable kernel-mode crash dumps and live dumps\ -`Disable Kernel-Mode Crash Dumps`` - -Category: `Memory Dump` - -`Allow Live Dump`:Block -`Allow Crash Dump`: Block - ## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE -**Administrative Templates**, scroll down and expand **Windows Components** -Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it -When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window -Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - ## Disable hibernation -1. Under **Browse by category**, scroll down and select **Power** - 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - ## Disable allowing users to select when a password is required when resuming from connected standby for PDE When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: 
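Review bot: after this hunk the three headings "## Disable kernel-mode crash dumps and live dumps\", "## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE" and "## Disable hibernation" have no body at all, and the first still ends with the stray backslash from PATCH 05/44. Since the settings are being moved into the settings-catalog table further down, either delete the empty headings or reduce each to a one-line pointer to that table, and drop the backslash; empty H2s will show up as dead entries in the rendered page's right-hand TOC.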
@@ -90,47 +74,20 @@ Because of this undesired outcome, it's recommended to explicitly disable this p ## Disable allowing users to select when a password is required when resuming from connected standby in Intune -To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 1. Next to **Description**, enter a description - 1. Select **Next**. - -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **System** - 1. Under **System**, scroll down and select **Logon** - 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. 
Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** - 1. select **Next** - - [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| -| Device Guard | Credential Guard | Select one of the options:
 - **Enabled with UEFI lock**
 - **Enabled without lock** | - ->[!IMPORTANT] -> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. +|`Memory Dump`|`Allow Live Dump`|Block|| +|`Memory Dump`|`Allow Crash Dump`|Block|| +|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:**
 - **Disabled**| +|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option| +|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] -> [!TIP] -> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ -Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. | Setting | From 0989666354505ad79c23d8a1f90e79ebf4105530 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 08:16:23 -0400 Subject: [PATCH 10/44] updates:q --- .../data-protection/personal-data-encryption/configure.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 76a1e5431d..20945120ed 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
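Review bot: the new table rows in the `@@ -90,47 +74,20 @@` hunk don't match the table header. `| Category | Setting name | Value |` declares three columns, but `|`Memory Dump`|`Allow Live Dump`|Block||` and the `Allow Crash Dump` row end with `||`, which adds an empty fourth cell; drop the trailing `|` on both. The rows also mix backticks (`Memory Dump`, `Administrative Templates`) with bold (**Power**, **Allow Hibernate**) for the same kind of value, and the `Power` and `Windows Error Reporting` rows describe slider clicks from the old step lists instead of giving the value (`Block`, `Enabled`) the way the `Memory Dump` rows do; make the Value column consistent. Finally, the unchanged lines after the new `Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].` still read `The policy settings are located under: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`, which is the Credential Guard path this page was cloned from, not a PDE path; it and the `| Setting |` table below it need to be replaced in the same change.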
@@ -2,7 +2,7 @@ title: PDE settings and configuration description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). ms.topic: how-to -ms.date: 03/13/2023 +ms.date: 08/11/2023 --- # PDE settings and configuration @@ -95,8 +95,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | - - [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 55f2f142a83bc27acb46c485fc4fd75adb15090e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:52:45 -0400 Subject: [PATCH 11/44] updates --- .../personal-data-encryption/configure.md | 107 ++++++++++- .../personal-data-encryption/faq.yml | 14 -- .../personal-data-encryption/index.md | 172 +++--------------- 3 files changed, 134 insertions(+), 159 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 20945120ed..6e9dd3a346 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
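Review bot: the `@@ -95,8 +95,6 @@` hunk only trims two blank lines and leaves the surrounding template content in place: the `Turn On Virtualization Based Security` / `EnableVirtualizationBasedSecurity` and `Credential Guard Configuration` / `LsaCfgFlags` rows are Credential Guard settings, not PDE settings, and the unchanged `[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions` reference doesn't match the `DeviceGuard` path the section quotes. Bumping `ms.date` to `08/11/2023` in the first hunk presents the page as current while that placeholder content is still there; either replace the rows and the CSP link in this commit or hold the date change until they are gone.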
@@ -9,6 +9,66 @@ ms.date: 08/11/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +> [!NOTE] +> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +### Security hardening recommendations + +- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) + + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). + +- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) + + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. 
For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). + +- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). + +- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) + + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + + - On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + + - Workgroup devices, including Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + + Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
+ + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). + +### Highly recommended + +- [BitLocker Drive Encryption](../bitlocker/index.md) enabled + + Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. + +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) + + In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. + +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + + Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + + Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN + ## PDE settings list The following table lists the required and suggested settings to use with PDE. @@ -95,9 +155,54 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | + +## Disable PDE and decrypt content + +Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **0** + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. Uncheck the option **Encrypt contents to secure data** +4. Select **OK**, and then **OK** again + +PDE protected files can also be decrypted using [WINS-1]. Using `cipher.exe` can be helpful to decrypt files in the following scenarios: + +- Decrypting a large number of files on a device +- Decrypting files on a large number of devices. + +To decrypt files on a device using `cipher.exe`: + +- Decrypt all files under a directory including subdirectories: + + ```cmd + cipher.exe /d /s: + ``` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: + + ```cmd + cipher.exe /d + ``` + +> [!IMPORTANT] +> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. 
+ +## Next steps + +- Review the [Personal Data Encryption (PDE) FAQ](faq.yml) + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions [MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file +[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 + +[WINS-1]: /windows-server/administration/windows-commands/cipher \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml index 0429e74204..1e069f5f47 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml 
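Review bot: in the `@@ -95,9 +155,54 @@` hunk, the new `## Disable PDE and decrypt content` section links to `[How to enable PDE](#how-to-enable-pde)`, but configure.md has no heading with that name (the section of that name is deleted from index.md in this same commit), so the anchor is dead; point it at the setting in this page's `## PDE settings list` instead. In the `@@ -9,6 +9,66 @@` hunk, `### Security hardening recommendations` and `### Highly recommended` are H3s placed directly under the intro, before the first `## PDE settings list` H2, so the heading levels skip; promote them to `##` or nest them under an H2. The hibernation bullet says `For more information on disabling crash dumps via Intune, see [Disable hibernation]`; it should say "disabling hibernation". The two `cmd` blocks show `cipher.exe /d /s:` and `cipher.exe /d` with no path argument at all, which will not run as written; add an explicit placeholder argument, and if the source used angle-bracket placeholders they need escaping so they render.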
@@ -45,14 +45,6 @@ sections: answer: | No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is protected with PDE? - answer: | - - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: - 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. - 2. Select the **Details** button. - 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. - - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. - - question: Can users manually encrypt and decrypt files with PDE? answer: | Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md). @@ -64,9 +56,3 @@ sections: - question: What encryption method and strength does PDE use? answer: | PDE uses AES-CBC with a 256-bit key to encrypt content. - -additionalContent: | - ## See also - - [Personal Data Encryption (PDE)](index.md) - - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) - diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 617cf005e1..f522dc5930 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
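Review bot: the unchanged answer right below the removed question in the `@@ -45,14 +45,6 @@` hunk still sends readers to `the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md)`, but this same patch moves that section into configure.md and titles it `Disable PDE and decrypt content`, so both the link target and the quoted section name go stale; update them here. Removing `How can it be determined if a file is protected with PDE?` also drops the only place the FAQ mentions using `cipher.exe` to show a file's encryption state; if the intent is to rely on the `To see if a file is protected with PDE or with EFS` steps in index.md, a short pointer to that section would keep the FAQ self-contained.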
@@ -2,101 +2,39 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. ms.topic: how-to -ms.date: 03/13/2023 +ms.date: 08/11/2023 --- # Personal Data Encryption (PDE) -Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows. -PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. +PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\ +When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs in to the device. -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. +The use of Windows Hello for Business offers the following advantages: -Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. 
+- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business +- The accessibility features available when using Windows Hello for Business extend to PDE protected content -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. - -> [!NOTE] -> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. - - -[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] +PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\ +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. 
## Prerequisites -### Required +To use PDE, the following prerequisites must be met: -- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) -- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md) -- Windows 11, version 22H2 and later Enterprise and Education editions +- The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) + - Domain-joined and hybrid Azure AD joined devices aren't supported +- Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) + - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported +- Windows 11, version 22H2 and later -### Not supported with PDE - -- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) -- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md). -- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md) -- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) -- Remote Desktop connections - -### Security hardening recommendations - -- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. 
For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). - -- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). - -- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). - -- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - - - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. 
- - - Workgroup devices, including Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - - Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). - -### Highly recommended - -- [BitLocker Drive Encryption](../bitlocker/index.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. - -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. - -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. 
- -- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN +[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| 
@@ -115,27 +53,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has Scenarios where a user will be denied access to PDE protected content include: -- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If protected via level 2 protection, when the device is locked. -- When trying to access content on the device remotely. For example, UNC network paths. -- Remote Desktop sessions. -- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content. - -## How to enable PDE - -To enable PDE on devices, push an MDM policy to the devices with the following parameters: - -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **1** - -There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md). +- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN +- If protected via level 2 protection, when the device is locked +- When trying to access content on the device remotely. 
For example, UNC network paths +- Remote Desktop sessions +- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content ## Differences between PDE and BitLocker 
@@ -155,52 +77,14 @@ The main difference between protecting files with PDE instead of EFS is the meth To see if a file is protected with PDE or with EFS: 1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. In the **Advanced Attributes** windows, select **Details** +1. Under the **General** tab, select **Advanced...** +1. In the **Advanced Attributes** windows, select **Details** For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. - -## Disable PDE and decrypt content - -Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: - -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **0** - -Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: - -1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. Uncheck the option **Encrypt contents to secure data** -4. 
Select **OK**, and then **OK** again - -PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: - -- Decrypting a large number of files on a device -- Decrypting files on a large number of devices. - -To decrypt files on a device using `cipher.exe`: - -- Decrypt all files under a directory including subdirectories: - - ```cmd - cipher.exe /d /s: - ``` - -- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: - - ```cmd - cipher.exe /d - ``` - -> [!IMPORTANT] -> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. +Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. ## Windows out of box applications that support PDE @@ -209,7 +93,7 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a - Mail - Supports protecting both email bodies and attachments -## See also +## Next steps -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) -- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) +- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md) +- Review the [Personal Data Encryption (PDE) FAQ](faq.yml) From 076fbcffed9f1d9e24f46070f3ada58f5406f0ff Mon Sep 17 00:00:00 2001 
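Review bot: the `@@ -2,101 +2,39 @@` hunk in index.md deletes the whole `### Not supported with PDE` list, but only two of its items (hybrid Azure AD join and FIDO/security key authentication) are carried into the new prerequisites; Winlogon automatic restart sign-on (ARSO), Windows Information Protection (WIP) and Remote Desktop connections are not re-added anywhere in this patch, and the configure.md hunks in the same commit don't mention them either, so that unsupported-configuration information is lost. Re-add them as sub-bullets of the prerequisites (matching the `- Domain-joined and hybrid Azure AD joined devices aren't supported` style) or in configure.md. Also, in `@@ -155,52 +77,14 @@`, the renumbered step `1. In the **Advanced Attributes** windows, select **Details**` should read `window`.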
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:16:59 -0400 Subject: [PATCH 12/44] updates --- .../personal-data-encryption/configure.md | 119 ++++-------------- .../personal-data-encryption/index.md | 29 +++-- 2 files changed, 44 insertions(+), 104 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 6e9dd3a346..885fad8a2a 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -11,84 +11,31 @@ This article describes the Personal Data Encryption (PDE) settings and how to co > [!NOTE] > PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -### Security hardening recommendations - -- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). - -- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). 
- -- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). - -- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - - - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - - Workgroup devices, including Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - - Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). 
- -### Highly recommended - -- [BitLocker Drive Encryption](../bitlocker/index.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. - -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. - -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - -- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN +> +> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. ## PDE settings list -The following table lists the required and suggested settings to use with PDE. +The following table lists the required settings to enable PDE. -| Setting name | Description | Required? | -|-|-|-| -|Enable PDE|PDE isn't enabled by default. 
Before PDE can be used, you must enable it.| This setting is required.| -|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| -|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| -|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|| -|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|| +| Setting name | Description | +|-|-| +|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| +|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -## Enable Personal Data Encryption (PDE) in Intune +## PDE hardening recommendations -**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** -**Data type**, select **Integer** -**Value**, enter in **1** +The following table lists the recommended settings to improve PDE's security. 
+ +| Setting name | Description | +|-|-| +|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| +|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.| +|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| +|Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| ### Configure PDE with Microsoft Intune 
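Review bot: the extended first NOTE now repeats, word for word, the sentences "The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled." that the NOTE under the settings list still carries; keep that guidance in one place, preferably the note under the settings list, where enabling is actually discussed. Two smaller points in the new hardening table: the row label "Allowing users to select when a password is required when resuming from connected standby disabled" reads awkwardly next to the other "Disable ..." rows (suggest "Disable allowing users to select when a password is required when resuming from connected standby"), and "device´s" in that row uses an acute accent where an apostrophe belongs.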
@@ -112,37 +59,18 @@ Settings Catalog: Category: `Administrative Templates` `Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` -## Disable kernel-mode crash dumps and live dumps\ - -## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - -## Disable hibernation - -## Disable allowing users to select when a password is required when resuming from connected standby for PDE - -When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - -- On-premises Active Directory joined devices: - - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device - - A password is required immediately after the screen turns off - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices -- Workgroup devices, including Azure AD joined devices: - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome - -Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
- -## Disable allowing users to select when a password is required when resuming from connected standby in Intune [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| -|`Memory Dump`|`Allow Live Dump`|Block|| -|`Memory Dump`|`Allow Crash Dump`|Block|| -|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:**
 - **Disabled**| -|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option| -|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option| +|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| +|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| +|**Memory Dump**|**Allow Live Dump**|Block|| +|**Memory Dump**|**Allow Crash Dump**|Block|| +|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| +|**Power**|**Allow Hibernate**|Block| +|**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] @@ -155,7 +83,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | - ## Disable PDE and decrypt content Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index f522dc5930..7afed4f153 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
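Review bot: the "Disable PDE and decrypt content" section left as trailing context in this hunk still links to [How to enable PDE](#how-to-enable-pde) and tells the reader to change "the OMA-URI" from 1 to 0, but the first hunk of this patch removed both the "Enable Personal Data Encryption (PDE) in Intune" heading and the ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption block it referred to, so the anchor and the instruction now point at nothing; restate the OMA-URI there or link to the section that now documents it. In the added Settings catalog table the two Memory Dump rows end with a stray trailing pipe (|Block||) that produces a fourth, empty column, and the last row bolds its value (**Enabled**) while the ARSO row uses plain "Enabled". The unchanged CSP table below still lists Turn On Virtualization Based Security / EnableVirtualizationBasedSecurity and LsaCfgFlags, which are Credential Guard settings, not PDE ones, and should be replaced in the same change rather than left for a follow-up.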
@@ -24,17 +24,15 @@ Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release To use PDE, the following prerequisites must be met: -- The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) - - Domain-joined and hybrid Azure AD joined devices aren't supported -- Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) - - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported - Windows 11, version 22H2 and later +- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported +- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] ## PDE protection levels -PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| 
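Review bot: in the rewritten second prerequisite, "Password and [security key][AAD-2] sign in aren't supported" uses the verb form where the noun is meant; "sign-in" is the form that fits alongside "sign in using Windows Hello for Business" earlier in the same bullet. The collapsed bullets also end inconsistently: the new "Azure AD joined" bullet closes its first sentence with a period and its second without one, while the "Windows 11, version 22H2 and later" item has none; pick one convention for the three items.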
@@ -86,14 +84,29 @@ For EFS protected files, under **Users who can access this file:**, there will b Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. +### Recommendations for using PDE + +The following are recommendations for using PDE: + +- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN + ## Windows out of box applications that support PDE -Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. 
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE: -- Mail - - Supports protecting both email bodies and attachments +| App name | Details | +|-|-| +| Mail | Supports protecting both email bodies and attachments| ## Next steps - Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md) - Review the [Personal Data Encryption (PDE) FAQ](faq.yml) + + + +[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join +[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key From 93beb633694c5527a10c7c304db27a580dc9c26e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:27:43 -0400 Subject: [PATCH 13/44] updates --- .../personal-data-encryption/configure.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 885fad8a2a..5dcd799c92 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
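Review bot: two typos in the new recommendations list: "increased security at it isn't a replacement" should read "increased security, as it isn't a replacement", and "PDE-protected concent" should be "content". Structurally, "### Recommendations for using PDE" is inserted as an H3 directly after the cipher.exe paragraph, which nests it under whatever H2 that paragraph belongs to rather than making it a section of its own; since it replaces the "Highly recommended" section removed from configure.md earlier in this patch, an H2 would match the "## Windows out of box applications that support PDE" heading that follows. The second bullet ("Backup solution such as OneDrive ...") is the only one that doesn't open with an imperative or a linked feature name; "Use a backup solution such as ..." keeps the list parallel.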
@@ -76,12 +76,14 @@ Category: `Administrative Templates` Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ -The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. +|OMA-URI|Format|Value| +|-|-|-| +|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| +|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| +|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| -| Setting | -|--| -| **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | -| **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | ## Disable PDE and decrypt content From d6423fdd3880ed77caf406da42ca18f236ef797d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 14:02:40 -0400 Subject: [PATCH 14/44] update --- .../personal-data-encryption/configure.md | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 5dcd799c92..c2db39d5c6 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
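Review bot: the last two rows of the new OMA-URI table have an empty Value cell (``) for DisableWindowsErrorReporting and AllowDomainDelayLock, so the table doesn't tell the reader what to send; these are ADMX-backed Policy CSP settings of Format string, which expect an enabled/disabled XML string rather than an integer, so state the intended value for each (error reporting disabled, delay lock disabled) or mark the cell as still to be filled. The table is also missing rows for the two settings the Intune table in this same file configures, ARSO (Windows Logon Options) and hibernation (Power), so the CSP path and the Intune path no longer apply the same set. Finally, the lead-in still says "with the [Policy CSP][CSP-1]" and ends with a stray backslash, while the first row uses the PDE CSP (./User/Vendor/MSFT/PDE/...), not the Policy CSP.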
@@ -74,6 +74,115 @@ Category: `Administrative Templates` [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. [1](#footnote1) + +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies +Content-Type: application/json + +{ + "id": "00-0000-0000-0000-000000000000", + "name": "_MSLearn_PDE", + "description": "", + "platforms": "windows10", + "technologies": "mdm", + "roleScopeTagIds": [ + "0" + ], + "settings": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_policy_config_power_allowhibernate", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_power_allowhibernate_0", + "children": [] + } + } + } + ] + } +``` + +1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. + + Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ |OMA-URI|Format|Value| From d0f7be37db472f824adbbe96e382ec3fd192d7ec Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 14:25:44 -0400 Subject: [PATCH 15/44] joined lines for POST --- .../personal-data-encryption/configure.md | 97 +------------------ 1 file changed, 1 insertion(+), 96 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index c2db39d5c6..9ed0735375 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
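Review bot: the footnote marker [1](#footnote1) in the new TIP links to an anchor the hunk never defines; the trailing "1 When using this call..." paragraph is plain text with no id, so the link is dead. Either give that paragraph an anchor or, simpler, move the authentication and permission sentence into the TIP itself. In the request body, "id": "00-0000-0000-0000-000000000000" is a placeholder that isn't even a well-formed GUID, and a POST that creates a new configuration policy doesn't need a client-supplied id; drop the property rather than teach readers to send a dummy one. The extra blank lines before the TIP and after the footnote also leave stray whitespace around the block.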
@@ -82,102 +82,7 @@ Category: `Administrative Templates` POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies Content-Type: application/json -{ - "id": "00-0000-0000-0000-000000000000", - "name": "_MSLearn_PDE", - "description": "", - "platforms": "windows10", - "technologies": "mdm", - "roleScopeTagIds": [ - "0" - ], - "settings": [ - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", - "children": [] - } - } - }, - { - "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_power_allowhibernate_0", - "children": [] - } - } - } - ] - } +{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", 
"description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", 
"value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] } ``` 1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. From 6112e325a2fd32b536cedf490bbde51158ed8ff1 Mon Sep 17 00:00:00 2001 
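Review bot: collapsing the multi-line request body onto a single line makes the JSON unreadable in the rendered article and in future diffs; if the msgraph-interactive block needs a single-line body for the "Try it" runner, say so in the commit message or a comment, otherwise keep the pretty-printed form this hunk removes. The footnote paragraph "1 When using this call..." still sits below the block and the TIP still points at #footnote1, which this patch doesn't define either.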
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:05:48 -0400 Subject: [PATCH 16/44] updates --- .../personal-data-encryption/configure.md | 69 ++++++++----------- 1 file changed, 28 insertions(+), 41 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 9ed0735375..5afc65aba5 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -1,13 +1,13 @@ --- title: PDE settings and configuration -description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). ms.topic: how-to ms.date: 08/11/2023 --- # PDE settings and configuration -This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). > [!NOTE] > PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. 
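Review bot: the front-matter description and the intro sentence now say "Configuration Service Providers (CSP)", a plural noun with a singular abbreviation; use "configuration service providers (CSPs)" or "a configuration service provider (CSP)" consistently in both places.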
@@ -37,28 +37,7 @@ The following table lists the recommended settings to improve PDE's security. |Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| |Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| -### Configure PDE with Microsoft Intune - -To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -### Configure PDE with CSP - -Alternatively, you can configure devices using a [custom policy][MEM-2] with the [Name CSP][CSP-1].\ - -The policy settings are located under: `./Device/Vendor/MSFT/`. - -|Setting| -| - | -| **Setting name**: Title
**Policy CSP name**: `Setting Name`| - -## Disable Winlogon automatic restart sign-on (ARSO) - -Settings Catalog: -Category: `Administrative Templates` -`Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` - +## Configure PDE with Microsoft Intune [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] 
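Review bot: the context row `|Allowing users to select when a password is required when resuming from connected standby disabled|...|` in this hunk uses a setting name that is neither the Policy CSP name nor the settings catalog name, and the trailing "disabled" reads as part of the name rather than as the required value; rename the row to the actual setting, "Allow users to select when a password is required when resuming from connected standby", and state the required value (Disabled) in the description, since the new "## Configure PDE with Microsoft Intune" section added right after it refers to settings by their catalog names.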
@@ -66,17 +45,18 @@ Category: `Administrative Templates` |--|--|--| |**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| |**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| -|**Memory Dump**|**Allow Live Dump**|Block|| -|**Memory Dump**|**Allow Crash Dump**|Block|| +|**Memory Dump**|**Allow Live Dump**|Block| +|**Memory Dump**|**Allow Crash Dump**|Block| |**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| |**Power**|**Allow Hibernate**|Block| |**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] - > [!TIP] -> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. [1](#footnote1) +> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. +> +> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. ```msgraph-interactive POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies 
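Review bot: the ARSO row in the Intune table, `|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled|`, contradicts the settings table earlier in this file, which says ARSO must be disabled for PDE, and the Graph payload in the next hunk, which sets `device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0`; the value should read Disabled. Leaving it as Enabled would have a reader turn on the one setting PDE requires to be off. The Windows Error Reporting row also bolds its value (`**Enabled**`) where no other row does; drop the bold for consistency.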
@@ -85,10 +65,9 @@ Content-Type: application/json { "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": 
"device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] } ``` -1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. 
+## Configure PDE with CSP - -Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ +Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2]. |OMA-URI|Format|Value| |-|-|-| @@ -98,15 +77,25 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the |`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| - ## Disable PDE and decrypt content -Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: +Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps: -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **0** +### Disable PDE with a settings catalog policy in Intune + +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption| + +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +### Disable PDE with CSP + +|OMA-URI|Format|Value| +|-|-|-| +|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`| Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: 
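Review bot: the string-format rows kept as context in this hunk, `|./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting|string|``|` and `|./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock|string|``|`, have an empty Value cell, so a reader cannot tell whether each policy is meant to be enabled or disabled; ADMX-backed Policy CSP nodes take an XML payload such as `<enabled/>` or `<disabled/>`, and the two rows need opposite states (WER disabled means the policy is enabled, the delay-lock policy is disabled), so spell the payload out per row. The new "### Disable PDE with CSP" table is fine as is: `int` `0` mirrors the `int` `1` enable row.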
@@ -144,8 +133,6 @@ To decrypt files on a device using `cipher.exe`: [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions +[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp -[MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 - -[WINS-1]: /windows-server/administration/windows-commands/cipher \ No newline at end of file +[WINS-1]: /windows-server/administration/windows-commands/cipher From 2ef6ca10755586da5773fc8f687db9229b9e36d2 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:34:52 -0400 Subject: [PATCH 17/44] updates --- .../personal-data-encryption/configure.md | 64 ++++++++++--------- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 5afc65aba5..521c299687 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
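Review bot: `[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions` is kept as context while the prose now links it as "the [Policy CSP][CSP-1]", and none of the OMA-URIs in the new table (WindowsLogon, MemoryDump, ErrorReporting, Power, ADMX_CredentialProviders) live under the LocalPoliciesSecurityOptions area; point `[CSP-1]` at the Policy CSP reference page instead, or link each area page next to its row. The `[INT-1]` reference used by the removed sentence has no definition here, so its removal in the previous hunk is correct.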
@@ -20,8 +20,8 @@ The following table lists the required settings to enable PDE. | Setting name | Description | |-|-| -|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| -|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| +|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.| +|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. 
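Review bot: the renamed row `+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported ... ARSO must be disabled.|` now carries the settings catalog name, but this table is introduced as "the required settings to enable PDE", so a reader scanning the first column can infer the setting should be turned on; add the required value to the row (for example a Value column holding Enabled for the first row and Disabled for this one) so the table is self-explanatory without the description text.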
@@ -32,10 +32,10 @@ The following table lists the recommended settings to improve PDE's security. | Setting name | Description | |-|-| -|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| -|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.| -|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| -|Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| +|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| +|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. 
For greatest security, disable user-mode crash dumps.| +|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| +|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| ## Configure PDE with Microsoft Intune 
@@ -43,13 +43,13 @@ The following table lists the recommended settings to improve PDE's security. | Category | Setting name | Value | |--|--|--| -|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| -|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| -|**Memory Dump**|**Allow Live Dump**|Block| -|**Memory Dump**|**Allow Crash Dump**|Block| -|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| -|**Power**|**Allow Hibernate**|Block| -|**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| +|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption| +|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled| +|**Memory Dump**|Allow Live Dump|Block| +|**Memory Dump**|Allow Crash Dump|Block| +|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled| +|**Power**|Allow Hibernate|Block| +|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] 
@@ -72,14 +72,16 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| |`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| -## Disable PDE and decrypt content +## Disable PDE -Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps: +Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps. ### Disable PDE with a settings catalog policy in Intune 
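Review bot: in `+Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.` the phrase "the following steps" introduces two alternative methods (settings catalog or CSP), not a sequence; suggest "using one of the following methods", and add the comma in "However, if". The added `+|./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn|string|``|` row is the one that satisfies the ARSO requirement, yet its Value cell is blank, so the table still does not say how to disable ARSO via CSP; the new `AllowHibernate` row with `int` `0` is explicit and is the pattern to follow.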
@@ -93,38 +95,42 @@ Once PDE is enabled, it isn't recommended to disable it. However if you need to ### Disable PDE with CSP +You can disable PDE with CSP using the following setting: + |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`| -Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: +## Decrypt PDE-encrypted content + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps: 1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. Uncheck the option **Encrypt contents to secure data** -4. Select **OK**, and then **OK** again +1. Under the **General** tab, select **Advanced...** +1. Uncheck the option **Encrypt contents to secure data** +1. Select **OK**, and then **OK** again -PDE protected files can also be decrypted using [WINS-1]. Using `cipher.exe` can be helpful to decrypt files in the following scenarios: +PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios: - Decrypting a large number of files on a device -- Decrypting files on a large number of devices. +- Decrypting files on multiple of devices To decrypt files on a device using `cipher.exe`: - Decrypt all files under a directory including subdirectories: - ```cmd - cipher.exe /d /s: - ``` + ```cmd + cipher.exe /d /s: + ``` - Decrypt a single file or all of the files in the specified directory, but not any subdirectories: - ```cmd - cipher.exe /d - ``` + ```cmd + cipher.exe /d + ``` > [!IMPORTANT] -> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. 
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE. ## Next steps @@ -132,7 +138,7 @@ To decrypt files on a device using `cipher.exe`: -[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions +[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider [CSP-2]: /windows/client-management/mdm/personaldataencryption-csp [WINS-1]: /windows-server/administration/windows-commands/cipher From b513c30ecf9cf0c74b393ffef74138fb49637efd Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:04:16 -0400 Subject: [PATCH 18/44] updates --- .../data-protection/personal-data-encryption/configure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 521c299687..bc72081ebb 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
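Review bot: `+- Decrypting files on multiple of devices` has a stray "of" ("on multiple devices"). In the `cipher.exe` examples the directory argument is missing after `/s:` and the file or directory argument is missing after `/d` in the second command, so as shown neither command is complete; add a visible placeholder for the path in both. The renumbering of the manual steps to `1.` throughout relies on the renderer to count, which is the repo convention, so that part is fine.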
@@ -72,12 +72,12 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| -|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`/`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`/`| |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`/`| ## Disable PDE From 5b17368bf461e5572eb8ea9b525a893ab2009340 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:19:50 -0400 Subject: [PATCH 19/44] updates --- .../data-protection/personal-data-encryption/configure.md | 5 +---- .../data-protection/personal-data-encryption/faq.yml | 4 ++-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bc72081ebb..b577c577bb 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
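Review bot: the three string rows now read `|...AllowAutomaticRestartSignOn|string|`/`|`, `|...DisableWindowsErrorReporting|string|`/`|` and `|...AllowDomainDelayLock|string|`/`|`, and a bare `/` is not a Policy CSP payload; the rows need different states (WER policy enabled, ARSO and delay-lock disabled), so each should carry its own `<enabled/>` or `<disabled/>` value rather than one shared token.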
@@ -14,7 +14,7 @@ This article describes the Personal Data Encryption (PDE) settings and how to co > > The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -## PDE settings list +## PDE settings The following table lists the required settings to enable PDE. @@ -23,9 +23,6 @@ The following table lists the required settings to enable PDE. |Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.| |Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.| -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - ## PDE hardening recommendations The following table lists the recommended settings to improve PDE's security. diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml index 1e069f5f47..9dbd3b3def 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml 
@@ -4,7 +4,7 @@ metadata: title: Frequently asked questions for Personal Data Encryption (PDE) description: Answers to common questions regarding Personal Data Encryption (PDE). ms.topic: faq - ms.date: 03/13/2023 + ms.date: 08/11/2023 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | @@ -47,7 +47,7 @@ sections: - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md). + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content). - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content? answer: | From 801c35cab26eefa47d78d41372c90aa935a2be13 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:53:11 -0400 Subject: [PATCH 20/44] updates to OMA-URI values --- .../data-protection/personal-data-encryption/configure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index b577c577bb..7a7277136f 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -69,12 +69,12 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| -|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| ## Disable PDE From 3a06a978a7c4fe8ee5a696082faa75410edc5720 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 17:01:30 -0400 Subject: [PATCH 21/44] redirects --- ...blishing.redirection.windows-security.json | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 54589ae7b4..6e2684b399 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
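Review bot: this hunk puts the same three rows back to an empty Value cell, undoing the previous change without settling what the value is, while the commit subject says "updates to OMA-URI values"; decide on the payload once and document it in the table, otherwise the CSP section only tells the reader which node to set, not what to set it to.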
@@ -7334,6 +7334,51 @@ "source_path": "windows/security/zero-trust-windows-device-health.md", "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health", "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq", + "redirect_document_id": false } ] } From 0ca325899fa2e4b819809fd8cf1426d95d2688a6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 18:19:02 -0400 Subject: [PATCH 22/44] updates --- .../data-protection/personal-data-encryption/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 7afed4f153..6fe6c59028 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
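Review bot: the entry with `"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md"` redirects an include fragment; files under `includes/` are not published as pages, so this entry has nothing to redirect and can be dropped. The seven per-task pages all redirect to the bare `/configure` URL; if the build supports fragments in `redirect_url`, sending the old `intune-disable-*` pages to the matching section anchors would land readers on the relevant table instead of the top of the article.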
@@ -84,13 +84,13 @@ For EFS protected files, under **Users who can access this file:**, there will b Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. -### Recommendations for using PDE +## Recommendations for using PDE The following are recommendations for using PDE: - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. 
If the files are synced to OneDrive, to regain access you must re-sync OneDrive +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN ## Windows out of box applications that support PDE From f7fb6b07519f6caaafe93320dc603ca07e99f72d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 17 Aug 2023 11:34:09 -0700 Subject: [PATCH 23/44] add mbam/mdop from 2019 8233265 --- windows/whats-new/deprecated-features.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 5d0649468d..866159a45c 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
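Review bot: the rewritten OneDrive bullet keeps the typo `PDE-protected concent` (should be `content`), and the unchanged BitLocker bullet two lines above it still reads `for increased security at it isn't a replacement for BitLocker` (`at` should be `and`); since this hunk already rewrites the list, fix both here rather than in a follow-up commit.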
@@ -49,6 +49,7 @@ The features in this article are no longer being actively developed, and might b | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | +| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is is no longer being developed. | September, 2019 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
 
PSR was removed in Windows 11.| 1909 | From 9f7653268fc4ea8f2a7fd260560abd36fb778686 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 17 Aug 2023 11:35:56 -0700 Subject: [PATCH 24/44] add mbam/mdop from 2019 8233265 --- windows/whats-new/deprecated-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 866159a45c..4729a760c3 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11. -ms.date: 08/01/2023 +ms.date: 08/17/2023 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium From 3f67863dd2e41e0523becf55a3f41e020930e9bb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:23:13 -0400 Subject: [PATCH 25/44] updates --- .../personal-data-encryption/index.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 6fe6c59028..0608ea1a7c 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
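Review bot: the new MBAM row has a doubled verb, `is is no longer being developed`, and is missing the comma after the MDOP link (`..., part of the [MDOP](...), is no longer being developed`). Every other row in this table gives a Windows release in the last column (`2004`, `1909`) while this row gives `September, 2019`; either use the matching release number or make clear that the column can also hold a date.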
@@ -10,7 +10,7 @@ ms.date: 08/11/2023 Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\ -When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs in to the device. +When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device. The use of Windows Hello for Business offers the following advantages: @@ -26,7 +26,10 @@ To use PDE, the following prerequisites must be met: - Windows 11, version 22H2 and later - The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported -- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported +- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) + +> [!IMPORTANT] +> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content. [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] 
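Review bot: the wording change from `signs in to the device` to `signs into the device` in the first hunk is a step backwards; the verb is `sign in`, so `signs in to` is the correct form and matches `signs in to a device using Windows Hello for Business` in the unchanged line just above it. Keep `signs in to`, and consider `signs out` instead of `logs off` on the same line for consistency.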
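Review bot: in the new `[!IMPORTANT]` callout, `PDE protected content` should be hyphenated as `PDE-protected content`, matching the usage elsewhere in this article. The removed bullet stated outright that password and security key sign-in aren't supported; the callout only says such users can't access the content, so consider keeping the explicit "aren't supported" statement as well.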
@@ -64,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, | Item | PDE | BitLocker | |--|--|--| | Release of decryption key | At user sign-in via Windows Hello for Business | At boot | -| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | -| Files protected | Individual specified files | Entire volume/drive | +| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown | +| Protected content | All files in protected folders | Entire volume/drive | | Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | ## Differences between PDE and EFS 
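Review bot: the `Decryption keys discarded` row now says BitLocker keys are discarded `At shutdown`, replacing `At reboot`; if both are true, state `At shutdown or restart` so the row isn't read as excluding a restart. The renamed `Protected content` row (`All files in protected folders`) should also use the same phrasing the rest of the article uses for what PDE protects, so the table and body text don't diverge.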
@@ -89,7 +92,7 @@ Encryption information including what encryption method is being used to protect The following are recommendations for using PDE: - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive - [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN From 26f75b57bd36b0e22bcbbc2d07cd50d8bc9f2269 Mon Sep 17 00:00:00 2001 
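Review bot: the context line immediately above the changed bullet still contains `for increased security at it isn't a replacement for BitLocker` (`at` should be `and`); since this commit is already fixing a typo in the same list, include that one too.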
From: tiaraquan Date: Wed, 23 Aug 2023 21:40:48 -0700 Subject: [PATCH 26/44] Autopatch deployment guide --- windows/deployment/windows-autopatch/TOC.yml | 2 + .../windows-autopatch-deployment-journey.png | Bin 0 -> 57811 bytes .../windows-autopatch-deployment-guide.md | 329 ++++++++++++++++++ 3 files changed, 331 insertions(+) create mode 100644 windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png create mode 100644 windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index ad017e7f92..d63bb90e3f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -10,6 +10,8 @@ href: overview/windows-autopatch-roles-responsibilities.md - name: Privacy href: overview/windows-autopatch-privacy.md + - name: Windows Autopatch deployment journey + href: overview/windows-autopatch-deployment-guide.md - name: FAQ href: overview/windows-autopatch-faq.yml - name: Prepare 
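Review bot: the new TOC entry is named `Windows Autopatch deployment journey` but points at `windows-autopatch-deployment-guide.md`, and the commit subject calls it the deployment guide; pick one term for the entry name, file name and page title so the sidebar, URL and heading stay consistent.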
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png new file mode 100644 index 0000000000000000000000000000000000000000..ca58a89191104f6bbb525451cda8548a11495262 GIT binary patch literal 57811
zwEO&RhU&_D-6dnfnSpMRftO@-Ugbn6exT$LXTv8KO&dnsfk|fY`LAffG@tGOC^3-$ zrht!!hX*_twWtLiU_Y5VDV|ubL_Gws7-d|RpA$(atCP`{OwnC>#-e0}V95ngwv(LX z@LRfL+bnku@l6WC>MU~sl<1rnfx#eLtvl1;U+6#!&T1ac5`OljP8+U2w3Ag1cHk}) zS&}V#9^w9;`~4DmvBPIH9~h4)qQAXAD4_>O%A@pk`B~nc7w7#nBr|1G{l)!b$7(Sp z4tK(^O9QBL+w(YuNbF+UzNN2bI^9_|0}(-}^3g>?tO)1>h$ffb3z3*Z&zV+>URBE@ zEGxV^nX-+ZV<#o^as#QJ-_e{>gu~n<+#qx{cSdgZyE;c>OnN+Wz=19S|{wm$}AnY;tBG)saMq7oG1w}Ac zLpE+o%)>}4wJF>v8GC!zrIa4ct90f$9vpud@3K@38#q`;9_T2sna#Jud{e7ipZOga zjn2T|0VL8Cs_1=@4lRq3Q#02^A$=W%wqZ47=d9ORFjI?1^BrpG@_uBBKmPR{pc9yUe4oE++Z(RuaqB~58j6#$+(B=(?!v$mX z+(vnu6cW92x1D^ECHO57pw7V;m0LauN-z$ob?L7vq%?VF(%fmvX1eVOFCy#%ciBWw_wJ0=w}ty^?zEo!&$g;%?MCk8@Ap_&t5s&v z(L#afDJ#mDD`GuSJl`W2 zyrD!E65^rdc0k=uhe_a7mORE>A*w%t8e8t0*?*m|Z@Z}}ql~i=X=S3joqiF%yDAY4 zlubg{I@igfkU8Z@l&*CU9G)59zx{^gR(-t!N0LKDe_~0D#e>F{mCQ9Uy!61(!Y0 z65*&2h9%{>_HT1+0-=^ij?0;YoWj!l;!>;?!3jI;h|?JHJ?pHdn@xy`;2xc);Ajb+ zZivR}eRqa#IKCibj?H0@*UP_kA+PgD!%cs7{r1r+&u&N9C`UnOVt8llj_^di1;#@m zJ)8a~Foii6#BBb!ciw~b38wh~tci(m%L6BBOFKIb`7r|xJLf|ULDR;S_|w&PGtj%t zd*>q)59^E+6kBWYY{L~^X4nQG;{dnh3n3xa>+i`xXu}!?xp5A6a`P@EEESj*-!sog z8b6ILpc9|%_s+xy%n#rWhf&xBTbsV=k68}ZM`*f(ua#I=6>ZQpMHz{bD~9Nd(An`d zveL(m^FoBBUpbGK^E-L7nHIUv&x{#C#+mFhkL!Vosy2DRkbTB>R&l_$nJb-ja-@m~ zI(;;^?*Y#*&n`X4#<-rXlJMPqFp}_DpmyZXD9e|A85)W4iKn@_1oBVre^|pp^X?B| zs%l9R{}lVp>n#XCTVrW?$Y-mKgW^3e8mR+$%=xipoiR3R5phJsqZUAscF$*y?wNRt z^`vj;^gsv3{f?7JfXE3Cg6bc3d&fK*OJi!NV>kuQoxMteN##8u%Ihux#wxsU=SKjw z#CLG2iwu6xAtOKI@^YwN?mEW9=U^(p7em$=ay_LC?8^GOi6b|8Z1e|R*H+a^UkZ7Y z;01Sr=7%^vkW!f)x)FGv5}=$4{^_grZya(*++hk;D7aSv6R;Bz5dlhKnSvTg`1jJE z?w2FW%7Bx-#aT5E)oq7u@$}MsINj(<8073V8ANIlkzzT;fsehx3Po8itd`?f#F8$11dj2?M9e zgysroL>8P^er7AR63Y+!PHk%yGGpZAfRFbC|9t8KB3+yjz*hw_hkc@Nb;PoN^#SRz z3OkI#FIaC!pAXaQ;jprs2amP#dbfyjR`j(Ot#)MPm!v8WAs@+e-E#O89f~u;b>Unr zyIY(GFDYr5%OCY(dXF3%2p5{QvUg3w^|B4aEi&hX9$k>(2fj8TwB{{Sva z>S@%Qy?H;8OjuyA2M+X?h{V7uzQz|peOxShci^Y(vK~5GR)UE-b)29ApZq-dq@)bP=yuO1KC9vV5b|_S zbz`h*{(tSgXIxWR_rDFII0(py0wMx-qzQ_Mbd>=_1eD&3(p%^)B*Dr60s;ckMVj>9 
zOF){^A|;`B>AfXD2>I`WZH?MS> zcL4hu0zpMNx^UtxAcWi@Jr=40u}ffGp5TbnsH?hr{40JSqplj(*E_lS+}XZIp)xLV zvDrW(b=~QB@A<)i;vpPk1QOVJ)4N_LbiY?&8L3kbt$)r9`yp#OnlWJMFxyriyTV4Y zb5$Yxi;Ysyg6Lcz3hb&nQ~;dcvvR;ySp%-Zf!tCfQ`3)E^M==C#uR<@g`o<9<2gk_ zjfqj~)T8WDT|cr*LYv9LV6(3W{cCD%Y0GkLO9cDJUfr_IFcw2pU#x7%hBc9i@mFFD zKV4p)dEkx-JM=0a?@ziTV^VUeWUM@MMZUv^OGEZod_dqK$SDGxcZ||Q0DJewTw`u&DenDyLDK68 zV88E3sq@2D>9RGRQ`#@l<#``B>Q8W*`?zOBNT~dkUK34|4BRdDeR(E3>r+jRn!y0b z)vaYo13@HYuAx3HW{LUo8fKe_Gu`t=)P76rJs zt71wQ2D9LQ;Xg=-u~Gy4nUi-1+d(mvNmQChE3)cN<&hAm0Db{TWUKP_%ulw) zuW%prJLiBn}6_&VMOi$N?8+r1H7v z8O=gqWg*_tUr|(l9cd=0tbiA?DYyiHmfCDs&i^~x=iQxw0y9MwmEip3sSB+KBg04T zU!PZSC_S+BFpx7!{wpM?0V2Y}TG>Kx)5QKeAjtk4C{HFpzMbx7{K3rpmwJ^yy9C@R zktqI~T+h`0l^yaxr1o=PpEiJ1o&kr<0AG)P?G|up2CYF)AGSVsKa>XPf&PtrMEgVd z$7kwi-v2v9S34lf{2EJVoj}P9Zcg5a@V^3jk(eVgbpKlWY-$fDr-JXk_kw{y#7ySY z|M5rKeKiPp6hnh9#Ih9pKS@!q0CxkxAk%VlF?>uP59aBAODmWJYk|Yw%>c1crL1w-tpgCj(g3o}L{~<8mwc>h4Bof;%m_Wv(|OLvJ%%pqTZD2>9U{gY9YbV!Pi@!f)H82A)_g! zl>eJ_7z`ZIP8_cq?P|}1HikYBXYsMNUWx7Xe=rq6nA%TR*)OQYl-SGtz{&khh%5l>oQPEMeIPMuTmOYJHw&P_;IF~Pxcyi7 z+*Lq{grZGf)j^}?ps=^{4g^oMGR!8-)IvY2I#3Jr5)kPPFh+g_9a4iQLO=d5{vkDZ z{~Hy4I=Z~S$!U_O6Le2Q;wr`GkexdCq<~8b4WO_L-{0Q{8mPjt93ap;_|2nRPac3E zP6#;%*qh5k<=uRYKfg6~5kNhi<=YbhkiaowVC!e0TY#eK zUe+9tgYn`gNk!etCu6MXY;yDg`w^%o^{YJc zf5GEfGK}s`i$JhO;Syo42Ev0vBl2$VRN+53g}@EYV&t9w9t$xdt8LtJ%BQ0tGUJdl z28(JB{ZD_uf2ZQ(&}f6ilnrG-9j_SKv5iaZWX**Lh$_;gH$olXV*FDO|9~@si|oc! 
z!~Yxoc)gYb>csnvFBl{xirh$BrF3zQb_uiZcxya+(lDx$&dW5xs7c2Vv27!1vrIqJ zYf%Jo>HYMZm+7NZ!HBM4Do+0lNR@?_ofq$IlHFz=^eS^dd(d{R#8 zfY%_q2_vYc6kp_+GmvJ=J_%O2?Y+SuS9 zE=*37<0RU0dYjczz@cGL>oCb+4=1xmR-~#gE>n`dyTV3x=BP&SU%5JVK8epoIjg*F zxzYMnYUmT42;SK{rAacT{w~VkRwU!`-|L%^M zt|i3n_DnMS5r@g`8%xRc((9KU3rj~mgQLn>IlO00@{1EHH>nBF=b<`N1xf8II4etx z@pGO~+%P{<%$KM zb-hUdaLG)q+`miIT8$oAj$a=p&oTrIGj$Vt2;}Bx8_J@_%gvnV-XMP#Nz|OXQ1 ze=#23ZhPb+$Kc2%3A-<&>nFBqKSn7gDMiMM5?(IASZ{0q`{Z&1(uXBCePC!11A^st zGUWt3<=!@6fI!z_QwPS>=h_5bd?i0kkAP~WQSn@f%-WK482QXqv-L-u%j{99-T{Le zR#x3g!%8lWZP18cyvD4mw_eU2l?P6#m(DC3$(9rpvo4UH@S(ND?wzbJC#$sd9bY~4 z2hh?K5S;TDSaX&+XS-wUnNY993aZC9-f8iW4MJ80*^6Ef#;A_(rHoz|Dxz{MnSfzu zrN;jxaIWG`>a$58V5>2yT%`6&WkW|IrVSFvvws1I;f zKTFReRD;HVuK~M58<+k9Z#1$G+m`&4IaVtq#

2ej~qOnZsdID(!hAqx87abki8d zz>5m=C+M5wmw{ZK1wc;oOusVnpU~pNfx6UdUCsvXjK3=KNz{EJQZDoj4t+s%98@R3D-*{QmwhurgnhEjlE}AuAY__(UJo z`gV?7!{ISNjh?!=n{i13$o5^%Leu4nFgxgiLI7WVPJ8Vw!&ioy0^lHRR1|mUfz6(so4bCc_&$WkW~Mm~mJ}b| z>(_UhUy!%do*ZeM^;*`t6rp`Z;T0TJJ>2%~aq?QNJYttmjSZN5ufO(Q7S`^!p|b15 zk%H;2y^MFB*oVc}$nCBMd#AtPSOf7X!*{@Aj@VNKK~UvKCzZ=5VxH{9uTC?(W|5Yj z>N|2{t~N=!FR^t0_1c29iBx9p}RirDc~`}XURz>(Wo%Da(T6&z3ZIO6TVv$GtGNj0S}kV-%8rx9YZAW zj={pMFT4PeKEW3JUvR%C+^LBZ$_W9obKM3^+CWME_{7BXh3db7CR?lr$qs-S_T0j1 z3Fw!t7U%9ZYn^rTxXK-w4w&sxJwt#hA62*zCH2|+bg>fZIzhNQO=bo;TzN9$EZ#b^i zV?0{!Vmt za0kM-)UWk<9-G;IfXj8c2xcg}(Zn}kg+#OW zbbbd(Vy=PC<;HEwV!Wrs;|ZRa%IQqPK8EbkUuZ~vlP0OwR-)rJd>(dHo=l=r*$eYj zao@67K|a$SA_echwLr)o?GTr};%&c!9*hjM3q z$~g%cejM&S(qzI;FyX&m1K__9R2sm4A&BDv{CCTOw7UgEPIh8Qtt_VyI1%M18J=MKyok2t_#$F^3 z`f^MP_ucvRrpfL`Em$JVMs|6>OhCt@iSrT|HGYAAd>I__32%**II0v#W}mxGFoRwWBe*QAEaoBXOqF0Q8l2W%j= zJo8kS86Y8l9RDBbffO@%wBc@xh?IN0#UF#2q8MUd9f}yLD|IEhD$$g*Gf3{;R2aTE zf*Pw*lW1O;_jxLnID_Qe2$HF0{^zK7p{fFL4FJRqf*zlDqq#wT5Xth%AaTQ05dkD& z1HHI|;h8P#w;(MQ8uh>@l~QwE0m#@}5}z<~8^N*N&gnhx7$7mqE4GSAgEpb5%LL5+ z6s*cK=J#KR9=PXNE(LcXWnGMbC=BHfk;y?Xzn&psX=l)@5*SZSc`gp8x$~HPqH~Q? z{G1~{XecA{l1#AYP$!HD#pcMc>KK5R-mSl3g}ykl!A0KH8hO)B^Ov3++|YW=Eh#Eh z3en|odUtUpT$&2rnSF{Z*x^dpolYBS(J31JN*qQ{?u!~FOoA}?Wy$oM2Xx79bB)hh@XE_!wxn_o%Tz@d<>gVsX2Q!yeR-tDezaOMh7N{uC`lq?f! 
zJ<}w{+c{(1(DKzwXf*lj2%i$|&%%sTZ{sRqSd4G1*Pq%-Bo?aJ51v}>m9s}#JYR_d z7PECL0)6a&=lpv2obvjgD2aJ`j5uy1N&^==gIIjqFOb>%G=IIF?U5JhD=|KU;T5t= zTNft$Sks+n^QxkGT2M;Dj(vN!&00Cg5BzG(Q|ke{^j+0C67g0(cd+e@#OoJ+^gsD0f={W1?xaLP{W?=P0AD*R1iRvVMTt6+rO^x$jD>UQhUT zR7x6jaNp)a(8Nzq{rn*+?=R`TdlUOcmPeP_&?~Mp)yl_;JD!^X!F2w^7I*1_L2&`= znNWo^1mUKQkC|MY?CQ0O<9Zuj6CIh7oyWBHw;yDm>k2={_71a=6P;!d>S-oie=Cfb z^h#IlOMe6lCzOwf4;b)kvHNy_7~b48i_Yu3eqrzW`^w=-nz)IK%$MFak z3r879B%e0U9dfHJNxh;IJ6|8hpm?-sXvwdGmyBG~GwQkQ59_s8Oq9ghvh^%0l$tFd zR#-+0ZPMcV?bM`vNi@AVCovQ%%F4&-=~=l3jsq;hZPFmP1^YzRYvf+9$gq19qu~~j zI!sgmaKi4W?_dBiZ?ZTWU0l|R&C`n4_{)-f1YVoeVb%$b=dOzrPZ`7~1$P{_`+WnL z=#&b+RDRj{*3B?1n%})|ljb!AcrBG2zhOiJl3^2%hn--C;tFTT?JLM6*DO~2nIhUQ zRJNZ|Kd1YWSO*2T^RMO)u5#)xb4;3}PX@aUc8p!=FkU)gt1HN3UZbF)J|IlQ2Kx*u zn5N5Kf+=FmIr-=PGP}Lc#p+lKGEnmaCg<#nBoXr7bg^D<>do4maTof$Tdst@;g9VM zwr&`@LEIk$BBet%YFu-E`Zf=+w+7Qo?!pXvDbnUte9w%5+bfWU=?uew6tu#N9Zm=4 z#i9_T#+cc|j>dzvGd^nZ4?kZPE&=37mR?#2Y{cj9YxBp$^m*EU5YAc+apS&GG{;f8 z1%3+ejlN1^HIBQ~UbD3TD@LrI*^F2KDn-)VA5>Mq%>mi5yMrwt7r~DVRP1eF?{a*9 zF!HPjkq@KbmJ=ks{kb27__NHb@HM+E82A})e^wiK6TNt_#c{j(nK!Am(;iIfc2^$N z-Vb+5H($xdI>9kZRhiRs_lk!k(=+W_(0C4G@ww&v%3@eaav~+p+L1K(=)jgjaoU7_ zd(B)!yNV<2Ab-#C>4ees5@qj2=YkQ^o&fs$m`wW_w^JaE)~9>W-Ru17_6dfk5!YW- z2NvcO5Rx=yfr#y6d1ME|W8EZIfCzgN;*`#2#L|r2>!v&q629_F2g! 
zz9B|yxFGw=s}gBL0?7AzHBmamhAW{s%(~TCjpNxRoI8kw*2WyGEzH%0a&omm17Qg5 z{cMI~A@O)M>uoTjH10znf;gCu9ZxR9dSKyA;kO>aqkGFDqJTySnDzSXp05j!_)(T{ zy%bmNKa_5b)9Np>3j3M6tRDj(hm&Ve9=LoCvHdaHg#8{1x1n4wS75=Ks?J{q!Fj-4 z$T#o7_RSHf=o8;iYg?==CLnc>0W7w{^(ZKrfuknP_3x>X-z30>DmZ% z?czNyw!62{A!0LlzDF2#Cwq#%9i-dR6c(H^36)K7FCiglQJT2*k?kn8(qj#P zKDup+Z=Ltr)pFgdW04}VV*0^CuQQ|kAqQAh9+)L70BC1~K$dA(?`9)YY}MxX`i|QV z$>GsrUpve))8Vo1Scx^p37I1AuXc(>W-Ezz>0>nJ;=<;wlVQ6BxH6q85I-<@^i03F zU~$l`*^-Oo0r?A!#YXR-=%AF}l0m{fFvoHLo4KqlqYLmyK=@&|m8G9G>zLhB2L1dZ zvM`MNr`YvQwd0=M(ulEccl*7R^vCo-l`i6*TlN?C&%iMg5`U?Xn|tMOqjvL5az|Om zHZbC3rlagjqD{MVoaAP>wAW_^^Eh$JgOEQ!HUv>0I!$yVG#c;+?TCon{Y=c^^$fq{ zyOLYhoFcBkk~K^20-Z8R3)UZgZLWW^AEdAbBK9Xrx!xt_ec6-6Ps4{&_Mi*}SAV;d zUkNU?fsl^%%$bauIoEOA=%V@;3O%hk1&P)9gyD2o+&?7dc7sv*e$o$XR<~AgHNel9 zZ76DiOq4$C;!hd>{=LVpT7oC&5HGiUq}W_zKmtD50%Q$r&+?o)0Hgp?ym|W#9lelK zEYgk^w`J0HSHIUMF$9fBx|LdPP{j=Qc7dETY(1HgW)U$cRLUtqb#~5{&5hdv_%$OY4$&0r0NS}Dgh+?9;e^X>gn!e9 zQwaR64G*N&CVt@gOu0@|t z8gZ_S@1fvD0Q{Ig1DKvHleTF+?jTws{smK`u#K6KPI9D$O)EG2qj2y+VpO48M++ZF z84ryc>}LwV+KJUeIVS=LrGc5ui(WS>TZ4}o=csJ`@fX5Cl4He@bLicf2V1 z)r_ZHeh$=>oWz;nO8kIL`xh-c;DiIp1Hn)2^T(;O$k)p4{N8KtxPzs3SloPNkoYDO z?0eL-<^~iG;-`XaG}9^qEtRg}uRYgOxL zTN`s-bD(N`Qd%3uVr1uU{>7$ok}l7st@^s2`6ly;(v`(C5Q;h0iB`lE$Qv-IrU1!E zZ5aFdChGS1%ad(m2le9xp#P7{g0;GgQbIbJ2Kc1b&1V>3W~z<*4`q`ZVTi}1`mx=+ z`5__H+IoL_pDKJ{-XnLo`mmUNM4nmaXPCe{v663@Crf9)Uz_5ibGV#BNU#wcRGj6_ z28%!Nd`fKd$O9Gc5`FCx@`ZNQ0!ro$^W2jqPAU<)?(V}%B7@={*%K0JzWBR)7O`4w z_hhK5JQqIYBM6gMYpE3dLp=S=^RG|_ep^d3?8k+#ZTEBE zhrFilv%dhpCp^l;pw)8i@nX*MiMj6tShWF*iOSAvb~TrPDUWtM$e)P}Mtp|0+&T>d z3kt!~;HF*RW|Hv*#mH;I2?KZ2K#+_TU?Kr7()C)PwjIfoQIXzcA&{SJ);<3E=W zC&MJ(;6Q#x6aQR!~`DJ$(7q2v#ATS$g z!SKoARYNfu#-6qExk!se=!BUM$60jUYd-DQ!BL`_3c#<6(bJU^;}80~*GH^hZ+Ou% zoyk$Abs68nWZVR~>U(#2KvLL8fOYkE(c(kkO<3o=3F-P$IYr?WY`Y`C)il@}sb(`3 z)gaJC9SaX~6MAJm!ZJPu3D;I_e)^5a)F&Kdtgi$bTdj^Lm}L0xx>E4nP9a@fa=K^X za!2La-rbuR&I%7D8V$kP^4zjgRT@2jQD(7@WVA0@^xjcSJG8 z(NpTr$JF|(D9xCl6dVUqR*8#*@j=`-uMQmIs_s2u3`OO%rhvI-;Zn8HKv>V-6yAu# 
zb3CN$`N$;!} zh31OR&-<)?3wB56KUx9ImkP}t=xFhWn0D`_0GAAepvMEMtSh&?(M8!8o#IL=%yb@L zR}L@Vp{fGu;FNsMyYpE4Fu`eZwv1`0wY}HbMx9kZnIk^vlpru+ zKu(4@1I5J(kF>bLyr<1UBo5+X41lZ0BWv$k#JNVidA;OSt8s=0Y=X1?;{+!>5D?`+ zIP^#vNnT+3z|m+1Z}C@hk*34RoNX^9v@2ZZ z6yvw7G0ZqavRj{U8hIhKaYl=fm8)pBLH+K>c}9f@9kS<$z979k`xT&UY;cBF1oJ;W zgEIu!ojtlZzpT$qlW>TiQ6)3v+^gnmQaDMfvpb>lUkHkoV&8jY7M~Xh(W0yKx;V;Y z=o~;;J=nvL^_Q|eeM0#S<4S)*cO9!r6Q(YO+toVb(y&ToJ&doe=qRhq~T4y{I^CjX{?zrx6G6Fk{z zu3sG+FKRtFhF$jZ-}_o?@ap?U7r&r;$6)X-Czsc?{3E2%l^vEdbOM7{rxc~gNgKhW zAUz>JSyhZ$B3^BZbcV>5>S&aSW~$)ytjMesmyVR^7Q zwO%v>t5JT$!>WAlI8h-_5Pdn>v0Nhu_5m@aLH`kB({qEkV9YxX>ozPY8bjrxHw?*G+jj!L3{YIk)whf9% z?&-R}-ne?a;=Y;R;W^W?5UkyRQ=sRZf`0ivZ)p6@J;Ne%A4LriO+{*oqUsx2c#!gpeLmo`m`Za1E~hWrKF~eWJ< z21n#LW0BE+E}wE2|5IY-0~F(Y<;`Ij+zVKN%w-+d4Gau-%kH#?;qX42Ru0)89Amc> zyOz3Z;L*ahCR)V__7^Kyi-+uwy35U#EXnkJh>#b{(RNJ%;iS^3v$rBquIN4woYUH^ z5k6h}r28#qFBV+a#T48#_YZxnR6SHrQjneTU-SWC#^)87UDmt86f1aYxFObJMh4~b z(h|h$ZM#Z41tK^^&2l`pdzR07{@nHA@{h=#G48FLpLrI5d$TuYsIz=gjSRD#i!)^J z?2^sA!sX`6^qF-snW3y=!iL?urT3!J$cO3n`0dc|58GeZ%!jJoY(KJuHPW>|Sp!B# zgeMy=c(DWr)au12`}r>>n9UDAb+7!IvmI8(9NKCoGj~)WDMc_l!_~s$QCAp10@~ZIFFFSQY^f`S1$&@xIxx9~AtY4{i$?dA_zIiuYCPleg^2JZ%3J&$ zd2pxs9+A=0XU5nE-4G<1(J)lw>}yvkBB57$JH~fwqkm-)W$ArSs=57Yf(&9x2Bae` zX5F`ziLScqWT`ZJnL9FT*!*dUgqc5cRC7RqDO_jTu4K>d;yl&?#eZ;q zUi;gg&(UXl$LOd(uNVEuj4p5Zt{ZLZOqqsT;OO}@4n|hNkdC^5moJxC<(~5j`>V>I zS&L2nF|`(#-7aH?j1^C+OA*-v0uMj zBJEXNF?w<7)%cv3K@oL~cSKD&S4w@(fR5%+`DZ2a}f>(b1ZEFVga zvuD2xqnUu9H12Mq$}@W$MS}aH`xQ6R`H+elFq)QymrUyj-SNYw8s&VDe!f#iIPQnH65%b6_A5NtXp=W#ACp#E99}k z797738w_{LKQiS?-6wTK_lpyaOY$aVX8>j;Z{cI*CD^Q-YwEM81qqTiIk55r3lnq` zaDmQY>pRIXHfbng!Q|i&FkSu}df@h=g%lyfqN-cSzqpqrXg2w%8A$T38E0jDDFg)Y zRzL66ymJ{?(}GXVbPg@N+(Qd5hDsY+XTSwXcYt_u^l?okjY7jtL%UNQIl#{EuER_* zOO01_uSxc@7XR^$d8ogd*C@F_vQk`RJ`P{PWzwq4=vE^eZtnvJ5$RbvLf1n!Z0??C z0SV4o_1*f-d?go@;-wcE5xY#i-rIHwfH;@Ws+Rd60^IiMLZ$L_5_o2awyU0w`(z6p zV_pBG)GT$gX$w0y(UQ%Hi#fIV`cRxHtnR*1yO$z{Vz7T{#m62&I@>G5DqE~X7_#+< 
z*R+Vlj8yY1GlbljTYm38Fc|O4?;F>fu9Vquhj9S_r#|b9@__X29b+Yf_V8t+np)@A z!$~arQ@kotJElSfn&A-})atH3J)Qt%QOV$|c(oLX5kfjLh}vZ9##X=K3tlMyA{9Ts zTFAgcw#v@3QLFB+<`_sXnEm2D0GFhrcj)sZm0AHVh4!d2G*0V)cl0=r14!ugNqXVJ z5(u2+HBNKyY#x3Pv^D?poaY)u8RXsKqm`4|QN1Zrp!=2jcEQXA#L)16{2fiK#@Q!p z1ocf>Zi-CD;SCwYdnt0k9uo|CT>cc1Ek%rA&c7H2B+vbiH;S*HD!%ySZFaJmm=U!!%MXsG29-fcLYv zZr;oifrD+>OgPF8V?dRqQtyAWR;hn)8!UAY6XM$aZ{H8z8XNHL6<(PJT8DD zIeYr&6}*t|@Q3<%WJ8tbM%xEA482IvPO-w@EjeGXZ6&Hi=t7wGoCk5)aKUw*7Q=F> zuCIf`tn_)x1;MYS+}83FJDI>1Dx_Ct&^do$w`rwr>&3EUZCB8>R>P*VqLmLKL9(ox zZmGpYJJHx4H>xTC-vu|?K|w+DE%#=gQ@#!|X%1p1O5$naMHi_hNj@)taEec8SMxm| z@ZS`H1sFuW&V5fIYJ3A88Z)o8hu7vo)HzSKCe_#I5dcyS3%)l4hN1EVBwZ=Tkcws) z7P2SJ6Sg9c?uWC!&ZIwpILm?iCFQhZXN(DlpAJHS-B%5uOqUGDj|aVZV+$bRwzhQL zdVqQUO+g>Ag%yC~79<0-VI-1KJ7VxUOoYn0_~+Gf#X02WaRt%)OGs0K)u`kW8MdBCNC&Dz{VQNmPQDdZh0*BNnX??1j zQ#o$VrDhbf5u){wNJ7>KjpmZ%(7E2I{v+CA*$6936;yD=VRfcq+(x!_1mDMw0_!7v zn)HuY;xazD=LGHF*(skc6~-UQ$1@dnU}8NGJ%0$RKD6LZqX9uEhIO?K|m zl93TZ?ur&5P_Cn|mP@3lSNhmFJ0w~Yp%JI6xar_TwE+azSxYLgvmzjuQ1S%%)S`5J zU@w6a%aroxgM@bpqgC6f8#^+17Y)s&HGFnxm%6-t;Qe~_ZVjxkjSwo^%u3Q0+IQUk?;#j2cLGlfM`J6z0>a zt|j|movkQh7OT!&RpzD?Qaoi9JV}jtedr;hA1K32z0+kk0c`4Euz>2TZck;6>hn#a z270*o%bfc&WK!Xor;#R0R7(P?=z+_(I<_1QKPypQ8KF6H`uHNfL)5cp&#H!GU&kIc zbRx^J2pATXNGv%HjrBkBQMhpZ1BEzkS|LU7&>7Y$QIDleo6u)uR)=`j656x|&&!3; zIf&Hg6y@&&De72rxV^-Y+woh86brm}s!kjeJln@MCIyet#qs-F8g#<@%eMOqwoGhd zhJAjPo$`oBl~8TR1#648LuY4LjfEAZO7_&jWy7RE?OGPY5p5&NiNHrb&Q>v*{x>BCK zV;4AIVZA#`be+;7au~yL#ko2CB2<~&qq;uWyfvKfp{$3KL7VI!NlRBclBpH1oL(7H z&_DU3^beYY*^Od2ac7bu3+x}8!qftai?5C6Oj6(QJ7^tavfm8%H@sS|dhTtKZ#Vuz z_KY5OM%_jI&Cr>AVg~+{rLY`*n4g{ z*?}&>R-*Rj(tkVh`Vu2Pp)zU9U%_l^iAz*b_WIOjZo|S6?Kq`ky&O_B@6v#4zr_fc zM7tW5xq3~RoE79AJC%2os^U{KFvNJFbJfFA*ln$DY>Q;xpeEEjLT{u4*eCtj>F~B@C8Z{3<7Ocal2v<0Iqy7fi_K{Th4@@x97RL(6Y< zP1&_#U6vSU=R2&eLf2(FQKuB#U26_iY}_Fx2A%bbS0xAfefA34K!@$W8xazDioX>0&FsGS`%4q}tuH{iays+D-mu`b$iXsAuJ+CMCCC zC0{#b9C{yg>3mO)=~PH~hIb35;}D-@x97*=k4c|(d{Qi0jEUuzx;n)|cPW*>(>X|t 
zUS@S>Q#NAS(QzA32OOhnP)OW*3^tyM%OQo|&*-S2F zrpF1SYBuUo-`@({Fzdy;D>M!L^W9ySitVHJtql9~J?aVoA=5@t-{wb62M!52H$N}G zj8#P-%(gP9T2I;0MXmp36T{SB{-}Vj%a`Y}t-Q2`J!j0tR#{?A~T&;C5hWVrca42~@AH~c2 zsoTrkEA>gg^Q%^lxs{bt+{n~z`&CM{BmrIguL4G_CK-6ZwVaZxpSW z9)rx_%R>)C!4o07E8J;WbW63=&C#kgLpj?aRRbrG&aK1ZL`0yKp(SjYM=(%`oH*f# zMHa@3S(X|p<7{L!2X+RM#{}}BtNY{zpS3AMCau>f@TZsJ; zy~D79TAUZ*2=oKiyh-xN^vLUe=UWjE8n>8w&0+Ameq{FI-YayLGIg7$Q*{YnR0h;| ziD1$FtL-$wh4{pg)(Z?ZSzDMnrD6Z4M`$&xwh~}^Hgo5pGG5~r%(s7cjnZdvfGKkiXpQTVZtt%Cl0Hg$v-H|@(tt70vCa|?9qTGC#2 zz1@zGKR|^tCjc-y+*L_ zp$_k=tZf^>zs)G<*lw9Gp68{(6=j}8ceL^McLao_-hw7MSP8g)7+`9!K89Z4aaDhi zuBn!GfsI8vCPD9!0TaLx<>6|(51v<$xukXBq!})jtJfx= ztuHPe#i#HDT3kRIsNSP|O$DcVa}hjo4s3*kX#=2Pu4^;lC$YVr6s%DNDt@DVog0aT6W#)*v8(L>_-*}sj2d_KR z-dNtyupQzF9C(`<*ZgiA^CyXuI{qR`X8|S=9-2pPdoM~@OG}=b-upgUjOYEz2aC`t zT<0vHzNn#JNIu7(VouJ_zv!vq?|vy+^q8Q7JPJkL*_as|986)zHBh?=#}Ts04kJpb zt@>6~H`a&Bo#hN>=(KM4td+czL|GZ&n#}p1IV82|>K3m|_g=(V=6WpD)8=O%7q-M| zg`O1UD||lg1u}n8P`p2NOpwB(JrY$NrPX;UTxC8-)8}%{AdDh3)HV=*xc~cQ4Wemf zK_)V_*hpcqT0VZzl!9WF{gDr4?F;4VQT}j@mOk5Q4Iip0xT&U~K5DD!gYW<;+HmPz zVCct84I@AGCsD;k)(P)SZ9u??Ak&f46cSgx7Gge1<}V;gW?Qu_R z;4FJXGtgdy^ZgN7+0xj7+)K`rhEc`Uq-5x8?*qZt;$1fvkE)WrF9W@alGo9Z-z$F? z<5C|b^t;*=i5JItYTat!wEhjp(K!Hf!*1N*&Hd;XkU&Y{a}R`i2*96=hGxBTU&10+YE*2cl4dlYUQA$43BpB57RBS9N&998Xo&7 zF3S_AcC;AJmSwdO*=X*#0FrrpgPNTvfqN#PzigDp?Z)72ys_W8BqDUGvIy?HkUyIZ z%YyQI*e6j?`J9mGeui<`I$WRc&(_y-j|hGd2GvLHws_vYzNP%p8n36{bkC8_&U@%- z-oPPwRzhc#Ki7HZ6G6ZRnNf+>YXb^?l9OyjWZ3fH+gbsV%lNjeBa{ zE#H&{S12h>NG2Vk@L7ZYo=*!#m*IX+Pj0D7-)O+Vq;wUnS)Hzl3HDz18Ki^r)me59nFZ^o&&2$ z0l_^-C4-FnsX6M8E#OGJ8kj^t>v34R-aQ`@zr&z zFTl*HL1RKoVmCK(M9>_f-B`7$=Vv*E^ z3|k6{F>CO&T6WMsx2gxy4(*~9AGQfns zAw#eFTBx4BhB1>m^VE_k-=y?>CF6|nS1{6%U@qcadwKR(yZbeyThs07Z9T6QR`qK! 
z!nyMw07K9f=GnyrVrqW}PZhjnRS4S1>(iti(WFz;-v*K5+U2`cSl4l1C)^31nmO}% z3b{4Jw=-THEYQ*b%4?c~@Y1>L7Ao2^Hu}v}8rvV_y^>C-EFWN{ptwW}9=W=d{OW<< zFnNFtZ&#sq%Ib@1`BbIq&NnMCW_|-R*VrjJx@K$qRg#6YrB|`q?!0?u0~mM(S^nM~ z;6X&GN_zyDxV1eWC=OClytxBr75JQf1}qKu2p$420UzVT;9=lX`x|I;@bNhT#sl=Z s2<8a%uiXFtfdB7pK)pRUy3d(y_A;Q$ZW}By6ch@w%75hCGk*U60Hox>nE(I) literal 0 HcmV?d00001 diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md new file mode 100644 index 0000000000..2af7fed5dc --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md 
@@ -0,0 +1,329 @@ +--- +title: Deployment guide +description: This guide explains how to successfully deploy Windows Autopatch in your environment +ms.date: 08/24/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: hathind +ms.collection: + - tier2 +--- + +# Windows Autopatch deployment guide + +As organizations move to support hybrid and remote workforces, and continue to adopt cloud-based endpoint management with services such as Intune, managing updates is critical. + +Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. + +A successful Windows Autopatch deployment starts with planning and determining your objectives. Use this deployment guide to plan your move or migration to Windows Autopatch. + +This guide: + +- Helps you plan your deployment and adopt Windows Autopatch +- Lists and describes some common objectives +- Provides a recommended deployment plan +- Provides migration considerations for Windows Update for Business (WUfB) and Microsoft Configuration Manager +- Lists some common general considerations when deploying Windows Autopatch +- Provides suggested business case benefits and communication guidance +- Gives additional guidance and how to join the Autopatch community + +## Determine your objectives + +In this section, details some common objectives when using Windows Autopatch. + +Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. 
While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives. + +Use Windows Autopatch service to solve the following challenges: + +- Difficulty developing and defending update cadence and general best practices +- Increase visibility and improve issue reporting +- Achieving a consistent update success rate +- Standardize and optimize the configuration for devices, policies, tools and versions across their environment +- Transition to modern update management by configuring Intune and Windows Update for Business +- Make update processes more efficient and less reliant on IT admin resources +- Address vulnerabilities and Windows quality updates as soon as possible to improve security +- Assist with compliance to align with industry standards +- Invest more time on value-add IT projects rather than monthly updates +- Planning and managing Windows feature updates +- Transition to Windows 11 + +## Recommended deployment steps + +The following deployment steps can be used as a guide to help you to create your organization's specific deployment plan to adopt and deploy Windows Autopatch. + +:::image type="content" source="../media/windows-autopatch-deployment-journey.png" alt-text="Windows Autopatch deployment journey" lightbox="../media/windows-autopatch-deployment-journey.png"::: + +### Step 1: Prepare + +[Review the prerequisites](../prepare/windows-autopatch-prerequisites.md) and [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) into the Windows Autopatch service. At this stage, your devices aren't affected. You can enroll your tenant and review the service options before registering your devices. + +| Steps | Description | +| ----- | ----- | +| **1A: Set up the service** |

  • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
  • Review and understand [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
  • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
  • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
  • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) completed successfully
| +| **1B: Confirm update service needs and configure your workloads** |
  • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md): Expedite preferences and cadence customizations
  • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md): Servicing version preferences
  • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md): Set to either Manual or Automatic
  • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md): Set to either Monthly Enterprise Channel or opt-out
  • [Microsoft Edge](../operate/windows-autopatch-edge.md): Required. Beta and Stable Channel
  • [Microsoft Teams](../operate/windows-autopatch-teams.md): Required. Automatic
| +| **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).

  • Review your device inventory and consider a representative mix of devices across your distribution
  • Review your Azure AD groups that you wish to use to register devices into the service
  • Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)
| +| **1D: Review network optimization** | It's important to [prepare your network](../prepare/windows-autopatch-configure-network.md) to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure.

A recommended approach to manage bandwidth consumption is to utilize [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. | + +### Step 2: Evaluate + +Evaluate Windows Autopatch with around 50 devices to ensure the service meets your needs. You can adjust this number based on your organizational make-up. It's recommended to monitor one update cycle during this evaluation step. + +| Steps | Description | +| ----- | ----- | +| **2A: Review reporting capabilities** |
  • [Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)
  • [Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)
  • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)
Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.

There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.

For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.| +| **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.
  • Identify service desk and end user computing process changes
  • Identify any alignment with third party support agreements
  • Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options
  • Identify IT admin process change & service interaction points
| +| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.
  • [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
  • [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
  • [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
  • [Microsoft Edge](../operate/windows-autopatch-edge.md)
  • [Microsoft Teams](../operate/windows-autopatch-teams.md)

Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
  • Gain knowledge and experience in identifying and resolving update issues more effectively
  • Prepare them for support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes

Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). | +| **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. | + +### Step 3: Pilot + +Plan to pilot the service with around 500 devices to provide sufficient pilot coverage to be ready for deployment. You can adjust this number based on your organizational make-up. It's recommended to monitor one to two update cycles during the pilot step. + +| Steps | Description | +| ----- | ----- | +| **3A: Register devices** | Register pilot device group(s) | +| **3B: Monitor update process success** |
  • Quality update: One to two update cycles
  • Feature update: Set of pilot devices scheduled across several weeks
  • Drivers and firmware: One to two update cycles
  • Microsoft 365 Apps for enterprise (if not opted-out): One to two update cycles
  • Microsoft Edge: One to two update cycles
  • Microsoft Teams: One to two update cycles
  • | +| **3C: Review reports** |
    • [Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles
    • [Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule
    • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles
    | +| **3D: Implement operational changes** |
    • Pilot Service Desk, end user computing and third party (if applicable) process changes with pilot representatives
    • IT admins must:
      • Review deployment progress using Windows Autopatch reports
      • Respond to identified actions to help improve success rates
    | +| **3E: Communicate with stakeholders** | Review and action the stakeholder communications plan. | +| **3F: Deployment planning** | Prepare target deployment groups for phased deployment of Windows Autopatch. | + +### Step 4: Deploy + +Following a successful pilot, you can commence deployment to your broader organization. The pace at which you deploy is dependent on your own requirements; for example, deploying in groups of 500 to 5000 per week are commonly used approaches to complete the deployment of Windows Autopatch. + +| Steps | Description | +| ----- | ----- | +| **4A: Review reports** |
    • Review deployment progress using Windows Autopatch reports
    • Respond to identified actions to help improve success rates
    | +| **4B: Communicate with stakeholders** | Review and action the stakeholder communications plan | +| **4C: Complete operational changes** |
    • Service Desk readiness is complete and in place
    • IT admins take the required action(s) based on the Autopatch reports
    | + +## Migration considerations + +If you're an existing Windows Update for Business (WufB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path. + +### Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch? + +Customers who are using Windows Update for Business (WufB) or Configuration Manager are ideally placed to quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides. + +When moving from Windows Update for Business (WufB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with. + +Once migrated, there are several configuration tasks that you no longer need to carry out: + +| Autopatch benefit | Configuration Manager | Windows Update for Business (WufB) | +| ----- | ----- | ----- | +| Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:
    • Download updates
    • Distribute to distribution points
    • Target update collections
    | Manage "static" deployment ring policies | +| Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership | +| Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies | +| Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals | +| Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Azure AD groups | + +In addition to the reports, other benefits include: + +| Autopatch benefit | Configuration Manager and Windows Update for Business (WufB) | +| ----- | ----- | +| Windows quality and feature update reports with integrated alerts, deep filtering, and status-at-a-glance | Requires you to manually navigate and hunt for status and alerts | +| Filter by action needed with integrated resolution documentation | Requires you to research and discover possible actions relating to update issues | +| Better visibility for IT admins, Security compliance and proof for regulator | Requires you to pull together different reports and views across multiple admin portals | + +Service management benefits include: + +| Autopatch benefit | Configuration Manager and Windows Update for Business (WufB) | +| ----- | ----- | +| Windows automation and Microsoft Insights | First or third-party resources required to support and manage updates internally | +| Microsoft research and insights determine the 'go/no-go' for your update deployment | Limited signals and insights from your organization to determine the 'go/no-go' for your update deployment | +| Windows Autopatch might 
pause or roll back an update. The pause or rollback is dependent on the scope of impact and to prevent end user disruption | Manual intervention required, widening the potential impact of any update issues | +| By default, Windows Autopatch [expedites quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) as needed. | Manual intervention required, widening the potential impact of any update issues | + +### Migrating from Windows Update for Business (WufB) to Windows Autopatch + +#### Assessing your readiness to migrate from Windows Update for Business (WufB) to Windows Autopatch + +When moving from Windows Update for Business (WufB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing how ready you're to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment: + +| Step | Assessment step | Recommendation | +| ----- | ----- | ----- | +| **One** | Use "user based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-1-prepare) | +| **Two** | Use Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, you should prepare your teams to understand that your Windows Autopatch devices will start using these channels. For more information, see [Confirm update service needs and configure your workloads](#step-1-prepare). 
| +| **Three** | Use Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is utilizing a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out of updates for Microsoft 365 Apps for enterprise. For more information, see [Confirm update service needs and configure your workloads](#step-1-prepare) | +| **Four** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | +| **Five** | Use network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WufB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-1-prepare) | + +### Optimized deployment path: Windows Update for Business (WufB) to Windows Autopatch + +Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path: + +| Step | Example timeline | Task | +| ----- | ----- | ----- | +| **Step 1: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
    • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
    • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
    • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
    • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
    • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
    | +| **Step 1: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
    • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
    • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
    • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
    • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
    • [Microsoft Edge](../operate/windows-autopatch-edge.md)
    • [Microsoft Teams](../operate/windows-autopatch-teams.md)
    • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
    | +| **Step 2: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | +| **Step 3: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | +| **Step 4: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | + +### Migrating from Configuration Manager to Windows Autopatch + +Regardless of if you're migrating from Configuration Manager to Microsoft Intune or if you're remaining with Configuration Manager, if you're currently using Configuration Manager to manage updates, you can migrate the update workloads to Windows Autopatch and take advantage of the key benefits for your Configuration Manager environment. + +#### Assessing your readiness to migrate from Configuration Manager to Windows Autopatch + +When moving from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune. + +| Step | Assessment step | Recommendation | +| ----- | ----- | ----- | +| **One** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.

    If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) | +| **Two** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:
    • Windows Update policies workload
    • Device configuration workload
    • Office Click-to-Run apps workload

    If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) | +| **Three** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | +| **Four** | Ensure Configuration Manager collections or Azure AD device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Azure AD device groups, or Configuration Manager collections. Ensure you have either Azure AD device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). | + +### Optimized deployment path: Configuration Manager to Windows Autopatch + +Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path: + +| Step | Example timeline | Task | +| ----- | ----- | ----- | +| **Step 1: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
    • Prepare your environment, review existing update policies and [General Considerations](#general-considerations).
    • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
    • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
    • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
    • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully.
    | +| **Step 1: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
    • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
    • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
    • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
    • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
    • [Microsoft Edge](../operate/windows-autopatch-edge.md)
    • [Microsoft Teams](../operate/windows-autopatch-teams.md)
    • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
    | +| **Step 2: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | +| **Step 3: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | +| **Step 4: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | + +## General considerations + +As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch. + +Many organizations have existing policies and device management infrastructure, for example: + +- Group Policy Objects (GPO) +- Registry settings +- Configuration Manager +- Existing Mobile Device Management (MDM) policies +- Servicing profiles for Microsoft 365 Apps + +It's a useful exercise to create a baseline of your policies and existing settings to map out the configuration that could impact your move to Windows Autopatch. + +### Group policy + +Review existing policies and their structure. Some policies might apply globally, some apply at the site level, and some are specific to a device. The goal is to know and understand the intent of global policies, the intent of local policies, and so on. + +On-premises AD group policies are applied in the LSDOU order (Local, Site, Domain, and Organizational Unit (OU)). In this hierarchy, OU policies overwrite domain policies, domain policies overwrite site policies, and so on. + +| Area | Path | Recommendation | +| ----- | ----- | ----- | +| Windows Update Group Policy settings | `Computer Configuration\Administrative Templates\Windows Components\Windows Updates` | The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. 
| +| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WufB)

    When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update. This might cause the connection to Windows Update for Business (WufB), and Delivery Optimization to stop working. | +| Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WufB) service with the Windows Update Scan Source policy.

    You should review any scan source policy settings targeting devices to ensure:
    • That no conflicts exist that could affect update deployment through Windows Autopatch
    • Such policies aren't targeting devices enrolled into Windows Autopatch
    | + +### Registry settings + +Any policies, scripts or settings that create or edit values in the following registry keys might interfere with Windows and Office Update settings delivered through Autopatch. It's important to understand how these settings interact with each other and with the Windows and Office Update service as part of your Autopatch planning. + +| Key | Description | +| ----- | ----- | +| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` (Intune MDM only cloud managed)

    `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. | +| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` (If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. | +| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update` (GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. | +| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` (GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).

    Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.

    For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. | + +> [!NOTE] +> For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see [Manage additional Windows Update settings](/windows/deployment/update/waas-wu-settings). + +### Configuration Manager + +#### Windows and Microsoft 365 Apps for enterprise updates + +When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies. + +Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises, configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. + +To ensure that Software Update Policies don't conflict with Windows Update for Business (WufB) and Office Update policies, create a Software Update Policy in Configuration Manager that has: + +- Windows and Office Update configuration disabled +- Includes devices enrolled into Autopatch to remove any existing configuration(s). + +If this policy remains live, confirm that Autopatch devices aren't included in the live Software Update Policy in Configuration Manager. + +All devices that are enrolled in Autopatch use Windows and Office Update policies from the service, and any configurations that are applied through Configuration Manager Software Update Policies can be removed. 
+ +For example, Configuration Manager Software Update Policy settings exclude Autopatch enrolled devices from receiving conflicting configuration for Windows and Office Updates: + +| Device setting | Recommended configuration | +| ----- | ----- | +| Enable software updates | No | +| Enable management of the Office 365 Client Agent | + +#### Existing Mobile Device Management (MDM) policies + +| Policy | Description | +| ----- | ----- | +| **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.

    When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.

    This setting doesn't apply to all scenarios. This setting doesn't work for:
    • User scoped settings. This setting applies to device scoped settings only
    • Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
    • Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect.


    For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict). | +| **Windows Update for Business (WufB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behaviour, which could impact update compliance and end user experience. | +| **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. | + +#### Servicing profiles for Microsoft 365 Apps for enterprise + +You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using [Servicing profiles](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#compatibility-with-servicing-profiles). A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#device-eligibility) regardless of existing management tools in your environment. 
+ +You can consider retargeting servicing profiles to non-Windows Autopatch devices or if you plan to continue using them, you can [block Windows Autopatch delivered Microsoft 365 App updates](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#allow-or-block-microsoft-365-app-updates) for Windows Autopatch-enrolled devices. + +## Business case + +Part of your planning might require articulating the business benefits of moving to Windows Autopatch from your existing update solution(s). Windows Autopatch provides several resources to help when building your business case. + +- [How Windows Autopatch works for you](https://www.microsoft.com/microsoft-365/windows/autopatch) +- [What is Windows Autopatch?](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note3) +- [Forrester - The Projected Total Economic Impact™ Of Windows Autopatch: Cost Savings And Business Benefits Enabled By Windows Autopatch](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note6) +- [Windows Autopatch Skilling snack](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/skilling-snack-windows-autopatch/ba-p/3787448) + +## Stakeholder communications + +Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate. 
+ +- Identify groups being impacted by the Autopatch deployment +- Identify key stakeholders in the impacted groups +- Determine the types of communications needed +- Develop your messaging based on the Recommended deployment steps +- Create your stakeholder and communication plan schedule based on the Recommended deployment steps +- Have communications drafted and reviewed, and consider your delivery channels such as: + - Social media posts + - Internal messaging app (for example, Microsoft Teams) + - Internal team site + - Email + - Company blog + - Prerecorded on-demand videos + - Virtual meeting(s) + - In-person meetings + - Team workshops +- Deploy your stakeholder communication plan + +## Review your objectives and business case with stakeholders + +Review your original objectives and business case with your key stakeholders to ensure your outcomes have been met and to ensure your expected value has been achieved. + +## Need additional guidance? + +If you need assistance with your Windows Autopatch deployment journey, you have the following support options: + +- Microsoft Account Team +- [Microsoft FastTrack](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request#microsoft-fasttrack) +- Windows Autopatch Service Engineering Team + - [Tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) + - [General support request](../operate/windows-autopatch-support-request.md) + +First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team. 
+ +### Windows Autopatch Private Community (APC) + +Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can: + +- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers. +- Gain access to exclusive virtual meetings, focus groups, surveys, Teams discussions and previews. + +### Windows Autopatch Technology Adoption Program (TAP) + +If you have at least 500 devices enrolled in the service and are willing to test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features. From 17904c75b1fcb63416589c40c61ae9bf67d8a17e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 23 Aug 2023 22:10:06 -0700 Subject: [PATCH 27/44] Tweak --- .../overview/windows-autopatch-deployment-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 2af7fed5dc..2bf8116671 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -255,7 +255,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop | Device setting | Recommended configuration | | ----- | ----- | | Enable software updates | No | -| Enable management of the Office 365 Client Agent | +| Enable management of the Office 365 Client Agent | No | #### Existing Mobile Device Management (MDM) policies From 843d42d85e92ee2bb69746df41c959c3c3ee5511 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 24 Aug 2023 09:48:38 -0400 Subject: [PATCH 28/44] author updates via docfx --- windows/security/docfx.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 20fa610bfa..817a43769a 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -77,7 +77,6 @@ "application-security//**/*.yml": "vinaypamnani-msft", "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974", "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974", - "application-security/application-control/user-account-control/*.md": "paolomatarazzo", "hardware-security/**/*.md": "vinaypamnani-msft", "hardware-security/**/*.yml": "vinaypamnani-msft", "information-protection/**/*.md": "vinaypamnani-msft", @@ -98,8 +97,6 @@ "application-security//**/*.yml": "vinpa", "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther", "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther", - "application-security/application-control/user-account-control/*.md": "paoloma", - "application-security/application-control/user-account-control/*.yml": "paoloma", "hardware-security//**/*.md": "vinpa", "hardware-security//**/*.yml": "vinpa", "information-protection/**/*.md": "vinpa", From fe91e56b211fd78f974fc4e18a9cce3be2961820 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 08:34:50 -0700 Subject: [PATCH 29/44] Corrections and tweaks --- windows/deployment/windows-autopatch/TOC.yml | 2 +- .../windows-autopatch-deployment-guide.md | 87 ++++++++++--------- 2 files changed, 46 insertions(+), 43 deletions(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index d63bb90e3f..575f19116b 100644 
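Review bot: The two docfx.json hunks are asymmetric: the `author` block drops only `"application-security/application-control/user-account-control/*.md": "paolomatarazzo",`, while the `ms.author` block drops both the `*.md` and the `*.yml` mapping for `paoloma`. If a `*.yml` entry for user-account-control exists in the `author` block it should be removed as well, so that the UAC files fall back to the `application-security//**` defaults consistently for both `author` and `ms.author`; if no such line exists, nothing further is needed, but that is worth confirming since the diff context does not show it.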
--- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -10,7 +10,7 @@ href: overview/windows-autopatch-roles-responsibilities.md - name: Privacy href: overview/windows-autopatch-privacy.md - - name: Windows Autopatch deployment journey + - name: Windows Autopatch deployment guide href: overview/windows-autopatch-deployment-guide.md - name: FAQ href: overview/windows-autopatch-faq.yml diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 2bf8116671..e0bca63ffe 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Deployment guide +title: Windows Autopatch deployment guide description: This guide explains how to successfully deploy Windows Autopatch in your environment ms.date: 08/24/2023 ms.prod: windows-client @@ -34,11 +34,11 @@ This guide: ## Determine your objectives -In this section, details some common objectives when using Windows Autopatch. +This section details some common objectives when using Windows Autopatch. Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives. -Use Windows Autopatch service to solve the following challenges: +Use Windows Autopatch to solve the following challenges: - Difficulty developing and defending update cadence and general best practices - Increase visibility and improve issue reporting 
@@ -58,49 +58,49 @@ The following deployment steps can be used as a guide to help you to create your :::image type="content" source="../media/windows-autopatch-deployment-journey.png" alt-text="Windows Autopatch deployment journey" lightbox="../media/windows-autopatch-deployment-journey.png"::: -### Step 1: Prepare +### Step one: Prepare [Review the prerequisites](../prepare/windows-autopatch-prerequisites.md) and [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) into the Windows Autopatch service. At this stage, your devices aren't affected. You can enroll your tenant and review the service options before registering your devices. -| Steps | Description | +| Step | Description | | ----- | ----- | | **1A: Set up the service** |
    • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
    • Review and understand [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
    • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
    • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
    • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) completed successfully
    | | **1B: Confirm update service needs and configure your workloads** |
    • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md): Expedite preferences and cadence customizations
    • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md): Servicing version preferences
    • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md): Set to either Manual or Automatic
    • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md): Set to either Monthly Enterprise Channel or opt-out
    • [Microsoft Edge](../operate/windows-autopatch-edge.md): Required. Beta and Stable Channel
    • [Microsoft Teams](../operate/windows-autopatch-teams.md): Required. Automatic
    | | **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).

    • Review your device inventory and consider a representative mix of devices across your distribution
    • Review your Azure AD groups that you wish to use to register devices into the service
    • Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)
    | | **1D: Review network optimization** | It's important to [prepare your network](../prepare/windows-autopatch-configure-network.md) to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure.

    A recommended approach to manage bandwidth consumption is to utilize [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. | -### Step 2: Evaluate +### Step two: Evaluate Evaluate Windows Autopatch with around 50 devices to ensure the service meets your needs. You can adjust this number based on your organizational make-up. It's recommended to monitor one update cycle during this evaluation step. -| Steps | Description | +| Step | Description | | ----- | ----- | | **2A: Review reporting capabilities** |
    • [Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)
    • [Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)
    • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)
    Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.

    There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.

    For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.| | **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.
    • Identify service desk and end user computing process changes
    • Identify any alignment with third party support agreements
    • Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options
    • Identify IT admin process change & service interaction points
    | -| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.
    • [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
    • [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
    • [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
    • [Microsoft Edge](../operate/windows-autopatch-edge.md)
    • [Microsoft Teams](../operate/windows-autopatch-teams.md)

    Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
    • Gain knowledge and experience in identifying and resolving update issues more effectively
    • Prepare them for support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes

    Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). | +| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.
    • [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
    • [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
    • [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
    • [Microsoft Edge](../operate/windows-autopatch-edge.md)
    • [Microsoft Teams](../operate/windows-autopatch-teams.md)

    Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
    • Gain knowledge and experience in identifying and resolving update issues more effectively
    • Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes

    Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). | | **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. | -### Step 3: Pilot +### Step three: Pilot Plan to pilot the service with around 500 devices to provide sufficient pilot coverage to be ready for deployment. You can adjust this number based on your organizational make-up. It's recommended to monitor one to two update cycles during the pilot step. -| Steps | Description | +| Step | Description | | ----- | ----- | | **3A: Register devices** | Register pilot device group(s) | | **3B: Monitor update process success** |
    • Quality update: One to two update cycles
    • Feature update: Set of pilot devices scheduled across several weeks
    • Drivers and firmware: One to two update cycles
    • Microsoft 365 Apps for enterprise (if not opted-out): One to two update cycles
    • Microsoft Edge: One to two update cycles
    • Microsoft Teams: One to two update cycles
    • | | **3C: Review reports** |
      • [Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles
      • [Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule
      • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles
      | | **3D: Implement operational changes** |
      • Pilot Service Desk, end user computing and third party (if applicable) process changes with pilot representatives
      • IT admins must:
        • Review deployment progress using Windows Autopatch reports
        • Respond to identified actions to help improve success rates
      | -| **3E: Communicate with stakeholders** | Review and action the stakeholder communications plan. | +| **3E: Communicate with stakeholders** | Review and action your stakeholder communication plan. | | **3F: Deployment planning** | Prepare target deployment groups for phased deployment of Windows Autopatch. | -### Step 4: Deploy +### Step four: Deploy Following a successful pilot, you can commence deployment to your broader organization. The pace at which you deploy is dependent on your own requirements; for example, deploying in groups of 500 to 5000 per week are commonly used approaches to complete the deployment of Windows Autopatch. -| Steps | Description | +| Step | Description | | ----- | ----- | | **4A: Review reports** |
      • Review deployment progress using Windows Autopatch reports
      • Respond to identified actions to help improve success rates
      | -| **4B: Communicate with stakeholders** | Review and action the stakeholder communications plan | +| **4B: Communicate with stakeholders** | Review and action your stakeholder communication plan | | **4C: Complete operational changes** |
      • Service Desk readiness is complete and in place
      • IT admins take the required action(s) based on the Autopatch reports
      | ## Migration considerations @@ -117,7 +117,7 @@ Once migrated, there are several configuration tasks that you no longer need to | Autopatch benefit | Configuration Manager | Windows Update for Business (WufB) | | ----- | ----- | ----- | -| Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:
      • Download updates
      • Distribute to distribution points
      • Target update collections
      | Manage "static" deployment ring policies | +| Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:
      • Download updates
      • Distribute to distribution points
      • Target update collections
      | Manage "static" deployment ring policies | | Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership | | Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies | | Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals | 
@@ -144,15 +144,15 @@ Service management benefits include: #### Assessing your readiness to migrate from Windows Update for Business (WufB) to Windows Autopatch -When moving from Windows Update for Business (WufB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing how ready you're to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment: +When moving from Windows Update for Business (WufB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment: | Step | Assessment step | Recommendation | | ----- | ----- | ----- | -| **One** | Use "user based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-1-prepare) | -| **Two** | Use Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, you should prepare your teams to understand that your Windows Autopatch devices will start using these channels. For more information, see [Confirm update service needs and configure your workloads](#step-1-prepare). | -| **Three** | Use Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is utilizing a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out of updates for Microsoft 365 Apps for enterprise. 
For more information, see [Confirm update service needs and configure your workloads](#step-1-prepare) | -| **Four** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | -| **Five** | Use network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WufB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-1-prepare) | +| **1** | "user based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) | +| **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, you should prepare your teams to understand that your Windows Autopatch devices will start using these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). | +| **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is utilizing a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out of updates for Microsoft 365 Apps for enterprise. 
For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) | +| **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | +| **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WufB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-one-prepare) | ### Optimized deployment path: Windows Update for Business (WufB) to Windows Autopatch @@ -160,11 +160,11 @@ Once you have assessed your readiness state to ensure you're aligned to Windows | Step | Example timeline | Task | | ----- | ----- | ----- | -| **Step 1: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
      | -| **Step 1: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | -| **Step 2: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | -| **Step 3: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | -| **Step 4: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | +| **Step one: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
      | +| **Step one: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | +| **Step two: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | +| **Step three: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | +| **Step four: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | ### Migrating from Configuration Manager to Windows Autopatch @@ -176,10 +176,10 @@ When moving from Configuration Manager to Windows Autopatch, the fastest path to | Step | Assessment step | Recommendation | | ----- | ----- | ----- | -| **One** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.

      If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) | -| **Two** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:
      • Windows Update policies workload
      • Device configuration workload
      • Office Click-to-Run apps workload

      If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) | -| **Three** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | -| **Four** | Ensure Configuration Manager collections or Azure AD device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Azure AD device groups, or Configuration Manager collections. Ensure you have either Azure AD device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). | +| **1** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.

      If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) | +| **2** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:
      • Windows Update policies workload
      • Device configuration workload
      • Office Click-to-Run apps workload

      If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) | +| **3** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | +| **4** | Ensure Configuration Manager collections or Azure AD device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Azure AD device groups, or Configuration Manager collections. Ensure you have either Azure AD device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). | ### Optimized deployment path: Configuration Manager to Windows Autopatch @@ -187,11 +187,11 @@ Once you have assessed your readiness state to ensure you're aligned to Windows | Step | Example timeline | Task | | ----- | ----- | ----- | -| **Step 1: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations).
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully.
      | -| **Step 1: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | -| **Step 2: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | -| **Step 3: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | -| **Step 4: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | +| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations).
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully.
      | +| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | +| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | +| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | +| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | ## General considerations 
@@ -237,9 +237,9 @@ Any policies, scripts or settings that create or edit values in the following re #### Windows and Microsoft 365 Apps for enterprise updates -When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies. +When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies. -Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises, configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. +Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch delivers Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. To ensure that Software Update Policies don't conflict with Windows Update for Business (WufB) and Office Update policies, create a Software Update Policy in Configuration Manager that has: 
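Review bot: the first `-`/`+` pair ("When Configuration Manager is deployed, and if Software Update policies are configured, ...") has no visible textual difference, so it is presumably a trailing-whitespace change; confirm or drop it. The second pair correctly fixes "Autopatch deliver" to "Autopatch delivers", but "third party updates" in the same sentence should be hyphenated as "third-party updates" when used as an adjective.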
@@ -257,11 +257,14 @@ For example, Configuration Manager Software Update Policy settings exclude Autop | Enable software updates | No | | Enable management of the Office 365 Client Agent | No | +> [!NOTE] +> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren’t in use. + #### Existing Mobile Device Management (MDM) policies | Policy | Description | | ----- | ----- | -| **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.

      When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.

      This setting doesn't apply to all scenarios. This setting doesn't work for:
      • User scoped settings. This setting applies to device scoped settings only
      • Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
      • Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect.


      For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict). | +| **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.

      When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.

      This setting doesn't apply to all scenarios. This setting doesn't work for:
      • User scoped settings. This setting applies to device scoped settings only
      • Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
      • Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect


      For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) | | **Windows Update for Business (WufB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behaviour, which could impact update compliance and end user experience. | | **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. | @@ -287,8 +290,8 @@ Change management relies on clear and helpful communication about upcoming chang - Identify groups being impacted by the Autopatch deployment - Identify key stakeholders in the impacted groups - Determine the types of communications needed -- Develop your messaging based on the Recommended deployment steps -- Create your stakeholder and communication plan schedule based on the Recommended deployment steps +- Develop your messaging based on the [Recommended deployment steps](#recommended-deployment-steps) +- Create your stakeholder and communication plan schedule based on the [Recommended deployment steps](#recommended-deployment-steps) - Have communications drafted and reviewed, and consider your delivery channels such as: - Social media posts - Internal messaging app (for example, Microsoft Teams) 
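Review bot: in the `@@ -257,11 +257,14 @@` hunk, the rewritten **MDM to win over GP** cell keeps a pre-existing agreement error that is worth fixing while the cell is being touched: "removes the GP policy blocks and restore the saved GP policies" should read "and restores the saved GP policies". The added `[!NOTE]` uses a curly apostrophe ("aren’t") while the rest of the file uses straight quotes ("doesn't", "that's"); use "aren't". Dropping the full stop after "... can take effect" matches the other bullets, but "For more information and guidance ..., see [ControlPolicyConflict Policy CSP](...)" is a complete sentence and should keep its period.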
@@ -321,8 +324,8 @@ First contact your Microsoft Account team who can work with you to establish any Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can: -- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers. -- Gain access to exclusive virtual meetings, focus groups, surveys, Teams discussions and previews. +- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers +- Gain access to exclusive virtual meetings, focus groups, surveys, Teams discussions and previews ### Windows Autopatch Technology Adoption Program (TAP) From 41c11a3e4fe8a6c36cc8d1a3ae73c45484d5f516 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 08:38:36 -0700 Subject: [PATCH 30/44] ...baha --- .../overview/windows-autopatch-deployment-guide.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index e0bca63ffe..33cd19f001 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -160,11 +160,11 @@ Once you have assessed your readiness state to ensure you're aligned to Windows | Step | Example timeline | Task | | ----- | ----- | ----- | -| **Step one: Prepare > Set up the service** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
      | -| **Step one: Prepare > Adjust the service configuration based on your migration readiness** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | -| **Step two: Evaluate** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | -| **Step three: Pilot** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | -| **Step four: Deploy** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | +| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service
      • Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
      • Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
      • Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
      • Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
      | +| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one |
      • [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
      • [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
      • [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)
      • Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | +| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place | +| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams | +| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable | ### Migrating from Configuration Manager to Windows Autopatch From 3d1be28e1b5a2e2eaeb791ac164222467c2f616e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 08:42:14 -0700 Subject: [PATCH 31/44] Tweak --- .../overview/windows-autopatch-deployment-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 33cd19f001..f3098d8081 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md 
@@ -148,7 +148,7 @@ When moving from Windows Update for Business (WufB) to Windows Autopatch, you ca | Step | Assessment step | Recommendation | | ----- | ----- | ----- | -| **1** | "user based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) | +| **1** | "User based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) | | **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, you should prepare your teams to understand that your Windows Autopatch devices will start using these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). | | **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is utilizing a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out of updates for Microsoft 365 Apps for enterprise. 
For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) | | **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | From 637b107813d5ab4a366e903ab887d60acbff1b1e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 09:10:31 -0700 Subject: [PATCH 32/44] TOC and image update --- windows/deployment/windows-autopatch/TOC.yml | 2 +- .../windows-autopatch-deployment-journey.png | Bin 57811 -> 58459 bytes .../windows-autopatch-deployment-guide.md | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 575f19116b..2ee3c1c6fc 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -10,7 +10,7 @@ href: overview/windows-autopatch-roles-responsibilities.md - name: Privacy href: overview/windows-autopatch-privacy.md - - name: Windows Autopatch deployment guide + - name: Deployment guide href: overview/windows-autopatch-deployment-guide.md - name: FAQ href: overview/windows-autopatch-faq.yml 
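Review bot: in the `@@ -148,7 +148,7 @@` hunk of the deployment guide, capitalizing "User based" at the start of the cell is correct, but the row still mixes quoted, unhyphenated "user based" / "device based" with the hyphenated "device-based targeting model" in the recommendation column; since the line is being touched, pick one form (the hyphenated compound adjective "user-based" and "device-based", without quotes) and apply it across the row.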
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png index ca58a89191104f6bbb525451cda8548a11495262..fd79d4d7f9605d144b62901273db6400b694ae8d 100644 GIT binary patch literal 58459
zfv>#S$c2HE5OU_1Td?BqVcKuTM90(#=PZpD_%Yjd5fpIeF#p)zt162xJkwO(JR0$; z{K!y1?qV~cT^-+vczF0pywp<(Kh{h+Hy^C(-&WQz{@~HEWX&OP#CN}-Ljh+0$UfxT zT&$g0B8Rf8MwSHZY{*I3(Y1RnU&K7d&2ptYJ#e$nUDw4_&(-KW`I>cKN#263F(Olq z%%#6#1$ZjG*RKDH0sfjke50+B0x;_n$APmqEnASzpOWUe-FM%;Di=?gTp z^?V259|P++MMvqSkn0w_@L z26rPaqV6c%j_6}KLd&BNh>9k1T4Zii(=*wh1*c2RtCv45VDxWclzOL}?`--K?{{?X zmweEh&eV)Y4-A5825Cg1t;q0v)l5UCB@FONb%T%z(|_(|!=N(tGYyz=#A;pBppoI8=C?^phQ%LQ1 zOa8~(#EgW_C*g2zUS0t8(SX6_$nE%0Z`N+v{PAQXgwo_PCnD{#wp$vq-X1Uo4ZDFy zD^QRz0h@#?T9Y4H=Sz47iT;4!ki_bb9^7;%18EK#$RCA9c{~FYKQTMNvhEr;z8~WH z`?o`rlO}hKLqUFq?UXF}1>0wH1K2qb5Dp~)5Rm#A@;9SVXzqZxA6nLNkB+?nYNjix+6PiQtl9>;yA)qiba) z6JTGBzrK?MeA|t#DqBQ=EMoxjF4ucG25m5gqJV$^!bB(`y;3eq{AGU|L4QBfe#Hp! zIy*Z9EWyyj%i&!E!z12K*6`&;BNGQG@S9*iHv0XAElUB6F6~O zl)Gl>3u@$`kM@V<$z8rb`906bRwHB0tDXt00X~s{Su^*5lOVtT%*jXz>pPyZx{lL@ zgm}yY6RBlzcDCMdfWk66Bi=5iLTN#ZeK(@OrBzdfOYm~I+hDk_ZlW=eDaK|07yo2tiOY{EBk)ypr=Psx4y{i|UYy|@PUJSeN4PY_HP0Ca&=KbhX<4bz^5I!X4{kMj0 zUk({?KlkuWJX#CYv(*MyU$lE){DFJ z@(NrxOuo5e07L?O9vdNNf(Qf&AB{Y5FpKNx(nD` z&5Ac)IpONMe)E+``jsDyK~_j`^R*YeK+EDEy>Qw$UXVW&oyv89HlD@2y!$Fb7O=Hf zb80}c!`}ra5}XtZ@@U}QYhZN~oHr}Kozv_Ytcv;Le>zXOgcdJm@Ny=Q=(8;N=}mz5 zx;u9~jEX)#6peB_MQCxKw*k+i_TT$}+`SOl65$rV#b+0tZIEf&S}HYun*7?zh6 z+^X5_KL7AtzTu+%B|sy-*Ecrqj2?FA6+E08lHoT4ROq+!PZ@ggU~yh2I2trt{6P;c z>c96o66gN7vbDwih|>p2`>t;Skv7}dbX<<7j{E`Ec*LEg$-3~OdE{0NX+dgb*+2;k zhqDQI9aRA{Aeh0Zkq~PY4K^~f<=3vfXjuiEQrlS{7@(zwjh^TP8aAO7vr^2p!{O;Z z1*jJ*9u8>sdmjJ?P7*fpUW%zwRG?53!#ombrQe&C1*y3Lf`W*{Vn7}oExF55<3Iiv z6qo}V$>7ziCYx&){cHu(VAufaf(HJEKrg<&P=VM_f8NavKnn35#@`tA&PN@yCUddvO=&=r7^BoZ31_1Xb#y!FCd$q;(~a ziIGaW-uGfJf-GI|AOK=MaB@+HW5}Dw zx)JT(;i0UIOiUd=>VH3X8#(D?Lvky*)WV?byj62k({39rv;Q_jdH{t%w;oeCX#`(z=Qd>|eUG7l!{mxS`S|io!yGve9WFOPBrw3B5E0ONG^#u3!Sl3t6S@ zT_)jw4-Xigpg*9~fZj5=tN51>{gOfb)gOwDsy`UsAI<>knn*(b-w5ij_q8uB>H!yA zQR;>^5Kg3Z&4K6fr%(PL?ePJ>B#S|*G)M+1<@6QfKE`Ei4AQgKSPPA`!1cJJ<~hIW z#FN2bCtJES-A8ug_e%(zy!AVA<}8_i%mpi1{8(I-no0wx;$LL(FKJYoIOAZ50$l`T 
zRN2_v=#EdV=H6GW(cNol{A9t!nrn%Il3g|G$5akbC-2l?br?dJ0Ht^*#EK@Jtc`yU00Joy?YJB*DSv z3Wm7*X_dXZ7-s8!kI=HXMyd50?vB$YHPiXHV12)_(|$#ku^kp$Du#Qd*#Sl!ettf| zOW-&x;1^bX*@eq@;y)1@+0||<#(1+7-QIR1dRolHt2a~i{T(6wq+ zoz7=)-RMSaLYZsxy$PDnm-PfnaF0->(<0C}lkTu!B?`pXlUzWrRrJ&|Q6q5`ZshE_=z6Sv#+3|==a2M>gwu>O%Y*4fD1tgyW$z! zn`F@FU7H^St(y~xPd>W0mQ~KC;w^u3%^I=xp^Z1Q;@nvB;O?&fIjZPHG^!>zh*FK{ ztUqvW$|o4f&=Din)^N3)y>4L(e&p`f&XlZrzL^hNe^IY*iM~mJ~ z_D`j(?)bWS%Q2oS4~LsYs!lNXSads~OhagVD^Xc2{)UidNQFgW`fy}CbIB*7Lo7Rk zuxmPCB#gt$=MST(yUb&_(ed&DlJSB2a6u*_?t>nig=J*^97(;gF>MIgn8<3m20g^x zZ+gIu=T6g)9}XY^=+l$xcc9e7=F4$a15dz&s!1i46OOqfGHUJI-!;%%WB`J~`N=Dx zQpo}ies{1};j`>rFWG*y%cQB73CGnC99S-0v*Ko48V;X~934iHN|@VlWHjCAL9}Y# z)EO<#W{d8A>qV4*8yx(f2}w!weuyORg2atvXD`%VsgFukAHK!mYTVIueuADogjLvn ziZ4RkbKD(avPB|&TS2ux_{Kvb7oL}yl*LP2>!23ZEQcg7=Tcc3Cuf7uj{&}|mp85M zMa~wLaiXnfy=O5|RU~?z|2DOrsS@0N!oEMr0De)L5I_RQb`)dMfKp*(Iv%@naj2t$ zE}iJylgvg^A8LK4W@z(9z9m|xFir68V>ojzBz}I!U$Uv{xIyMXIX7H`L7mWh}PL zTlERyBBaf#nQuFsDL$c|hzb*R|u8KeN^C-oyam<{o^&moivr zTKd@e^=o7=L8+&TpwTWK6!vby@;cEE6@ua*(?>IUpG{UN?(4AVXGZ^77qrF8{HD$I zX>*VB@4wc>R>a9xjAKf}pfBiG6I z?^_;s)&>z*?otNl*4P#Jv~q$Bg~ulPMlS;V;^bR&Ghg?omlnH4D3c6ierMX4Ky3pg ze;K0P5N`a{Wcun)?!MPssv~fe$#{$S!bmCa3Q`l?kS`vtHlLkeh+67Uo%={v>Wo6` zp<0@ggmwVlt14B&yZaP);bOVWVq#(jr*P?H&L9q5VTu8%sj<=koRi z=apG6AM&-M_?JwdZ@r$Z&E{KtuM2+hgCzLuphz|W|IkgDAl`9%1PZ+A{2-~uz%!Q< z6r{++UUNY+o$+ILfRCGY5^53+Wu!Zfh;luH$;RJ=KOjm*Nu|`P8-nBW3Gl>3wF8o z9_wEZI&U{IW50-!a9c#QDBOavh?QWk3Fa63RovWu0N{^eRSmjZCVLTGb@aA+pI^+53_s=2 zC}W=D3+>2^q{gLv4W^;&$>-z#qmXu2eQb|m-j(mn;xQrL+a;4aS*RxCf?o2{@qHS`q@O*R(CkssPpwMPHGzdC ziEz_QisKE@%lgXv2cW*PKWD_P0in7LkxfuuIRH|j(U#*je5Sbq3hxa=Yy(m4*x7Sf zq=z3Uu2uKm-yzPW$ycRE81EgJn(;0@E&cYAyl!mN9^pV)YRr=wH)4bYCc~)K>7OC= zUquaTv7NOi(qMw!A;W^E^!2Swh`kt`%m(3AYizl6WHAO4uU1RAp}R?e^~N)IU|;WY zndOM*IHa>;Hk8-6Xt{U-q`L#mF|E~hfT}Es;`o!P47E0q44ygE7QA(2i(SamO}U(qD^<(P zSp7}DYSegB489mj-(kC+*Cl0fOfFwa4T@?OmdEGRV{e$pq2lkZyQ!&F9rz4?cX)yc zF7TuKhj0DcNjS<&K6vWsZiZ1ehuMo%GPY!8MaGhf3!l1R7jE*^vfxFTrYVByW3(if 
zU8{=f%CDCuf1<~H_~C)`P%t4xd5ZCqRx0W!ev?6-o|u_vA$KQLKno_>Gp00TF{2jS zcmW_UZy_r7DKLuAHsOzMjCaJ_%AP5#K<$<#$W$G5jqg3=CL>$9`XN|jd%+oY^BB)Q zl>aHehnJPc0}bDSP3&hv>O+E5{!`K~mKk=+N^Nb^Q1Qh!Rkj|Fm58e(+%O20R^=SA zP!U23Q92f^1BD(94ejIEs*(s^`w)s6H5D1{U=S4v-L{eOclAmFvb@mh&2%-*y`vN} zQbkWzDc#Fr$}`jXc|T7EE6>~P%&^}yhhkzQDx77d1a>$Z$~a|<=}kGY-aG*wVE7z~As8Rz9n{_L+xR-fi#7@s`1IR5s4uo^g)YdeX zytDiUG$qgiCX&jCwe<}R-;+Pj{=<=Y?!&A!)Y{=sG;(a$cQp7z{Usb3827Y0Lo){n zM;;XCnS2+fIJTWU*-$CZT9t04m`pMuFoR3Rgk}^Bt>evo$6w(9l1i&8g&S77 zizFrw%;Y5(-QESPj}_^HOGWp4+vM?@C+v(S-4EV{3+mox-Z$kU86v1UysE|~wD$U% z;=ztT({;5FKBwjENKv=pyn^PwyjtpO5;)CyW$r4&-rn9D2^-|XU>+Q3 zN2p|d|F-y41Wz>+&Lv{9Ecl(4BP{d*iMG9lnqgl02F2c6Bk_cE84=;jI>WLsQg>ps zbq$U((anzbMiDzudqp`{MaQ58+AlmaM-@8nurS zMsXiHkC`igGQ5S=6d*>7sSm0-z#JKrFdg5y$^xH$=^igAxm9#9QWLkRVM2WMYKU=^~lvAwc-LK82HRX9Hrx30O2g{|lblh3mD z=g5&H4vW7e1{vF(0n1{AAif3fm3ZVHgwQ1+p5qb8_j105rp^IeDg|vD{ot-P zI?(g8Uu?c77wt}t!4{t#qm~mIgYgf_IEq?t2aYv+b+A}m+tss^IehcNu=GO{U(4pg ze8nzUjI(@s+3KhzTzV*q#)?F2&=c0b7M5mGo1;$8LH&1VbB#z_=gpfC3-oetBptd{ z2D77YMDf4r3d%8KrS;}@LU?o*Y0LBPmysUxH-tu2vo^%H4-XH6ys1w({E?$O5Zlzz z*be_zSNhzZT?Q?A2v1M&n<@h6hP;_+m)!V_(E2CEoC+O>z)53JPEsb$v25q)mY8`; zyNT)K z@^p$&fS6d@{B1r1aQCdNWQdeUa%U=5+Yd!Mv0Emm=uYOIg6=q>t@Az3`vd}|Itrj% z?a|RyTE;up`O2!bTSq?4fJl`>IM1SvHdfd!!VXF2d|X@2QcmFqj}C7~fl~F8e`bv< zqUFBfx9M0k@Mz_ax0-SH5^^&!Qv;a_b@b!= z+Py_(3Il{yZ|$8a=uDE5bbQ7MJ!D6@{!H4l3noNO$h4D>g4pP((%sl-G{@Yrh?%t< zVIDHBJXUxOcNE8I&av1^#}8wUU*pQ&j=VlEvygCw6pma}#ld2;C+?{V-7fxQglJ)j zrdO-lSX0)O$D9Ai@_L_0<1McwIo>?Y*o0D^9jTl90%jJIU51Je!N8!V?zu+lMw+~pmA$eZuhrly(E&CoS-jc|?zW*{>K`n|@1 zHg)jq3!QX8gb)<#&6SVG8z5A>==tKoMJ-ue<6^hx`qJN;F!3vwlt#D4@r3L;f7)e5 z*xFl)9^`ndVioqkSrl&O`x=!dXvNXsdB@l!p{egC#UV*}Lky=0A0lXF-4QK2(^yY? 
z%6V?`voJ;oTM2_RwYEo!LQjshqCy7IT$wDJlF_T&lYv(rVW89s$hYPGaPN+I!Yt|x z+d)5=vDqJ+xARnySBBu@?oX5^Tb!JBC5vk1(8Gr_W8uB(UIJ@qiFV5N?&4#dR`ZYz z%Jksq15fJl z;sh-o<0&#?1sG_2%Yz-`=+TyP`{CwSOln5M%G1FyU~8sx#>>4%$DeU_uVC42-YPF^ z77sqMk+&+>rm11XgHn(p&s3obEsOGRo`LBzmgkMbj|$)wO8vKzQ}5nEt5Gwm+exy_ zl<2G-tk(N>*Z|TiV0=37pkzd!6qP|DnIK=)B>E|%pz{sj#-X4sZR>q>G{FDGIo7bYUW3K_(}wZ4pY- z)Guy$3tgp`m=C!7xE7SS+4_Sd?xDrw2&F)*0Ov}PU6!B9r#`Wz&wkF=;my!N&Dj-b zqslYf_Mrqu*E64Gr`vzDIa`C*7iA^nWggeW{*w_quA~wne&624?U)4P1508XR zQ5DP}3N0Nq4mioNz6VTEQWVts&Wu};_#Ra5?Mzrd>hR^sZ(MB8&F5=F$(cHgswu;G ziPHk^GE=He{6}(|b+TfcUvc1mvDoX$xa7H+8^C-os2wp|RH?*U)Z(A;Qo*J-aU^Uu z5B6>`2Gf)bevQJ$Mj`Am4M^R8{2G+U2=Wsmr+1$5pv#US);?sNI4W>Gsc`M>PqqLt zx>ZAS*HAN6Iqqk0U6rHvdLizQE+Cz@$8=poLsY$e*8T6KC&*wzQ1(&K4XLd1pgXGM$Dlod7 zW1Y_@LcVv3@sT*>Ro=hDo6%8Eo6*vKU5OaVM@Euk8FBm7*n!H^T)S{oB`#Bk^;?3A z;P*n4!fue%SS@uTlRx>DK3r^-H4_i=(~ZTIu`*}wzzW_|K{iz+ErraLZA4`2aFkmbBrVFiOX^6p=pl|Hcycpe4DA_)x6rewm~p%YC*S zP&=aGz~KX9xUh47S`b;k*I`z5)tQO%A+q}|taYLz7v7z%6ZA$O4ctg$Fz8I_P zGy8P;kKk}LTp_Et2f}OdZ6KBn;yuU5$30h7u|ZkZ%+J{cs6o59n_?f@{Vkw98q;Ru zGvzM*U$tz8R71H@$|)z^qNl5*%sx=XfLkSBzNOof6_E}qBA`+P0RbT>z4scbh)6FA zND&031_-@FP(XSwk&Ym}w*&}D{`0}L_Hw=Z-ACW)mlLjw3!cm}=9u#t^Ed9{Ttr$% ztV%KFThoo2^SVF)Vw`j@q_D_0(93XR+xx*G%ztS_x9cqUUH@ui*UkE`ARMc-MY#_` zR0{?`a2^;K$m?)N^lvNaY+z>`yk|FInm>Tds&r5MsgF^7qTjceZc}FL>a5qKH2#&e z1tsp=vfiR?o{Fb9ie=VT#Eh>^Ux-7mF|_?j;dX!RY!vzjR;X6A1OdH^>338Fjl7sXchKT#|kDWrJnPy_TfZ!ve2ouUCU0^(HNvie>CiSxC~ zfX&FJ|D2Epw(~$QjLCw&gl6K(%3$jg6EN3=~}B?y+GGW;giU!wOrs zYtCcPN`{sJaM^azQL-l1seJfBq))#cO+mE#eciWm&7LbauqW+)xhV(bw_ESj(=_gq z$9sP6`A{*-n+b!z8CblqGs5-irDL&@5ze0WA+l;*ana zroK~Thwralqy3XYlyN$<>?;Xn&XmU@^9`Uu$&#^ntp$po ziHbfQ`&7*HUZjP4ctTgW0!NS8m6QTQ?YEe4}`g^qQE|F z1Go$zegHI9)4?&J6BQQj{u#&1*S(orqQ_AM$XSP+A*4Ok3JNS@_6=Byz`e7tXO_;yl=OWy;-EZT z)BaOr9o$a~QX$uNEA!Gx=S4n=#4sKC&_vmmiObz9ev@dUP;nXn#ZNzzk zBmM6^6Y?to3Cuu~#SiFnqFqbZMMcfNo#Y4W`>2~AHH8iX@S<#p+0!TxoH*mwa0p!t z(mtEdbp~!K@mfp4dB5-;2vgl0L|2KHP!v7d$b))jcTt^1?$?X 
z*t<4c>L2B%wMt)>xO6lN6w|J}O(KUgIVMcZ4CTfCj`1lX?*k(SG%JP4G0(w!)-Mz* z$^U{L0hRL$QIO6PipwPdBXY>2W(n-#2t~5{|?H4i|Qv|E$2V%>Rm5iD6QJ?r-+7cO8$QqW=XCSz4zPZ3}-0$Aqf zQ~&xcU^fE><~4|J|2wn~(olg`0Ns3s&_9?#3P6?uI!h|50?NOKMG6vFLQ<~ZSd0*w zljq0To(JH%8q)SvEdS3iguU+oE zv3?FNV<2JV_a}x=9cO{?QoF$5OPXBBqu)9z<++_WdHyeS=AVib2=O1rcI*vh^wJ`$ z*Q$VU5FaYk)gwsz5cjXAgJM2S8Tvl>-51(T6~SJmnq|U3c9{zVd%H)Hy6g38$#FU% z1E@f&XiKxd0uf`e-H*G4$T?!HC=defe9?kfn}$G&`*&js$K0`AFw`P^U1Fxsf0C%( zJv?{0u(>&+htSLAf zb947|!vwKWq!!J8K7t?NGao23*9O#^PA4FOm9(=6ByD{Ew6JK7IIv)t0@$5@gEARx zYF5LsAMCR&A2hA4;RLy)_dleJV6C~YBa(o8$W^m*EOWD)3uUBjm?^D4@f(}_r# z#V4-Ly%V;C`Z{@UyOb-^71$r!$tClb?YpL5bshjq6NUnv-!jD^JDjlYI9-Vuv7{Gx zW(H)15Ip*?&W?9UQHOdTTB0i^XU6AKWDefBdU>F*$pAN;dfY~?;?yq_M z3~XErUi2El)zwUnsbfBD7jmtYeVUf*hHZUdMrHHrg`6wP$0-KZx~5!_saRh**LXr^ zKd*V+v5_+U9=#$<;h3i)SanOyM@r7|bN`7u-2}qxzn0TSCilH4`6eIf-4^OciQOW# zfEWuxTO6CU{X^K=%r*ExbGj;iepy9)7ueG^#B3PV%(94=%2+987tFcqL7iFY7cdC( zZ)V0$eFbKBoCydgo$vaPant+*P&Hi#U4=xBzr0e9-lInZLZ~Ho58)93Au+pfLz zn(%ljAijqOVp!ceMn;`l%|I?zH(*g_QX3@`9)~;rpG;r79#)39soezTEDrpV5T`J! 
z*G0{r?&`|}zEYL@hz@-s~i4WNX^!qCEk zXBOWL4acQ@U^J4)#GzBBs*1P6B>q5nWaA+U*QxhWhR+E&?WNq!)y!F|g;K&XL%1RBC zFl}h#{)Lv!Vw(0Qf@Q$G=#7Q1XCD}%J}l5~g5IiQ?3Deq_+=#s@djv|rA)BMO!$(257&WZiqC^1;{wxSl5w|4?Tk;Nb1NJ>b0KF@f@) zJ@BQN1@85O5nRcx=} z9$5o(Zc`nZh1HQTL#L0AoY2yr!un{gOxD>-3_GGO*Y58F!;K$d=>i+i!&|274gO52 zrYQy3#LV?5>754H%13!mQj*&u&|~}rNshp}Stl}|Z7N;&R`J-T{F<1O;?d!G^rZ_u zNW$yGEj0CV94K01X?JC3A>B&`DXlJh|;RbuM{Ck!ifkG{GD32HgA>dK-m4>XX%01 zc0|DK9Ei@#3<4W~&f5)T$DuS>`8_0a&L7VX+C_2R{ z4DsxTRy;Dgud&^=?oa7<@7$T~5o6mPLoT$gzxTenb1vL-Id_KeU6(fodjG%ZZNUqb z{Ndg-ycB7Ha3JFjhcfKoI+Bp){|Fs#fc_T7)U??ZkH=)LRZr?i`1GAh-j9xx0eo@K zZ%Ja^xB-b|Vx_8@z(Z}M?GG4z zc9T%vBX!;9o8gT_@gEgrf|C2j=$nXhXR4eqjxwCyd+{pc#CR2-A(YQn|M=o7P?jyL zxpukfg*`SNf42J|IC*PrvH8X7?wo6x+rHMnA{I7eH6YZ`m+Zv>c?Tz|$DrT_Qzanq z!|Yp9r{TmOVnojsQd9TWw?gJ>7i!Rw^Lo>-sND!5P$o$~%=Pv}&n*^g^R#W#tn}{t z{bU?%5O1v9bR@nM#HRjHA7|xJxcw5*0vPf4s!~qs8ouM891T5`0Bw0NZCbm<(oIa7 z*V`V16R>eG!U|eud$F6Q*!mz};^*nvg@_4MH(R&YYlMu{K>+BO^t6BSF72ua_PjRx z!CN0ZuPd#2qvb8d-_^U;!Vm}yfQ?_ix9-2*2+Gdb{0Ns=b8EU3ST_|fc-C?$esKEc zy4-xwFkO4C)1sPC_yNd%3vaAmbN*gEI8^1aB_T6g3G1zMl%CT#C-viv&;BQOm7N5o zf5oA2RFM2O^g4eC^nxq`ea}I$%jyWQhn9JK)2WcUB_^)IF+tCvOD|AOuM)2hp51!g zx6@3-#2vICxL62;+DV5Rvy}4WKM5G58Q9LVG$Rw1yxC-M8^m@0i0unj7k>}s++v(6 zEG)c%I^b1s1?N&wgahQAIN#6kor%CL2&GgJSLVGtgwkgpu9Uyu@NsV+1qC8ZzG(@z zFtrV&)ZuJ1PH!YmFzwgER8-v2sE10~#Cb>k{S$^HQe8XPhf08=%;gs%sa9md=$j5b=mL6%xF6P!_M1HP%VeqU*{)5)Pr#R?iHDD!Q9cJqpVhq4SHE`z zkT>j6AgutPtB=R|sJ|qAeZc|mEFwu1gh5m9-c>9v{^R3AYL70Nr0tmPjyIO1?y~y_ zMCrW>F6MpB&GNI8q|z=wCgi;p=vIMQ5cehteY%BWf1|xYbXKs^G05EY^_NnA73uv} zH9`eA+R8Ke?6lf?_vIzY!9SFs{YP1o@VmqM?y|Ge(Mvgvw=Lpuvs<>HID)E(vh?O# z!BHZcif8NPZbwa3;>K7xptRgtSm*AwP zt$lXtGTjh2!OQ6pH0g05)70pCtsaccY3a@j;awO|cg^VwW79?jwoW>#YWoeuuH$)r zv8Z@gJA{Jw0flSx(mX!+XLfH{pgsF2>+-y|M>%kWvds{Gel zP7}CRPx-;4r+r$CZ)dX#PVm=3qbM-jiB{jR$!b`@&8#y+b=96A-e|&c;Fwx862?3eZt+8IGlAgUUGx z?$bv+t2i75(WI;sTq%34T~(N6i>}EezO`{H#pY-*DhY!#6T2^V>(gXpmNX{%9{tTf zA8aC7=I;T5KSz7trJaGP#pNbfz99?DL1wJ3jO6-=yG3$ofcN!&1YWhmR!W%M2T 
zhuhb@bIaWe~_&zK)eOez)SVJ=<$srJh9g?=0mzU)_a<(6XV1Q3QlE_ z0^j;|#JIP8R^1tq3$=DPDLl+a-EWpV^sdt<1>M6h)Z z2)+Gqb#r6-XHz%epWTEkG2ri=F$a_g4q4E@5?0*^5fFLn^Us!U>6}YP9m@^*JY4RL z&vT*D_t!_|lPU`(E8naKXNNW5$5>19fEq3F`W=gF^*vv#M$1;~QSOU{lu5HvVzs183_@X*5q5xHIdk7}}{L<0C$(d{R7_H|T)- zFj}eAIjCGZR-1*e1}O*<^)9`&pv2&JD@9qd+`;K@{izggAfo_mrXp*_5IvfZVPy|dJY2k*alhZW}+P0Hs5FPZtu zISPE(UikT`>Pc=!P3#0ml^Os|zMJFj!DMTVj2O#QbmZS4&h3wcOVHTrIk%T3oFCbA zYX}jlPkXg_&*nqT(48FqZYB3WqMuFzdYhpXFG+Wu1tZw(d0fW;M3OKakPOca6yIsD z|J4o%vh4~Vwn^#PevRV1)NVGo=tS(t`-g3Ey9}-z*S7k^Z=O)HnPbg(x+Y zSm9ynv(vA3QAt@jxRn_c3<@uP@aB@pr&n{JGMBu=cBcqxPaC=8Y4~9$7#|@?tl91y zayjk{?86ceQvZ}G)lfQJpz~6_&MO#~t^`M9V*N$7ZIh89pi=I@ubZ*5h)PIGOiaE<#Qui#;_9hDvHR=AbAxZ9j!7Y)e=e5Hzz-%Vh-=KUG8 zyqXM1Z7GmdXB25t(IYu-?CZLgq~rD_4NvsOOiFb@JJq)@d+cjDkNMF{&&PK|LBioV<&XL9WEMQOX3$+Bz(Wq{ejG=d1@nrU zw<-oE*}oz13Oh&XwQH(lMX@=R(;SU~X8Y3;be8QCvi=utA^L2Ua}ZI5ixH*Y@}^7q zlqaNnTD-~Bm(BcbB({)V>}t<&au6fpaq#U6Oia499=qT&Ftk0F2ZVKxlKNi9w)p4_ z|B|`DwlUNQdo{#<_d0Q4eA&mwqU3}<3IdX@W#!oV)?U}G-5lrgUTTLiX~U7(S`33X z>*rHk3A`AYKF84Aei=Lx>-lr<+^-Ud;C6t)`0+fGL4PyV1i1!WvC}ISNkDY}v6U0_ z`A+SQ1)GTT!f@a>sRN**#%rO9cxC$#&6G(FzC(&aG?pH-rNRw1EJzl_&r7p{P`Qgc z7lX#fOU(PhonTLo>aG&<6b#>~+|}PUJ+ZFycCO7i(Q<8nA0XHk0+4X@5G>Bax!t2O z!jq6B?=#9cnI9@tuZc{OLiVW8@tFB?adIYamYA}*P6Z_E<)$cmwx(su?8k#rjMsJb ze}N*dwWVnnKN`|xZ)#E*qwVU+mKNV%SZMf!4Ik$n+3UHFH8qzc%RRj`-d@zkFH>v0 zJ2&{Z622c7v+gCg)B?)X%ixkrdIl5*f=B5=#Q~?X(}C}b9|W;IwD)^8lIuX0ExNa4 zEATUZ=xH-)C@>Ut4o0(T34*Qwo_cf$S9)6#d|XO<>=J2Z~%aS^GeW?mIz%-y4rWC3fOeNCm z;4H#_3D<$fgfp6gE$h7N7_3-iS{IYL;8rYaR6KH1r!1?9OSK)O>_ z=h7LnT%tgoVd49y`>qqE+hevJ(giq1EokGTPjiayj98dB%?0m)S{$3WV6!w-q1H(ZCg+7o6kk0LY?`zWdpB zvcmldvN0Lte>@MO+G?rfYPTGX6NtgY0phNXO#B~Yx!?6HC_nxz<(i?gYmlO&r*a7y z!>1&Jw_p@_Y1w@CqSm=bh_Jag6Cv^zRtjnb=0VJuss<8E#k~%rJeOf=fqqKq^}~iP zkmiCufb9*@56DpEvz%vQH1{nHXpz5;fMnr4x*umWPw3L|?_rK*8=k5ax7UMGC!YKA za^ne=6vedxb$v^AWMiYF?fysyb`>%!uZ)UP1>3h)zD<_HqaJzB8q7Pt1L*Bm8k)^| 
zIcu6PEz-(2&v=)8uG878^TL$i2b|B!MQhlaK;J>@&71XQ66JTp;Wzq7GKURaORa0xawwjXF#&Na@GelO9Mr?TlT6_TaOp!zEDnu@pg6ka%hTbG(bIL3Fbn+q z-6xj|-+9z-g3OC$4b3Rmn7%7pbY>DJ+-TAeP^Nd))dFoZYjV1vAC#~Frj;71TJ^xG$a<@ z)sPDF10Mns8G%IkT79+i#v&zgFPV_Yprun2-lAkEinjLRj`uFlmVD0Y z2XdR#OmJ|%wuw8TttCE9w=n%DRzh6dtLKuugLg?#?V=Wk%heh&u|CE7bRMyT3D>*T z11JQe709dvTRrB)tcpR6^MvMYGcy3<9o4IY-?&-7h<#eoz+|I*L(h#^%+smYvszmB zAZDB5o#L-bBUE;vSdQsWefwSJ+`aA%txxF**#1s{E1hVx@%gO7YvzT+^;PBb*81pI zZ_sHx26X@Z-cOeSi=B58g;&P9`ohHE$;)E0fhI^gkGd8Qo?V@xPb}-EyD7}2Oo7u%5G6N(b5Di$o zU!UBvy{!#_i+-tPyIZ{W%7jaji=EkmV^uqa>hmiH6XOT1;3&aWMGJ!GayK<Supvr6Ps65la8eoAnki8Ybh)obToLYnJoXKEWr}vzYm!^K>&$ zT>GgEvM&l`V^||PGQNc+ofqZlrBcNp0#?gP zWbbBliAXM7Cx9Aru^q2hJ?b?s@Fa?S%>DZn20k1N*|ktXW!M+GxcgU;O*I21Q{GtbATU_86&Tq4eZA_d@*vM`<=@s~mUT`FoL zw9)8wgcpW6m%xN&G2oY(dPincw`?Me(6LF0q20eSsM9P|uP=Wv`<%*7e`5ea)6z*2 zLKK^=A#SjG@I93^^LlLNo9DWO5=+3`pr(Yi_|B| zH#7zPz5zC?hohSTGx|CfY!xRwu06NBap(-;-kt)>()b)-p zZ22{|{et&EieR})Ls6XqOO#n_xy>NWmkW7N2Bls}$v(&ksaeQj#iNJLdi~s<&-y@E zm(a{!w{SBD)w*>-9w^2&(JC=Nj7r|j2Pbb-E-*~8thR^^Tp`OlO7W+z18V4psnV-hrJo8x=ki;|c)ULJ5wG%vjYn)Ee4LS3P6< zZgciIDm!pB4kSCfp(Fv(5ZBjP`{i=oJxuh}FU9qb!Ip>*4t07KgFT@5hryi$jqSNs z1Y@P&wzP9XeqtZVDDO9J!B?E?8jPvCB?4k=tvw{CxUui2ZSHP4FB;8tc;n6zm;dPI zDEmmnNf9{%ek7tF?oW5)rw$G4W`?L@p3STKlj27VdQA8yCNl~E&;2u`s4NWMX z`@Hghh`q1;7qK_xFR{16Z(?u5X`z3_-jSkYd{%!E{x7-XbsF2XZMj!lG+()h43mtu zr*`U-x^N)cIeq4F<$+g9z-i*j>4Hdy2<{(Y)BGF3vS+-Sw`Jzto9Ng<;UFT*_DPv- zYP8G^=~QJ=<c!{P|%WD;OR{tWN=fa;-sV?wPoJ*L3^3cJf1k zWR6jUYz6}|fzcoe$6tCg+VlD$h2H0)doQVOjI}P^vabAA6Uv_dj7Zz6aG_2RaGuk1 zctP>7nT``yST7DWv-Jxs&m_z`JMLt%elAZrjv1l=((}%3XWCjR=QRz-)v(-KPgcfr z)SA6r`t3;cU**U4(wf_cZ%QDaGjI(P*6#w5T!4*@4w&+V-Wtq9b|_&t^6PS?$K5KLt5< znw4xB3(|2uyA|Kvh8#9;K|=OV3T?)L%U)Ym3e*ViV`+hE#~Sboa_C@Y-@|38ON!#+ z;N6a6oObdZgu2uiB*9`ZkRa0}Hejos#Py2tTI+@X) z(PZ>_7b;i17qQgpL|e1gaebEF=m1_$E|=G|UukDPQ&&_?Te5hzqOT}Te4Ojl-;4hF zsMFtaDO&wzC;93)OvmP29UnAwOhXaOWq>xETzYO;>I%|$5dq!)VlwB?ME4|iEv!@k9-&XXzij35^;**0$Z66&nQShY#PsdBO(XqU-eFn#(jPtSz 
zvX1B2ajR@@K?oM{TYd*e;sM1uU-dIRe=Fp9xS&_Rn49%um@yD@99Iy7JIr@w!*7k* z+WzSJt`$!4y+pL3t2JAF($mn)x7>PobC=p%g+Tj>X=uMg<{5DV$vTKOMHLgHHcz;N zYBM!wc4MgZUB?Ga4iKlo5^7BqPL2EgtjHxXY}9S45xGuW5RpFUr}W_wD||OfAI0Aov#c;TDG4Lo0=Gyp*X!rJB>WE^ajSf%bwS=| zjS`)Y{8r*7e@hKxCt~TFPG4JR@i+uASaWGufBLlruR^MD!`fagZ63{qM|RK70@Z&_ zEX&nEXRy)1o7ZTqJuTESj|0tp>!rOmY+c%Q!%6z*!boy!80W;z zFJsD3p~swL(z&wvTQ5o1?mzhc76V7+@J$jllB?Fen_1jaO|R&xw(-^<=zP|9?QN!% zBIC<&#Yfy9Tuv67pL<2SJE>Y)xjhWlT)}-Ub%DhAN(xb>U=v3Vq~yc0IOB1XK>pns zwddvJ+K-t-Lfi7M`j<%X6a`c`SgSs0w9mFRzYDsLAsLq9L(be97WRhDT}Jiy#3==7 zXfUP>C-MibK439#bc{Z*eO5`}EeafsdE)5LucSJRjl)t5Y{F0LfCPuBip#G^lifcQ zq>Rt7?q3SfbkuUyEyG?^NE*ckv@!XPMp?@!T`O0INR_}eaR&!`>5~|!$89(3!F&C> z#3X9`oyo_ax*y-3E>L*1?xVM>UVF-8HJDO{m|zQH&>AV;gQXt`E4&XAYQD@(CO;!f z;*={^L}>w!*q3Fn13YzNHPB)`3Yn3 zbwyUwcL0qw$e?Uvm;!&WV?@yTKa$-wl!vWs;!-5bW&Cv_W`da z?YVt0L{*?MPdJF;P@3rJA<2By+s80vQe4ZooRPbJTH;YaX~Ki;5nyVA1Daz|3}W5& zulU*HmKBU1ve~g-8hr{@+^zM9QKRfXr7^?f)b?GMLSOyFo2LUU!kY)=j0NJ1+Mkgy z^v~{#iqG9D^{a;r-lA{Z!lpTiKB;ais*ZCXO`maPa?%R5yf$nv2Wp5Eym}>_-_d0o zMa}es8fvl26R9NCj?t+zpas$$T8k_7M9stkHTnF{3CakD>xxB==`1iJRV~ zg*vk_C&DU*t7O|=d2y<3`DB6D$&$!fx&?(rvNZY+lh3hou8I>qVW2FTP_z3%A%V$N zRuDkPp?Z{4ORcyXQTa-KbOQ+}xog+$NDktprW@eC8KcqdnQ40764}i*qzK48AQU0q zU$1a^_JRSN5}D`w0GJYp$}vp6b5*OrQdXj91d;Rl!dkX#krv|G!Wx|(a`5uU6;=AM z-KBO^)Rl6PM6=4!XIcX^cXaKvuxp-CZJ4FCq^!x3@+&8FhobE^_(5(yh)7fe1XEDZ zkPqqkU_iqB@C8T#Tw01Jf9^L3^k(YYcLq*ij^Kh~r8!2eOseUF@f7!?xv+E#rMg2F z6G3eNUTyq1kio#&vb4%X9pOGfD>88G`OBl!7<#l!8OsO4d zBN=e(TQ$lEM7!mBHP0GlRMEo3d#G8|x@Rbn4-++m{Md(Fjf`F)>NJ1^=))Hl*RjnS zlw0aNRkgg}L5NneQ=g)VNgfa2cx5g9{mKR~6)tRN;#6($$)<Q42zf$rreYs__1bd(1!j#>{fo(qzM`S_W2OuOB_Xl^fE4a^@ z9%Tjaos~>UVmpjb6c0l@Xa~uNRexX80fNevlp9kqh-^n&d|0k#5otJcr2?C)$N{n3 z6m}%+9!K)Mh2Br|-6=#+@;pyg!|e}phUCZ9 z-VF`$Di*UnulSN{HVN7?g@hqYW@Y8@f%(1h4SO<0jH+4}eiJloamRA&j6Lu>vBe<6G`GwRMgF}q_s{}aSxkb+e7>veJ2>5EUfMMHEa)KV z%cQw2GF9v3hOTYx?vFq=Z=fh0I?Ge@`WRKWnYnqT$o8E)=7h+~8OQdvwp^JiG6@Hx zSFl8j{J}=oQ^ui7v=NCJ0(3=Nh`vsk5H*cXCU0}ebY%% 
zU2!svcd?x0VTo`F`q@&I$Be5b9I?%6u+O}!hcWKJ3*@KOwO8hDf53R5dw^E3_g9f-<3MfD=#B$X&fELZbyrsH<;!;KlMG0 zWsOU=O`qFwcRIeJQG)zEyR(gxe9^;o*GVr^mWZ#otMwbvfkfv!z3=#SWOiINl_uTg z-CpjRidNc>O^vGh1|_Qc8a||~^=z{A>MBs=hxsfDqlV z`40$; zRxx6RV)FH|M`MlaxQOlNl{D3H7X7Qu^x0n*B{Op-{+vn5=eO*RrY0^E2^wLA?FAS= z41G3im4<2NKveKY2FW?%t7BA@7z(#X^78T~-`Hi9kEvA7B=={k=;|i#{LjE&t?&A} z$X73=1s6v;>DPEZ?%R}M=@M#i`SDH^X{6a-+Wn+>Am~~3yPOfL?yz){<|66y243WE zWbTr_CWDjJn0h&{zEn)t(b|F0sZ6{_U3+0&OmFv>eK4r{Qi_wU@TIvN@Yi2YCe40Nt^BQ7A{o^2m@FUKV&U?H( zWV8mY7ncnM*H&(A73(N!w99j5&`mwn|C);*J)L~%bS%}4`x;)5emsO6g2bD+A1JEOG(8<)jsH|TidcMN1QS3a!H0O#8y4jdiGbG|Lru9S! zDS5@Ts$BOV>psSo()&cQSBzf)^0?jF!zEK3%>e^!kFURU6YpK|lS1D`kJ#*?eNPX8 zwElF^@d|i1$cn!2tT3j#qOwZmk*2F1wKGCDfW9a%Y$yDzn9aqYvS*=Hc`ywTx}%TAGWrs z>o$hP^fN|9k`Rj)#wFdMcw;nEf=I{sb=Qy9kIa5eR$ys)xk~l&M1pphPT-CWSh<}Y z9#cPC-wx4vJeZDPQh0e6_}H%mSuk(M_yP(_Yc+QJ7I*sxomOcUqBCgBqqiCkiSGr+ z2lr1dRK<$#!v?)M9AEE!HMOph>JZas66z`P_tZj-zV8A4p?-qI7Kb$SNw~hrr4zPe zGpE#r8&96p9i0;nlCimX;^a|}sqN39=naC-f1P9{=2hK&>X9pc4nb?+e8PS{rpuLh zXfrx*-F3`!bE|2>)7_V_f!Ui&^ky)6eVZEYPx8P)=}v3oTz1DpIRjl{b&^e3;`pCdb2AYRHFU+NXh zld@G@O!BbXDcOwQg3p1@U@`v2cW;3NP0dv*HQ(_h((u`8cD#+@UD=~GdwAR9Q;B?@ ziU)7|x;G{@Mf!zxgvhV2kkmK0uMt`;rRFwTL|L-PekYaWoX94e)WzlDAQPov{nGO% zI;5I2gPlJtUaSauYWB}o54f$e8sM^ZFbwvbz51Odf=W-lcYbCpFc z;qwsxTN&Zv3tTGihae9hWcpW6bq#E^#hzQ)1U;F&?VY|?ZcZ4*Hz$B~A!J{2? 
zQr}}le@T>)n=C1(&0SJX`xCz$T+G_qT8hk`?fx*WPWPj(^Ga}&xf0yS=xAOkRy3T+ zlZl${y>49h<5iI-CD#piLwNdL8Ml3Znf{6AoB2%ZHE1sYqccr&@*4AZrYRAyf6b=T zZgb8LcG>iuG*vVH@vdl$oLnEZjt&A_$2VPalU07=lbuKlRCa`I;V6>*S)CMv`-6;0 zR_=Gt4_+F*2W|VkeVLQ1`}mGrN(&QVi&7!R%bka?BJZ_D5!T%h=y?+4b8|Vm&3s*N zgPB^mRp8TNrnu6gCG?lWlZ@BqdILs^j4J-)iFt3iRFspiPkU3A&fbZs!$Y+79iv1zK^&S|W?*?a|gFby{E&AWacdF`^?$AX_lrU{O_N5$RE6d4O%a+ zu9j-HyF$BAbY1;n)=s{?Sh|`S$CsBmQ)w28ZnLL!)?;49N`IQmd0S7TA9{1;-;ZXv zW0Co;JIM90_O|nW=*JvQ&Jl;@|`QMg#EqvfHcRDx> z%_(z?Wxq;iFbfr6Ipt}<6i3c=x8@d-KP;7NDG2aG&m{zBPIugIpKj6b~XdaB(io;OVE{)7my4#wdb8|w4?`kY}Sk%$jCVF6Kr0~o_z z_+h&a@mmA;8C-Xk?lfPRSClqTo1Z@zqd=8NbJb2){{)h z;wGd8Vg$j=EUEj-1}qzCimL6mntm8ETSs_jE8cn#oUaLD_Cdx&1JkF~qVsx5Na~-Q zHz3(aoj^=>!02n&MBc-)X$=&wA=ON1t%l9RFcs?7t3_hHfig(XJC>+kSE9be41Nxm zdGx;q(EoC2oZ?88TP``q%##~ib+y<}V+_QS&gj zqm3_TZrT*&QL6fq)_1cG7f6jzZ}S{XP%(Ez=pUDIoSjoa?e$$)6~^RsdBMEi=~wZ; z2XUStU*di) zS&D^a%Er?j*14W&C9hH22X}V*);OH2J&@jp{2(jO?lfpX=v3kv -DqBMCGsm&JV zC=wC_1@LVKCrv4bQckTd)Tek3ne#__LS_>aS~i&$rh`)w%vRTu?uM1GwrNQXL3K3F zfbqNbX55cVY?eE!6z?)+_xZ+&Nou|iE{fvZnA5tcRz-%SM5b`OEf zweU8s$ekGW?hj5m{R}?5-Vu}7?djR71JY>>NT9Y4aHTkRX%}lax7TI9By;b@nR7f` za`D*hjg=_15>#n@nWyND0Wt9?l} zLYwQAP)Lp|vqzvS3n_{3B{1(KY061rSg-AOoJm^GCz<$!Mc>01_nP_4+wEmQp%Fwf zS+kC5{+N{)T-kl0aKuhqw&WoHzLHBxgJH28|M#x2mOo1jrsa4`GYc(u14 z(y=^gy`%m};pYenSoKw%8>Mdk=X(v=Jb%s+bQcTz(zVvjo(P&kbEy`Gzx%+p!V|8u zSqv5#Vv$Chmyz4jj31;SUb_bd+gI7c9PcNxqLxDg+z@wG^o=B%?2|urgr6D{s;qAi z8si%a9}>&uilQ)>uw&4Wfx^RRs1qFkj?#nIgVZhm=LDv$h~2rL9sFczPp!*r z;-^VSsO|s*qzZe|kDibyo#~MPD^(FzTlgRec*ypgmiZMpZZAGUP#Y{rl53KnebDC$ za23$c`yau>!6)=KcnJ6~_#HbcZgK4xSd!pl@CO)t@Torzh6{Xr&;I`p`2Rizqyz$% ZNO^Y9gDUfp(@{AlMLFer`F9Oo{y+MaEDitw literal 57811 zcmeFZ1yfvGw*?9zArLHq;O;KL-QC?a0fKvQ4-z~LGz5p>PH=Z?JOp=lcjs-AbH4kX zTd&T0Kj3y%icO`v_nKqMnrn=?2~m`nKzfDq3JMAeNlH>w84BtJaQSQm?iuhykWd;L z_yO&xEFlb4GK9Ac{PO&xkem<{)Q>2HJENz!!rMt|IYL1pcRc-r?y=1?hJso)lM)qD zb=BW%LimQSmQb4JXxfb}_68jvAI!qdO&RJ6J-n5^YNGm@m8Fem^*LLpzdtv({z_oL 
zGKI#A=MN&auuQ*3ovf@wI)91dI+}%WbxwSJ{RLi>ySfb-WH_6{b?r01*!SL~xL~Hr zMbCME=J56|)!VsLyUIdsyhg*TMXyH716bSBs~!rG>CctZ3oOGwS6i=`TK`;)pd0!= znFs}yPTL9v^ZQCr!xtL%_myu66b$0;D=0l^Sgb!+_0RtA3jrkliD83(1N*!Oq>3YS z?KAZbUdf?O^W)xRgZoe1NVZ>4P^Pt)8ncal!eoJ_4(r=NekH#y-;AL`!b)^!7~w~I zZyMy@K#k!e+TC-Vu2{}lt)70=dr#p62l&ej4z~8j&^NUQoY-9Flcm{ES`erro!&%L{==rvQN z_U^aY^eUaLsBYAR63=~YpkU^>nWf!VbGD)_ZCPV*-*7cZi@T{%gLHfxf;loJUk$D` zxngR&%uUzX^dj)QnMPRfwpUx9&1)7oiy2P)1nH0RPIEq|@3~J(fWkJrRquk*AVg$h zmH7!1=7RcdHx0V}IilUJXllEhfV+6Apn7&A5-0DA%e|H)mg8V4mT94S8nD>G=@0G~ zh;}bR?vA_0aTo62sZ_lWSj0iJb1o?RYteE_L#?Af|6t0Awk+33Z3`3G=srzjvVf+& zrTyR<0$oD1VDbWWz?SF1(IzA>kujwk3KJTZlLrVUlpsqeDmX+t3KGKAw?Vty3K{yc{JfnP zvUS49w$Dh_dHuNbKx^TOV6w)RS2aM!)T%~0N4oNvw{*c z{LsLq@Akp~PF7s)Io8r1P^);cN}$t;m|C^mIvNBvkVcSfVUS~dLFXiwes#NDA_EIErFP^!Z3uQWP^$1m<4Gc^&*v=P& zoN&A`rslmDCCVA}Noktg)L_+Bcwo1q8ni^s7bwV+`jcq6 z#t~fnDh+d9^j`eb4+Ig7o=1P}y_dv;ZETv3gXbH zwVcaG<<+M&fvHDVH5cZNA1PcSU669Iyfz|d`AuCHuk@GJ zpj)a0-Ddl8@ErPE2xgnCjGuEW*b0q>zKcE9@GG(_Up&$`rU{64a0`9&@;qTo`^23f z*H4lLwM2{M-3@ju*d*31b;YW?d+S;Z$eITn)d5@{tFG1{mDQukWdgj|!2xHvsCmYs zeI63lQqf$qbIRrVTXG*A0QZyq==LMH_>nJ&4f-ZZS>sY^c4T9*Aju$8+h|H`=E@Y- zUL&1}8OyeqaQhq5?}+}(WY(0}Tt}?Bq2MuDPDKdZ!8oRvjd++<xyiJZZV&I2Yj39$7$nw(cTrDFmqsJd4`h`-aE{C{k$NbQwm=Pvp}dZk z9y7n^%o2hxu;UPuj@}C(JZb7Pk8M;lc^<=;%3RhlCAr|MyqL5m#V*rPJW02X=mgYw z#1?Qy7A3?xKLAcvU-TK5_bN%033ZQ@Rs$3Nyc?RjVmptgYI9*c;XS{tN-v#$^^z2K zjJL0v^cRe2X)RRPQd1nZhBtKZmLSs<|OzSv^P;m^KXf}Z=j(u!Xr!U+f9M_qBmL%!H2E% z#cumDqoz57uS3xP>J#`dD*@xRHr)NS zK{;zFZwBZ{W4YFk*=CA427kqZ;_=yj{&FCR9C;wgG~99l#Y!RzYj zq9kPl%J`gwh8Z3ey=x5G@rhZ#Ebmq9iy2LRSz7qiV~i$rh8jC{5C!jF4t& z4J3FrW8%At_z?#t`EV=oLoCK6e(;Ph^pKw&6lxd#SB%t_sp5^q5YWJ1`rjzsJqsFAoG4jVCR3Noyd{yjw2;0b2~=NZP?V}OZ*MD%5eMn8 zIovsA7w&a|&n5<1;?GDmvA(NANHwMVu(wE56tqf2^Np>_)lB9|74{_4#Y;ZGzrm{e zVu$$S?O8+^VqHMtJ-8QI@uDh$S7hy#yM*&KheL~|*QU?nPKv{1t(@jBLTrM1@RpwQ=8B&Rv0R`8#>Z05e`YQf*urtM@2m=2M+)W}3CY0tUf zS-`+@zFgZ~_A(N+$M(J4{}iReJXIGX3TojEp}i=8)PBf$kwv&jYN-u@T8n(PGST>B 
zm}Xg``6!nS9P7cqUm|xIB=Ay`d@ZoNtFe#9Tn=Ly8C1?4{jn3jP*=r@4r*^3TR9y))}(z8$2YR%$GR#E7eFybH>6%LeTJYFGg$U?!&Pe~HAk=4&tJU@96f*XmGnqwxZ+g~r9Gm1!$;*`ON4v7PuGqYWwx*giA zfwBYO!gT}QCPHqN=Q!jyz@Kw8=ui9*7?$DiW`+WYVy#I&gJ<`9Q>Yv?MBlgWw-lMr zVfO~av}TKisl^2dO-vT7`;n8Q!%Jqd9a? z^gV5>s3O6x9b|opP1&NxQGT@%gI8>We90&m0gG*sVPK- z?W}#rYU3F{h>INdJwQppG(=X=BsdWVd08Rp;J^_?Z@TNM7mA2TtgB@^hoS<_#s1Cw zUGF<0Ue`)lSJz0{aI)OXf{+#DYX&jG2Xymag@o7ir&QdP0RfEZXNuY^=NDq^R<7SL z#k`A+=d;U=O*bB~NHo~FKABk;zFO|3wwRLA+AR}qhYfGIrF94hnH8copA@8w01~{s zxUnxfG07a6T-0!lBx^+0`HQZElKx_?T@qy!uCVI`qu1-c`Tzl9c;&5eCvv{1xjiEV zQTt4j>z~mw?dg@gWm#F=(A2#JZfvU;`7+`#R_H+ixE^AM2PEGs)BkJ>{Jlh5Ue+Wn z=F5uf$W_Y<>dYjy0<<(4Z$c}Kgl~@dYeP zFS}BPvYIoL2a;AC9a$vUG4|AHU23RZR#26k>Jzqic)C)_N#;9JdJ(}dUxd#pJ|P62 zU@rJBBJ<_;S+|Ky925F$2<9(Y=dV_?gXXAkHPObfrrK|dt;c&)`wwKMrJ`z)z8&2f za;}B0h?m7ynxrF?LY=|QqTFl3zxn2kMSX*ddCeo%jvhT)9-l6g95BmkgWI?B4F`Gw zx?LIr^HS`KuJlcsIzmKTBPwiml^;3ZIJ{)W7OCMJ0~*@^dFaBtn5enXpYFmFPGKRm z-DvFAjT$ev{ezL~j_k(Cj%ehh^jaCZmO!~_`#a5$I}jrtGr`@w$U-lP#WxLjPzyqL z#3888D)E?>*$+YD!j4hmq7zrVRCng^6W!cHx!2sQ??=5j$d~X^Y6q;~FOr*0edR(p z2VcIUJW5+)tNqL%7xjh~GupvMP56+#t&dl(SXxCQKPKwTGk7D8S_6&7fP_wRIupmC z#|5LO$-*n^8otHk4AxepU_uu+|rf>P=Glwy6Ojbd;odRS}n|^_s|F`v`%~ zfRe?HaRCd*Td(7|9T&R8h>B}oL7-V;LiWK;;Y%{@0H??rDBst9@HOI5pTv4Venx8mb{iR* zhxR^5W+XJmJ3LcXA1sVJe8c2mA_f8Fysd8t3;P>^x;Lqf=L}Nye6AwlWWau^-`@D^ zRyufbb8Rt%^d%8+{>CSmfXS-Mx|SN6q}A{XYS31-tI;k%*2J`HcnP3SqDd~ z8%ova$1baE67|j8!(Ih#zrf`!N~zlEfc4s|pay-iBqf~TWAQ~vl3zD#Y2FsU7L2F&DzWn<`}YEs^qQ$5ACw-7V`H?}+_uSC0taTuYaxaDZXI zgBNgMm_{~rhyhYVW?QMLuKjJreCzvCW?Ff1#J(qUIkI6Gz?|skOHjnv#n&I%TdGH4!gYTW^_mlzz_B z8csg^FGRNGtghIszNJX6qNbJKET?FLm@A&Z025uBntwZ^M5}|w)psHKT*eWWw_d8O z1IwLHq0^Aj4)>1!;6IzsQ?O752w`1^NpbcD^l)ZZSyOrRB#~c7!VvF8_sTj_acQ4O zW6{wg(#a|1`^KuB?yPw{57(V$4SW4+e!fdA|Lg6a{hR|QGVA2iCrU_*X?t_P2fw5U zNbQn*^r25yST*Y&nA}SarBvp--O|y7UhD}bzmWQ35{HB5a5C4I;Ya50@ZiCsS@&EGIGXA2MF?qn=rttZ=oT+A?2wV|I0v(~%7zIwcP-G7 zuncCbnZdi5NG1lfjkdRrz6HPPwWGc!fF{*oH(G7@ojS_Imw$GWR5H(Tkr*_N%D|zv 
z3B;cCpqHP|I@B{@bX~m91f$fWvqy3er zVhB2HbMxCh0g~DTZH-!@^temah)(qVvz)-@+2^G?W5^KDf5PiCrQKc}MXfQC8JNKs zjsg0e0Ia$y#BzUCiC9Y|dBN(}u);S_H8KZp_mAJB5C8aGfo$@)S&SX#NH&t{U`*5u zygpkP(+(hK772+_?bq&MuLF~YNVB0CxU_Lf@`><|HVT@d87PTN#v8ejIs|*o ze1GjRXRN#Z+B;bJt_r#QQ}8I4CuOrf1aQ0}OIt^H>E$&Fj%TK5FeAS&Q`>^VI@Q}1^h_RdHJe9X|2V^A` z9X7J^Ve@7=!1@6C7+H82z1n$Z?;iR<@$_g1LNM1igk{G5YKN(1yKG(Ml5~k$1zhg5 zSlHS%GxORUe;2&BYKu_uXkWz$p>-Bag!@l(rk_d~dC#A`9ST@nTR21x+C)SX_ax@6 zhSR)ZU?avY*bd+>6fD96X-ro@eEXB-`FpyPU5vuXtb)M7uSZ ztpjnSpnp80dWY7XN;4=QPC8dNjqXDKzV;iA5rO+%1 zLr{3^-hV-kS1t-Pe)Lx3M>4S+m`%_Blf!NUb7R!htk1x)w|N6?x^QVqWVcF` zZj5Ch=V+fdX7q3!8MDqrkxWvr6M$Y>LZ*WaeUuC_4g)qWN3srM{kic^iPkumgprd* zb7vQOB@4*$A2+ism)au?8{lD3px`kx_r;GCGp-tbGa~!j)0E`;_*!kfVQRwdYeWv7 zD44|3KBN*VB6hC)avIl2Ltx%z5$49aGaQ=3t#PJ9DRGRQ>Ky56Zg|lRO$R!T7!{(1 zsU*F(E{Z4yao@Um16mS$@E^b!%mog@v?mDPPI9;G-jHy#MbjrRv5CI#E@Wi>_1)|# z;=kvaY*JV9`ny$p(LNCW_VPJw9NRnJgiCO%m{g3ZKUc5c0J&u zXf|0Tw|TWA*)kWmQlHfV>V~s@9FZ*Z8r8SGUs?Fq7OsxuJ}vFx1qoi)y|Q5>rNuM`!E1b}g2tZ#aiVAScU6mL8W9s$?K`c6yv6j31DwB} z3O9(nA^pw2KZAEqyrWeTsA^r0|*1fU)mA}$`+1nSbl?XWw5Ex^( z5KzePh^Yrn8Ht~oy6-`hM;&|&4hmzz^pvILV<;|7y|R%cJ;jNQJ!oI%eE&9_>m|*{ zbOaTBYKZr=zWp0Bsg|fdyn#Tw9w|wW16nsjC2fTE6~r<{)5^a$uBW#CrizOAznonM z^!5L7_Vp?t7nLSo7R#`h1qp<>MP%9k6b9<|7BmC1R5Xmw92O-kodbr_9MQVAA}yCb z#bYeiLpPm;D|YxLLf{^LO-k)_lZl(erEx9|_!k~ZyKX@~2ZpvWrThMu#QFy<_$Y1? 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index f3098d8081..68f24c2b64 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -1,6 +1,6 @@ --- title: Windows Autopatch deployment guide -description: This guide explains how to successfully deploy Windows Autopatch in your environment +description: This guide explains how to successfully deploy Windows Autopatch in your environment ms.date: 08/24/2023 ms.prod: windows-client ms.technology: itpro-updates From 8d450ce62b7c997d579917f340854c6583f7b6d0 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 09:15:28 -0700 Subject: [PATCH 33/44] Fixed image...again --- .../windows-autopatch-deployment-journey.png | Bin 58459 -> 58459 bytes .../windows-autopatch-deployment-guide.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png index fd79d4d7f9605d144b62901273db6400b694ae8d..1e898235fa557878cfb7fae1e93e1bbaa71d46bd 100644 GIT binary patch delta 10528 zcmZ8lcRbtc+m1T)*ymJHMYU#Cl~S~3tF>2+h}c?c3$;obUz93}+O=!cj>Mipt7;Xc zV#J8OWA8Nb#yOvN{NB$ef9Cr<_kCU0ecktSPjpdFbWx)X8-Ob|D+)qFLdmfa_6`&_+*pN=+DNhirxGwv9fW4l1>Vm~(__d3`zsu%Jf_uqd)PD*R+ zDz`5!hG)RB7CV>b9#_BK;fboT-^zK!ln!2%6~Ud5@l`e^tlYrb%Dz%22s@J2VqmfpafbmNE@Af81Sy@?xiMsShkF{-ra`x_%oA<0M z$Z=WE%d*c_0n9RgXSQQ)1M78I5mKVy2B6YQ1TAb-GQ2>SH^j&{NFcoAG0c?W|?$BS* z+}JG8O;=M>d;9in2`s?!cn#(&(e~3;M@L6t-f7?*A;l(B<;>%FRefMrs?K%%S#9&~ z2iakhD>jL$RWDM@kQ$Lu+4Z6sIYtQY-NC_d^(~$zNcB!m^ya|OD_T>o;ieS(B=f+4 z-nBlZ(s@P?yQ)TGfr2AZJTY=OPImAp@KDhyr#P;NtxjBlntRoii&?}W>5_8t+y%NC z=pwD5=Qb8^(FS@PzLT)nWK2VWsQpy}q&WiElx&mt(-Uj989W1&;ak*JJbx7V1d z%LHeo5^8Yv%Jn+D$IW{z^2>My>vdq(-1;e5qTctZt6e_T2s2KV>(U8fqc`CmU=e84r+fx*|*_9d;$j85+D>1X>6GFTs#BU|qr z2wRmk5xbTL{P*iv3#zrgaoUtZ`m-P_%YU-Twz0CZ!WGXng(AdE^48cOvY$bBDVG=?=Qv z4Sr={@6J{6v+Q8nPHB17lQSUKBNaaNsr`^VQ%atde!*8Jk<`ca)a0D2zm;!BNwi75 zbh35(y?=hlX+z(#7ke-;{(uT*UDdSJ~+Qk(t%zlb@NAbq|u6+$2PNjX- zmnJPl_truL3xHf`^vlO56yy$9f8D8!iXr|;-Q;O4SM+kxiap0Gv?+}r_T#Lx4$)Q4 zcQ{0vuDrM6BlhIr-fw#o8~7zf!E20(;tK%7(XzVu)fxpu%xwU)6!saAKi-t=mNH=zR9VgZ9lqslzF9 zSyg}hINFk>UhA>_9&IA{%9TXbZ!A3&1-P$@b>^|e;v6EvY44|qw(au$MmUimi#`J6 zNN}>jc>JxBJVpZbDav-&OB*8P`--9 z0Giz_rlWPRNu1x*5dSW_qx=hzQK~2g(iy?edDMOJ1rxf9c_>%=^Y}<}FT-omaPO5zu*T!LsJ>=Xa7l*jC!MctpKkL3flt|O zgB%2eq+V}SE!!O6>$gBICsc*p9($IurBLikVp&-iZ}Es+7S*BLkT}cppuLbntE7in zw5DiTQpvaLVY0&Na@}1j1C?g*rG~PfyQ-I*f(U}p0flfk3c}_d2qq>p(uQlmuQiPJ zKIx3k57yr26e*~k+`K=IIs{y82?r66%O8;N?Ba5*jSz(8t#sK>W&Z>hh%3bC;j{r@ z4AV1e`xP{xp|CtB&+eio@Lowlj=Xf@{AB8lsNk&8C)GJ8=}YEU;ziXLH~*rZoS2YTQYx2ckK}itE_+Qrl%E3dRDp{d{^iSzis_iZ zl?Q_BmBR=qd}&JGB|6z*Tj3J7S^cy6A}IA_$hynQ6*n3lwM}B5RGTg#JJfPEb$P@T zZSzGm`)=o6xb%pFHJot5+q#KU&9p@%-Scmcmrn`Re?Qz*Xm+;wA)}YjX9hJ6*STwD 
zn>8F-VrwJt${Ub*IyqS`vdAV8Hw3>db{Hq&zPt7!!Em+Qj~&wN@pC(~uK%Z|S>a{jfv&K(w}vtULTT^!KfGm?-gnhzzzrzK$)P&jyw{It^_Nb^Ddz}| z@LWq<9{DImB&h#Ju_~mDg`9029oCCjUTN{iB#NI+vh*u2$-DPG?e)27T-bHx(EvXRVLVLe2uuIp{HOSt?Y4+n%Q7y~$ixiD6Wacbc z%8UQL*8sH*678t8@AcgnyPJ@zGJDxEhz-tyls3pos8-XPT;;+ep53Gv&{2>~7BR5* zSrCn-rS?W`HJX>tzvD)D%lt|9Uh^}COVrJ?06E4#Ec+yUotHEFsW5lpTOY}*Gy0gh zv?}G-Q`i)rAwlcdd;V|oiOQyA>Z4gsuREFi4m*oSw+93{2I2|W8%FOTeT?WXQnJ}q z&6X>HZ|)dE`5w`7Zrb^z*IGQcQo95xCr8=|FyT3noHK^lBwACv=h7dw#Fk4U)qc^; zKsitKi=|ISEJG9ef52Vd)Jjlf-55EYC3jTPaHwX&b?eX_T>M}}_m1op~h^)5g zV4=F(CKcblFnvL+3hGkVRzLKZR}Xq%T*I_o0xm5mDEKiLHYYL(f^&#{7PzO^t=4c?W1l}((>L#P4nN7m`%g#Yw2EDY$4C)r}!DUqI zteg~`?;WRI+KP+uKPU7n3FDC78av9un&g|XoQ5ix(13}hAkO}R=G4C4|NO0SqT`i1QdE|NYrppUpZuBll zb^5BYeOSmrXIMYi!dCZtpWW@(+u&s^q1AKo6m_#7WZo*!u0&`mgi>=egF9Dca+?f# z34tDvMB9nGp-j&H`SX!r$W@ypqHW}+*9jyxD%wGe12&J$U6hH;xA3i>7Dh$wqt}G5 z2iz2tn2a^{Ms`tkwNA6f=L2~O$r;8&mOHwXR{qied_HY$E%l{4ynx<}on%Dc&o$~N zvTWsahDe8wh=kFOHHr*a1(?E@P87|vHXb~tzP)0jlFfc<3KyBEiK|6BQaAg1>u@xP zEw|tmsBh=vl_N(|V(v6;3L$LS?UqvYfstm8%w=dN`(>vf%dHXsb@7gw^vem-&=zmO z8UAN{6GkpqkO88jx4|eHD*9cM*Tbh{RPHz)rJmOOs4pF}E!dr!c5!rAu+TA$0oT-8 zJt_1WT8X*6E>p()z!fQuQgjingsWNg4#7J&eG)8pggwOsQhH;CIO5f`ZOy>lAl`t( zoZQi@BeU^Hi5I}6t}hA|K z+nJA`IW6Ri5`Iv6$|p8sI%+fl&I8t?%>7ZfoPrtvLWAW3rLVu|IZBnf2-NSk=(hf4 zS&@%dV(OI>JkZD$#5aPq|8T)rJ%DHV3=SF)f#dn! z6s#5~kZxN&ihU;gG`5Lo`$+BOy|#i5PG3E}%+n>V$JEVky)h_Y8@`LWGKKDUIGa5U z2M&r_l!%$6*!TKf>-B7lK1Hb4+l}kxGQX_dG!kSrn2~fCfyMZm3D+OVg*tjk+T~Pqw^sy-{wVE=j5W-MR-yq9yOC zWVR+ahaI&1zm}un(!1}zJqW*7&>>$LR~g;}rM`_>IRHnQSs<5~x(_eO8k;|&r@YEK zw~&rWKW#$hBmbg(wN$h5@Ie`69+{T+MLEtt<|5c)Mb|102w&ArQk*8Sa6;RbLlV#!>Mv@2N!EF{`^V&G*upS?m=?el;%C<5eh?FsU5b zMAtp~IeoF1xal_;%n=|{N%I+KzEFlzUGw2Uy#6WG_AFqO>}ZVHO!actGc_PHfz#!) 
z#VG#c;w`;cnVRYn^ef*{rtqkz$_@@4aq}HBRKCOJYyN?)qoS*5BT`bMDUZ+mo#-g- z=O^4Lr^!OboYbx?AEw%O<=hi2=ly;bUsR>l$@kjkyI~8wjhoSm&K(Bg)D(n^$={RK zTlwJimYUMCV?%!=Apn2aL!Q>rPhgcdbTOhT=jx^-jw^1)@ftcx`}x$_!&ySUH6W~u znyKn}#t(n};U!Obu{0EE(bl6-vDT+<;{JgbU-gbXhTL8S=9~1ZudROIk5Sx|a)>Fz zj1G_W#lxnY6_Z{)2aM#roOX&>UgIpMNSwB#SrG%(u^*M5ZFaVsqaM#OqS5}|8@~!I z?ZOuhT>kcRm@25|H~$+qWk>BQ{z1r^%2zPSp1O69G||3ex{HIw(VA*B0EyeR+ZH!Z z*jMbRZ(sUFw1$w3w?eF%=DrNHE^$%XKDN->$E{GA*b^@Vz|bdk!lR%<%|X|ptt5x; z!^*OW4fN+gyIUJto%3cX9e%fKksURELEP2(`XVptZQ>vYlzwNWq&t>cS+UE^#vt79 zcJ^b-JV0Gw=)tSF56#L`DqE4|Wu*qTnP`YuxdoZ6TjT3dl$!}zm({p&rKmTil5KJa z&SWNd@8b+m&qtYL{E5fzXV3JB`6WJaJ7!X3w&hju%R5mr1&s~f00PUif+nPqF z7?$Y&@o9U;?KNzvu&}VhOLIrAFy%i))#o-i1&nqBwU0mDU=UZ_p2@S`793El{nX5e zCMo7u;m5@n+htL(K9IT3CW;q2w7|r~1-2c$Aics z;}2A&32~~Yr#`x8jPaM>rmWYvFv<9fJ@*pV3V&Qvdb#e zHOq#jafO`-)8$qa9 z2AYjpuVo0q&}yRz=2=3jQBrN)t1n&xwJCRvbd2!K@?|h1TT#nVxtr1uI{s?0C&_Sr zPYm=qcnGx4E_h5Ya(S;H?CVN<-X1J#ix94{{NZ~wWd{^tZ|RArM{X#|jPtyAF_`N~ z_&iEy&sNdmsULh8qV?6Bo)CoD=|oj2P8SC#`L9^&X zGp0mi*7cIXJAa>QFsgqGP0Vc)fUT(c6a=TvE09dd(M>rVY@&=3l$V*u!2-f6BX2T! 
z-8Kjw5KzC|5MmRwu1`m#tWdTfNn3S5(!lG}DpbIdykedy9C3!$3wX-z|JV(iN~?BB zWE3za%3qN(rUiI~8~^GqDRv$a#Wh8L#U7lNK&;QA zxf?L!PkQYa8grBX#Dz39`YlHp*FyZ3pO6YLJep&b$)Rsx2Eb>ond#|iaH)x|&Vs+Z zzyi&A-cCW*58%^&EkKh8sLE&#k zfpim*;LroYWy%_n)0MK~#0x88tHP%89F!MNtj~5+`hJ^%&HA~XV#9(TL7)8obbF1P zn)@V?3T2_2315fV)xK`5)(9=sO@LQoS99lR#$VN91 z4j+dzLjn5)EEBKn2Rjy;xAk;H7Eji#%Qo4WR3ioQyrM;HGr^}-kypz$kCUty!`oy0 za4s$@4HsVTuMF-j4*;Zt(UF{63LzI52Z}6PXJ>y1*SvI8Vb`C2MJ~%W1zd=~fXPW$ z(!E^wH!9H^C#@ zbVq|KxvSNtb--|>pj2JXi9C6S0i9;Ae6=yZI3G5cv~M0Hh`Wk&x#MGr*=ef5VEtLp zuVYT{5G9uaIUol3MT?OWJz|TCBk&Rr<+lpb&$vH0GBPqgUM#~ttx5&Fb@2A{i{)Yc z*^@)Z$=ic#@G3kQm5pe4;C@|`hhD;ymEOa3kohR#hCM2=Az(+xVlMN7PQ09KBmem4 zqo%Evsu=ZI#ATaT-Rv=*zN!&95mj^T-zX{4t z?Vqlrv>R$N75oh&%Xd$fv%Map3~sh<$5R}t;`xP|s`TpQm3h0+&5e~6bggoO=j6=9 zWa2xrA)0(F6Nm?lA&Gpq5Qc$DuTRl?Cyx)k!6t;ALuCArF}(axquuxy80&pUv=yhX z_fjchR0-<}d;%I9s%K-Fc7d*)R&EGhv?^mOozo66Jl7w7MX;OG=0HE=3V%I++^p_1 zKLLRUhqSMBG(DZ%O_D|~k6$5cY@b4R4k6SPIdly=SP;e3?w ztap|X81~LnZ#22ap*x&>0FX<*kJ+0N9}=U6QN9t;fF~j&#lt8l0#KoPOAV)1D9Fp> zmwFz5LpZo_(sN+-S0PeNKj43`zii_$>&-rsRjQZ?krTISxw(3r&Agmy+vK5@0g)_S z#W|Ef*PfJHYJuHqm%keZJ%{qrqgyU~<02A_L(aKpi<~=MHrEukaiVL6=RRM*>+0*7Z7@Z@gfBVeF$VU z)@W;=q&ZXeexu4^z-(fJ=D*`S=OQ>Ux2RlgWRoh{8Y|Xxh^cXIL=3o%i`tj0m#iYT zMw6@w@E`&Jn4)1iZE6;3ztVf?|5H<>U3#Z4iSbI05y1;-Zb%fV>iH!l} z15e=^cnzvr{XdDy1?)4XdaXu5;eXLfaF21#fC0zT_Q^6DGoO9+Ygv`en+?{`iB*87 z+iUXS95+3qC+lJM`g|p*v_t)@XCbsB=z@i3QSP#H>}z5jb!+H&OV7hG$RGEQ1P`hZ zbcpxjuaj4C$AQWgFR8_w%E`|$w{y#}qqPQz7b+B=J6Doxz~TF$ChK8b-e{HY()12z zDh7iYQ48pN$1VHeN$7>glcA(#;M5WGOe58cpxJL|p!0wvx&x;&aWEnzyRvi8||A~ETw>7yioMmUC?x4P!!zhWD^Yzn-mD+jAg8xagNAL}EiXiPJ4Nk4E(+DZB+ho6AcBcP($2D<@yj$O=u8B0e zjZ@>i<3BwOiby}kfaIG#uSLJ%usM*pg#?xEtSxy+-#z3|DqY>RbZ+)#L6eNd0Qmdg zWmD9@-{7VHmp0*iMXm5*v(J!9=hObwUz_Wjo3%3E(=P#&4=-I7=lEz)`s+LUZJs)h zB)fgqBS$YyzVqsvJGyY&AVs#64K2=+9J2PBu4>;kVRzn|~)ZFMB?bpsbB{jW-=97PA0BD5&$hwE{Kio5G*ICkdp6xq|aTv&| zsr}M>Zg$O38#Uzz;H2q9Ks}o|1;!$V5IS|yTP?ym;WQ+hb3m-JIiQ64f35CV%g^s< 
zfcJOZ?+tpSgOEdHfufWb4nZIgMsRTMPNtUViwr-Iy~{<1T(@u^D^69}oW4rhyM7rm zV4JVrvAc5K7by66($QRD-eB5Jr!=$Op-BIPJ<62j1cXTyS9)kcH$yI<@JH+4D1Bre zd7om~ zs)elaYLQ|7C8Srv>V4ur8hje0Y4LAg`(2io_ncx#{?ND@sUv6AdppIc*yE})%6KVR zcsw5mL7X@9S2=A@to;(3_;7)HqV4tvW~Npr8W?$EiWfmCcQ0vexThQ2^UzyXV+$_I(7QbBL#QxWi{3jI*HKd z*DQ;~B%O65&ng6B{*$UJ>T5-bLzMBzOL*z_K%kWia?^;y8jBr!=!Ml22L3?IRGsxX z3ezGKCwdL z_iKq@snQA?!{~c!?|)|gs&d#EuPQ7p?L8HG?s3juVcTTm>low7MD^^E5|jWTV%ctF zEaWqe&u;8Li$Egt9`?;emgLJRKtcFdzXFG;^plx4^HKRM;sb$!pPIt#8-FBy7v5O0x?pG9Q1oBs@1alc1d!Nun$DEExxTr7Nn_Jt40iQ-A$Zh zs<@qn8o2vkpX*#@+ogMjg-^l(tvIS^^f`RXGn%3b_>p-RuC`Uu=Q zEWjnG3Mp;5RQyfS#d(KTq

      1hTnBF9AA!x`l-;p`xsgxPG99>CploAtF`uwHwuH z@X6v@-|>u<_H0PYryBf96M)Lx3EU(7`sZ7T^KXHKlCb!nxjtr8%xoswmWj}&^jK(~ zqIStyhP1i8xnT-P#icbqv18qSB=RlhpYLSOzZ;2pyrn^6SV%5pH(BR-Ww5WZvLDhT z#cN%u1~(!F%i28-p#jhC63mFYqJbta?AgIyJ5nIf)0=Ie8HZTcv1^2Ie>Mb+7GPdd z7Z1&9c)3?-{n{z|@G8+{xdo-9B|gRe!<^sC8ore%O~Lg_>;*)%o$P}|nMsN_*5%^hJf`SW>AwKWJNAwaoKBCLvfeIU%&dq!Vry_#J^i6WgY zEwu^Qpc;}?kTP5>n!Svg@Lepu=0Zg|>mmigE8jNTf-`o3#4cQ*yvKdR)X=Sq$$Cxs z?kQ$_Ek~rc$*%Fxcs3@uQ!9n$>*sg$3TOM2`0;CooFt7}GFzG=r=tbp?sj`Us4m<4 z?K6=pn%pFZ$?u0E+U=RXbQwvCDjGIy5#~oOP;MmUfT)8ad}Vo!{Dx>>_B@UnLEwWq zM)RLg_8(7Dlc2_mbK-*p%&9Jgx?C*8M7mYd!eq;})v05Ewj8tJx75?;pwwa~Momc= zbRPX$!hqaz*?38#J>KX`aPtbOI$qGHspWWr%_a4loafTy@Ent~w2HP&Sa00~RyLp$ z_9!W>!+rn+x~_Jf%&5;Y#H+`M9w^CR>7-XJ`EDuC#vNnq9&mzvV)eJ!qQ%sXD4kjs zMF%e+`0XAJLwc9t+r^#yfiV;{y!w+;WjcOK^V%akwS!liZ+(O~jm~_SH%8m3woe<@A}%UHjrs$%7tG3`w;AW+)}3iSZUK)64H*y69n z+Fy#^VoJWs{R74L`+0KpVtuwBW*0mV{2VC-aj$JrEL7Mxb*nGCVTOQ^{VfQl!sE!TX^wruwXn z%U1+UNAaV}#+saZ5ymtxkypzkfhieIVD3l56_lou-|8=(@aYOvlgT-DqG$F2nwE~M zQX*l}!ILZ65nzfdBxe0cChe5taq825;>EtvtUy zxQ9SVy%2}PdQ~li%i@*ASRq@Ei4BLV_DL(6OCcpQxz5Dme%}T75eAV_nn?wE*h~Qw zq^x6BlsKj<-s+4mkk^TOdppUzMKq2jlak8YPata0TeXr^m#s{k=Sn7}V7c;9)24#` z6tlDkFL)hd5WjzPrj$_%6LjTT!pXcw{KBLE^Lua=1dxejYG*_MqlcW^56a&_nyPwF J%2jMa{tJ>NN%Q~! 
delta 10531 zcmZ8_cRbts_kVD4+fw(cJv-3aT2-rPtBRU6YX!BX#10AGT2)n4ZAvMnN)Rjdh-z!Z z9#KN5y|)-4`Nh58@9*>dejktgnfG~}^Bm`#*9+f4hwq>(GpYk7ox)%nnU;aAxu=v+ zB7w1yT*%nuHgB+T=fdUJl%wr8YvKd3bm3pV((3B!^7&z~tMDUp|A`lzs*CA;lhqy> zV+;D9N`vU!#h|X-GX>Q}@iaKAPm?Iux8e$Jo!XI^-fzg_a{lo)STo}Tg@dBH8R74d zu17P<91tu)JsjYj#`UKVfj!-(|Ro8G&;~ZU# z&y%84fF_T=@@6|60<1p-wFm~)NX#w=#T$l^q`LEo7DA+=M~ zLGaw+rJg%5+Bs%4I|G-~lSN*;p>`$$y(vPwCnN<$M)v)&QxuhVziH21P~LxOEb^zy z@r_c8Q}dPzarHrDJ7cC#7*1Q36#}0}%e8s(qxg|?SLUUeWV$r&Uyhobta2Ob=;-M0 zH{1vGP#0`Zd-QvUx@HKQmWc~p{uz*sqoV?YhNTD;Viaea3irpt>*9jRnVJBed#W@> z7Gs9WR6+F{aEQ5vT^A9_+OBfphfPOh*%W8%2Y2Qcs2!zSRX@LJ1rF-qbr+`|nrl(1 zi!&4Y@xx$(y|=$mRq1GHsqOQ@yGikJ;IRMEfs5N+x?<*)No+-zq*{~H{=$eigF=Oc zjTq|?DS0zQW2GZw386;Hs_Gxs8h(rC%%XYcSIr!mRQWhcP{;eltMOtVxMj06 z6PoDU5Cs@9mzizNSvK^1cF0y;zuK@=+n2dam|FdCv*ycQVC(#pRxMI-=jR#_jE`Is zdnPiuDX9|<9(|ApovIBoL4D5(+8(iwV%q7byN-q6Q>BuLsRW{$rCRzQbj81H+!;U3 zp|8&}d9|r3F&0|wrrqiXjt)Dgd_XD!z?ZeqP`9xdv73kLz8O)97`Zf?m z`>@-wBw&n1YKT#F^Q5i!NWO3M*!B>|IjqK1%Fo8j?G}cP=+L~0bky*8*l+b|*6f@W zhvXrVw$R~1laja1brw+<`!I3QQ*s?cWm81+;EEUB1RjqKNBIaD&^-_NQj6AtCO!}Q z0YJv^@Dl4bx1L}A@{>EcqkDJeG>W*0r-Wx|6xR^8Px?-KcEPR-Eq)VTZOjX% zb?@be&A9B6G$#4g;;S#oU19P{TCh=u0_!PgkH(E6hNpDAbk?`2j>GAt~FV|`IhrDEd=bJFoeAm|fG;QDHYIzd8X*-MgVAa$t9+o_KZHL2E*;#ay zCVKINybg08^_+KRF6+2Bn5&aN)>sO{Z%2lzrmArBOeY~E_|kGUTk)}?>1k=euhne> zrETHpyU|Y(Do0Tyo50@@&K$aqoe9DVrpil6jWlwSR0~{Xl3`GYmccamZ!I%Y)>^Y; zRqu*%575cVk3jr>oVr)x;@O)n?}hG*?PwOQf28-!DWIPM%WRX*S(q!$a4gOIb)c-I z6w-f1(sKIa4bip{^a77gxk|rISDI zg{>PkJgM8%MmZZJbjxPrNBsM0NiCuq^{YVXX*Myqk0T)NqRNsUr)_X~Iw$hKRP`S` zzB|5-3nB6qlX(yL?IhKvljuB~SDodMmY&(k>_^u|EZb!F@0!)ph?t@G+@v!?gM0C5FI9Gm4y3<(LO|*Q}65^@aTlr+nQo+A$#}SOUpReK-$u&(N5Vp6yC(8}_f_UuE z;P#M(?pDFlM(B|ALvxAc8iTfqW-b1B*UlQx5!P0o67$|H7n`c8qf`85<5H2p=_u~+ zkh$H(uOG>q%4UU|?tyMM2SHYNk$EC4<9SADER!bS3Xn7%Yox|Nt47Pni0u1=He!~< z@ZSd60r5m+^h9*|(T29w5YO};Lbp7lIDR@bxS#C;heY7K>_Q;9?C0?s1f@cm9kprr zDqD<75P?4RSxnf9iiaPVV5j&KeCwJl#G_Z8JCzfKq0Q<_hUd22`x15lKd@Rt~Ng;CQN_3z)?4E_Isow 
z?xRn$jr&Nyg$9q^{ST(Q3!O;rx)-~u{vUwSj6o1y{HLh&E0Il8?wtK9DaDP>e$WNc zgR~jX2Rr`DjtkwPq`xVvfAk4gf1;37C?XNRGe&ieX8KO2PaK+OaZJh9i^f3BAvxRg z6n6xJ&-b{uK8coAo`uVD2C%v9Fzn0V*lQz7xa~-X%%}1?^%jx3H^KWdm^(gu5Wr26 zPg>gUYO?TK$M^BEI(0E-d=2j=JhiNY;ArQtp|!|~;U5f7os&7m6pV0_4X)cx+A&m?l6Ni4_4BNi~tzs;KM5HRiJSK5?SIV`n6{-l|^=Y2Q^_ z4En(##1Pm<;om*4w#zcAc1tx!UqPRF)$uka8~#Ji1vsonO0VYW0L=nagtQNUGBV>v zo9u$Ml4kD=cGDtDM=DDgk5vD{h5Ep47f+Hz-%bd=dBR|mSMl&A)2)fll{+4FKO19& zO06mEomxE2(w4HA{33DYvgX)r!lJ&{IaB)3hdYZ3dH$r-yw)udVbdGa*A9H*{RoJL59-i zMjFw!ooZ=}zU2!$Syj2Bt)xV~A_-5jPbEV2t)=IsW{EK>c)YkczG__RXcqd? zn94Pj({hu;L49ZGVPY*u0@g`$`GWT6e3_CW$1oNZlHmZP4^i@5gG+Wpq+!&&>2!eu zSb>Zxe%E-3uT4S3e~Q56YB{OAA>`XAm(}{5nhRYU@bH^w){aT6?SJ+DJ@~nV#u;!& zqtS%2*4k4Jai*>A)veu&Bz}ET$nz+Vbm6_gy7msFbcH137j;n{)?NrRzSw`h=oQT` zV$(aZ>t{EpQNL0r)KT79#FUK%u{Tf0@5y_*JFQ*4tTVJQeKV8dl>m zw!P01YCvZH%!@nfR=FC(wwvA})h~;ED5y=!lDz8i5F-GHDV8VUIpZb2 zC$DNPOx?95-&qXRNWO_#2vH6{))h7Q#U6lqBoME#`2J^ApynMTqL(}*ET6Nf+5Jg0 za-{Lf7;K?K!j?OEGT?asO?oEd&PJ1~Ny@#y`;dbkUzJ1sesiG{Jh3dsSFKIR&J^qzQ zM6?u1Op#5q>Ni8%`2%xYu2~s&iDQl}^T4oyc19ICi7&9zxJM(aS&EAbuh{pe4AFJF zV^r&vJu)|z%1EzcP|$np>N+G^Qefn!Ph77kajeIbt3vF-o(t5?#2?l@8x{%LSyUVTNA74)$zdvaFb=t_i{uQ|-B`rxuwCjKCz zi#H4(@1dp#$kZ59*XL-eKuO2Phxt>)vzohZW2jf;P35VU$t34bb5@@cnai|vHvyY{ z_ln>C`kTBEi&=K@U@|w8LhsM^0sVr-{Oc9Mr?G|%t@5EMkR<@-a#}}4~ z^T$DKIHt;fRdb9!u&(2ey1fea*Uev{_SGgJ_(Pejlfyi}7>9l){v>^>X78O=p6}Mx zD?vbg1cBYg!u<0$C3}?RS)mE>uQoaH#pDc;uYLnhQu&?4YiAF5svf(_w0dj&Nq2YG z@}RCUdViOe6!9mFf+g=|>DjflDf3l3!TfE0sPO#;&DrvY!B7pH-R!IkT=ThIT)^}Q z(%e8_zjv;>|Bg~8NL_w+kd8(5nBI10!r?*}7KEQtS0a5pHBt@UJ;pJWnJ$u#1Ktxl_0N*Jh|UkLkI~l(;SOP`0CUeV4WE1M9#IIJ?Br zTXzm}{S-_Zx+)q{gYfyYFkV0N7>LZ6x5n3K=CW6>R7<;iq46xdiQMYa1uUifNv9KQ z>~W;iZW#|KfX5F(n9lU0|FFFh@r+Pq$Q2UkM;&`jr++Q;4W@CR z_{GbMsgoind9q!k0SNb&d~6+5v8R+%d=)3ZA=(c%)DG0i;V+XX*Rs!cUE(u;RsRe0 zneP>i)IIovsJr|HPf`SR4(4LNdyHj#sVFL8s70ZmLtpfiTpqAvsMTyO$O|Zv>I8S! 
zo?Yl#Jzo}bzUuuv$CB1ET`uRxDfI7_F=GJa!01R7u!l zs-CFtTwK#hFr(T7#<~_(Y1ATE&K$b&-d)K;&a?-vfv9;>TMxF~U%|G-U#pSNaIK56 zHV1}T?^}79A8Z82cM(@MGQUn$)m%Ggg-h_-k}UE&d$VY8A1R88!T~gFZ|UfmKDIig z+5~h|PR$*)NevW$y?Y`F#AS_Wj&wzIkz*&XVg5)u!=r@j2OLXiE1Wwas*B?+u}CgE ze@IRH-E&t7*N zYfG+3w?#h22GJGO%gEe_ej}Kq@zEjdTK28!WMrW)^fb2Etb*npU!9g9O#YZs13M@; z9SIU>XJ@o|1t1W3!aJ>UiT=wkr_Vch{o=Mc7gEnA$ztX%8d0qkP0z>mW5Z5a;Y#%mmb48<{Y`!4KqPbasFTZtU3Y;pCP#oi@?X?oCD+4%-;$|oK>0U~uh>cAHIUvpZy~HwnZ+F|5h!ZiKmr_2U$(7ucMt0*X|ukXaY1SK}R849yaL>C=S#J^eH*bT(mAAujxJ-$*wwTM3aA|N8?;l9p=lu^hHCJ6j&sjGoty zn`M}KO{+WceUlWoYhTCOkm^3P-p*P0ZTW6N5#g`d%u-26Ujhqdl|nWJV#~2*#1}-) zLfds#-q~XX>EB;Kmng4jnHY%-fx4QSn$ACk)b(i%>SnWs3Jk2QviANz_BSxS-O9TzNPt|Er$UitwrXUMFTbokUBKRlqs|GU7+d!dIAg0VboSLnH!9yk-0Vgs+qWH@i+T6@NLgqcLk^uoOIB zcI&0`AoD{~4ewob9tm#8M&Ik(x;HRhcF?fv>jX3cZ1xZm6WT?sVigG~DcS!M$}j)^ z%BwT5a8JJC&B&rdUmpFC5cP!QYBc@yuCQm{XW;WzjOB9H__c6N&HoI;@p_Q8?by z`0+74HT|Ya>aZHOjMK`RWnf)Avsf9$Iy;B>zB!)udG=pKKvxn|o*7yIV!6U*r%)!3 zL6ZCTBI_(JQ~@hXad+=J1x@<4R8$WsCoI;!_^!ytH6ya7Hrnn)V-_8ElH7SNnufl1 z#!#bgMBs=BWeh!68It^>4E3kihR%u$iS?Mv_E2I7y?q*5JI4SHu%WcWEgsq+Q68U< zyI)cJ+?kSo?X7X=!&<(gHBm0>-A%Kyw-5+KN$ei*?r%lU%Ta&Qzpgz;>f0ZH|9F3E zaXc|IKR3G|KxyzI*Z}?30JC>%V+OqHAgl8deD(EMhGq_dKZv?&*dD z({r7PI1c#ZnK)jpmk+4z_8VE9${nplL>aotbboMpe`v&SopmYU3#(hgPTL73O?q%(s@9*rv9ieO&Z{)+Hm^A>zsKebO_2p}j4K{CX7b{&tvfKHe^IlBug;7pC z@rxe4w87guKL}8`X-$&W1=DK|!M`gfEl2$1iZ>B;nGTuQpF1`Qp*1&iazJe_nrO1F z$3B67#tAj0MHqJ#jjDQhBs0c#P-oi1Mq4}2(t6X32dtduWxOxZoi78F(BkRnkQA}( zoytm(PM=?vtE9Vx4~N}y`mJA~QXkCB)|rgLCNpW?%{K_0dOAE%|Hr#0_u!waG)oNN z;@HhlVotW|Gmkj=f6urJwtHk6)1YD$h_7I*S{AyW1G*%?ji3n#&>7)nl*X*sn^@AA z&5rc^c7L`e4FsDF%{L4Ot_#?a3N49TM-~l?hm0+d|IlWjg-E(sh<=Q69NGIQTQE5~ zIqBgMBQH#@eIaxMEG6^VtRPnMsgmb!vCgII8v_do5C3uBCjHY~DX5vaovnZb{m2ok z^K!nsE_EUXu#`>8X7t_04@K@#i31u#UiDeeC-nEjr3gWu>w z9!@e*O|FvXxpb;%nW8`)}y(4#SS%Rb#+Ha&#%LKSHok1s(VD7@nh z=4IhXvr6rIvMz5@b<<%#T5Rx@Q`fJT`Jcspy3KaVoXrI)J~OQ6W%z#aPRj$-X*QqF zzALgg((5^R-o?o2cT&X!Jw3Q(b2N%NM}At-JFiPpO!nTpw-m-f%kd~7>t+?MpvPaP 
z1VoeUk6${bQIq?h2^LJPADwm=GrBv=xua#dulAhSR)lUW%M0vBpT$$AUsx!zYM1Cu ze9PM*Y5*W+6kSN@ij~pUlk?m%3j-136^^z4CuB+Dbp!n@nUcK?PBdAuqA;yo9Puq? zl)U=}ouc~9I~+P2PkSk3@=2@105PLRq{%M>972iT>f-!4Uz%dy$R+xZ26I4(wg1kw zLkmsKc4|Y~t+)z6TsB7Dy3QEOBDY;Eup&%W|oaJNzl{LW*i9hKFcR3%Oz#E_~XDBopQ#%pYHFiM$y|I84q<$9_p8#y zz}!4_U+?Gi8GHIK>inrh)KX1VVrr{BeyOjsxSU=Gt9Is?>h{&k@3u0wb7~8MvrbR$!7gC^(#2!V9}(oK3gI4`^<-g_1dGIuzej!~$w?_l z9ouppzB|EMQhv6HUL^H>wfd>LS6el)cb#GbX-P=>#*;3mv?>6RVf`UXVo5N1Mik^# zPOudY)O?We83fQxL7-5mo12@f>wDF^(2Wx-%_-;8-;G(isda;aPL965l}|<$+b&h# z5s0tg>_%$YSbr8~vkqcx)hb#(vEr2a8u`FdK6pC z&W!lyv*%}@mGDOr;*U8yBn>2samrh{OA-Cc^vN!&&5p6eFUNGyj@N%&DEc;!M-wy5 zPKvv`B#IVhTtJ{thG8@SrcYq3Ol6#9SL~R;#Md1M{!_(we!-ySaFAzRj#$zgVjGeK zu9r-sinEzW5QW?Zfn)^exj-knT_y0Vep45z8zsp>W&FidFr})vQD{AC@wnO+?KUDU zXYrW^1Udr~u_zUyWXPx=OJG{-ycj&wUAOo0yv6QtdyOlwE^lon*d5n9gR`Y(lmns* zqZ}2}WxGSNx1R0^Ec7Snh2Wu&@9zz62>Um{QK1f!ASy@9)C^*#GcE>CKZPi;mel67 zySuf3Kz3Tx?}N{zlN?h$l^bhG(vvPUHdpPlty%9fSHaPO z01)UR6+)RelP~BL=SAburvcMmdAH6@u}FLj(4Le+FNAE8m?g)ADuu*(h=ZXtAk4k9 zGg1sxS4}n_CH%1~j%whmFSBgo)xPSGu;}Azv3Rsvtzj+!^M`AHtUP{=<#`!j;AjTV z^O?f8m(WwQKUSw<09{)5RQ2)Pg~0$q!%8_V2Z*H1)?e7rdkk8X&m| z>#PKXY}bh6ZbkW1;V%5aJM8`{<@xzkXblp&_ipN?m|QeAiw1NLh&ijKbhQ_?kW|2C zqA2)|{jEuCLx7k9U*W{w4l=6os%2MQ{j51_%-v*geNSog?_}vbHr!VWqd3hIKB~*M z{-U}pZKJzAwOIN2XSqOA8Ps5D>y`FGyUw?-n+nFqOMbj=FK1D$KyKDfj1*$!0oxGl zih7*I^;fddMF5Ns9tq>80fk+mau3SY&s01J*-aA3G`FAPm5@_Nv*kW)mvF;+t8K#P zky&)@mM*0e&qEOUK}+T1UKZ+A$EC;qE3;NFqjOnMW@FThulbwap=NcPn$rbl;oc#Nds=0_BTM4z{q8GwjSxuzLyh{evz>=OMIp1F5V?w&!D_DnR;m8>&lE zsVsz%wKG(Rt(sQ6alcris}qa`I*{*GpJy`%JnAY+!c$8(K% Date: Thu, 24 Aug 2023 09:39:22 -0700 Subject: [PATCH 34/44] Final tweak --- .../windows-autopatch-deployment-guide.md | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index f3098d8081..69cab728bf 100644 
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -109,7 +109,7 @@ If you're an existing Windows Update for Business (WufB) or Configuration Manage ### Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch? -Customers who are using Windows Update for Business (WufB) or Configuration Manager are ideally placed to quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides. +Customers who are using Windows Update for Business (WufB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides. When moving from Windows Update for Business (WufB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with. 
@@ -149,8 +149,8 @@ When moving from Windows Update for Business (WufB) to Windows Autopatch, you ca | Step | Assessment step | Recommendation | | ----- | ----- | ----- | | **1** | "User based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) | -| **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, you should prepare your teams to understand that your Windows Autopatch devices will start using these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). | -| **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is utilizing a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out of updates for Microsoft 365 Apps for enterprise. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) | +| **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, your teams should understand that your Windows Autopatch devices use these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). 
| +| **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is using a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out Microsoft 365 Apps for enterprise updates. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) | | **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | | **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WufB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-one-prepare) | @@ -172,7 +172,7 @@ Regardless of if you're migrating from Configuration Manager to Microsoft Intune #### Assessing your readiness to migrate from Configuration Manager to Windows Autopatch -When moving from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune. +When you migrate from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune. | Step | Assessment step | Recommendation | | ----- | ----- | ----- | 
@@ -216,7 +216,7 @@ On-premises AD group policies are applied in the LSDOU order (Local, Site, Domai | Area | Path | Recommendation | | ----- | ----- | ----- | | Windows Update Group Policy settings | `Computer Configuration\Administrative Templates\Windows Components\Windows Updates` | The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. | -| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WufB)

      When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update. This might cause the connection to Windows Update for Business (WufB), and Delivery Optimization to stop working. | +| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WufB)

      When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WufB), and Delivery Optimization to stop working. | | Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WufB) service with the Windows Update Scan Source policy.

      You should review any scan source policy settings targeting devices to ensure:
      • That no conflicts exist that could affect update deployment through Windows Autopatch
      • Such policies aren't targeting devices enrolled into Windows Autopatch
      | ### Registry settings @@ -239,7 +239,7 @@ Any policies, scripts or settings that create or edit values in the following re When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies. -Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch delivers Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. +Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. To ensure that Software Update Policies don't conflict with Windows Update for Business (WufB) and Office Update policies, create a Software Update Policy in Configuration Manager that has: @@ -265,7 +265,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop | Policy | Description | | ----- | ----- | | **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.

      When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.

      This setting doesn't apply to all scenarios. This setting doesn't work for:
      • User scoped settings. This setting applies to device scoped settings only
      • Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
      • Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect


      For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) | -| **Windows Update for Business (WufB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behaviour, which could impact update compliance and end user experience. | +| **Windows Update for Business (WufB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. | | **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. | #### Servicing profiles for Microsoft 365 Apps for enterprise 
@@ -287,7 +287,7 @@ Part of your planning might require articulating the business benefits of moving Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate. -- Identify groups being impacted by the Autopatch deployment +- Identify groups impacted by the Autopatch deployment - Identify key stakeholders in the impacted groups - Determine the types of communications needed - Develop your messaging based on the [Recommended deployment steps](#recommended-deployment-steps) @@ -325,8 +325,13 @@ First contact your Microsoft Account team who can work with you to establish any Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can: - Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers -- Gain access to exclusive virtual meetings, focus groups, surveys, Teams discussions and previews +- Gain access to: + - Exclusive virtual meetings + - Focus groups + - Surveys + - Teams discussions + - Previews ### Windows Autopatch Technology Adoption Program (TAP) -If you have at least 500 devices enrolled in the service and are willing to test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features. +If you have at least 500 devices enrolled in the service, and will test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features. 
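Review bot: The rewritten sentence in the @@ -109 hunk ("Customers who are using Windows Update for Business (WufB) or Configuration Manager can quickly adopt Windows Autopatch") keeps the spelling "WufB", while the "MDM to win over GP" row later in the same file spells it "WUfB". Since this patch touches most of the lines that carry the abbreviation, pick one form here instead of leaving both in one article (PATCH 36/44 in this series later normalizes the reporting row to "WUfB").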
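Review bot: In the @@ -149 hunk the new row 3 text "you can opt out Microsoft 365 Apps for enterprise updates" drops the preposition; the removed line's "opt out of updates for Microsoft 365 Apps for enterprise" was grammatical. Suggest "you can opt out of Microsoft 365 Apps for enterprise updates". The new row 2 also replaces "will start using these channels" with "use these channels", which loses the point that the channel switches when the device is enrolled; "start using these channels once enrolled" keeps that meaning.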
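Review bot: The replacement "Don't connect to any Windows Update Internet locations" row in the @@ -216 hunk turns two clear sentences into one run-on: "prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WufB), and Delivery Optimization to stop working". Either keep the original two sentences or collapse to "When turned on, this policy blocks all connections to the public Windows Update service, so Windows Update for Business (WufB) and Delivery Optimization can stop working." The first sentence of that cell, in both the removed and added line, also ends without a period before the line break ("...such as Windows Update for Business (WufB)").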
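Review bot: The added line in the @@ -239 hunk introduces a subject-verb agreement error: "to ensure that Autopatch deliver Windows and Office updates". The removed line had "delivers", which is correct; restore it.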
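Review bot: The "behaviour" to "behavior" change in the @@ -265 hunk is fine, but the unchanged context just above it in the "MDM to win over GP" row reads "removes the GP policy blocks and restore the saved GP policies"; while this table is being edited, change "restore" to "restores". The last bullet of that row, "ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect", reads more cleanly as "remove all previous Group Policy (GP) settings that relate to Windows Update so that Autopatch policies can take effect".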
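Review bot: The TAP sentence rewritten in the @@ -325 hunk changes "are willing to test and give Microsoft feedback" to ", and will test and give Microsoft feedback", which turns an eligibility condition into a prediction and leaves a stray comma before the second verb. Suggest "If you have at least 500 devices enrolled in the service and can commit to testing and giving Microsoft feedback at least once a year, consider signing up for the Windows Autopatch Technology Adoption Program (TAP)". "Sign up for" is the idiom; "signing up to" appears in both the removed and added line.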
From c6390ac45430f38fbaa6f1b2fa5001c9f533512e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 09:43:35 -0700 Subject: [PATCH 35/44] Added to What's new --- .../whats-new/windows-autopatch-whats-new-2023.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 7e051ce0a7..a439a1529c 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -27,6 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | New guide. This guide explains how to successfully deploy Windows Autopatch in your environment | | [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added the **This pause is related to Windows Update** option to the [Pause and resume a release feature](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | | [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)| Added [policy settings](../operate/windows-autopatch-manage-driver-and-firmware-updates.md#view-driver-and-firmware-policies-created-by-windows-autopatch) for all deployment rings | | [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | General Availability
      • [MC661218](https://admin.microsoft.com/adminportal/home#/MessageCenter)
      | From 5d2ad5a46a1ea5cde3546df09144c3f7b1a89cd8 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 24 Aug 2023 11:14:05 -0700 Subject: [PATCH 36/44] WUfB consistency --- .../windows-autopatch-deployment-guide.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 69cab728bf..5d0efaad00 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -75,7 +75,7 @@ Evaluate Windows Autopatch with around 50 devices to ensure the service meets yo | Step | Description | | ----- | ----- | -| **2A: Review reporting capabilities** |
      • [Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)
      • [Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)
      • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)
      Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.

      There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.

      For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.| +| **2A: Review reporting capabilities** |
      • [Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)
      • [Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)
      • [Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)
      Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.

      There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.

      For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.| | **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.
      • Identify service desk and end user computing process changes
      • Identify any alignment with third party support agreements
      • Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options
      • Identify IT admin process change & service interaction points
      | | **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.
      • [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
      • [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
      • [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
      • [Microsoft Edge](../operate/windows-autopatch-edge.md)
      • [Microsoft Teams](../operate/windows-autopatch-teams.md)

      Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
      • Gain knowledge and experience in identifying and resolving update issues more effectively
      • Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes

      Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). | | **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. | @@ -88,7 +88,7 @@ Plan to pilot the service with around 500 devices to provide sufficient pilot co | ----- | ----- | | **3A: Register devices** | Register pilot device group(s) | | **3B: Monitor update process success** |
      • Quality update: One to two update cycles
      • Feature update: Set of pilot devices scheduled across several weeks
      • Drivers and firmware: One to two update cycles
      • Microsoft 365 Apps for enterprise (if not opted-out): One to two update cycles
      • Microsoft Edge: One to two update cycles
      • Microsoft Teams: One to two update cycles
      • | -| **3C: Review reports** |
        • [Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles
        • [Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule
        • [Windows Update for Business (WufB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles
        | +| **3C: Review reports** |
        • [Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles
        • [Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule
        • [Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles
        | | **3D: Implement operational changes** |
        • Pilot Service Desk, end user computing and third party (if applicable) process changes with pilot representatives
        • IT admins must:
          • Review deployment progress using Windows Autopatch reports
          • Respond to identified actions to help improve success rates
        | | **3E: Communicate with stakeholders** | Review and action your stakeholder communication plan. | | **3F: Deployment planning** | Prepare target deployment groups for phased deployment of Windows Autopatch. | @@ -105,17 +105,17 @@ Following a successful pilot, you can commence deployment to your broader organi ## Migration considerations -If you're an existing Windows Update for Business (WufB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path. +If you're an existing Windows Update for Business (WUfB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path. ### Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch? -Customers who are using Windows Update for Business (WufB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides. +Customers who are using Windows Update for Business (WUfB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides. -When moving from Windows Update for Business (WufB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with. +When moving from Windows Update for Business (WUfB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with. Once migrated, there are several configuration tasks that you no longer need to carry out: -| Autopatch benefit | Configuration Manager | Windows Update for Business (WufB) | +| Autopatch benefit | Configuration Manager | Windows Update for Business (WUfB) | | ----- | ----- | ----- | | Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:
        • Download updates
        • Distribute to distribution points
        • Target update collections
        | Manage "static" deployment ring policies | | Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership | @@ -125,7 +125,7 @@ Once migrated, there are several configuration tasks that you no longer need to In addition to the reports, other benefits include: -| Autopatch benefit | Configuration Manager and Windows Update for Business (WufB) | +| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) | | ----- | ----- | | Windows quality and feature update reports with integrated alerts, deep filtering, and status-at-a-glance | Requires you to manually navigate and hunt for status and alerts | | Filter by action needed with integrated resolution documentation | Requires you to research and discover possible actions relating to update issues | 
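Review bot: the link text and its target disagree in step 2A and again in step 3C: the bullet labelled `[Windows Update for Business (WUfB) reports]` points at `/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report`, which is the feature update device readiness report in Intune, not a general WUfB reports page. Either rename the bullet to match the anchor or link to the WUfB reports overview, and keep 2A and 3C consistent with each other. In step 3B the list also ends with a stray empty `• |` item after the Microsoft Teams line; drop it.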
@@ -133,18 +133,18 @@ In addition to the reports, other benefits include: Service management benefits include: -| Autopatch benefit | Configuration Manager and Windows Update for Business (WufB) | +| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) | | ----- | ----- | | Windows automation and Microsoft Insights | First or third-party resources required to support and manage updates internally | | Microsoft research and insights determine the 'go/no-go' for your update deployment | Limited signals and insights from your organization to determine the 'go/no-go' for your update deployment | | Windows Autopatch might pause or roll back an update. The pause or rollback is dependent on the scope of impact and to prevent end user disruption | Manual intervention required, widening the potential impact of any update issues | | By default, Windows Autopatch [expedites quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) as needed. 
| Manual intervention required, widening the potential impact of any update issues | -### Migrating from Windows Update for Business (WufB) to Windows Autopatch +### Migrating from Windows Update for Business (WUfB) to Windows Autopatch -#### Assessing your readiness to migrate from Windows Update for Business (WufB) to Windows Autopatch +#### Assessing your readiness to migrate from Windows Update for Business (WUfB) to Windows Autopatch -When moving from Windows Update for Business (WufB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment: +When moving from Windows Update for Business (WUfB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment: | Step | Assessment step | Recommendation | | ----- | ----- | ----- | 
@@ -152,9 +152,9 @@ When moving from Windows Update for Business (WufB) to Windows Autopatch, you ca | **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, your teams should understand that your Windows Autopatch devices use these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). | | **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is using a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out Microsoft 365 Apps for enterprise updates. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) | | **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) | -| **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WufB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-one-prepare) | +| **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WUfB) it's likely you already have your network optimization solution in place. 
For more information, see [Review network optimization](#step-one-prepare) | -### Optimized deployment path: Windows Update for Business (WufB) to Windows Autopatch +### Optimized deployment path: Windows Update for Business (WUfB) to Windows Autopatch Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path: @@ -216,8 +216,8 @@ On-premises AD group policies are applied in the LSDOU order (Local, Site, Domai | Area | Path | Recommendation | | ----- | ----- | ----- | | Windows Update Group Policy settings | `Computer Configuration\Administrative Templates\Windows Components\Windows Updates` | The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. | -| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WufB)

        When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WufB), and Delivery Optimization to stop working. | -| Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WufB) service with the Windows Update Scan Source policy.

        You should review any scan source policy settings targeting devices to ensure:
        • That no conflicts exist that could affect update deployment through Windows Autopatch
        • Such policies aren't targeting devices enrolled into Windows Autopatch
        | +| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WUfB)

        When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WUfB), and Delivery Optimization to stop working. | +| Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WUfB) service with the Windows Update Scan Source policy.

        You should review any scan source policy settings targeting devices to ensure:
        • That no conflicts exist that could affect update deployment through Windows Autopatch
        • Such policies aren't targeting devices enrolled into Windows Autopatch
        | ### Registry settings @@ -241,7 +241,7 @@ When Configuration Manager is deployed, and if Software Update policies are conf Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager. -To ensure that Software Update Policies don't conflict with Windows Update for Business (WufB) and Office Update policies, create a Software Update Policy in Configuration Manager that has: +To ensure that Software Update Policies don't conflict with Windows Update for Business (WUfB) and Office Update policies, create a Software Update Policy in Configuration Manager that has: - Windows and Office Update configuration disabled - Includes devices enrolled into Autopatch to remove any existing configuration(s). @@ -265,7 +265,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop | Policy | Description | | ----- | ----- | | **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.

        When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.

        This setting doesn't apply to all scenarios. This setting doesn't work for:
        • User scoped settings. This setting applies to device scoped settings only
        • Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
        • Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect


        For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) | -| **Windows Update for Business (WufB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. | +| **Windows Update for Business (WUfB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. | | **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. | #### Servicing profiles for Microsoft 365 Apps for enterprise From b35d59760cc1cc0c73fccf6a60c12d7f17ad22c2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 24 Aug 2023 14:52:40 -0700 Subject: [PATCH 37/44] pull-8762-mainchange --- windows/deployment/do/TOC.yml | 4 +--- windows/deployment/do/mcc-enterprise-deploy.md | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 1697bfc141..136f9e7998 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
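Review bot: the two Group Policy paths in the hunk at line 216 are inconsistent and the second stops at a folder: the first row writes `Windows Components\Windows update\...` while the second writes `Windows Components\Windows Update\...`, and `Manage updates offered from Windows Server Update Service` is the folder that holds the scan source policy rather than the policy itself, so the reader still has to guess which setting to open. Use the same capitalization in both rows and name the specific setting. The first row also repeats itself ("prevents contact with the public Windows Update service and won't establish connections to Windows Update"); one clause is enough, followed by the consequence that matters here, that WUfB and Delivery Optimization stop working, which is why it must not be applied to Autopatch-targeted devices.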
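Review bot: grammar and parallelism in the context of the hunk at line 241: "ensure that Autopatch deliver Windows and Office updates" should read "delivers", and the bullets after "create a Software Update Policy in Configuration Manager that has:" mix a noun phrase ("Windows and Office Update configuration disabled") with a verb phrase ("Includes devices enrolled into Autopatch to remove any existing configuration(s)"). Make both noun phrases, and since the second bullet is the one that prevents conflicts, state plainly that the policy must target the collection of Autopatch-enrolled devices so the disabled configuration replaces whatever those devices already received.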
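Review bot: two wording defects in the "MDM to win over GP" row touched by the hunk at line 265: "removes the GP policy blocks and restore the saved GP policies" should be "restores", and "Any Windows Update for Business policies (WUfB)" attaches the abbreviation to the wrong noun. More importantly, that bullet carries the security-relevant point of the row: because MDMWinsOverGP does not cover Windows Update for Business policies, leftover Windows Update Group Policy is not blocked and will override the Autopatch-deployed settings silently. Phrase it around Autopatch ("remove all Windows Update Group Policy settings from Autopatch devices so that the Autopatch policies take effect") rather than "when you use WUfB". The double blank line before "For more information" also renders as extra space inside the table cell.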
@@ -38,13 +38,11 @@ - name: Requirements href: mcc-enterprise-prerequisites.md - name: Deploy Microsoft Connected Cache - href: mcc-enterprise-portal-deploy.md + href: mcc-enterprise-deploy.md - name: Update or uninstall MCC href: mcc-enterprise-update-uninstall.md - name: Appendix href: mcc-enterprise-appendix.md - - name: MCC for Enterprise and Education (early preview) - href: mcc-enterprise-deploy.md - name: MCC for ISPs items: - name: MCC for ISPs Overview diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index cdcf5c1b5d..53d2940cc1 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -1,5 +1,5 @@ --- -title: MCC for Enterprise and Education (early preview) +title: Deploying your cache node manager: aaroncz description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node ms.prod: windows-client @@ -12,7 +12,7 @@ ms.technology: itpro-updates ms.collection: tier3 --- -# Deploying your enterprise cache node +# Deploying your cache node **Applies to** @@ -130,7 +130,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p - Downloads, installs, and deploys EFLOW - Enables Microsoft Update so EFLOW can stay up to date - Creates a virtual machine -- Enables the firewall and opens ports 80 for inbound and outbound traffic. Port 80 is used by MCC. +- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. - Configures Connected Cache tuning settings. - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. - Deploys the MCC container to server. From a9b6ef6df8465e13db4ca0ad33a5fc9e81fb954e Mon Sep 17 00:00:00 2001 
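Review bot: the new port 22 sentence in the installation bullet list should say where the rule is created and who may reach it, because as written ("opens ports 80 and 22 for inbound and outbound traffic ... port 22 is used for SSH communications") it reads as exposing SSH on the Windows host to the whole network in both directions. State whether the firewall rule is on the Windows host or inside the EFLOW VM, which interface it applies to, and that inbound 22 should be restricted to the management hosts or the EFLOW virtual switch rather than any source; if outbound 22 is not actually required for SSH into the VM, drop it from the sentence. The TOC and title changes are consistent with each other.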
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 24 Aug 2023 14:57:08 -0700 Subject: [PATCH 38/44] delete cmm-enterprise-portal-deploy --- .../do/mcc-enterprise-portal-deploy.md | 145 ------------------ 1 file changed, 145 deletions(-) delete mode 100644 windows/deployment/do/mcc-enterprise-portal-deploy.md diff --git a/windows/deployment/do/mcc-enterprise-portal-deploy.md b/windows/deployment/do/mcc-enterprise-portal-deploy.md deleted file mode 100644 index eea23e3bad..0000000000 --- a/windows/deployment/do/mcc-enterprise-portal-deploy.md +++ /dev/null 
@@ -1,145 +0,0 @@ ---- -title: Deploying your cache node -manager: aaroncz -description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node -ms.prod: windows-client -ms.author: carmenf -author: cmknox -ms.reviewer: mstewart -ms.topic: article -ms.date: 12/31/2017 -ms.technology: itpro-updates -ms.collection: tier3 ---- - -# Deploying your cache node - -**Applies to** - -- Windows 10 -- Windows 11 - -## Create the Microsoft Connected Cache resource - -1. Navigate to Azure portal by using the [following link](https://aka.ms/mcc-enterprise-preview): - > [!IMPORTANT] - > You must access Azure portal using this link (https://aka.ms/mcc-enterprise-preview) in order to find the correct Microsoft Connected Cache resource. - - ![Screenshot of Azure portal "Create a resource" page, where you search for the Microsoft Connected Cache resource](images/ent-mcc-portal-create.png) - -1. In the search bar by **Get Started**, search for `Microsoft Connected Cache for Enterprise`. - ![Screenshot of Azure portal after searching for the Microsoft Connected Cache resource](images/ent-mcc-portal-resource.png) -1. Select **Create** to create your Microsoft Connected Cache resource. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node. -1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a “Deployment complete” page as below. Select **Go to resource**. -![Screenshot of Azure portal after the deployment is complete](images/ent-mcc-deployment-complete.png) - -## Create, provision, and deploy the cache node in Azure portal - -To create, provision, and deploy the cache node in Azure portal, follow these steps: -1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise (preview) resource. -1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**. -1. 
Provide a name for your cache node and select **Create** to create your cache node. -1. You may need to refresh to see the cache node. Select the cache node to configure it. -1. Fill out the Basics and Storage fields. Enter the cache drive size in GB - this has a minimum size of 50 GB. - - ![Screenshot of Azure portal on the Provisioning page, where the user can configure their cache node.](images/ent-mcc-provisioning.png) -Once complete, select **Save** at the top of the page and select **Provision server**. -1. To deploy your cache node, download the installer by selecting **Download provisioning package**. -1. Run the provided provisioning script - note that this is unique to each cache node. - -## Verify proper functioning MCC server - -#### Verify client side - -Connect to the EFLOW VM and check if MCC is properly running: - -1. Open PowerShell as an Administrator. -2. Enter the following commands: - - ```powershell - Connect-EflowVm - sudo -s - iotedge list - ``` - - :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png"::: - -You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. - -#### Verify server side - -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. - -```powershell -wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] -``` - -A successful test result will display a status code of 200 along with additional information. - -:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." 
lightbox="./images/ent-mcc-verify-server-ssh.png"::: - - :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png"::: - -Similarly, enter the following URL from a browser in the network: - -`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` - -If the test fails, see the [common issues](#common-issues) section for more information. - -### Monitoring your metrics - -To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal. - -:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab."::: - -You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar. - -If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured. - - -### Intune (or other management software) configuration for MCC - -For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN: - -:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names."::: - -## Common Issues - -#### PowerShell issues - -If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.` - -1. Ensure you're running Windows PowerShell version 5.x. - -1. 
Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*. - -1. Ensure you have Hyper-V enabled: - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### Verify Running MCC Container - -Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: - -```bash -Connect-EflowVm -sudo iotedge list -``` - -:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: - -If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command: - -```bash -sudo journalctl -u iotedge -f -``` - -This command will provide the current status of the starting, stopping of a container, or the container pull and start. - -:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: - - -> [!NOTE] -> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. From 0138693df014279798d904b7921be742dcfe2118 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 24 Aug 2023 15:00:03 -0700 Subject: [PATCH 39/44] temp redir of mcc-enterprise-portal-deploy to mcc-enterprise-deploy --- .openpublishing.redirection.windows-deployment.json | 5 +++++ 1 file changed, 5 insertions(+) 
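Review bot: this deletion removes material the replacement page may not contain: the "Verify proper functioning MCC server" client and server checks (`iotedge list` on the EFLOW VM and the `wget .../mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` test expecting a 200), the Intune configuration profile step for the cache host, and the "Common Issues" section with the `journalctl -u iotedge -f` troubleshooting. The redirect added in the next commit preserves only the URL; confirm that mcc-enterprise-deploy.md already carries these sections or move them across in this PR, otherwise readers land on a page with no way to validate or troubleshoot the deployment. The deleted page also had `ms.date: 12/31/2017`, so the surviving page should get a current date.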
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 49fd3e464e..06fc754819 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -750,6 +750,11 @@ "redirect_url": "/windows/deployment/windows-10-subscription-activation", "redirect_document_id": false }, + { + "source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md", + "redirect_url": "/windows/deployment/do/mcc-enterprise-deploy", + "redirect_document_id": false + }, { "source_path": "windows/deployment/windows-autopatch/deploy/index.md", "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts", From 2950b19dc2f01f742de2b24a41d4cfb6600b80b6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 25 Aug 2023 07:16:05 -0400 Subject: [PATCH 40/44] Acceptance note --- .../hello-for-business/hello-feature-pin-reset.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index e330291c34..d46d1075a5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -68,7 +68,9 @@ To register the applications, follow these steps: :::row-end::: :::row::: :::column span="3"::: - 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization + 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization. + >[!NOTE] + >After accepance, the redirect page will show a blank page. This is a known behavior. :::column-end::: :::column span="1"::: :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true"::: 
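Review bot: typo in the added note line `>After accepance, the redirect page will show a blank page.`; it should read `acceptance`, and "the redirect page will show a blank page" says page twice. Suggest `> After acceptance, the redirect shows a blank page. This is expected behavior.` Also add the space after `>` on both added callout lines (`> [!NOTE]`) to match the other callouts in this file.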
@@ -178,7 +180,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a **Applies to:** Azure AD joined devices -PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\ +PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\ If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset. [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] @@ -196,7 +198,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the |
      • OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
      • Data type: String
      • Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**
      • | > [!NOTE] -> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. +> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. ## Use PIN reset From 5488c268d7912bb48fa134b66a9fb213a44c7a17 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 25 Aug 2023 09:27:02 -0700 Subject: [PATCH 41/44] Tweak --- .../overview/windows-autopatch-deployment-guide.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 5d0efaad00..fb1b851773 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -225,10 +225,10 @@ Any policies, scripts or settings that create or edit values in the following re | Key | Description | | ----- | ----- | -| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` (Intune MDM only cloud managed)

        `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. | -| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` (If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. | -| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update` (GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. | -| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` (GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).

        Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.

        For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. | +| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
        (Intune MDM only cloud managed)

        `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
        (If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. | +| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`
        (If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. | +| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update`
        (GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. | +| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`
        (GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).

        Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.

        For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. | > [!NOTE] > For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see [Manage additional Windows Update settings](/windows/deployment/update/waas-wu-settings). From 6e7e0f50c77febcba1e33dac101afc186fd76ff2 Mon Sep 17 00:00:00 2001 From: David Strome Date: Fri, 25 Aug 2023 16:19:11 -0700 Subject: [PATCH 42/44] Create test.txt --- test.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 test.txt diff --git a/test.txt b/test.txt new file mode 100644 index 0000000000..c0c17bba9a --- /dev/null +++ b/test.txt @@ -0,0 +1 @@ +test file to test sync From 0b192dc0c33981e53c8bba4ff32738d15378480a Mon Sep 17 00:00:00 2001 From: David Strome Date: Fri, 25 Aug 2023 17:02:03 -0700 Subject: [PATCH 43/44] Delete test.txt --- test.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 test.txt diff --git a/test.txt b/test.txt deleted file mode 100644 index c0c17bba9a..0000000000 --- a/test.txt +++ /dev/null @@ -1 +0,0 @@ -test file to test sync From 468aac185b1e74d2d70351a8a3655f980b2f5f0d Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 28 Aug 2023 10:59:46 -0600 Subject: [PATCH 44/44] Update waas-delivery-optimization-reference.md Fix errors in text. --- windows/deployment/do/waas-delivery-optimization-reference.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 2103cab516..2735892b16 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md 
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -276,9 +276,7 @@ Starting in Windows 10, version 1803, allows you to delay the use of an HTTP sou MDM Setting: **DelayCacheServerFallbackForeground** -Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.** - -By default this policy isn't set. So, +Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.** ### Delay Background Download Cache Server Fallback (in secs)
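Review bot: in the windows-autopatch-deployment-guide table hunk (@@ -225,10 +225,10 @@), the last row still uses `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` while the three rows above it are written with the `HKLM\...` abbreviation; use one form throughout. In the same cell, `Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel.` states the same requirement twice with different capitalization; one sentence is enough. Moving each management-scope qualifier such as `(Intune MDM only cloud managed)` onto its own `<br>` line is a clear readability improvement and is fine as is.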
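Review bot: the rewritten line in the waas-delivery-optimization-reference hunk (@@ -276,9 +276,7 @@) drops the closing quote around the policy name: `If the 'Delay foreground download from HTTP policy is set,` was `'Delay foreground download from HTTP'` in the removed line, so the opening `'` is now unmatched. Restore the closing quote (or use the bold form this page uses for setting names, as in **DelayCacheServerFallbackForeground**). Deleting the dangling `By default this policy isn't set. So,` fragment is correct, since the same statement already closes the paragraph in bold.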