From c105d18b44f9b2d6965fddfcdea1b4fbc3fd0108 Mon Sep 17 00:00:00 2001 From: Heidi Lohr Date: Mon, 14 Jan 2019 13:17:46 -0800 Subject: [PATCH 01/10] Made updates as per Shawn Jiang's instructions Updated SharedPC CSP doc. --- windows/client-management/mdm/sharedpc-csp.md | 59 +++++++++++-------- 1 file changed, 35 insertions(+), 24 deletions(-) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index ef19b3d790..fc9b018956 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -27,18 +27,18 @@ The supported operation is Get. **EnableSharedPCMode** A boolean value that specifies whether Shared PC mode is enabled. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. Setting this value to True triggers the action to configure a device to Shared PC mode. -The default value is False. +The default value is Not Configured and SharedPC mode is not enabled. **SetEduPolicies** A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value changed to false in Windows 10, version 1703. This node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the default value is true and education environment is automatically configured when SharedPC mode is configured. +The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured. **SetPowerPolicies** Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. @@ -46,9 +46,9 @@ Optional. A boolean value that specifies that the power policies should be set w > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and the effective power settings are determined by the OS's default power settings. The SharedPC provisioning package's value is True. **MaintenanceStartTime** Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. @@ -56,9 +56,9 @@ Optional. An integer value that specifies the daily start time of maintenance ho > [!Note] >  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is 0 (12 AM). +The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). **SignInOnResume** Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. @@ -66,9 +66,9 @@ Optional. A boolean value that, when set to True, requires sign in whenever the > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and its value in the SharedPC provisioning package is True. **SleepTimeout** The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. @@ -76,9 +76,9 @@ The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value changed to 300 in Windows 10, version 1703. The default value is 3600 in Windows 10, version 1607. +The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600. **EnableAccountManager** A boolean that enables the account manager for shared PC mode. @@ -86,9 +86,9 @@ A boolean that enables the account manager for shared PC mode. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. -The default value is True. +The default value is Not Configured and its value in the SharedPC provisioning package is True. **AccountModel** Configures which type of accounts are allowed to use the PC. @@ -96,7 +96,7 @@ Configures which type of accounts are allowed to use the PC. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: @@ -104,13 +104,15 @@ The following list shows the supported values: - 1 - Only domain-joined accounts are enabled. - 2 - Domain-joined and guest accounts are allowed. +Its value in the SharedPC provisioning package is 1 or 2. + **DeletionPolicy** Configures when accounts are deleted. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. For Windows 10, version 1607, here is the list shows the supported values: @@ -123,17 +125,19 @@ For Windows 10, version 1703, here is the list of supported values: - 1 - Delete at disk space threshold - 2 - Delete at disk space threshold and inactive threshold +The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. + **DiskLevelDeletion** Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. > [!Note] > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. -The default value is 25. +The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. -For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under half of the deletion threshold and disk space is very low, regardless of whether the PC is actively in use or not. -The supported operations are Get and Replace. +The supported operations are Add, Get, Replace, and Delete. **DiskLevelCaching** Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. @@ -141,15 +145,16 @@ Sets the percentage of available disk space a PC should have before it stops del > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -The default value is 50. +The default value is Not Configured. The default value in the SharedPC provisioning package is 25. For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. +The supported operations are Add, Get, Replace, and Delete. **RestrictLocalStorage** Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. -Default value is true Value type is bool. Supported operations are Get and Replace. +The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -157,7 +162,7 @@ Default value is true Value type is bool. Supported operations are Get and Repla **KioskModeAUMID** Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. -Value type is string. Supported operations are Get and Replace. +Value type is string. Supported operations are Add, Get, Replace, and Delete. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -165,7 +170,7 @@ Value type is string. Supported operations are Get and Replace. **KioskModeUserTileDisplayText** Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. -Value type is string. Supported operations are Get and Replace. +Value type is string. Supported operations are Add, Get, Replace, and Delete. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. @@ -173,11 +178,17 @@ Value type is string. Supported operations are Get and Replace. **InactiveThreshold** Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. -Default value is 30. Value type is integer. Supported operations are Get and Replace. +The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +The default in the SharedPC provisioning package is 30. **MaxPageFileSizeMB** Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. +Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +Default in the SharedPC provisioning package is 1024. + > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. From b54a736c9d38007ff0f6b2023110209319b21f83 Mon Sep 17 00:00:00 2001 From: Heidi Lohr Date: Mon, 14 Jan 2019 16:01:12 -0800 Subject: [PATCH 02/10] Updated items as per Shawn's feedback. --- windows/client-management/mdm/sharedpc-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index fc9b018956..1f06ceb44e 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -48,7 +48,7 @@ Optional. A boolean value that specifies that the power policies should be set w The supported operations are Add, Get, Replace, and Delete. -The default value is Not Configured and the effective power settings are determined by the OS's default power settings. The SharedPC provisioning package's value is True. +The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. **MaintenanceStartTime** Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. @@ -187,7 +187,7 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. -Default in the SharedPC provisioning package is 1024. +The default in the SharedPC provisioning package is 1024. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. From 0f9d7766b2a8a52c1945dd275d382d26f7ef5c40 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 14 Jan 2019 17:17:40 -0800 Subject: [PATCH 03/10] fixed link --- .../test-scenarios-wd-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index d2602326e1..798a74c87b 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/16/2018 +ms.date: 01/16/2019 --- # Application Guard testing scenarios @@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. -1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide. +1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide. 2. Restart the device and then start Microsoft Edge. From 4273609566113abf90b638347e3addabbada1612 Mon Sep 17 00:00:00 2001 From: Heidi Lohr Date: Tue, 15 Jan 2019 09:54:03 -0800 Subject: [PATCH 04/10] Updated values --- windows/client-management/mdm/sharedpc-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 1f06ceb44e..62e577bb48 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -192,9 +192,9 @@ The default in the SharedPC provisioning package is 1024. > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. -Default value is 1024. Value type is integer. Supported operations are Get and Replace. - +Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. +The default in the SharedPC provisioning package is 1024. ## Related topics From fe37e9fd9ee70f13d3839814956af138a8e9b6bb Mon Sep 17 00:00:00 2001 From: Heidi Lohr Date: Tue, 15 Jan 2019 10:46:47 -0800 Subject: [PATCH 05/10] Updated values again --- windows/client-management/mdm/sharedpc-csp.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 62e577bb48..dad95a061e 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -185,10 +185,6 @@ The default in the SharedPC provisioning package is 30. **MaxPageFileSizeMB** Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. -Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - -The default in the SharedPC provisioning package is 1024. - > [!Note] > If used, this value must set before the action on the **EnableSharedPCMode** node is taken. From 8033d85023df4981a76129c153a3b380ad3cb500 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 15 Jan 2019 22:18:52 +0000 Subject: [PATCH 06/10] Updated with links to Intune --- .../windows-defender-smartscreen-available-settings.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index ef1582c6fa..660b1b518c 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md @@ -16,7 +16,10 @@ ms.date: 1/26/2018 - Windows 10 - Windows 10 Mobile -Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. +Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. + ## Group Policy settings SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. From 1c6a2007f3f85797944c0ff19e295e5e3b75e60a Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 16 Jan 2019 00:47:43 +0000 Subject: [PATCH 07/10] Merged PR 13812: Added bitlocker detail to What's New 1809 Added steps to configure Bitlocker --- windows/whats-new/whats-new-windows-10-version-1809.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 04956b3138..d95b6a7d26 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -69,6 +69,14 @@ You can choose which encryption algorithm to apply automatic BitLocker encryptio For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +1. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is also important because if the ESP is not enabled, the policy will not apply when the device boots. + + ### Windows Defender Application Guard Improvements Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. From b86583031d077b2a3e104957e812fa8dbf7191cb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 16 Jan 2019 00:47:58 +0000 Subject: [PATCH 08/10] Merged PR 13811: Added bitlocker info to Autopilot Added info about BitLocker encryption --- windows/deployment/windows-autopilot/TOC.md | 1 + .../deployment/windows-autopilot/bitlocker.md | 40 ++++++++++++++++++ .../images/bitlocker-encryption.png | Bin 0 -> 14308 bytes 3 files changed, 41 insertions(+) create mode 100644 windows/deployment/windows-autopilot/bitlocker.md create mode 100644 windows/deployment/windows-autopilot/images/bitlocker-encryption.png diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index dd630b65e0..0911105dfa 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -18,6 +18,7 @@ #### [Adding devices](add-devices.md) #### [Creating profiles](profiles.md) #### [Enrollment status page](enrollment-status.md) +#### [BitLocker encryption](bitlocker.md) ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md new file mode 100644 index 0000000000..f530d66f35 --- /dev/null +++ b/windows/deployment/windows-autopilot/bitlocker.md @@ -0,0 +1,40 @@ +--- +title: Setting the BitLocker encryption algorithm for Autopilot devices +description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices. +keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +author: greg-lindsay +ms.author: greg-lindsay +--- + +# Setting the BitLocker encryption algorithm for Autopilot devices + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. + +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. + +An example of encryption settings is shown below. + + ![BitLocker encryption settings](images/bitlocker-encryption.png) + +Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm. + +To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is a critical step because if the ESP is not enabled, the policy will not apply when the device boots. + +## Requirements + +Windows 10, version 1809 or later. + +## See also + +[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) diff --git a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png new file mode 100644 index 0000000000000000000000000000000000000000..f2766e12d2415d8a70a8443f9b858ae51b6f924f GIT binary patch literal 14308 zcmcJ$cUV(TwD%hoLj%Pd+#54cJ|&gvuAc$Yd-6{Ci1nq!o9l>?*agTdrFG3S^&U} zLEMkv&TZTg=40$`z@8gqJ%tRPASi)q%;Pb z11!AN0WYN)@INbVlLPVa$qQ&^dRJ~Q&?)Y``b zUK--tq0Zk=G@pWZHq5YSy_(=FWbQvl3zS|mmyr#bcCJPDq0W|qmjccfKtsYy0pkIf z6WC%0dW++_cBjy=K2&kM19NIr>B?E~bUEu8*x%oOh&1Tn*5C6D!yV@<(eMEt$ng{9 zpGuiBR6|*L=10Scbk`l4yS+Jwxj4&=lR%e<`)H2Bvzadl0gk;9cK_s+jnW_S0F%p?XJH258Z@81*NVG$T&(Y8sNO^r*KPFG)h` zUkjQvyBGT6hMH;A=z=m~ZO=s=EX!bTe7Ow7U3Uy=bcYppC!NENcMH=@-^!@woaeX1rKL48c=MUiTvs;Vrz^qV16hlzOl9+F(gD%o`^RaMKCNOTi?{DFXO#1{K zblswHdRBJh?_N3nJ0oIZ0^B9dSF1nT;{J!=-F?=t3uXhBF^8-ROM}cz?W`xO8Wm-^p76hPZZ<7SBHHOWz}FkJa87@GU1`>Tjp$56irY zodqUirWVyF2p_~ZDuj{%ZO^gheWgW{z1`-XvrCcPwpmX@>(!s)&Lb2KokgCFfH-5* z=W3>oa?_$_5nNesw^zy%`^6@A;tI^09^GjfK7I;XsZiC7^PN@xdi0uZuQwDK9W?4S zv{F(I>NDG-KB7Px0_|p%YV>nNJ$j21^!s7v7yoiIr0%kEWm(cYyIIEbR9zLCy)iJi zccX^7jGl&bvh)*h9r0D(e<*#|)^Nv$K@YCKcBYR|sn+!4)(xvsG;cW}-jpCM^vFIJ zJ9?pKL};C(e&xgbx|Ac$;Cbn{9g!q`{z$QNJN5Tq!-WN>0?8F3 zkXa+{CF+Z)&vsR2(A5Ac@MPL}9_XZgd7zFoJ6myt9$$X&!<2kI`o<6^=}|1|hROuD zNK6?lb?)(wTXJr2=Cs)lgw2k^x9{5S$?USorR$2BWO~b6&nUa(@N}m_mo@piO$r}; z8`SIP87DdsM2ZcHykUrC?ugpuudN7kS9V+9{Duj{eEU3on^x=bX1hv=S<;7v$JFU! z9wDfyK<4(bPwe1e|KC|YV}ukvR7pi6i;*7R0FgVjxlrmdyCbJZ1Nr8*fobOPA)C~5 zbwIMFp2_*_2XbFHz_a1gsQ5S*;?v=z%cJTr-;M`Hy3}#((IVi_nSF0|taUyoFO)zG zMx;#@xZg0O6mx>xy|_}eqf`o`gDm)iiQ6^$Rumb}ne2-RJLkDLzot8XGM6V)1tvFH z4S@150)4~G_aL+*FLJ{jsj8a4(6CnwfV5`Zp>msjjnqoCX%);&$XZARDFIij`V5svaHW ziRU_eIEW53-tb*64ik=iRY!qEn&^M2ZA;z@8{^vB;xR!SsZ-B;4Tnv0X&JwP)UD=a zhWf;Q5%VECZXF|F(j*_(!CPCEoYVNi!MJDp0rvbkkRC~rgs+LZ6S9k6p}^bxz1_zh z_wokiLSFD1cLuQhRv!zR5WX`}F^~{>-=4{Bjr1aZ)IZZ4RQ1ueAq51!6pPFUrV8*7 z7PU!GD7WY)r0F<#Ffmrj-^kNfdbL(D-nGJ9N#=P3EHN#LYwEI|bzG=O!WV!KVU#UY zEjRu&*|f|qBx)L^U4H+tK%q)bzqoL`V;D=d=xk$2(uwy&mMd>k_r5CIA?Dsc6|7a0Ogvdh-F=uOV*9f*#P@=t z(JIQJ?$5<`w?Ei@*|swq1`p{T=}CD^MjofEL%hPrDyci{3RSuA=3>A`0Y4TnW^&Q%WYf(!GaA0jN4WuxyTLSorN9yWAz73HWSZ2NuU*<9Zio(0}wYtdn^3EEb{H!nb5cY-V;B*Hs-JJ|9XNiH?N%q;Pnk$ z(*QupKThDkcHsZ1n)zz8&*2l|hANY$cTBMbLAV0%W5TIk0;tx<3RMnE82>tjZzczT zs*?8QS*^}2q1Evch2h#j&vV zE?>YJ$FSc5Wg<3aH#`KJR{|c)O00|K_E=9y^~hY!tKEU>-ZvCbpP}lgFbH^~US38U z8tg2&`&g63jSh&l8_79w@Kp8Qn-|4CJPxI2)xW*NyLz+7l7foM^pE}MgUx3BW_&)b z<2^7VBmv+nrPCqp$3f*rW_yFl%+jK$r*2!OJO4g#Fp-hAtf17`kCu_gy^X2b_c9$Q zx8xZEa-M8_!$V1WqS4sV$Fo||H`kE_jr#CM?3a&Nbxi0NC1p3Q78;8A#_Vc~?%$E3 zI2Zaz>9K*}CeJQ^-w!8SE}sbkcZrWM!~)G9uMjTC;a0Fp_~i!Deb=FK_l&JV2^rJN zX2uMUV(emCpwsqT6d8@7P^{`2Bv2EIw+9^F+@ThWG(P^7#@KE7VTj--Sr#wg$+F$Q=x` zOO7#C*^NuU`E=pl*N$cH4y2}v5_&0$GT z;ky4})$tc;Q|77B`K#vqF03xEFX&YiUnj}#E>2Tl{JJbAwCK*q8y@HGmXkCnkL+-- zoqm?xzkg2Fq3z$dTHaCk=mu7+M}{c*DVS_IfBcjfq3IhVR^oFUVio26OnsE<2;9$7 zodg_GCsv&j8pKT?lSCvi$Kw*a3X%f6w9`Q9jLojgFY(V(AhvDtIWrm0Xx-Du{XAP>^?p zIo_!{Pipw4TwbSdAXT#ndC-q&CAg_J!9hM*`wy**OuC=p$GJzR-Q!R2#x2l&R+JA0 z3R_piU-mEzvZ*ZXiJ(@Hx`ELriB}3khpSMarJQelaBj(LN2Wrz`J_~jHWRo|!~_$I z-O>H^WUdFwMxEWWixlT=g^z zo6a`jzya@E zj=nsS-KnFQSa74J{=~I2O;E-m%G9b?S-Z-ZUVeN z&Ek^+i2gPvvl~M29^V^hd9!Z-RjY{qp2t~|PJW#21WeObb>R)Xr^ijs?Y`j0$tGRx z9r0l*xoTD6X~CQGzptj&(ofQYh`W_Xw#{z+AGm=3jpuOsY|g;IASBrl(0Xm^ZC%Bk zPlJx+(HGMil`o2U+8=pb16i3JGahpCOyVqWLyljVYQ%oLaSvLCJMn&!&!@8>+lo7? z9e!llh+|9hNn%4@HlC#yatRCri)|N$jiYNn24!FspF@=dX6GDFPt{+HgC|s>dncx~ z!MF*nxd46Zc2)$B9B1y9iP~q^3dgC)IJ=3ay|M0=p|=VnPj+8fJAXwN)G#6}o(3+4 zQew@~&Ed?EMybruS@BgD16>`M9284lUO3XmXvM`&HlVY;PsXR;Dc%IKzsod3O65j66yFQzYb3sH zL4EZ#bEyp)v0i-do7VL+?dI==DRhvOe;dJZa;Po;!(kuBa&w8RL3(YxzBOi8El;pH zoC$bUYs3dj?Ec_~KHhA|UzHvJm0YQRzD+%2ztSS=Em$08P&&3T8`{TC?^v^)9Tu54 z{*CL>(aiR9Xsp%XPTIhsZbaDj1Uw=6C@w?$Vh7lu#%Wa8)0V%+yvS8562o63$lq?> zjjXvE1uas2`#w!Q$v5RIxFSXas+JFw_TNHhT+#bEi7&6No!Zasy%A7HdCq+le9qxW zbW}MTw@Qwn^f+c(9}etkSP58dTlnT;D>)L|S`jllee)!6Kl7&u{D`77c41n@D$(0y z3VeWCcS{LYYUFgJ|FaF>7XY;-N)SoN_yz{Tc?XzVylVQ{(*`zQ?6%N^J{SxqWz4wA z9@8B^D8{yX%En>O&Nq7en8@L6UQe~bt&Ey0=gNaqFj40wwt1bf6 zz4bn*#$she%4YA8EE4Y?FT;CU-JSW{9TnB$m?l;d!{_=v=1_wQqeglbXQ%4+cF1e* zVlEL<;odvb<5|8qvs7o(IetAx!wzdx1ta0nsjZg# zj`kz&^E%FNHZmL3M$$+>Xba3wU)pBFbdOAn=nm$U+!Ul8I%F&nO@lo>Tx&^GR6InJeU^Ei zflclhU*U+NLmra}+Ic#&AIB5~*^M*;R=s=3Gy>O}--=Hv?U~7nDaQ@+>BT7GwHFa2n62XeQs>9Gt$iW!EPj zXpc^G^OL@+cH9=+ONJa7$Ge3$HI++0ikyD17&o9je%9+|he(*L_Ev3h7RsMbzdFhI zGottXR&fS0bIdO6sJuZP*h3=|+p0TQ^%zy0V$0 zb?#~{PzTyx*({U?rB0kN@m!_z=#0EN=yOAV6pGtHq`QsSGpAQXY`zFI6HB%B%Cb{6 z+{~_deyO5tld{^sm7JnL=bKB}UppsFWEPfL| zxp#9qHXXzHZC?ia{H$>HIr+F&W)G~dDHro>xr}u$XPRYsHmZY%UPbJBC{(>4Im`MX z1#eOV7vzr(s>RFH`PANgG2Ro$eO`~6yOKi;Y9HYP$_XK_BZ0p4=6e85SxzQK&elac zmFtj7WsLp`vslnX}OtG~|T*i})!Fda+ zqsley8k`mP&cVe%q!|6G@Z!r)6F5=0Ljc`QbNr+)m82{;9sqwm?A!@Bxjw2NB1OcC z(Jg=a>G+u;no)J5t(n4WrRDUD8{>hU#Dsi&f?o6-J!Kq*lg4>R3RP2uH$aPY9(ui)uxl&Nnl*@ zYu#r;DW*~P09BJt$>t1{?l;sU@C~`kvvNN3pV#d@ndgR+G~Xd|OTRGuF#F8c!;Aeq z(?sFPT5vK%W@hHafH;3gY_P){U8=ZJqdAho>9@0w096aGcscG^{)~3)Hhy;zq)^YI z<#%`%{VvR$s*-Y}M{;btvNHAqi##U-e;hfvX0Y^xQV+K!drwik@8_D$>2eSQuCYau z!qd_92EJNGzz?BYo#iZq_y+nZJ<{ns<;fbCSH&Zagi^-ceQW!&x_4|34dv#U+&UKZ zH7oCS?1zW41+~Y${A5ykSNCA-D*& zH{Sm_0sl|aAE6u~YVIHAM015IX)B6b1b?HYZ>hxroQi^u*FY|mb3KiV#?5P^u=Gna z)x{OiV+ClZbzP!6Di~|F7JQ6w)Y#>r9`F>uz_yn6)v~AV>(sjrUq_nD^eWMWA58|} z?>lY|RILJ4*}&Ua#+26I!CP%(?xY!gJ}XxyA8jfoIk~_p4Fh65`qI*(3~|?NEQAYc zJF4eO?3yJ-gjoCwcp~vhT7Klj^$$VM0Z&26|#SS)g4u%X}fO$;jaz_wU)8%gbM>6>4hjM$m#mYPUZP zmE(_$&{wm5gb4=uWL3prd>o)7Ik~{6zv3i#pdf!|h@_hu9b~vRg6q*LU!^bU7A$2i z(k1KF&CazOze0yd1sQwSIFo_~Uu_-aD*#21fWi zuuRiGVz$!RaO|>Pb}tG1`STSb@qH7RAsDW%OSS&Ovh0`4?n>=1Z?b~Z!DpzV<2JMN zN@f&=gK@E?0okHS%_xa>$L+2n+wd8QZ||&>hiEgX-6Zb6y*%N=VQ0YDb~rNI3^=ef zu^^&AAXq6gB`*I{d4PSezPlU=yvxuB4}J28z3qJl(Kq9F@WJ8pRP%S^w(c#rum2)ItS<6F&Nx)@B z09D|CU(+guhQyc9hG1EvYDrh7JFwv6*~Q5*de&%WjT`~H;d9t=1Ql^+DgDhD8DU-4 z>_bkt&@v*z$K*+@!b4XFpK%{2GrYGL(f+)>ck81*#H%fTMn>u{H`BVHex`%%Ej~ho z8O6db^AVMTg2kJxO?ckmsV|fc4w~M#zImKcv)%OIr4^NsqO9sM2dA;@6)8kL9 zhPXeBF_F;^k}xvr*s4Zn&?+D}YX4KI)B48KTU|xo;jgS@hVub2)vB-TvkEe~GFe>S zs`fpS=5u|1x#`Ap8PS|Ee9e{WMlKmd+z_l04R#I?IQ4#(13P#lCdLXHi)u7ce#Prs zCCah8Fb3%dUPDEJ@6TW)(&%%O4FUhMq6vvShC$>BpT%0Wt*P%V-gE=JGR{!jwaMEjai ztE>*7HZQR)j}J>!z_^NK+LHN9$R;A_%0AirMpT{U6c4xvGN?yFRAd;g4EsH6{Svcs z39Rx?&`-1DEkWZIxhOF;>Gky{kQRsK1ZiDd}s*0Rx>+-K-6SjMtw11)X7DHyJ z%?}b>d{bb8+XtZkA5j%|iu2Zg&$RZP%%d!=K8Gv4^aJO5Zi5|2NB~3diCN9V{}iJ9 zpA7WBNt6FWHFGOGBz%D<(@Mj{^%`BP4(l-6JCZplvs{Af84E!u^C^3N*m zi=@!=j7YD{$=DpZ*$=;FrB9S>B!|0{(QO1AS87d4;)zW*qVDBG0(+@8I$kE8mpq+@ z=)nuVsSxsNsgk7(7PkrnmEZ~;xo=KZ#mh@ZqRZ#7Ei|v@-7e4X!)ZY>%L$dY9Jgwl z@sMBAKYtQfB;WwEs7@%R(j2|t^tT>pAYXa)G7#-KH|q9vJ?I!@DcJN&o&q*hoiEBY zsFfn0bYjl049(c_v-`RzmhC-uRnH^PD+P6T`%-2px_GzxUG}VaqSlqB$J^XMXhWn; zSsfUZ9MIh=M~RR^%9_fj$`?_8rb#OgK3;H+E?4{ZTOY9sje~lwa!-|L*lU<9O;BeE zH&}q2&SirG=e&zE-1>{>SPL`_8!O06m?m+l-LanE-CELt45;8}jzkfIu!kaaVW1KC)xmG1wR?x<#@+d(MP{qYSq zOp0Swo*}rG_&O)|buY{M2X#-3IN8TY0`pHg+>IYNH6$w{LxlvhBBbgPB5I9=7f4!& zJ1V|QrgW`LIuH$a#qiaVBsNHVRi(eCo@hi{ut9}eIW*KBDjsCe@OG8kJa`n;8jV~c!*3uoW#X_y*9ir+c?RrP_4(7h#hRDa#A9ii zE_-J1MzjIH2IFnB00d*ge*jm#`h*CzWlWPe4(&wXBQicUV#5Ng(N@w7dgpP);#UFd zV(%8WuuP{0U&ULwti@~lzq`WZW^mYpBqq#D36GHwsS|YnK~e3|6gnZR87fOEvM}@E z-R@_4+iOnsMTCD?l@rf2b`E$F6u!%Le|WQJY|vFbmc!!yg@`O>{XG?hS+9Xht_#rK za;Dx z`hAx-f846v4mFo_cxTH8S{=Y-=~V(l=btz7ii%K)A(o02eS1#C4Ro?}7nFCu5T1+^ z5jCn+bIBSnXT9tkLesdVU#&YPQ1wq9qP3ssw$2Y?2d|0yYjDbimNR9f!?&T8ZR`1w ztKtSSHKNKP>=~SI{Gp*+X9WKo1a{U~gVleCT*W92SZe}w*cTc9H~k{&@!!ZPou&V>aFV{UM6Cx1-P3E z_uD?4yPen1YjR3cjoiia$d{lc1n6gU60yp}S#W)@&Nq3AiRf%$=xSJsjE?5s2g_$M zKsFeu$K$Caec?z$NF_K>?^pU#y)0u8U+(Jc-pvZ+@kPGnuGnqhdazs=L|`4{=t+lp zxwZ7w3HiClwdzP=9qISzu)DCF=2z0WbJOqX201v%FuEmPlt-QVC+tYSDz)@^h_zmp)mEh*tJDI9@T|eoA8OT>cJIgOzhWz1(odhWaBo5T&tlh+AcPU7`M3;?P$Zj&el%ykaeBaLgVp$8{` z_h4i9cc!&rR_JSq%uuQM5`x_~yJ9VJx_=z(ZHU!Gc(%QsQ-$W+Vu#Kxd-OZ>Cc{N> z#Be}yj1y_E_HhKeN?XM~Z4qLFQ(THD22ZeY{U*vct9kz=*N5Hl{@_aRn|ABDGqfp_ zUZts*mB&sD>oW{4+oyn9vr6Q;>U(o|bg|iMwjt{WpqzZ&2z$29YiRW#LjU5j&TrQg zVCc&ZN2neM1HC|{l-5tX+Kq*&8B?Q}A=RMqhTe_f?s$2MFlpm|O2KEG$ z1|02or(2OZ!?==;B88YFbup+c9fc^aQf;;hV&9-FSuP&ODaS|SjZTfz;cu2$ioSKo z?|5>jIxgJ*t)AGE=$+P$)1b8<>Sq}MRV8DQZZ9R4Vo}ysOKHwadxh0+rGk!qMRDn1 z7nn%LF|o&Rt1K*2Grd)w7+27+mxkvmULqpLpPS*NwmqcpRy;u_qrLdS&%E3*k7{?K z!uqE1FUXM6fG|(UtNzY@Si--7EO#~t{8W-(H&PV@b+`dqzg7-Rg4j~4?2l7?an>uq z@GXUu8PF}W1hQ-$p_12MEV0`_hB`JV;Uwd*>OtV()^pUQBWJI&4Ye%vYfi97>(w4N z%8e89$(&nZh~#Tv)E~6b5G@~^@P!Z>EOg?1@VQ<}CEF7o&K`c7%&ITi8SGuH-1XX*j=fKR4d@Z&G*uX-x-F*kRrcA93PWkg zSKS&rymtiUH|q5R@GtMAer99G^LX)w%STY&SQ01nT6WK~vYUM+rL?4Ll!3*hoXUNf z%FXB8BGF@rN#cdyy}A_V%_%_Xk3{=wQjf4oxjHAiWa0AAU_j`B;?%>sCtO@$m&aav zS7Xw&*Lg*etwgH8FCvE`3N0MTHdS$hkaXN5_;Z6v@u?(tJ0<8t$t_gs$zjRS$y)LX zE|2GN?y-nwRE;5p5Vzrmw3iID&W(;NisJrW$mFrm`AAr+z(q zWVJFY)z=T*H|2;#5hn&~c}muy@z>(7 zKjH3=!bk-Nmm@;PvEcqW3XSOds^Ob#aVeUcbb7qO-=0GrgRiF9lMbApP|@m{_Otc# z&OPfXTIJu)9gfSu&8fqi%4@V1f1fTOMQxV8Ev!{nRt8Ac%@qYnZF33CZzdj$E#bI` zFn_{pwRSv}0 zIBWQT1`a`?xKH-mG8<7>bD48anqmk*Di4*#Ojs+*$>E3C-%O~>yF-To{LTe+}wjR4Kp>AsWvKAi#Q2NuY40Z^Ud z>GWal!VyptSIayFr{F4`GhA%G(5AtzrejZRvzc2leZr#ycSUgdJ-7rR*ZnsFF-k+8 zJEr?DF48Ur(qk9AT+Uh_RA1sKJdTjE`yAe4n|Dl_%YSov&Xy*<+1><~} zVAi38erLe)u0{Z}fu)G3z0oW};3$5y87B{K;rzo~Y%CGiSw4g!zf(>qqsb+feh8QN zS1OoMPLQN2Hbp0>@$0X88~FQPXz=d9XSd(g#&jE{`mv4DoW{jMak9{HIOB`r(;1Lc zrhbERw68*+LYvVWw}&>?4%U915hw8{aUHGB7RO5ENL<#2Rf`+7;{;n>afRy^(eR_W zDxgq69;Cy$ReMNeecYL1tb~&}XflW{O{5Z>Px=hB$I(EEc!bzhhyI&B@{LBwFvk)NZeAntQ7mNb~5C=QcB?F|C7>;i)|7u+b^5ZnjlYSS0$i z+hkHctb-7ydm6Z@Z#h+Mry6xx%20^Y|H1`s4A>c^E~J&J|JNAI!c^BiA_$AO^%F#U z?vDMs!3cB^%p)QEzstA1Fi*{FPS&W+u3S*4{X^`STz2R80e(!k6oRXFFd4bs$-!p+ zuiC9n?~F8%z3GZVuh)Kl=OWB}Wo5GgADX^JZIyx$yNW@VM9!^BPDIX`P8c_Su0yMQ;N7d=r1VCD1o6A|IoI{uJwI=f0)p0TtW+e7}hc;R3r=z>S zo2}MsOfY@LkWaBQXqBmfny%C=(^Vx zv9Mh7>e+SME4$O$f(}wl*?ijDGDTGtXDTzc)u7YjkChos{+3A}9XZe)o}8N#ZaI7g zG!%csOj-t~UXMoYdXCD)dIU8;xHlu~wk@4<%v++yeQl>)k{3sC5y$^VzCCW0XZxHA zNL2b?^sIZNNCk)=UF!NbLsM=}UbqzXooui^cp55sHnK>hPdN%Y+os42 z!wNnUeqBDU*#WcaseO&@Ir}cu9t;2=`RqGcHiRua_zJ?J@Dc{aG>U@u-qLsDgLEXD z>jJyux+>RWEy-$pbRUBso%AUJevA>D@)DBEt32Q`f(_ST)QycjeW8LY$LDg`Ch(`a z^FD!G7&@?Lr&W6Rvf?TFAR0vn^QL~6UA)9d=?LSSeum|EewqCYVwAtSv9F0GvB|XK z3<^z=e4Y!Ni(s4jJ|0XW(9otnj0*+tP(5M-HkVxVfv`-G+~De@M(LMV=qQn{?AOW}a!>C*yi2KhM{$ub^OLTau}v2kYZ`ZU+?8 zWTR|tD|(PA3+Ib9!W!W4@~(|Rwbz(cP%sxRFKe2n(^^qvv+T*S1U!ys>GX*b<9$N} z^K_N|DW<|!UtdEU^|+8NpIG8M$NgQ)z4+*=`)SRUlqK1T!fa3QgSD*5OJik!NrIQY zCLelTs^r(y{KeNTh?dif-Ftv(7a?`txRA%JZB6o@@f)$AH!4pGse>VR^scqm52lyQ z?N{h68b!dGLT|cr7#sP5VbBQZ)y0PqeHz{ zdP{@QtVaEaE|)ZNub$pW8lG_Y3@hJG|D3^hx7_>AH*bFqN!$XL+aaP4lJy7s_+i7* zJSsbj3^p?Wz`KvHc;gbAI93)0ja!rdKT&YU8WFj{41d?X9N+k7&C=sQ|K%|13=X{t zL0E-}BMAvfhX2`~Z|CLdoGXH2uo80h@VdM?2W|z;VGs4S5G&-`fwD#JweEBCfd5&? zl&@Ai4xiLBb9R|;8ofk~1iS1lL6!ng>uE?rR+|F5CbNLUFwnuG|NaYM*F`5&|J@hZ zwlmzCo+Bdzzblno{*X>{UK*zj`3yOE;DFiHQQ8nkW!u>0)fvQfG3a6!j)RmToXnGf zONkP~t?kJsSIN`kRkBcW=Zv=<^fTB5}hr`F(>c zGz@YI91vdg$!`wAv|xXXEM1*8!jm*44s(~%Re1Y0Zu)Wh`}l0+ZZCEO&PBt&8#M;p zV97b|d-Bifs~*MHjh8B8e6t3L`eQ{0`Ee3&C9szsSkIG-eMlvRY6$<>1-NbC@_1YW zlRtx7#|1&*2C=e4SE%toQ|g~vl$a1SY7}!!lj@zylA0TMYT!qwf)-9QAG0#hGSD(2 zS93o-gfjX=S#s*OS@QS4|M=T|!roaqF?m=##WHX`=x1!m@R=2}a?l;04sCILVFeHP>2KQ-fDr^rvs{r74SSZVxHa Date: Wed, 16 Jan 2019 00:48:30 +0000 Subject: [PATCH 09/10] Merged PR 13802: Removed Edge and Cortana info, and added notes about Intune and kiosk There was still tons of Edge info in this topic, but LTSC doesn't support Edge, so it needs to be out of there. --- .../ltsc/whats-new-windows-10-2015.md | 15 +----- .../ltsc/whats-new-windows-10-2019.md | 52 +++++-------------- 2 files changed, 14 insertions(+), 53 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index cc7f3c8058..ce85311efd 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -286,20 +286,7 @@ For more information about updating Windows 10, see [Windows 10 servicing optio ## Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### Enterprise guidance - -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11) +Microsoft Edge is not available in the LTSC release of Windows 10. ## See Also diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index e05f864f1b..c38900e51a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -30,6 +30,11 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use >[!IMPORTANT] >The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. +## Microsoft Intune + +>[!NOTE] +>Some features that are described on this page require Microsoft Intune. Currently, information about Microsoft Intune support for LTSC 2019 is pending. + ## Security This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. @@ -175,12 +180,6 @@ This release enables support for WIP with Files on Demand, allows file encryptio The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - #### Silent enforcement on fixed drives Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. @@ -396,6 +395,13 @@ In the Feedback and Settings page under Privacy Settings you can now delete the ## Configuration +<<<<<<< HEAD +### Kiosk configuration + +Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. + +If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. +======= ### Kiosk Configuration We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. @@ -444,6 +450,7 @@ With this release you can easily deploy and manage kiosk devices with Microsoft For more information, see: - [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) - [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691) +>>>>>>> 29ecd8ba10cf9401b75cb72a382839f4b4becd26 ### Co-management @@ -455,20 +462,6 @@ For more information, see [What's New in MDM enrollment and management](https:// The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. -### Windows Configuration Designer - -Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - -Windows Configuration Designer in Windows 10 Enterprise 2019 LTSC includes several new wizards to make it easier to create provisioning packages. - -![wizards for desktop, mobile, kiosk, Surface Hub](../images/wcd-options.png) - -Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp). - -![remove pre-installed software option](../images/wcd-cleanpc.png) - -[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) - ### Azure Active Directory join in bulk Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. @@ -495,25 +488,6 @@ Previously, the customized taskbar could only be deployed using Group Policy or - Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) - Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). - -### Cortana at work - -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. - -Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. - -For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) - -## Microsoft Edge - -iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip). - -Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved. - -#### Microsoft Edge Group Policies - -We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). - ## Windows Update ### Windows Update for Business From 67c4105b130806ef92f01f3aa72b33633267e6b7 Mon Sep 17 00:00:00 2001 From: Heidi Lohr Date: Wed, 16 Jan 2019 09:56:00 -0800 Subject: [PATCH 10/10] Updated metadata date and change history --- .../mdm/new-in-windows-mdm-enrollment-management.md | 1 + windows/client-management/mdm/sharedpc-csp.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7f6abebf1e..c50d59e7fa 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1765,6 +1765,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware |New or updated topic | Description| |--- | ---| |[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| +|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| ### December 2018 diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index dad95a061e..6e97992194 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 01/16/2019 --- # SharedPC CSP