From 1a1f3c554ec17009d41350576e3e560070c55586 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 9 Mar 2020 08:15:18 -0700 Subject: [PATCH 01/60] March HoloLens release notes. @yannisle @scooley March release notes. --- devices/hololens/hololens-release-notes.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 737b6bcc0e..5dcb69f25f 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -26,6 +26,13 @@ appliesto: > [!Note] > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). +### March Update - build 18362.1056 + +- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used. +- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation. +- Developers productivity improvement by enabling customers to paste large amount of text through device portal. +- Enables an app to query the depth camera pose and compute the location of each depth pixel in the world. + ### February Update - build 18362.1053 - Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. From a658b3d194baefc173737e48c7989f5933936b8b Mon Sep 17 00:00:00 2001 From: tiburd Date: Tue, 17 Mar 2020 16:30:42 -0700 Subject: [PATCH 02/60] Edit Pass: Windows Security articles --- ...card-group-policy-and-registry-settings.md | 227 ++++++++++++------ ...-basic-audit-policy-on-a-file-or-folder.md | 35 +-- ...icies-associated-with-files-and-folders.md | 52 ++-- ...l-administrators-in-admin-approval-mode.md | 15 +- 4 files changed, 203 insertions(+), 126 deletions(-) 
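Review bot: The four bullets added under "### March Update - build 18362.1056" have grammar slips and mix verb forms; "- Developers productivity improvement by enabling customers to paste large amount of text through device portal." should read "Developer productivity improvement ... large amounts of text ...", and the list alternates between "Improve hologram stability ...", "Ensures ..." and "Enables ..." while the February entry directly below uses one consistent form ("- Temporarily disabled the HolographicSpace.UserPresence API ..."). Suggest the same form for all four (for example "Improved ...", "Ensured ...", "Enabled ...") so the two release sections read alike.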
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index f663299fb7..a93f2fb987 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -18,9 +18,9 @@ ms.reviewer: # Smart Card Group Policy and Registry Settings -Applies To: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows Server 2016 -This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. +This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers. 
@@ -66,21 +66,23 @@ The following sections and tables list the smart card-related Group Policy setti ## Primary Group Policy settings for smart cards -The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card. +The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card. The registry keys are in the following locations: -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP** -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider** -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp** -> **Note**  Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers.
Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards. +> [!NOTE] +> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
+Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**. The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic. -| **Server Type or GPO** | **Default Value** | +| **Server type or GPO** | **Default value** | |----------------------------------------------|-------------------| | Default Domain Policy | Not configured | | Default Domain Controller Policy | Not configured | @@ -91,13 +93,14 @@ The following table lists the default values for these GPO settings. Variations ### Allow certificates with no extended key usage certificate attribute -This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in. +You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in. -> **Note**  Enhanced key usage certificate attribute is also known as extended key usage. +> [!NOTE] +> Enhanced key usage certificate attribute is also known as extended key usage. +> +> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. -In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. - -When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card: +When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card: - Certificates with no EKU 
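Review bot: The rewritten callout in this hunk leaves its second sentence outside the note: after "+> [!NOTE]" and "+> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**." the next added line, "+Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.", has no "> " prefix, so it renders as an ordinary paragraph directly under the note box (the deleted line kept both sentences inside the single "> **Note**" line, and the hunk header's 21-to-23 line count confirms the note grew to three lines). Prefix the third line with "> " or fold it back into the second. Smaller point in the same hunk: the first bolded path escapes the separator before Policies as "SOFTWARE\Policies" while the two paths below it use "SOFTWARE\\Policies"; they render the same, but since all three lines are being touched, make the escaping consistent.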
@@ -105,7 +108,7 @@ When this policy setting is enabled, certificates with the following attributes - Certificates with a Client Authentication EKU -When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card. +When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| @@ -116,68 +119,87 @@ When this policy setting is disabled or not configured, only certificates that c ### Allow ECC certificates to be used for logon and authentication -This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain. +You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. + +When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain. + +When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain. | **Item** | **Description** | |--------------------------------------|-------------------------------| -| Registry key | EnumerateECCCerts | +| Registry key | **EnumerateECCCerts** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. | +| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. | ### Allow Integrated Unblock screen to be displayed at the time of logon -This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista. +You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista. -When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available. +When this setting is turned on, the integrated unblock feature is available. + +When this setting isn't turned on, the feature is not available. | **Item** | **Description** | |--------------------------------------|---------------------------------------------------------------------------------------------------------------| -| Registry key | AllowIntegratedUnblock | +| Registry key | **AllowIntegratedUnblock** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). | +| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). | ### Allow signature keys valid for Logon -This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen. +You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in. + +When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. + +When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | AllowSignatureOnlyKeys | +| Registry key | **AllowSignatureOnlyKeys**| | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | | ### Allow time invalid certificates -This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in. +You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in. -Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. +> [!NOTE] +> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. -When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen. +When this setting is turned on, certificates are listed on the sign-in screen whether they have an invalid time, or their time validity has expired. + +When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | AllowTimeInvalidCertificates | +| Registry key | **AllowTimeInvalidCertificates** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | | ### Allow user name hint -This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed. +You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. + +When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. + +When this policy setting isn't turned on, users don't see this optional field. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | X509HintsNeeded | +| Registry key | **X509HintsNeeded**| | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | | ### Configure root certificate clean up -This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options: +You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. + +When this policy setting is turned on, you can set the following cleanup options: - **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer. 
@@ -185,122 +207,168 @@ This policy setting allows you to manage the cleanup behavior of root certificat - **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed. -When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows. +When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | RootCertificateCleanupOption | +| Registry key | **RootCertificateCleanupOption**| | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | | ### Display string when smart card is blocked -When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the system’s default message is displayed to the user when the smart card is blocked. +You can use this policy setting to change the default message that a user sees if their smart card is blocked. + +When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked. + +When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system’s default message when the smart card is blocked. | **Item** | **Description** | |--------------------------------------|-------------------------| -| Registry key | IntegratedUnblockPromptString | +| Registry key | **IntegratedUnblockPromptString** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. | | Notes and resources | | ### Filter duplicate logon certificates -This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet. +You can use this policy setting to configure which valid sign-in certificates are displayed. -Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user. +> [!NOTE] +> During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet. +> +> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same. + +When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates. + +If this policy setting isn't turned on, all the certificates are displayed to the user. 
This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied. | **Item** | **Description** | |--------------------------------------|--------------------------------------------------------------------------------------------------| -| Registry key | FilterDuplicateCerts | +| Registry key | **FilterDuplicateCerts**| | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | ### Force the reading of all certificates from the smart card -This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. +You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. -When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in. +When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. + +When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in. 
| **Item** | **Description** | |--------------------------------------|----------------------------------------------------------------------------| -| Registry key | ForceReadingAllCertificates | +| Registry key | **ForceReadingAllCertificates** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None

**Important**  Enabling this policy setting can adversely impact performance during the sign in process in certain situations. | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None

**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. | | Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. | ### Notify user of successful smart card driver installation -This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed. +You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed. + +When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed. + +When this setting isn't turned on, the user doesn't see a smart card device driver installation message. | **Item** | **Description** | |--------------------------------------|------------------------------------------------| -| Registry key | ScPnPNotification | +| Registry key | **ScPnPNotification** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | ### Prevent plaintext PINs from being returned by Credential Manager -This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager. +You can use this policy setting to prevent Credential Manager from returning plaintext PINs. + +> [!NOTE] +> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. + +When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN. + +When this setting isn't turned on, Credential Manager can return plaintext PINs. | **Item** | **Description** | |--------------------------------------|-----------------------------------------------------------------------------------| -| Registry key | DisallowPlaintextPin | +| Registry key | **DisallowPlaintextPin**| | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. | +| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. | ### Reverse the subject name stored in a certificate when displaying -When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process. +You can use this policy setting to control the way the subject name appears during sign in. + +> [!NOTE] +> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. + +When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate. + +When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate. -To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. 
This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. | **Item** | **Description** | |--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | ReverseSubject | +| Registry key | **ReverseSubject** | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | | ### Turn on certificate propagation from smart card -This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. +You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted. +> [!NOTE] +> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. -If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook. +When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card. + +When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook. | **Item** | **Description** | |--------------------------------------|----------------| -| Registry key | CertPropEnabled | +| Registry key | **CertPropEnabled**| | Default values | No changes per operating system versions
Enabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. | | Notes and resources | | ### Turn on root certificate propagation from smart card -This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card. +You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted. + +> [!NOTE] +> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. + +When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card. + +When this policy setting isn’t turned on, root certificate propagation doesn’t occur when the user inserts the smart card. | **Item** | **Description** | |--------------------------------------|---------------------------------------------------------------------------------------------------------| -| Registry key | EnableRootCertificate Propagation | +| Registry key | **EnableRootCertificate Propagation** | | Default values | No changes per operating system versions
Enabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. | | Notes and resources | | ### Turn on Smart Card Plug and Play service -This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards. +You can use this policy setting to control whether Smart Card Plug and Play is enabled. -When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader. +> [!NOTE] +> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards. + +When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. + +When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader. 
| **Item** | **Description** | |--------------------------------------|------------------------------------------------| -| Registry key | EnableScPnP | +| Registry key | **EnableScPnP** | | Default values | No changes per operating system versions
Enabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | | Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | @@ -309,9 +377,9 @@ When the Smart Card Plug and Play policy setting is enabled or not configured, a The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type. -The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider. +The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**. -The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider. +The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**. **Registry keys for the base CSP and smart card KSP** @@ -320,7 +388,7 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY | **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | | **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 | | **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys | -| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required.
Default value: 00000000 | +| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 | | **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc1500
The default timeout for holding transactions to the smart card is 1.5 seconds. | **Additional registry keys for the smart card KSP** @@ -332,14 +400,14 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY ## CRL checking registry keys -The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client. +The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client. **CRL checking registry keys** | **Registry Key** | **Details** | |------------|-----------------------------| -| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD
Value = 1 | -| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD
Value = 1 | +| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 | +| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 | ## Additional smart card Group Policy settings and registry keys @@ -349,40 +417,41 @@ In a smart card deployment, additional Group Policy settings can be used to enha - Interactive logon: Do not require CTRL+ALT+DEL (not recommended) -The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options. +The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options. **Local security policy settings** -| Group Policy Setting and Registry Key | Default | Description | +| Group Policy setting and registry key | Default | Description | |------------------------------------------|------------|---------------| -| Interactive logon: Require smart card

scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

**Enabled** Users can only sign in to the computer by using a smart card.
**Disabled** Users can sign in to the computer by using any method. | -| Interactive logon: Smart card removal behavior

scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

**Note**  Remote Desktop Services was called Terminal Services in previous versions of Windows Server. | +| Interactive logon: Require smart card

**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method. | +| Interactive logon: Smart card removal behavior

**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. | From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers. -The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation. +The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation. -Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults. +Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**. -> **Note**  In the following table, fresh credentials are those that you are prompted for when running an application. +> [!NOTE] +> In the following table, fresh credentials are those that you are prompted for when running an application. 
**Credential delegation policy settings** -| Group Policy Setting and Registry Key | Default | Description | +| Group Policy setting and registry key | Default | Description | |----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Allow Delegating Fresh Credentials**

AllowFreshCredentials | Not Configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer is not permitted.

**Note**  This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | -| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**

AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials is not permitted to any computer.

**Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. | -| **Deny Delegating Fresh Credentials**

DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.
**Disabled** or **Not Configured**: A server is not specified.

**Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. | +| Allow Delegating Fresh Credentials

**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.

**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | +| Allow Delegating Fresh Credentials with NTLM-only Server Authentication

**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. | +| Deny Delegating Fresh Credentials

**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. | -If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored. +If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored. | **Registry key** | **Corresponding Group Policy setting** | |-------------------------------------|---------------------------------------------------------------------------| -| AllowDefaultCredentials | Allow Delegating Default Credentials | -| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication | -| AllowSavedCredentials | Allow Delegating Saved Credentials | -| AllowSavedCredentialsWhenNTLMOnly | Allow Delegating Saved Credentials with NTLM-only Server Authentication | +| **AllowDefaultCredentials** | Allow Delegating Default Credentials | +| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication | +| **AllowSavedCredentials** | Allow Delegating Saved Credentials | +| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication | ## See also diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index f15fee7c4d..14179cf7bc 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -23,25 +23,26 @@ ms.date: 07/25/2018 - Windows 10 You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. -To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right. + +To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights. **To apply or modify auditing policy settings for a local file or folder** -1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. -2. Click **Advanced**. -3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**. +1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab. +2. Select **Advanced**. +3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**. 4. Do one of the following: - - To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**. - - To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure. - - To view or change auditing for an existing group or user, click its name, and then click **Edit.** + - To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**. + - To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure. 
+ - To view or change auditing for an existing group or user, select its name, and then select **Edit.** 5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes: - - To audit successful events, click **Success.** - - To audit failure events, click **Fail.** - - To audit all events, click **All.** + - To audit successful events, select **Success.** + - To audit failure events, select **Fail.** + - To audit all events, select **All.** -6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: +6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These include: - **This folder only** - **This folder, subfolders and files** 
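Review bot: In the @@ -23,25 +23,26 @@ hunk of apply-a-basic-audit-policy-on-a-file-or-folder.md, "or have **Manage auditing and security log** rights" should stay singular: "Manage auditing and security log" is the name of one user right assignment, and the original "you must have been granted the **Manage auditing and security log** right" was precise about that. Suggest "or have been granted the **Manage auditing and security log** user right". The click-to-select wording changes in the rest of the hunk look fine.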
@@ -55,16 +56,20 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Read and execute** - **List folder contents** - **Read** - - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. + - Additionally, with your selected audit combination, you can select any combination of the following permissions: + - **Full control** + - **Modify** + - **Write** -> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. +> [!IMPORTANT]   +> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations -- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes. +- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes. - You can set up file and folder auditing only on NTFS drives. -- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. +- Because the security log is limited in size, carefully select the files and folders to be audited. 
Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.     diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index 94499439b0..e6131584e5 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md 
@@ -22,38 +22,39 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. +This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. -This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server. +This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server. -For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). +For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. 
For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx). ->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. +> [!NOTE] +> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. **To configure settings to monitor central access policies associated with files or folders** 1. Sign in to your domain controller by using domain administrator credentials. -2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. -3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. +2. In Server Manager, point to **Tools**, and then select **Group Policy Management**. +3. In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**. 4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. -5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. -6. Enable auditing for a file or folder as described in the following procedure. +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**. +6. Turn on auditing for a file or folder as described in the following procedure. -**To enable auditing for a file or folder** +**To turn on auditing for a file or folder** -1. 
Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. -2. Right-click the file or folder, click **Properties**, and then click the **Security** tab. -3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**. +1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit. +2. Right-click the file or folder, select **Properties**, and then select the **Security** tab. +3. Select **Advanced**, select the **Auditing** tab, and then select **Continue**. - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. -4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**. +4. Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**. 5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**. -6. Click **OK** four times to complete the configuration of the object SACL. -7. Open a File Explorer window and select or create a file or folder to audit. -8. Open an elevated command prompt, and run the following command: +6. To complete the configuration of the object SACL, select **OK** four times. +7. Open a File Explorer window, and then select or create a file or folder to audit. +8. Open an elevated command prompt, and then run the following command: `gpupdate /force` 
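Review bot: In the @@ -22,38 +22,39 @@ hunk of monitor-the-central-access-policies-associated-with-files-and-folders.md, "local administrator's group" is wrong; the built-in group is named Administrators, so step 1 of the second procedure should keep the original "local administrators group" (or, clearer still, "local **Administrators** group"). Step 2 of that procedure also keeps "Right-click the file or folder" while the apply-a-basic-audit-policy hunk in this same edit pass changed the equivalent step to "Select and hold (or right-click)"; the two articles should use the same wording.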
@@ -61,15 +62,16 @@ After you configure settings to monitor changes to the central access policies t **To verify that changes to central access policies associated with files and folders are monitored** -1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. -2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure. -3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**. -4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice. - >**Note:**  You must select a setting that is different than your original setting to generate the audit event. +1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit. +2. Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure. +3. Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**. +4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice. + > [!NOTE] + > You must select a setting that is different than your original setting to generate the audit event. -5. In Server Manager, click **Tools**, and then click **Event Viewer**. -6. Expand **Windows Logs**, and then click **Security**. -7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies. +5. In Server Manager, select **Tools**, and then select **Event Viewer**. +6. 
Expand **Windows Logs**, and then select **Security**. +7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies. ### Related resource diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 4a75974332..fb06a1c928 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. +This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. ## Reference 
@@ -38,11 +38,12 @@ This policy setting determines the behavior of all User Account Control (UAC) po Admin Approval Mode and all related UAC policies are disabled. - >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. + > [!NOTE] + > If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. ### Best practices -- Enable this policy to allow all other UAC features and policies to function. +- Turn on this policy to allow all other UAC features and policies to function. ### Location @@ -67,11 +68,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. +The computer must be restarted before this policy is effective when changes to this policy are saved locally or distributed through Group Policy. ### Group Policy -All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console or Local Security Policy snap-in for a domain, site, or organizational unit. ## Security considerations 
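Review bot: In the "### Group Policy" hunk, the sentence "All auditing capabilities are integrated in Group Policy" is left in place in an article about the UAC Admin Approval Mode setting, where it reads as copy-paste from the auditing articles; since this is an edit pass, reword it to refer to this security policy setting rather than auditing capabilities. Also, the Local Security Policy snap-in configures only the local computer, so "for a domain, site, or organizational unit" applies to the Group Policy Management Console alone; split the sentence accordingly.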
@@ -79,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer. +This setting turns on or turns off UAC. If this setting isn't turned on, UAC isn't used, and any security benefits and risk mitigations that are dependent on UAC aren't present on the computer. ### Countermeasure -Enable the **User Account Control: Run all users, including administrators, as standard users** setting. +Turn on the **User Account Control: Run all users, including administrators, as standard users** setting. ### Potential impact From 69c1584504373f4c340796b9de4644f1add9779d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 17 Mar 2020 16:46:12 -0700 Subject: [PATCH 03/60] pencil edit --- .../smart-card-group-policy-and-registry-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index a93f2fb987..04e43174e8 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -80,7 +80,7 @@ The registry keys are in the following locations: > Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
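Review bot: In the UAC article's "### Countermeasure" hunk, the setting named for the countermeasure, "User Account Control: Run all users, including administrators, as standard users", does not match the policy this article documents, "User Account Control: Run all administrators in Admin Approval Mode" (see the article title in the earlier hunk). Verify the intended name and make the two consistent, since a reader looking for the countermeasure setting by name will not find it. The "turns on or turns off" rewording in "### Vulnerability" is fine.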
Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**. -The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic. +The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article. | **Server type or GPO** | **Default value** | |----------------------------------------------|-------------------| From e8a6b2c386998e0ddd228dccf8fa9a440d70fbee Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 17 Mar 2020 16:48:50 -0700 Subject: [PATCH 04/60] pencil edit --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 14179cf7bc..8999e420aa 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -62,7 +62,6 @@ To complete this procedure, you must be signed in as a member of the built-in Ad - **Write** - > [!IMPORTANT]   > Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   From 8fef1868fd38cfebf37bc06875553e64f9eea5a1 Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Thu, 19 Mar 2020 10:20:30 -0700 Subject: [PATCH 05/60] Updated the example --- .../mdm/policy-csp-restrictedgroups.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index ceef7004b4..37921c714c 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -122,24 +122,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and -Here is an example: +Here's an example: ``` - - - - + + + - - + + + ``` +where: +- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for ``. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure. +The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `Group1` and `Group2` are group locals on the device being configured. -> [!Note] -> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access -> * Include the entire UPN after AzureAD 
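Review bot: This hunk removes the `[!Note]` that told readers to include the local administrator when modifying the Administrators group "to prevent accidental loss of access", and nothing in the new "where:" bullets replaces that warning; either keep the note or state the safeguard in the bullets, because applying this policy with an incomplete member list removes every account not listed. Two further points in the new bullets: they say name lookup "doesn't query Azure AD" and, in the same breath, that a member "can be a user account or a group in AD, Azure AD, or on the local machine"; make explicit that Azure AD members must therefore be specified by SID. Finally, "group locals" should read "local groups" and "If an SID" should read "If a SID".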
From b970f8dc2db128f7593a3ccf14774410ba1a8614 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 11:45:31 -0700 Subject: [PATCH 06/60] minor updates --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 37921c714c..45f5805676 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -138,7 +138,7 @@ Here's an example: ``` where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for ``. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure. +- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - `Group1` and `Group2` are group locals on the device being configured. From 93aa06ca24f68fc7e558191c72f06e9a44f3da9a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 12:05:34 -0700 Subject: [PATCH 07/60] minor update --- .../client-management/mdm/policy-csp-restrictedgroups.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
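Review bot: In the rewritten `` bullet, "As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure" uses both "As" and "hence"; drop one of them, for example "Because groups can be renamed and account name lookups are limited to AD/local machine, SID is the best and most deterministic way to configure."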
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 45f5805676..aba7ce2672 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -137,9 +137,9 @@ Here's an example: ``` where: -- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. -The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. +The member SID can be a user account or a group in AD, Azure AD, or on the local machine. 
Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - `Group1` and `Group2` are group locals on the device being configured. From b4b0efd354dc4a26c5698659f00e8ce608f4295d Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Fri, 20 Mar 2020 11:42:50 -0700 Subject: [PATCH 08/60] Update applocker-overview.md Added Note about control processes --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 320db86050..4777a11a1c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -23,7 +23,7 @@ ms.date: 10/16/2017 - Windows 10 - Windows Server -This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. +This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. **Note:** AppLocker doesn't control processes running under system account on all OS versions. AppLocker can help you: 
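Review bot: In the applocker-overview hunk, "AppLocker doesn't control processes running under system account on all OS versions" is ambiguous: it can be read as "on some versions it does" or as "on no version does it". State the intended meaning plainly (for example, that AppLocker rules are not enforced for processes running as the LocalSystem account on any version of Windows), and put it in a `> [!NOTE]` callout on its own line rather than as inline bold at the end of the overview paragraph, matching the callout style used elsewhere in this edit series.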
From 33aeb5c7cc5bc172e5a115967639bc0a4a0d4fe8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 20 Mar 2020 13:18:03 -0700 Subject: [PATCH 09/60] Added review feedback --- .../mdm/policy-csp-restrictedgroups.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index aba7ce2672..bc428c7e27 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -74,10 +74,17 @@ manager: dansimp -This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. + +For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Administrators group. When this policy is refreshed, only Alice and John will remain as members of the Administrators group. > [!CAUTION] -> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. 
Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: + +> | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | +> |----------|----------|----------|----------|----------| +> |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| + Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. 
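Review bot: The new description and the new caution in this hunk disagree about what happens to the built-in Administrator account: the first paragraph says every current member not on the list is removed "except for the built-in administrator in the built-in Administrators group", while the caution says "Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error". Say which it is, and whether the rest of the membership is still applied when that error is raised or the whole policy fails, since an admin relies on this to know if the policy leaves the group half-configured. Also, the empty `+` line between the caution sentence and the error table is not prefixed with `>`, which ends the `[!CAUTION]` blockquote and renders the table outside the callout; prefix it with `>`. Minor: "SIDS" should be "SIDs", and "renaming these built-in groups" refers to only one group mentioned so far.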
@@ -140,7 +147,7 @@ where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. - `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. -- `Group1` and `Group2` are group locals on the device being configured. +- In this example, `Group1` and `Group2` are local groups on the device being configured. From 1eb0e9e14ed635649bc2f255733165103d4b9681 Mon Sep 17 00:00:00 2001 From: Jreeds001 Date: Mon, 23 Mar 2020 10:26:22 -0700 Subject: [PATCH 10/60] Update applocker-overview.md Updated copy to Notes --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 4777a11a1c..96bda3d33b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
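Review bot: The changed line ("In this example, `Group1` and `Group2` are local groups on the device being configured") is correct; while touching this list, fix the adjacent context bullets as well: "If an SID" should read "If a SID", and the "As ... hence" construction in the `` bullet should be reduced to one connective.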
@@ -23,7 +23,7 @@ ms.date: 10/16/2017 - Windows 10 - Windows Server -This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. **Note:** AppLocker doesn't control processes running under system account on all OS versions. +This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. **Note:** AppLocker is unable to control processes running under the system account on any OS. AppLocker can help you: From 189b52f907d34e2b4e859b4f6ffc7c19a55dce8c Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Mon, 23 Mar 2020 11:04:19 -0700 Subject: [PATCH 11/60] updated text --- .../microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 8d2e155a2e..3c17e82061 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
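Review bot: The revised sentence "AppLocker is unable to control processes running under the system account on any OS" is clearer than the previous version, but it is still an inline bold "Note:" appended to the overview paragraph; move it to a `> [!NOTE]` callout consistent with the rest of the doc set. Also name the account precisely (the LocalSystem account, NT AUTHORITY\SYSTEM) and replace "any OS" with "any version of Windows", since AppLocker exists only on Windows.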
@@ -52,9 +52,9 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ## Find and remediate software or software versions which have reached end-of-support (EOS) -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. +It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. To find software or software versions which have reached end-of-support: From b2bb2457835626907aa451befb567ac9d54f017f Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Mon, 23 Mar 2020 14:41:07 -0700 Subject: [PATCH 12/60] adding content --- devices/hololens/hololens-updates.md | 92 ++++++++++++++++++---------- 1 file changed, 60 insertions(+), 32 deletions(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 561eb79861..5bd43f660c 100644 --- a/devices/hololens/hololens-updates.md 
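Review bot: In the end-of-support hunk, "exposing your organization to security vulnerabilities, legal, and financial risks" is not parallel; read "security, legal, and financial risks" (or "to security vulnerabilities and to legal and financial risks"). In the second added sentence, "update versions that have reached end of support" is ambiguous because an end-of-support version by definition receives no updates; say "upgrade to a supported version" instead. The added clause "and will not receive security updates" is a useful sharpening.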
+++ b/devices/hololens/hololens-updates.md @@ -8,10 +8,11 @@ ms.author: v-tea audience: ITPro ms.topic: article ms.localizationpriority: high -ms.date: 11/7/2019 +ms.date: 03/24/2020 ms.reviewer: jarrettr manager: jarrettr ms.custom: +- CI 115825 - CI 111456 - CSSTroubleshooting appliesto: 
@@ -21,9 +22,58 @@ appliesto: # Manage HoloLens updates -HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet. +HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md). + +## Automate update management + +Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices use Windows Holographic for Business. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business (build 10.0.18362.1042 or a later build)](hololens1-upgrade-enterprise.md) to manage their updates. + +Windows Update for Business connects HoloLens devices directly to the Windows Update service. You can use Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when HoloLens devices are updated. You can configure these settings by using enterprise Group Policy or by using policies in a Mobile Device Management (MDM) solution such as [Microsoft Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). + +By using Windows Update for Business, you can control multiple aspects of the update process: which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. 
+ + +For information about the specific policies that you can configure, see [Reference: Group policies that manage HoloLens updates](#reference). + + + + +Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization. + + +Utilizing Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deploy to devices in your organization in waves. + +Windows Update for Business provides management policies for several types of updates to Windows 10 devices: + +* **Feature updates** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. They are released semi-annually in the fall and in the spring. +* **Quality updates**. These are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security and critical updates. 
+ +## Reference: Group policies that manage HoloLens updates + +To configure how and when updates are applied, use the following policies: + +* [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +* [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +* [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) + +To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: + +* [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) + +In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) + +For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update: + +* [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) +* [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) +* [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) + +For more information about using policies to manage HoloLens, see the following articles: + +* [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2) +* [Policies supported by Windows Holographic for 
Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) +* [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) -This article will walk through all of the way to manage updates on HoloLens. ## Manually check for updates @@ -31,7 +81,9 @@ While HoloLens periodically checks for system updates so you don't have to, ther To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available. -## Go back to a previous version (HoloLens 2) +## Manually revert an update + +### Go back to a previous version (HoloLens 2) In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version. @@ -49,7 +101,7 @@ To go back to a previous version of HoloLens 2, follow these steps: 1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.) 1. Select **Install software**, and follow the instructions. -## Go back to a previous version (HoloLens (1st gen)) +### Go back to a previous version (HoloLens (1st gen)) In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version. 
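Review bot: In the "## Automate update management" hunk, the link `[Reference: Group policies that manage HoloLens updates](#reference)` will not resolve: the heading added later in the same hunk is "## Reference: Group policies that manage HoloLens updates", whose auto-generated anchor is the full slug of that text, not `#reference`; either use the full anchor or add an explicit anchor to the heading. Several paragraphs in this hunk also duplicate each other and read like unmerged drafts: "You can use Mobile Device Management (MDM) solutions such as Microsoft Intune ..." is immediately followed by "You can configure these settings by using enterprise Group Policy or by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune", and the later "Specifically, Windows Update for Business allows for control over update offering and experience ..." and "Utilizing Windows Update for Business, you can control which types of Windows Updates ..." restate the "By using Windows Update for Business, you can control multiple aspects ..." paragraph; consolidate into one paragraph. Smaller items: the "**Feature updates**" bullet lacks the period that the "**Quality updates**." bullet has, and the same Intune article is linked twice with different URLs (`https://docs.microsoft.com/intune/protect/windows-update-for-business-configure` in the Automate section, `https://docs.microsoft.com/intune/windows-update-for-business-configure` in the Reference section); pick one.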
@@ -70,31 +122,7 @@ To go back to a previous version of HoloLens (1st gen), follow these steps: > [!NOTE] > If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions. -## Use policies to manage updates to HoloLens +## Related articles -> [!NOTE] -> HoloLens (1st gen) devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates. - -To configure how and when updates are applied, use the following policies: - -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) -- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) - -To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: - -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) - -In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. 
(See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) - -For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update: - -- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) -- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) -- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) - -For more information about using policies to manage HoloLens, see the following articles: - -- [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2) -- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) -- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) +* [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) +* [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure) From ce9870d29438e1d007c049a46c4696baa0dfa1cf Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 23 Mar 2020 15:59:41 -0700 Subject: [PATCH 13/60] Updated example --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index bc428c7e27..b9d942f86e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -76,7 +76,7 @@ manager: dansimp This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. -For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Administrators group. When this policy is refreshed, only Alice and John will remain as members of the Administrators group. +For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed. > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: From d2ca10080e55222e7f943874e4fc43c390c7d99e Mon Sep 17 00:00:00 2001 
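Review bot: In the policy-csp-restrictedgroups.md hunk above, the rewritten example now describes the Backup Operators group, but the `[!CAUTION]` immediately after it still talks about removing the built-in administrator from the Administrators group, so the example and the caution no longer read as one thought; either lead the caution with a clause that ties it back ("The exception is the built-in Administrators group:") or keep the Administrators example beside the new Backup Operators one. While this paragraph is being touched, the unchanged context line above spells "SIDS"; "SIDs" is the usual form.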
From: Emily Bender <44589070+embender@users.noreply.github.com> Date: Mon, 23 Mar 2020 16:23:19 -0700 Subject: [PATCH 14/60] Remove TSF1/2 Deprecate PM for Text Input team here - The Text Input team is not poised to release the TSF3 IMEs publicly at this time, so we would like to remove this update as it's not accurate and can lead to confusion amongst our external customers. Thanks! Reach out to @embender if you have more questions. --- windows/deployment/planning/windows-10-deprecated-features.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 3276da608a..520d6cc598 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -28,7 +28,6 @@ The features described below are no longer being actively developed, and might b | Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | -| TSF1/TSF2 IME | TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. ​| 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | | XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | From d4bcfdea0c85980db3d9d9ff8fa5ee953e00e72e Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 23 Mar 2020 17:04:42 -0700 Subject: [PATCH 15/60] minor change to trigger publishing --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index b9d942f86e..8109b11730 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,8 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/12/2020 +ms.date: 03/23/2020 + ms.reviewer: manager: dansimp --- From 8c644834cf623c64bb41e279274d9e5e871b7433 Mon Sep 17 00:00:00 2001 
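Review bot: In the windows-10-deprecated-features.md hunk above, dropping the TSF1/TSF2 IME row matches the commit message, but readers who already saw that entry under 1909 get no signal that the deprecation was withdrawn; consider a one-line note in the article (outside the table) saying the TSF IME entry was removed because no TSF3 replacement is being released at this time, using the wording from the commit message so the two stay consistent.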
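Review bot: In the policy-csp-restrictedgroups.md front-matter hunk above, the added empty line between `ms.date: 03/23/2020` and `ms.reviewer:` is stray; since the commit's stated purpose is only to bump `ms.date` to trigger publishing, drop the blank line so the metadata block stays compact and consistent with the other keys.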
From: Teresa-Motiv Date: Mon, 23 Mar 2020 17:10:39 -0700 Subject: [PATCH 16/60] Added content --- devices/hololens/hololens-updates.md | 104 +++++++++++++----- .../images/hololens-updates-timeline.png | Bin 0 -> 53700 bytes 2 files changed, 76 insertions(+), 28 deletions(-) create mode 100644 devices/hololens/images/hololens-updates-timeline.png diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 5bd43f660c..b8c2a10cf2 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -24,55 +24,102 @@ appliesto: HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md). -## Automate update management +## Manage updates automatically -Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices use Windows Holographic for Business. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business (build 10.0.18362.1042 or a later build)](hololens1-upgrade-enterprise.md) to manage their updates. +Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business (build 10.0.18362.1042 or a later build)](hololens1-upgrade-enterprise.md) to manage their updates. -Windows Update for Business connects HoloLens devices directly to the Windows Update service. You can use Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when HoloLens devices are updated. You can configure these settings by using enterprise Group Policy or by using policies in a Mobile Device Management (MDM) solution such as [Microsoft Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). 
+Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process: which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or you can define different update schedules for different types of updates. -By using Windows Update for Business, you can control multiple aspects of the update process: which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. +> [!NOTE] +> For HoloLens devices, You can automatically manage feature updates (released twice a year) and quality updates (released monthly or as needed, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). +You can configure Windows Update for Business settings by using enterprise Group Policy or by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune. -For information about the specific policies that you can configure, see [Reference: Group policies that manage HoloLens updates](#reference). +For a detailed discussion of how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). +> [!IMPORTANT] +> Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens. +> +> You can use Windows 10 update ring policies with HoloLens. 
+### Plan the update strategy +Deferral policies work by ensuring that only updates of a certain age are offered to a device. -Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization. +Much like any other MDM policy dictated by group assignments, an update ring with a deferral configures the behavior of a specified subset of your device fleet. +Multiple update rings can then be used to coordinate an update rollout strategy for your organization. -Utilizing Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deploy to devices in your organization in waves. +Let's assume an organization with 1000 devices that are updated over 5 waves. Following the steps above, we could create 5 rings: -Windows Update for Business provides management policies for several types of updates to Windows 10 devices: +|Group |Number of devices |Deferral (days) | +| ---| :---: | :---: | +|Grp 1 (IT Staff) |5 |0 | +|Grp 2 (Early Adopters) |50 |60 | +|Grp 3 (main 1) |250 |120 | +|Grp 4 (main 2) |300 |150 | +|Grp 5 (main 3) |395 |180 | -* **Feature updates** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. They are released semi-annually in the fall and in the spring. -* **Quality updates**. These are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security and critical updates. 
+Here's how the rollout progresses over time to the entire organization: + +![Timeline for deploying updates](./images/hololens-updates-timeline.png) + +### Configure update policies + +The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business. + +> [!NOTE] +> For details about specific policies that are supported by specific editions of HoloLens, see the following articles: +> - [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices) +> - [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) + +#### Configure automatic checks for updates + +You can use the [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) policy to manage automatic update behavior, such as scanning, downloading, and installing updates. + +The supported values for this policy are the following: + +- **0** - Notify the user when there are updates that apply to the device and are ready for download. +- **1** - Automatically install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed when the device is not in use and is not running on battery power. If unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. +- **2** - [Recommended, Default] Automatically install and restart. 
Updates are downloaded automatically on non-metered networks and installed when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. +- **3** - Automatically install and restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- **4** - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This option also sets the Settings page to read-only. + +- **5** - Turn off automatic updates. + +> [!NOTE] +> In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +#### Defer an update + +You can use deferrals to stage + +Deferrals are useful in allowing time to validate deployments as they are pushed to devices by staging their rollout across rings. 
An IT administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. They work by allowing you to specify the number of days after an update is released before it is offered to a device. + +Feature and quality updates can be configured independently and applied via the following policies: + +|Category |Policy |Maximum deferral | +| --- | --- | --- | +|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days | +|Quality updates |DeferQualityUpdatesPeriodInDays |30 days | -##
Reference: Group policies that manage HoloLens updates To configure how and when updates are applied, use the following policies: -* [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -* [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) -* [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) -To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: -* [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +**For devices that run Windows 10, version 1607 only** -In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. 
(See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) +You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update: -For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update: +- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) +- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) +- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -* [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) -* [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) -* [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -For more information about using policies to manage HoloLens, see the following articles: - -* [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2) -* [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) -* [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) ## Manually check for updates 
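Review bot: In the `#### Defer an update` part of the hunk above, the deferral table states that `DeferQualityUpdatesPeriodInDays` caps at 30 days, yet the ring table under `### Plan the update strategy` uses deferrals of 60, 120, 150 and 180 days, so as written the ring example can only apply to feature updates (`DeferFeatureUpdatesPeriodInDays`, maximum 365 days); say which policy the ring deferrals map to, or give separate quality-update deferrals within the 30-day limit, so the quality updates that the note describes as "including critical security updates" are not implied to wait up to six months on the later rings. In the same subsection the added line "You can use deferrals to stage" is an unfinished sentence; complete it or remove it, since the paragraph that follows already says deferrals stage rollouts across rings. Two smaller items: "Following the steps above, we could create 5 rings" refers to steps that do not exist in the preceding text (the section has no numbered steps, so "Using this approach" would be accurate), and the note "For HoloLens devices, You can automatically manage" has a stray capital in "You".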
@@ -124,5 +171,6 @@ To go back to a previous version of HoloLens (1st gen), follow these steps: ## Related articles -* [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) -* [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure) +- [Deploy updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) +- [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) +- [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure) 
diff --git a/devices/hololens/images/hololens-updates-timeline.png b/devices/hololens/images/hololens-updates-timeline.png new file mode 100644 index 0000000000000000000000000000000000000000..4b1e9869482736ce875eee6b6f9709ca3b47560d GIT binary patch literal 53700 zcmd43WmJ^?8aGNeNXO7aHzJMFjWps&51@1-A>EC%iXvSK5)z6?r;1XJh?1fL($W&= zV()#wVVKiy7v=?<;=wpCls#EpieB2^JO>xsJBF2^JRa5Ed48I1vu~pRucD zwD1pXKNBrgtQQ|yR^UJIoK*Bxu&^5Llb)dQ;lGK!wQu=hVbSwk{DrM!!o3BryQQP9 zVishxR)8Nwdy^qPg)T5bH3|nmx#iUxH=hTKi0=X$7k^MPa1i@&ZEQSsKkWQ^cSuelz-{rzO~!|bCY9p3EVd-v{%llA`R&%bZEd3a7~+1S{an2s{h zjPVzLKHTiVVCYLMC^2JWWA@Dd{mEYOxuJwh>?qWg|GxCY{hpru|GmHri`4BuuVjoj z#ulz&`tQGM;@8*T`R_Y2(slh`^uxUGGjehqot>+mKYw0VxB2sDZdMjj)Q*w&&yQcf z2sR1m>FI0UHS&KoMGf}%%gM{96D`9PvTQD55|U^(jqA$ey4SDM zTE3+1?(RPN`}c-FKYsMzzLngc!jK&( z8!(Zd^ttBl^s#jK4w#KscMfmCQYu}$pLiVdc;=T>9P+U6jhqg8m8JVPv%)$OX zy(OK!*|!#t+S=NFb6&m7nOLdNYRgtnNzq(JIbZI*sE3N)^IcmDz06XsOjz;W;7@S?=dpZf@?>JMq*zl+4Wk4(1}Vv!e|PUl)w1%m*G%})W)>2o0q7b;z6GtlX zh%9V>W5%*0GJ@)h4a~ z`gv^3Cos^^z#zcSuh$J17uO|se%@}iR8~g~$;(S{IjV=q+~40{eMC$&+i*)C>k{DTiv`1~;lMwIqG6G$^>Ztt=j6B^pp(b(NI~%C-D8#qCthYwPO`QtlI9zC1AJ zqo$$BY*%shb^TRS_*`{Gxw#5~v3 z(0ChiK;h-#;W7Mx3VXiOIchM>hsy|OoX*N?uH#0&8G%@Z#?U|S6R3Itb8SIVPJFF@ zgX|Hb-G=#+#H`L6@1U@%8p8hVJ4bagGclp7;XayFsmMx5Nog#1nY@z2)1iOs$^9?0 zHdcxNQ=}5(Y!t9O+Wqf4&f=g_v<(Js5cCFrimqTUwvy;L0wJ$y* z-~2)7E1S3X6av2o{S;uPu-`bzzI0on?-GRCM*RPSsoY8xGdz_Lh*Kb*H1ZHb>ZHijA;j!~2xQ-Te!#fncgs~)W zv{{et<#^RE^^+QhM-(q+sRyPQyNu^|cyQeKJOV$UxO;#6`tV5YCiBf|liR;P7I5>? z3!{|7XuF-dOYZ)`j9JFA)+qY@`Ve}wv*58l-R#p;g*Qt0SyuhLFNvmlfS33B!^lx? 
z7VJ{b#@u?%fqbQi4%v50e&=PHad-*!E zw0k1G@*_t1f4eIaO~;vBT1(9IvA!@DSEMwR#+h5xycWD*r1DA1d}nU1k*xHC_HCky zM@!IXUvJwe(aGj*^_)RIxNeIwW$z=L{NVo)W&gGDwr-q%v1(k#N1giPqa)6hWKzXS z=zsqtY6&6YgTjcjN6CH~$9sPgYLZUU7^GY$hYA#A5I$sycQR)3^769kH7R>5GwOCD zc=hvRxw`4gbbLNPzo{kZ_W9Y30{OcwUUTUhJBGvJx7eVi}1U>!wyJ3+H9G6rBm=g~)!#4Wiw) z1YU9PsTk|FzEwN5YW1{stud>nZfDkRz&Z2u^i22s^QEqm9!o}@eaKCKNZ6t&F_bb( zx$T$lA53je=5XdO6fX1w1-ZTt*68hYldq}oSR`;o0EHcF%w&htJ51^Y&|qNKx5B9L z4=%y8xUR2XPO(H*wNJq!tDJ`CTbqooJ@eE44((`t-&PGYWuDlG{+JCUo^ zX1N-aL9c>>^^;Uf)?0NcEG+C<+WE=fPk@G zJGX4Ed?jAFV^x*6@=inc%Xqn-%QHU5KMYSLKu2fNpRWTz8=oYrj z^E2)Ea*pV?T?H+XHTVJV(JkO!T1ql!7>UclOvalWu( z;D(j!6G<0pB<^IpnbOkx2X!F_8*mFWDU0lSstVkBYB-`el^M&CSY6rBaQQSZR)b43RT*C{{3Phz4V1B=;iWKcbXv{z$61lel^WU$yu7^j zLcQXvxDxpW-z)k7N|_c;n9yRLo7bx5rfUMY$tTB=(=#m}Bac$;U_zfss`4L?mRgc9 zh}Hy^VpX&LQKc6m`IE*hvnX=R;XSrb7uW31hR~t?_P}fH{Xs*#4c~ft2CPe=CXU8S zjN(PGZw_gl38y4_5Qg~ZM)EIpwtR#uFwecc#idr4mq#~0L;sZZ)y8tyoFD%Y)5Q?s zm{uB;4``&&8@Iv@$bB$(jqGE{&v$f9*B^>U9m6P%KE~=xfW4G3{XoPro?Zvl>iRjE zHv!9Kv6;JOwg+LRT9dhr34eNIip2Xn4A z)EJnvC3ErI>Fi1do%?6ogY3ZDG-;+t3=V-ZbUb6n%PrYf{?Qs#ytHJJ(x0+Pt)%BLhH00{+iVx_Rrm)$VJcsyBO zWU*Ed)bYcs9AXnc!$wEP>$OCA1KnoZj~EICGCS%u8}w(m(d2<|LXRXY=5;5XMvGL& zM?yJ^o%0F52TxS!J0F$Q+q?-7k<#r!ER?_snk4$FKhwn!*DQH}+hZXgvi$ouVerJ; zkig>x(zV&QkLfS3@&NLN25@`@sNc?c_O;({SbnhQRY}t>(9_s=0YXB;m9twB=ch7l zw=66G^yFBGUtcHzP`x%FL z#{i8QW={|tueo()g~b~SlCeMur$nXN}n`ycS~KHt#aq9*iO_ zo_C9tQg(g7Yr}Qh)y*v-F7C9l9^Oa_0sOG+KEW+zoVRAxCc2#~m#<^+R|8HCw;89f zHcr;Qz7)FoLVF^!SY`Ni&LIU_|BH&vEAL|Og&ybbIRVp(s}W}`6zL4KCLG%!yE0V!@8_;Pd$Ax<_@D&7A$?=B<|8&Ws1jF zoG5;3PX@zsXJ8m&x^{23T<<}jOkt#Y#jRXhuA1!@Or^pG)zDW(MMWs70k@^G=Qrz; zt(oGDX|&BGy{OCg7{uIh=J;x;RL6pT43Mv^Wl}?rRQ4ze3a$#p?LC(9D*N`6TFj=M z=+yts+oo8lXu4znKNt_#AKE9{=UIo!E-LH^=tjZ|Ko)3(vq4ZT7;yY#lOE$8I{Y&? 
zQcMh<(vv?zaZ&*!#s+D9a}npYQ&&XLX|0Du&=MMS+kkL^4SlY;MU#?DFY@mG`%y|j zlkxVL@o}V620*mHT)`XSEOhL}{@aThD=nPbg^cfDU(dV=tYp8g0?d)4ZzWy;xzlV8Y{rD=5r^1~NjIK}Q{CMxa3I59) ze3`p%IGeB97+?idhAsjZ$KiN)WxQ6d>}YiF&zDLIgs^2xDuVD5+jR}uS7HC8XN+Tu z+>qt$pQt3u{+Z}qTE5`_v%1sPIJ&qJn$r@cHgI>UOnv=;2mz{g~$rFq^z%&a;fY zE!1S@a=qIZ(G$JWl9KtqL8P`f+V!vi!GOYoo~lQC>+t_-%Azb=T^=hPBh1}@bj4}8 zI(aM5QC$*QmVwl2)qgBqj4y24Vdb+SA?Qjw4u#xRq7p;k@wHK7TYCTU<;%3e_x9I< zSH^iv2As>*xgxcP8H0j@J?1)C*JU4aX{8r22gG`m;A=&5Xa-8Dgfh!|b07%G80~J~ zjysH}jFrXQplE6L`~7j!u;li`HSFCDXwL<%xA*p<#ig!XpI zCf}d$G@cUHj?>Jdh|7#130%`Y$i6-#-wmd-maA zPk9f4K#1OIECZH*b@8M;KcX=Xj!cXrt>~yJH5voG%?$jzH0ZcMoLrdCs)oHiQr<4GsTy{3Y;3Gu zErXa1;A*9#ou9qfw4zpr)6H&EcR*V+PfAJoyS1fkXo3F+sWXAW!bpJt^zX;ueGy^d zQKrEpE)~blkOR+`cSh<}Mq50-{X5v~3_pe6!c=TyYs>x|WoemWiGEmv72jG}`TJX| z*MdD`*A_xn>?A+0M_>FG{Jfzr@m}30u_Gv7U;)X1mJT5mSI*WK@<&x~51Ng>yN9;*vds4_2C}s3=UwXF#`EyWpwU z)84rDgvuC)3hT3CsA&fcC$GAu<~Szu{{2fWF#-O{-fD4?Uk=q}&p_v-7cjwN7B(*F z1F)A8a9mBUP<{rIU=tN@HX1!5eq9>-mebkE(FG>OBPc3{hD~peD<49GvcSN=FCM(( zxc&LJReMmTG^v~-6rE}uiE&7?>t|4%f32=2YiO^+wO0ms!yN|byMQm>H#j)4NG#_J1jOxQ5ExXaD;yjc$q75Wffa+q1{!ZF!4+p%mG6EeCKCBiHQr8{ zdWKb^0;ITKhNNh+tcNb*VD0NfnGTIlx1kd3mrFR;q^0TgI3oaD7_7s{EG^6pKR*o| zvR!yc+qJN=vZDV`99!bSaZGm%;b33i#a;-l!%`%&nwp(u;|T*HsvlDr{>-Qt=LrKo zuE+j|M_0_e9A3I%YM2y5Wo=6DIDdIj(EiWKeY%NQl|rH44G+62_{Qmee<;m`&oRu) zh(KVfj7#A@v4TVh3Srj9C#CaL7TgskM#e-6=rY%tHmPAZZZ`iv-&!}TO)E9i5PKKu zr3c>VY_%z0lY<+oe`qN2MVugv50IGU{g;)4J%=(l{Z*YeXW#C|xNm%a4csP~!4BFU zKyYv%aFeDc5C~!Q_Zb6=Vt2)g4%uBEySqBsO<#ZEBxHPyAs}z8uUAG55FY(}V4E=m zG=x0P8WfVklY{bKpbn-j6HS9N6!p77oFxWSoMKDgi1_0#z|Z4I{=o@rAF0WB6%syfH5 zo~bhC64qc>XLBbRB$i1~?*P=|fA!RefU>BbR!SP98kZUdi1N~n%U4g~CYNR4M;Uy^ zA@Q=H3VF~X?!P<=lup|7`$Kyw90cnLF#oGpuUfRY>&$?Z@!_U<)qggVBMl2HDJlh8XoJDoP zgDGRL&Sdyhpx|U@rz|qXOD(t_2D45;Kwxm*Y+5d%zgVd@F<$EZXaULUOze zu^xr5PF82EP_m4FS|%%9=wd3o8ti+17B>8{NWWS;el*7_K31ZO)D?Snc6N)@_2v@? 
z;N8A`cQmWZV=HTG%wK+Z_KYU_8wyNJVlB^)IS#MPKfVWi-5&Ru&Y%AS*J@M}!%Pw7 zV$yZU9A6k~gRmjv#nr4 zw>E{icR*E4OxN3zh&m3|DB^<=Oc<(yJ{Esn0f!gk7Wk~7z`#>|#ffO3UO~&i^~8zN zUiaD@+{(1x2tqp$5YCD2oM$(W3%5U(kd&mMqtp2{kEHMRZP`MyE6{3;A=aTAa0T;T zWqcN*qfHM;Lb}LV?QCr={_|;ou5dpbomITsnb6#Ed~50OSyCB4*F~< zZ7t~WV#)1oZ1SUqbg31@NEWsglg-&G{)IN*(GI~`>Nss;oUKG-%V{ZxQ%;|TyEAaU ze~~BIq$MW$pFMje%b1}9&M_Z6^bj7(_&7(&NI|GmJat5@G*SOST) z1nkG;yf%)&Bc7=;Hx0#^e(R2Z!@A3?Mln;erif;6W>)7;aWPz~2ji|00%p55gS# z-IZ|h#MIQ(hSN+=O{O;fDSSmKZK%4&jtd1+sYMhoJ`5cRBL;GR&4~_mGKf7X>U>TEkuW#&qJu(ssOD-uX zS#RMKrlRV|&alhO%d75nM+!h}Mk!0WXQg^t*Zbn)@-imYNpip1+O0lYVVGT|mOHc) z3byQKq@_g;`sB2QMP^G&gr8sSP;oT0qL(foImV(fZb+@Li?j+!fVMt=`Xrq0a=)>0 z6$0+hw{dFO+Fp;3KZxww*u+FuMkYh$xOwXlTQ-+qE7Z-LoX3E$y+8q{ael?yq=jS0 zPjtm_u@>&b=8xkscqVxCgmCycQoV_R3r0Sbj34v)l*i=Wh{mil9kRBzM!J@p8-~tW zMFO)6DLnoY3wkMFj{n4hr7ehY|NOXLlPLaAoX} Date: Mon, 23 Mar 2020 20:37:45 -0700 Subject: [PATCH 17/60] Added content --- devices/hololens/hololens-updates.md | 47 ++++++++++++++-------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index b8c2a10cf2..9e6e81548a 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -44,13 +44,9 @@ For a detailed discussion of how to use Intune to configure Windows Update for B ### Plan the update strategy -Deferral policies work by ensuring that only updates of a certain age are offered to a device. +Windows Updates for Business supports deferral policies. A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device. By associating subsets of your devices (referred to as *update rings*) with deferral policies, you can coordinate an update rollout strategy for your organization. -Much like any other MDM policy dictated by group assignments, an update ring with a deferral configures the behavior of a specified subset of your device fleet. - -Multiple update rings can then be used to coordinate an update rollout strategy for your organization. - -Let's assume an organization with 1000 devices that are updated over 5 waves. Following the steps above, we could create 5 rings: +For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table: |Group |Number of devices |Deferral (days) | | ---| :---: | :---: | 
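Review bot: the replacement example sentence introduces two wording errors: "has to update them in five ways" should read "in five waves" (the removed line said "updated over 5 waves", and the rings in the table are rollout waves), and "Windows Updates for Business" should be "Windows Update for Business", matching the product name in this hunk's own context line ("how to use Intune to configure Windows Update for B..."). Suggested: `+For example, consider an organization that has 1,000 devices and has to update them in five waves. The organization can create five update rings, as shown in the following table:`.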
@@ -75,45 +71,50 @@ The [Policy configuration service provider (CSP)](https://docs.microsoft.com/win #### Configure automatic checks for updates -You can use the [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) policy to manage automatic update behavior, such as scanning, downloading, and installing updates. +You can use the Update/AllowAutoUpdate policy to manage automatic update behavior, such as scanning, downloading, and installing updates. The supported values for this policy are the following: -- **0** - Notify the user when there are updates that apply to the device and are ready for download. -- **1** - Automatically install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed when the device is not in use and is not running on battery power. If unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. -- **2** - [Recommended, Default] Automatically install and restart. Updates are downloaded automatically on non-metered networks and installed when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. -- **3** - Automatically install and restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. 
If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- **4** - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This option also sets the Settings page to read-only. +- **0** - Notify the user when there is an update that is ready to download that applies to the device. +- **1** - Automatically install the update and then notify the user to schedule a device restart. +- **2** - Automatically install the update, and then restart the device. *This is the recommended value*, and is the default value for this policy. + +- **3** - Automatically install the update, and restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 AM. + +- **4** - Automatically install the update, and then restart the device. This option also sets the Settings page to read-only. - **5** - Turn off automatic updates. +For more details about the available settings for this policy, see [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). + > [!NOTE] > In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). 
-#### Defer an update +#### Configure an update deferral -You can use deferrals to stage +A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device. -Deferrals are useful in allowing time to validate deployments as they are pushed to devices by staging their rollout across rings. An IT administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. They work by allowing you to specify the number of days after an update is released before it is offered to a device. - -Feature and quality updates can be configured independently and applied via the following policies: +You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each. |Category |Policy |Maximum deferral | | --- | --- | --- | |Feature updates |DeferFeatureUpdatesPeriodInDays |365 days | |Quality updates |DeferQualityUpdatesPeriodInDays |30 days | +#### Configure an update schedule To configure how and when updates are applied, use the following policies: -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) -- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday). 
+ - Values: **0** – **7** (0 = every day, 1 = Sunday, 7 = Saturday) + - Default value: **0** (every day) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime). + - Values: 0 – 23 (0 = 12AM, 23 = 11PM) + - Default value: 3pm +#### For devices that run Windows 10, version 1607 only -**For devices that run Windows 10, version 1607 only** - -You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update: +You can use the following update policies to configure devices to get updates from the Windows Server Update Service (WSUS), instead of Windows Update: - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) From ca56a843cf7c75d559d0a44988d5533c3f1a0205 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Mon, 23 Mar 2020 20:38:25 -0700 Subject: [PATCH 18/60] Revised --- devices/hololens/hololens-updates.md | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 9e6e81548a..4c6c325c13 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
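Review bot: the new ScheduledInstallTime bullet says `Default value: 3pm`, which contradicts the value-3 description a few lines up in the same hunk (`the default is daily at 3 AM`); with the stated range `0 – 23 (0 = 12AM, 23 = 11PM)` the default should be written as 3 AM. The shortened descriptions for values 2 and 4 are now word-for-word the same apart from the read-only Settings page, so the security-relevant distinction in the removed text, that value 4 installs and restarts without end-user control, is lost; suggest keeping `without end-user control` in the value 4 line. Minor: `Windows Server Update Service (WSUS)` should be `Windows Server Update Services`.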
@@ -120,8 +120,37 @@ You can use the following update policies to configure devices to get updates fr - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) +### Examples - using Intune to manage updates +#### Creating and assigning an update ring +1. Sign-in to the Intune profile and navigate to your Intune profiles. +1. Select **Software Updates** > **Windows 10 update rings** > **Create**. +1. Under **Basics**, specify a name, a description (optional) and then select **Next**. +1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. When finished, select **Next**. +1. Under **Assignments**, select **+ Select groups to include** and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. When finished, select **Next**. +1. Under **Review + create**, review the settings. When you're ready to save the update ring configuration, select **Create**. + +The list of update rings now includes the new Windows 10 update ring. + +#### Pausing an update ring + +If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you mitigate the issue. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. After the specified time period has passed, the pause automatically expires. At that point, the update process resumes. + +To pause an update ring in Intune, follow these steps: + +1. On the overview page for the update ring, select **Pause**. +1. 
Select the type of update (**Feature** or **Quality**) to pause, and then select **OK**. + +When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes. + +While the update ring is paused, you can select either of the following options: + +- To extend the pause period for an update type for 35 days, select **Extend**. +- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if needed. + +> [!NOTE] +> The **Uninstall** operation for update rings is not supported for HoloLens 2 devices. ## Manually check for updates From edd3b71470ca5866974097501a4237f3f5e9b6c3 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Mon, 23 Mar 2020 20:48:07 -0700 Subject: [PATCH 19/60] Added link --- devices/hololens/hololens-updates.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 4c6c325c13..5a9627ba92 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
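Review bot: step 1 of the new procedure, `Sign-in to the Intune profile and navigate to your Intune profiles`, does not say where the admin signs in; name the portal and use `Sign in` as the verb. The pause paragraph states that quality updates keep flowing while a feature update is paused, but not the converse: say plainly that pausing quality updates withholds security fixes from the ring for the pause period, since that is the trade-off an admin has to weigh before pausing. Also, `Creating and assigning an update ring` and `Pausing an update ring` are gerund headings while the sibling headings in this file (`Configure an update deferral`, `Configure an update schedule`) are imperative.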
@@ -124,7 +124,9 @@ You can use the following update policies to configure devices to get updates fr #### Creating and assigning an update ring -1. Sign-in to the Intune profile and navigate to your Intune profiles. +For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings). + +1. Sign-in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to your Intune profiles. 1. Select **Software Updates** > **Windows 10 update rings** > **Create**. 1. Under **Basics**, specify a name, a description (optional) and then select **Next**. 1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. When finished, select **Next**. From 6e47e6962b93c29c2bb8a1c560873af7632f8955 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 24 Mar 2020 10:53:49 +0200 Subject: [PATCH 20/60] update link https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6053 --- devices/surface-hub/surface-hub-2s-pack-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md index ff8dbd07ad..2c713a0a21 100644 --- a/devices/surface-hub/surface-hub-2s-pack-components.md +++ b/devices/surface-hub/surface-hub-2s-pack-components.md 
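Review bot: `Sign-in` is the noun form; as the verb in step 1 it should be `Sign in to the Microsoft Endpoint Manager Admin Center`. The added cross-reference sentence is useful, but it sits between the heading and the numbered steps; placing it after the steps keeps the procedure contiguous.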
@@ -36,7 +36,7 @@ Use the following steps to pack your Surface Hub 2S 50" for shipment. | **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | ![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)| | **8.** | Re-fasten the locking screw and slide the cover into place. | ![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)| | **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | ![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)| -| **10.** | Replace the cover of the shipping container, and insert the four clips. | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png| +| **10.** | Replace the cover of the shipping container, and insert the four clips. | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png)| | **11.** | Close the four clips. | ![Close the four clips.](images/surface-hub-2s-repack-13.png)| From 5472dd8324239122d3aaeec29ab4b929436f2dc0 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Mar 2020 16:44:49 +0500 Subject: [PATCH 21/60] Added a link Added link to TPM information so that the user can get more details on this. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6208 --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 0e9d529823..997cca0f1f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -81,7 +81,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled, see TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
AMD- https://ftpm.amd.com/pki/aia From eb2428d542506a85f2cab39499623035f77b03d3 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Mar 2020 18:18:09 +0500 Subject: [PATCH 22/60] modification in notes Updated a note and added more information provided by the user regarding white-glove deployment. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6260 --- windows/deployment/windows-autopilot/white-glove.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index a0bef4bb0b..bbffd240e3 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md 
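Review bot: the added clause `come with these certificates preinstalled, see TPM recommendations for more details` is a comma splice; make it a separate sentence, and fix the missing space in `chips(including`. Since this row is an allow-list requirement and the hunk says the EK certificates are fetched `on first use`, which for self-deploying mode is before any user has signed in, it would help to state that the three URLs must be reachable by device traffic that is not yet user-authenticated.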
@@ -61,8 +61,8 @@ To enable white glove deployment, an additional Autopilot profile setting must b The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device. ->[!NOTE] ->Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. +> [!NOTE] +> The white glove technician phase will install all device-targeted apps as well as any user-targeted, device-context apps that are targeted to the assigned user. If there is no assigned user, then it will only install the device-targeted apps. Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. ## Scenarios From ca2aed342e51159ad4dfb24a16c9a53149f3dcae Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 24 Mar 2020 10:43:53 -0700 Subject: [PATCH 23/60] pencil edit --- .../applocker/applocker-overview.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 96bda3d33b..8deb7aec05 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
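Review bot: the first sentence of the rewritten NOTE repeats the paragraph directly above it (device-targeted policies plus user-targeted, device-context apps for the pre-assigned user), so the page now says the same thing twice; keep only the new information in the note, that with no assigned user only device-targeted apps are installed. Also `win32` in the context line should be `Win32` to match the rest of the paragraph.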
@@ -23,7 +23,10 @@ ms.date: 10/16/2017 - Windows 10 - Windows Server -This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. **Note:** AppLocker is unable to control processes running under the system account on any OS. +This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. + +> [!NOTE] +> AppLocker is unable to control processes running under the system account on any OS. AppLocker can help you: From 1d11528f3c7806b2b6a3ad90466b6181049b0dc0 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 24 Mar 2020 10:44:27 -0700 Subject: [PATCH 24/60] pencil edit --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 8deb7aec05..e153eda8b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
@@ -26,7 +26,7 @@ ms.date: 10/16/2017 This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. > [!NOTE] -> AppLocker is unable to control processes running under the system account on any OS. +> AppLocker is unable to control processes running under the system account on any operating system. AppLocker can help you: From 2980454a7b072dd3d1cc8af45e60970b364d0638 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 24 Mar 2020 22:49:00 +0500 Subject: [PATCH 25/60] Update windows/deployment/windows-autopilot/windows-autopilot-requirements.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 997cca0f1f..afedf2b235 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -81,7 +81,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled, see TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
AMD- https://ftpm.amd.com/pki/aia From f5a8683ab62dd60fa76cb28d03cc3f2ce1d49029 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 24 Mar 2020 10:59:23 -0700 Subject: [PATCH 26/60] Add known issue on CentOS 7.0 and 7.1 --- .../microsoft-defender-atp/microsoft-defender-atp-linux.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index a9f725d9fc..34bd1f07fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -53,6 +53,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Known issues - Logged on users do not appear in the ATP portal. +- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.19.8 can result in hanging of the operating system. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash From 76857325a2dfec49bd71d1d6fe1510ed2c8a927f Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 24 Mar 2020 12:01:03 -0700 Subject: [PATCH 27/60] apis --- .../get-missing-kbs-machine.md | 86 +++++++++++++++++ .../get-missing-kbs-software.md | 93 +++++++++++++++++++ .../microsoft-defender-atp/machine.md | 5 +- .../microsoft-defender-atp/software.md | 16 ++-- .../microsoft-defender-atp/tvm-remediation.md | 8 +- 5 files changed, 195 insertions(+), 13 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md create mode 100644 windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md 
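Review bot: in the added known-issue bullet, `can result in hanging of the operating system` reads awkwardly; `can cause the operating system to hang` is clearer. The bullet should also tell the reader how to check before installing, for example by comparing the output of `uname -r` against 3.19.8, and whether the hang occurs at install time or later under load, since an admin reading a known-issues list needs to know whether existing deployments on those kernels are at risk.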
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md new file mode 100644 index 0000000000..0a94ffa148 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md 
@@ -0,0 +1,86 @@ +--- +title: Get missing KBs +description: Retrieves a list of software inventory +keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get missing KBs + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Retrieves missing KBs by machine Id + +## HTTP request + +``` +GET /api/machines/{machineId}/getmissingkbs +``` + +## Request header + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + +## Request body + +Empty + +## Response + +If successful, this method returns 200 OK, with the specified machine missing kb data in the body. + +## Example + +### Request + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs +``` + +### Response + +Here is an example of the response. + + +```json +{ + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)", + "value": [ + { + "id": "4540673", + "name": "March 2020 Security Updates", + "productsNames": [ + "windows_10", + "edge", + "internet_explorer" + ], + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673", + "machineMissedOn": 1, + "cveAddressed": 97 + }, + ... 
+ ] +} +``` + +## Related topics + +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md new file mode 100644 index 0000000000..a42ffaea6b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md 
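Review bot: this new page has no `## Permissions` section, unlike its sibling get-missing-kbs-software.md in the same patch, so the reader cannot tell which application or delegated permission the bearer token needs for `GET /api/machines/{machineId}/getmissingkbs`; add the table, mirroring the `Software.Read.All` / `Software.Read` rows on the sibling page with the machine-scoped equivalents. The front matter `description: Retrieves a list of software inventory` and the `keywords` line are copied from the software-inventory page and do not describe this API. The example request goes to `api.securitycenter.windows.com` while the response's `@odata.context` is on `api.securitycenter.microsoft.com`; use one host. Minor: `kb` in `missing kb data` should be `KB`.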
@@ -0,0 +1,93 @@ +--- +title: Get missing KBs +description: Retrieves a list of software inventory +keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get missing KBs + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Retrieves missing KBs by software Id + +## Permissions + +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request + +``` +GET /api/Software/{Id}/getmissingkbs +``` + +## Request header + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + +## Request body + +Empty + +## Response + +If successful, this method returns 200 OK, with the specified software missing kb data in the body. + +## Example + +### Request + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs +``` + +### Response + +Here is an example of the response. 
+ + +```json +{ + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)", + "value": [ + { + "id": "4540673", + "name": "March 2020 Security Updates", + "productsNames": [ + "edge" + ], + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673", + "machineMissedOn": 240, + "cveAddressed": 14 + }, + ... + ] +} +``` + +## Related topics + +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index a38094be67..92e5b76fd8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -25,6 +25,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] ## Methods + Method|Return Type |Description :---|:---|:--- [List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org. 
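Review bot: same front-matter problem as the machine variant: `title: Get missing KBs` and `description: Retrieves a list of software inventory` are identical on both new pages, so they will show the same title in search and navigation and the description is wrong for both; make the titles distinct (by machine ID, by software ID) and describe the missing-KB lookup. The example request host `api.securitycenter.windows.com` again differs from the `@odata.context` host in the response. The example software ID `microsoft-_-edge` contains `-_-`, which a reader will take for a typo; say how the ID is formed or point to the List software page the IDs come from.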
@@ -36,9 +37,11 @@ Method|Return Type |Description [Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID. [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. +[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID ## Properties -Property | Type | Description + +Property | Type | Description :---|:---|:--- id | String | [machine](machine.md) identity. computerDnsName | String | [machine](machine.md) fully qualified name. diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index 49e8e4c12d..414a3a54fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md @@ -20,11 +20,12 @@ ms.topic: article **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] ## Methods + Method |Return Type |Description :---|:---|:--- [List software](get-software.md) | Software collection | List the organizational software inventory. 
@@ -32,16 +33,17 @@ Method |Return Type |Description [List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID. [List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID. [List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID. +[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID ## Properties -Property | Type | Description + +Property | Type | Description :---|:---|:--- id | String | Software ID -Name | String | Software name -Vendor | String | Software vendor name -Weaknesses | Long | Number of discovered vulnerabilities +Name | String | Software name +Vendor | String | Software vendor name +Weaknesses | Long | Number of discovered vulnerabilities publicExploit | Boolean | Public exploit exists for some of the vulnerabilities activeAlert | Boolean | Active alert is associated with this software exposedMachines | Long | Number of exposed machines -impactScore | Double | Exposure score impact of this software - +impactScore | Double | Exposure score impact of this software diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 255962e9a7..6162539530 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
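Review bot: the Properties rows rewritten in this hunk keep mixed casing: `id`, `publicExploit`, `activeAlert`, `exposedMachines` and `impactScore` are camelCase while `Name`, `Vendor` and `Weaknesses` are capitalized. JSON property names are case-sensitive, so a reader building an OData `$filter` will copy the wrong name; since the hunk already touches those three rows, lowercase them to `name`, `vendor`, `weaknesses`. The new `Get missing KBs` method row (here and in machine.md) returns `KB collection`, but there is no KB entity page to link the way the row above links `[Vulnerability](vulnerability.md)`; either add one or describe the returned object inline.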
@@ -30,17 +30,15 @@ After your organization's cybersecurity weaknesses are identified and mapped to Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. -## Remediation - ## How remediation requests work When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task. -## Accessing the Remediation page +## Accessing the remediation page -You can access the Remediation page in a few places in the portal: +You can access the remediation page in a few places in the portal: - Security recommendations flyout panel - Navigation menu @@ -70,7 +68,7 @@ If you want to check how the ticket shows up in Intune, see [Use Intune to remed 2. Select the remediation activity that you want to view. ![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png) -### Top remediation activities card the dashboard +### Top remediation activities in the dashboard 1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**. 2. Select the remediation activity that you want to view. From 9ae21fb78b5acd26b9f3756b1e6692eae4c27fa8 Mon Sep 17 00:00:00 2001 
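Review bot: The new `[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID` row in the machine.md Methods table is the only row without a terminal period (compare `Find machines seen with IP.`) and the only one whose return type is not a link. Suggest `Get a list of missing KBs associated with the machine ID.` and, if a KB entity page exists, link `KB collection` like the other return types; if no such page exists, say so in the commit message so nobody chases it later.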
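Review bot: In the software.md Properties hunk, the `Name`, `Vendor` and `Weaknesses` rows are rewritten for trailing whitespace only but stay capitalized, while `id`, `publicExploit`, `activeAlert`, `exposedMachines` and `impactScore` are camelCase in the same table; since these lines are being touched anyway, align the property names with the casing the API actually returns. The added `Get missing KBs` row in the Methods hunk above also lacks the closing period that the neighbouring rows carry.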
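Review bot: Lowercasing the heading to `## Accessing the remediation page` conflicts with the body text in the same tvm-remediation.md hunk, which treats the page as a named UI element (`tracked in the Threat & Vulnerability Management **Remediation** page`, `go to the **Remediation** page`). Pick one form; if the portal page is titled Remediation, keep the capital in the heading. The adjacent context line `it kicks-off a remediation activity` should also read `kicks off` (no hyphen for the verb) while this paragraph is being edited.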
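Review bot: The retitled heading `### Top remediation activities in the dashboard` drops the word `card`, yet the first step under it still says `scroll down to the **Top remediation activities** card`; `### Top remediation activities card in the dashboard` keeps the heading and the step consistent and fixes the original missing preposition at the same time.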
From: Greg Lindsay Date: Tue, 24 Mar 2020 12:29:57 -0700 Subject: [PATCH 28/60] fix bold text --- .../deploy-windows-10-using-pxe-and-configuration-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 8e1aead949..19ebb6ea7b 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -79,7 +79,7 @@ Examples are provided below of various stages of deployment: ![pc0001k](../images/pc0001k.png)
![pc0001l](../images/pc0001l.png)
![pc0001m](../images/pc0001m.png)
-![pc0001n](../images/pc0001n.png)
+![pc0001n](../images/pc0001n.png) Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). From a33284172ce668e12eec0ce9c0f09dc72d192f58 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Mar 2020 13:01:18 -0700 Subject: [PATCH 29/60] redirect fix --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b79b7c666a..0991c425ae 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15850,6 +15850,11 @@ "source_path": "windows/deployment/deploy-windows-sccm/get-started-with-configuraton-manager.md", "redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/get-started-with-configuraton-manager", "redirect_document_id": false +}, +{ +"source_path": "windows/deployment/deploy-windows-sccm/deploy-windows-10-with-configuration-manager.md", +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/get-started-with-configuraton-manager", +"redirect_document_id": false } ] } From dc7f704fb009a79cebf952fee7d6fc764f8f9dc7 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 24 Mar 2020 14:18:19 -0700 Subject: [PATCH 30/60] TOC --- windows/security/threat-protection/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 72edc00443..4ad6ee6826 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
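Review bot: In PATCH 28/60 the removed and added `![pc0001n](../images/pc0001n.png)` lines read identically here, so the real change is whitespace or a line ending, and the subject `fix bold text` does not say what was broken or how this line fixes it. Put that in the commit message (which markup was rendering as bold and what changed on this line) so a reader of the history does not have to diff bytes to understand the fix.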
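Review bot: In PATCH 29/60 the new `redirect_url` ends in `get-started-with-configuraton-manager` (missing the `i` in `configuration`). It matches the `source_path` and `redirect_url` of the existing entry directly above, so it may be the actual file name under `deploy-windows-cm/`, but confirm that, because a redirect to a misspelled path fails silently for readers. Also worth a second look is that `deploy-windows-10-with-configuration-manager.md` is being sent to the `get-started` page rather than to a page of the same name; if that is intentional, a short note in the commit message would save the next person the question.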
@@ -464,6 +464,7 @@ ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md) ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) +####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md) ###### [Machine Action]() ####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md) @@ -525,6 +526,7 @@ ####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md) ####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md) ####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md) +####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md) ###### [Vulnerability]() ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md) From 1ce7af4a6976e9e4d3224b09525e030c9ea6acd2 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:34:04 -0700 Subject: [PATCH 31/60] Incorporated PubOps feedback --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8109b11730..375410ceae 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
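Review bot: Both new TOC entries use the identical link text `Get missing KBs`, one under the Machine API section (`get-missing-kbs-machine.md`) and one under the Software API section (`get-missing-kbs-software.md`), so they cannot be told apart in the left nav or in search results. Use `Get missing KBs by machine ID` and `Get missing KBs by software ID`, which is also what the page titles are renamed to later in this series.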
@@ -81,7 +81,6 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: - > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From a15c4f78e87380fb023105d99e6fe614e448ff70 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:46:14 -0700 Subject: [PATCH 32/60] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 375410ceae..135ea0963e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -81,6 +81,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From dc7701a3792f762875c8e76f38e353a366ea7ca6 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 24 Mar 2020 14:47:33 -0700 Subject: [PATCH 33/60] new sections --- .../threat-and-vuln-mgt-scenarios.md | 15 ++++++++++----- .../tvm-dashboard-insights.md | 2 +- .../tvm-security-recommendation.md | 8 +++++++- 3 files changed, 18 insertions(+), 7 deletions(-) 
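Review bot: In PATCH 31/60, removing the empty `>` line between `> Attempting to remove the built-in administrator ... with the following error:` and the `> | Error Code in Hex | ... |` header puts the table directly under a paragraph line inside the blockquote; Markdown renderers that require a blank line before a table will then output the rows as literal pipe-separated text. Keep the blank quoted line, which is exactly what the next patch re-adds.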
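Review bot: PATCH 32/60 restores the `>` separator line that PATCH 31/60 removed one commit earlier; squash the two so the series does not carry an intermediate state in which the caution table does not render.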
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 3c17e82061..f31d2e82a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -69,6 +69,16 @@ To find software or software versions which have reached end-of-support: After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. +## Use APIs + +Threat and vulnerability management supports multiple APIs. See the following topics for related APIs: + +- [Machine APIs](machine.md) +- [Recommendation APIs](vulnerability.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) + ## Related topics - [Supported operating systems and platforms](tvm-supported-os.md) @@ -83,8 +93,3 @@ After you have identified which software and software versions are vulnerable du - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) - [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Recommendation APIs](vulnerability.md) -- [Machine APIs](machine.md) -- [Score APIs](score.md) -- [Software APIs](software.md) -- [Vulnerability APIs](vulnerability.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index d2c196a62c..839193db64 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -76,7 +76,7 @@ Area | Description [**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. [**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page. **Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to

  • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
  • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
  • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. **Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. 
From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 09f5eadae8..d28353f90b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -61,10 +61,16 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. -The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. +The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. ![Screenshot of security recommendations page](images/tvmsecrec-updated.png) +### Icons + +Useful icons also quickly calls your attention to
  • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
  • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
  • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

+ +### Investigate + Select the security recommendation that you want to investigate or process. ![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png) From 2207aa9c3c25e0d8a4764e2301e667323b5e5743 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 24 Mar 2020 14:51:16 -0700 Subject: [PATCH 34/60] metadata --- .../get-missing-kbs-machine.md | 12 ++++++------ .../get-missing-kbs-software.md | 14 +++++++------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 0a94ffa148..86ce1c9e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -1,14 +1,14 @@ --- -title: Get missing KBs -description: Retrieves a list of software inventory -keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +title: Get missing KBs by machine ID +description: Retrieves missing KBs by machine Id +keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get missing KBs +# Get missing KBs by machine ID **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
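Review bot: In the new `## Use APIs` list in threat-and-vuln-mgt-scenarios.md, `- [Recommendation APIs](vulnerability.md)` points at the same file as `- [Vulnerability APIs](vulnerability.md)`; the machine.md Methods table elsewhere in this series links recommendations to `recommendation.md`, so this entry should too. The wrong target is carried over unchanged from the removed Related topics list, so this is the moment to fix it. The same hunk also introduces `Threat and vulnerability management supports multiple APIs` while the page's other text uses `Threat & Vulnerability Management`; pick one spelling of the product name.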
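Review bot: The rewritten `**Top security recommendations**` row in tvm-dashboard-insights.md drops more than the three icon bullets: the sentence explaining the remediation-type tags (`**Configuration change**`, `**Software uninstall**`, `**Software update**`) and the text saying you can drill down on a recommendation and request a remediation are removed as well, and the companion hunk in tvm-security-recommendation.md only re-adds the icons. If the tag explanation is meant to move rather than disappear, add it to the new `### Icons` section or a sibling section; if it is intentionally dropped, say so in the commit message.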
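Review bot: The new `### Icons` section in tvm-security-recommendation.md opens with `Useful icons also quickly calls your attention to`, which was written as the tail of a table cell: `also` no longer refers to anything, `calls` does not agree with `icons`, and the line needs a colon before the list. Suggest `Icons call your attention to:` followed by a Markdown list (`- ![Possible active alert](images/tvm_alert_icon.png) possible active alerts` and so on) instead of indented `•` characters, so the list renders like the rest of the page. The `Exposed machines` paragraph in this hunk changes for whitespace only, but since it is touched, `the numbers on the right hand side is greater` should read `are greater`.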
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index a42ffaea6b..e91d137857 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -1,14 +1,14 @@ --- -title: Get missing KBs -description: Retrieves a list of software inventory -keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +title: Get missing KBs by software ID +description: Retrieves missing KBs by software ID +keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get missing KBs +# Get missing KBs by software ID **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by software Id +Retrieves missing KBs by software ID ## Permissions From 8b52d1ef46a91a7498d3cfe6ad91281121c50011 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 24 Mar 2020 17:51:16 -0400 Subject: [PATCH 35/60] customize exploit protection was missing from TOC --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) 
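Review bot: In the get-missing-kbs-machine.md hunk, the new `description: Retrieves missing KBs by machine Id` uses `Id` while the new title on the same hunk says `machine ID`; the sibling hunk for get-missing-kbs-software.md corrects exactly this inconsistency in its body text (`Retrieves missing KBs by software Id` to `Retrieves missing KBs by software ID`), so apply the same to the machine page's description and to any body text that still says `Id`. Both `keywords` lines also still carry `file` and `information`, which read like leftovers from the software-inventory page these files were copied from; trim them to terms a reader would actually search for.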
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 72edc00443..090ae52053 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -199,6 +199,7 @@ ##### [Exploit protection]() ###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) +###### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) ##### [Network protection](microsoft-defender-atp/enable-network-protection.md) From 9f0d66c64bc5e5b9f9c112607f8476c8e7ce4e36 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:55:37 -0700 Subject: [PATCH 36/60] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 135ea0963e..77dbb8f681 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
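Review bot: This hunk edits `windows/security/threat-protection/TOC.md` from the same pre-image blob (`index 72edc00443..090ae52053`) as PATCH 30/60, whose header reads `index 72edc00443..4ad6ee6826`, so the two commits were made independently rather than on top of each other. The hunks touch different regions (`@@ -199,6 +199,7 @@` here, `@@ -464,6` and `@@ -525,6` there) and should merge without conflict, but check the rendered left nav after both land, since two parallel TOC edits are where duplicate or misplaced entries usually come from.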
@@ -80,8 +80,7 @@ This security setting allows an administrator to define the members that are par For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed. > [!CAUTION] -> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: -> +> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From b1148fab9b9994ac373b9f8b1e91e9cb67f90ab0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:00:42 -0700 Subject: [PATCH 37/60] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 77dbb8f681..0c768e2b75 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
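Review bot: PATCH 36/60 removes the empty `>` line that PATCH 32/60 added between the caution sentence and the `| Error Code in Hex |` table, reintroducing the case where the table immediately follows a paragraph line inside the blockquote (which many Markdown renderers will not render as a table); the only other change is trailing whitespace on the caution sentence. PATCH 39/60 later adds the separator back. Squash the formatting commits that all touch these six lines (31, 32, 36, 37, 39, 40, 41 and 43 in this series) into one commit that presents the final table.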
@@ -81,9 +81,9 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: -> | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | +> | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| -> |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| +> |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From e646fc36c5a824b6fab56e29e7d1565062f5e3a0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:10:28 -0700 Subject: [PATCH 38/60] minor update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 0c768e2b75..43888ae836 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/23/2020 +ms.date: 03/24/2020 ms.reviewer: manager: dansimp From 8ff1fc92f66a9faa18138c75c6e728076ffc01f8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:19:42 -0700 Subject: [PATCH 39/60] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 43888ae836..3f27668d11 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
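Review bot: In PATCH 37/60 the header row is reduced to four columns (`> | Error Code | Symbolic Name | Error Description | Header |`) but the separator row is left with five (`> |----------|----------|----------|----------|----------|`); table parsers that require the separator cell count to match the header will not render this as a table at all. The count is corrected in PATCH 41/60, so squash them. Also confirm that the in-cell line break used to stack `0x55b (Hex)` over `1371 (Dec)` renders in the docs pipeline; the previous two-column layout avoided inline markup inside a blockquoted table.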
@@ -81,6 +81,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From 94a788e1e77248ccf7ec7e0fdf29fba268dedfa4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:27:03 -0700 Subject: [PATCH 40/60] update to trigger build --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 3f27668d11..dc3e4f0f4e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -86,7 +86,6 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------|----------| > |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| - Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. ```xml From d075491f7c1ce3f6d8961e3aea28d3e1fa2c7059 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:36:34 -0700 Subject: [PATCH 41/60] Table format update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index dc3e4f0f4e..69c1cffc16 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -83,7 +83,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: > > | Error Code | Symbolic Name | Error Description | Header | -> |----------|----------|----------|----------|----------| +> |----------|----------|----------|----------| > |0x55b (Hex)
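Review bot: Deleting the blank line between the table's last row and `Starting in Windows 10, version 1809, you can use this schema ...` in PATCH 40/60 is not a no-op: the paragraph now directly follows a table inside a blockquote, and GFM-style parsers treat a non-blank line after a table as another table row, while lazy continuation can pull the paragraph into the caution box. Either way the schema introduction can end up rendered inside the caution or as a one-cell row. A commit whose purpose is `update to trigger build` should not change rendered content; re-run the build instead, or touch a non-rendered file.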
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From a22b2731f67ff827a36eda67a8efaa3a979ea78b Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 24 Mar 2020 15:37:00 -0700 Subject: [PATCH 42/60] Fixes --- .../microsoft-defender-atp-linux.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 34bd1f07fc..38477041ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -38,10 +38,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend > [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors. - - - - ## How to install Microsoft Defender ATP for Linux ### Prerequisites 
@@ -53,7 +49,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Known issues - Logged on users do not appear in the ATP portal. -- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.19.8 can result in hanging of the operating system. +- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash @@ -78,12 +74,12 @@ In general you need to take the following steps: - Supported Linux server distributions and versions: - - Red Hat Enterprise Linux 7 or higher - - CentOS 7 or higher + - Red Hat Enterprise Linux 7.2 or higher + - CentOS 7.2 or higher - Ubuntu 16.04 LTS or higher LTS - Debian 9 or higher - SUSE Linux Enterprise Server 12 or higher - - Oracle Linux 7 + - Oracle Linux 7.2 or higher - Minimum kernel version 2.6.38 - The `fanotify` kernel option must be enabled From 76f2391de5d1a01ef147785e178fd4318124b6f1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:41:46 -0700 Subject: [PATCH 43/60] Minor update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 69c1cffc16..959f35a071 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -84,7 +84,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------| -> |0x55b (Hex)
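Review bot: The known-issues hunk now says CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernels below `3.10.0-327` can hang and recommends `version 7.2 or newer`, and the prerequisites hunk raises those three distributions to `7.2 or higher`, but the unchanged context line `- Minimum kernel version 2.6.38` two bullets below still states a floor far under 3.10.0-327. Either qualify the 2.6.38 figure (for example, that it does not apply to the RHEL family, where the floor this patch implies is the 7.2 kernel) or raise it; otherwise a reader of the prerequisites alone will deploy on a kernel that this same page says will hang. Minor wording: `can result in hanging the operating system` reads better as `can cause the operating system to hang`, and the context line `Ubuntu 16.04 LTS or higher LTS` should be `Ubuntu 16.04 LTS or a later LTS release`.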
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| +> | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From eb07a9b365438dd7d3f50fcc99f5249db6d9af23 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Mar 2020 16:06:49 -0700 Subject: [PATCH 44/60] Removed "/en-us" in a Microsoft URL --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index afedf2b235..ec42f18fb9 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -81,7 +81,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
AMD- https://ftpm.amd.com/pki/aia From 07556f20b3b5e8c00aa3d5f4d45e117da8a4ea1c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Mar 2020 16:08:30 -0700 Subject: [PATCH 45/60] Capitalized "directory" in "Azure Active directory" --- windows/deployment/windows-autopilot/white-glove.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index bbffd240e3..88eb4f33e3 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -30,7 +30,7 @@ With **Windows Autopilot for white glove deployment**, the provisioning process ![OEM](images/wg02.png) -Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active directory join scenarios. +Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active Directory join scenarios. ## Prerequisites From 5866f706176e0535ac2dfe46de846dbcb2753c76 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Tue, 24 Mar 2020 16:09:39 -0700 Subject: [PATCH 46/60] Tech review changes --- devices/hololens/hololens-updates.md | 114 ++++++++++++++------------- 1 file changed, 61 insertions(+), 53 deletions(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 5a9627ba92..c6035261a6 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
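Review bot: the rendered hunk for windows-autopilot-requirements.md shows no textual difference between the removed and added row, so the `/en-us` removal named in the commit message is only visible in the raw link target; worth confirming the link still resolves after dropping the locale segment. While this row is being touched, `Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm` is an absolute claim that will age badly and should read `such as Intel, AMD, or Qualcomm`, and the three EK certificate URLs (`https://ekop.intel.com/ekcertservice`, `https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1`, `https://ftpm.amd.com/pki/aia`) would be easier to copy into a proxy allowlist as a bullet list than as the tail of one long sentence.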
@@ -26,41 +26,25 @@ HoloLens uses Windows Update, just like other Windows 10 devices. When an update ## Manage updates automatically -Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business (build 10.0.18362.1042 or a later build)](hololens1-upgrade-enterprise.md) to manage their updates. +Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. Make sure that they use Windows Holographic for Business build 10.0.18362.1042 or a later build. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage their updates. Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process: which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or you can define different update schedules for different types of updates. > [!NOTE] > For HoloLens devices, You can automatically manage feature updates (released twice a year) and quality updates (released monthly or as needed, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). 
-You can configure Windows Update for Business settings by using enterprise Group Policy or by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune. +You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune. For a detailed discussion of how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure). > [!IMPORTANT] > Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens. > -> You can use Windows 10 update ring policies with HoloLens. +> You can use Windows 10 update ring policies with HoloLens 2. -### Plan the update strategy +### Configure update policies for HoloLens 2 or HoloLens (1st gen) -Windows Updates for Business supports deferral policies. A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device. By associating subsets of your devices (referred to as *update rings*) with deferral policies, you can coordinate an update rollout strategy for your organization. - -For example, consider an organization that has 1,000 devices and has to update them in five ways. 
The organization can create five update rings, as shown in the following table: - -|Group |Number of devices |Deferral (days) | -| ---| :---: | :---: | -|Grp 1 (IT Staff) |5 |0 | -|Grp 2 (Early Adopters) |50 |60 | -|Grp 3 (main 1) |250 |120 | -|Grp 4 (main 2) |300 |150 | -|Grp 5 (main 3) |395 |180 | - -Here's how the rollout progresses over time to the entire organization: - -![Timeline for deploying updates](./images/hololens-updates-timeline.png) - -### Configure update policies +This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-holoLens-2). The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business. @@ -73,7 +57,7 @@ The [Policy configuration service provider (CSP)](https://docs.microsoft.com/win You can use the Update/AllowAutoUpdate policy to manage automatic update behavior, such as scanning, downloading, and installing updates. -The supported values for this policy are the following: +This policy supports the following values: - **0** - Notify the user when there is an update that is ready to download that applies to the device. - **1** - Automatically install the update and then notify the user to schedule a device restart. 
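Review bot: the in-page link added in this hunk, `#plan-and-configure-update-rollouts-for-holoLens-2`, has a capital L in `holoLens`; generated heading anchors are lowercase, so the link will not resolve and should be `#plan-and-configure-update-rollouts-for-hololens-2`. Separately, the IMPORTANT note changes `You can use Windows 10 update ring policies with HoloLens` to `... with HoloLens 2`, which now reads as if update rings are unsupported on HoloLens (1st gen), while the heading introduced just below says the policies apply to `HoloLens 2 or HoloLens (1st gen)`; if 1st gen devices can still be targeted by update ring policies, say so explicitly so the two statements do not contradict each other.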
@@ -90,17 +74,6 @@ For more details about the available settings for this policy, see [Update/Allow > [!NOTE] > In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). -#### Configure an update deferral - -A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device. - -You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each. - -|Category |Policy |Maximum deferral | -| --- | --- | --- | -|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days | -|Quality updates |DeferQualityUpdatesPeriodInDays |30 days | - #### Configure an update schedule To configure how and when updates are applied, use the following policies: 
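Review bot: removing `#### Configure an update deferral` here leaves the shared section with no statement about whether `DeferFeatureUpdatesPeriodInDays` and `DeferQualityUpdatesPeriodInDays` are honored on HoloLens (1st gen); the reader only finds out by noticing that the same table reappears under the HoloLens 2 heading later in the patch. Suggest one sentence in the remaining shared text saying that deferral policies are described in the HoloLens 2 section and stating whether 1st gen devices ignore them, because a silently ignored deferral means those devices install the update immediately.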
@@ -120,13 +93,46 @@ You can use the following update policies to configure devices to get updates fr - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -### Examples - using Intune to manage updates +### Plan and configure update rollouts for HoloLens 2 -#### Creating and assigning an update ring +HoloLens 2 supports more update automation features that HoloLens (1st gen), especially if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization. + +#### Plan the update strategy + +Windows Updates for Business supports deferral policies. After Microsoft releases an update, you can use a deferral policy to define how long to wait before installing that update on devices. By associating subsets of your devices (referred to as *update rings*) with different deferral policies, you can coordinate an update rollout strategy for your organization. + +For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table: + +|Group |Number of devices |Deferral (days) | +| ---| :---: | :---: | +|Grp 1 (IT Staff) |5 |0 | +|Grp 2 (Early Adopters) |50 |60 | +|Grp 3 (main 1) |250 |120 | +|Grp 4 (main 2) |300 |150 | +|Grp 5 (main 3) |395 |180 | + +Here's how the rollout progresses over time to the entire organization: + +![Timeline for deploying updates](./images/hololens-updates-timeline.png) + +#### Configure an update deferral policy + +A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device. 
+ +You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each. + +|Category |Policy |Maximum deferral | +| --- | --- | --- | +|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days | +|Quality updates |DeferQualityUpdatesPeriodInDays |30 days | + +#### Examples: Using Intune to manage updates + +**Example 1: Create and assign an update ring** For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings). -1. Sign-in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to your Intune profiles. +1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to your Intune profiles. 1. Select **Software Updates** > **Windows 10 update rings** > **Create**. 1. Under **Basics**, specify a name, a description (optional) and then select **Next**. 1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. When finished, select **Next**. 
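Review bot: three wording problems in the added section. `supports more update automation features that HoloLens (1st gen)` should be `than HoloLens (1st gen)`; `Windows Updates for Business supports deferral policies` should be `Windows Update for Business`, the product name used everywhere else on the page; and `has to update them in five ways` does not match what the table shows, which is five rings or waves. Also, the example table gives `Grp 2 (Early Adopters)` a 60-day deferral and the later groups 120, 150 and 180 days, while the deferral table in the same hunk caps quality updates at 30 days; so those rings can only achieve that deferral for feature updates. Suggest labelling the column as a feature update deferral, or noting that quality updates will arrive within 30 days regardless.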
@@ -135,7 +141,7 @@ For a more detailed version of this example, see [Create and assign update rings The list of update rings now includes the new Windows 10 update ring. -#### Pausing an update ring +**Example 2: Pause an update ring** If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you mitigate the issue. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. After the specified time period has passed, the pause automatically expires. At that point, the update process resumes. 
@@ -162,44 +168,46 @@ To manually check for updates, go to **Settings** > **Update & Security** > **Ch ## Manually revert an update +In some cases, you might want to go back to a previous version of the HoloLens software. The process for doing this depends on whether you are using HoloLens 2 or HoloLens (1st gen). + ### Go back to a previous version (HoloLens 2) -In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version. +You can roll back updates and return to a previous version of HoloLens 2 by using the Advanced Recovery Companion to reset your HoloLens to the earlier version. > [!NOTE] > Going back to an earlier version deletes your personal files and settings. To go back to a previous version of HoloLens 2, follow these steps: -1. Make sure that you don't have any phones or Windows devices plugged in to your PC. -1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store. +1. Make sure that you don't have any phones or Windows devices plugged in to your computer. +1. On your computer, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store. 1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download). 1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it. -1. Connect your HoloLens to your PC using a USB-A to USB-C cable . (Even if you've been using other cables to connect your HoloLens, this one works best.) -1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile. -1. 
On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.) -1. Select **Install software**, and follow the instructions. +1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this type of cable works best. +1. The Advanced Recovery Companion automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile. +1. On the next screen, select **Manual package selection** and then open the folder that you previously unzipped. Select the installation file (the file that has a .ffu extension). +1. Select **Install software**, and then follow the instructions. ### Go back to a previous version (HoloLens (1st gen)) -In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version. +You can roll back updates and return to a previous version of HoloLens (1st gen) by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version. > [!NOTE] > Going back to an earlier version deletes your personal files and settings. To go back to a previous version of HoloLens (1st gen), follow these steps: -1. Make sure that you don't have any phones or Windows devices plugged in to your PC. -1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). +1. Make sure that you don't have any phones or Windows devices plugged in to your computer. +1. On your computer, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). 1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery). -1. When the downloads finish, open **File explorer** > **Downloads**. 
Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it. -1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.) -1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile. -1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.) -1. Select **Install software**, and follow the instructions. +1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it. +1. Use the micro-USB cable that came with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best. +1. The WDRT automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile. +1. On the next screen, select **Manual package selection** and then open the folder that you previously unzipped. Select the installation file (the file that has a .ffu extension). +1. Select **Install software**, and then follow the instructions. > [!NOTE] -> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions. +> If the WDRT doesn't detect your HoloLens device, try restarting your computer. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions. ## Related articles From f76b1d94326b522ab7a4ad29bc7c9817e751b70e Mon Sep 17 00:00:00 2001 
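Review bot: step 3 of the HoloLens 2 procedure tells the reader to `Download the [most recent HoloLens 2 release]`, but the heading is `Go back to a previous version` and the intro sentence says `You can roll back updates and return to a previous version`; flashing the newest build with the Advanced Recovery Companion is a device reset, not a rollback to an earlier build. Either state that this procedure reinstalls the current release and rename it accordingly, or point to where an earlier build's .ffu can be obtained. The HoloLens (1st gen) procedure avoids the ambiguity by naming a specific package, the `HoloLens Anniversary Update recovery package`.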
From: Gary Moore Date: Tue, 24 Mar 2020 16:10:02 -0700 Subject: [PATCH 47/60] Capitalized "semi-annual channel" --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index ec42f18fb9..e1b8727f43 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -27,7 +27,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur ## Software requirements -- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported. +- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 Semi-Annual Channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported. - The following editions are supported: - Windows 10 Pro - Windows 10 Pro Education From cc2be7f578fa41e43c7857cb1475ca2bfb79226f Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Tue, 24 Mar 2020 16:54:23 -0700 Subject: [PATCH 48/60] link fix --- devices/hololens/hololens-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index c6035261a6..664bdfa289 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -44,7 +44,7 @@ For a detailed discussion of how to use Intune to configure Windows Update for B ### Configure update policies for HoloLens 2 or HoloLens (1st gen) -This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-holoLens-2). +This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-hololens-2). The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business. From 25dd2bf28995e950a744cc3a47e46aa838ec956e Mon Sep 17 00:00:00 2001 From: tgrolleman <62642995+tgrolleman@users.noreply.github.com> Date: Wed, 25 Mar 2020 09:53:28 +0100 Subject: [PATCH 49/60] Update configure-splunk.md See documentation of https://splunkbase.splunk.com/app/4128/ also, the URL's are wrong. It doesn't work with /api/alerts after the domain, Because the splunk app already adds it themself (and makes it https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/api/alerts...) : input_module_windows_defender_atp_alerts.py: uri = "%s/%s%s" % (endpoint,"/api/alerts?sinceTimeUtc=",max_date) --- .../microsoft-defender-atp/configure-splunk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index fd5efbf9ea..10c69301a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -78,7 +78,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP detec URL to authenticate the azure app (Default : https://login.microsoftonline.com) Endpoint - Depending on the location of your datacenter, select any of the following URL:

For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts

For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts

For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts + Depending on the location of your datacenter, select any of the following URL:

For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com

For US:https://wdatp-alertexporter-us.securitycenter.windows.com

For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com Tenant ID From 68c3bd55b7573d765bee63ad7df337b7dd519e55 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 25 Mar 2020 14:32:25 +0200 Subject: [PATCH 50/60] add note about best practices https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6040 --- .../password-must-meet-complexity-requirements.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 20fd54f909..ecc8a51c2b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md 
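Review bot: the endpoint change matches the commit message (the add-on appends `/api/alerts?sinceTimeUtc=` itself), but nothing in the document text now tells the reader why the path is omitted, so someone who copies an endpoint from the Defender ATP API reference will re-add `/api/alerts` and reproduce exactly the doubled path the commit describes. Suggest a short sentence after the three URLs: enter only the host; the Splunk add-on appends the alerts path. Also, `For US:https://...` and `For UK:https://...` are missing the space after the colon that `For EU: https://...` has.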
@@ -59,6 +59,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of ### Best practices +> [!NOTE] +> For the latest best practices, please check [this article](https://www.microsoft.com/en-us/research/publication/password-guidance/). + Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) From 847d916b597c5eb53a12303a5cf0f547b7ea3cbf Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 25 Mar 2020 15:05:48 +0200 Subject: [PATCH 51/60] Update respond-file-alerts.md Added improvement to note --- .../microsoft-defender-atp/respond-file-alerts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 8998da024b..2c33bef617 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md 
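Review bot: the added link carries a locale segment, `https://www.microsoft.com/en-us/research/publication/password-guidance/`; docs links normally omit `/en-us/` so the site can localize the target. `please check [this article]` is also non-descriptive link text; use the publication title, `Password Guidance`, as the link text instead. The pointer itself is worthwhile, because the paragraphs directly below it still present the ALT-character and complexity advice unchanged.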
@@ -126,7 +126,8 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days. +> In some scenarios the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
+> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days. ## Add indicator to block or allow a file From c1a9ba5dbca10ad0b4cc947643b2782f636ca6fe Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 25 Mar 2020 15:06:56 +0200 Subject: [PATCH 52/60] Update respond-file-alerts.md --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 2c33bef617..7c05201256 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -126,7 +126,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> In some scenarios the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
+> In some scenarios the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl. > Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days. ## Add indicator to block or allow a file From 9d72c7a5de1525587b623cbdd107838ad386adbb Mon Sep 17 00:00:00 2001 From: hihayak Date: Thu, 26 Mar 2020 00:26:13 +0900 Subject: [PATCH 53/60] Update waas-manage-updates-wsus.md As a note I added, WUA client can fail to apply Feature update if we approve multiple versions of it. Administrators of WSUS should know about that. --- windows/deployment/update/waas-manage-updates-wsus.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 14223dbdc3..61bd446af0 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -280,6 +280,8 @@ You can manually approve updates and set deadlines for installation within the W To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. +> [!NOTE] If you approve more than one feature update for a computer, an error can result with the client. Only approve one feature update per computer. + **To approve and deploy feature updates manually** 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**. From 8735a5fd49a2b8e271d8624ec528b19a85ceea07 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 25 Mar 2020 08:56:43 -0700 Subject: [PATCH 54/60] pencil edit --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
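Review bot: the note in respond-file-alerts.md changes the restore scope from `all files that were quarantined on this machine in the last 30 days` to `all custom blocked files that were quarantined on this machine in the last 30 days`, which is a narrower behavioral claim about what the rollback action touches; please confirm with the product team that files quarantined by an ordinary detection are not restored, because the previous wording told analysts the opposite. The `<br>` appended to the ThreatName sentence in PATCH 51 and removed again in PATCH 52 was never needed; two consecutive `>` lines already render as one note.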
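Review bot: in the waas-manage-updates-wsus.md hunk the alert is written as `> [!NOTE] If you approve more than one feature update for a computer, an error can result with the client.` on a single line; the docs alert syntax needs `> [!NOTE]` on its own line with the text on the following `>` line, otherwise this renders as a plain blockquote with a literal `[!NOTE]`. The guidance would also be more actionable with one sentence on what `an error can result with the client` looks like (whether the client fails the scan or installs an unexpected version), since as written the reader can only follow `Only approve one feature update per computer` without knowing what symptom to look for.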
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 8999e420aa..a18783d92c 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -61,8 +61,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad - **Modify** - **Write** - -> [!IMPORTANT]   +> [!IMPORTANT] > Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations From 728dd5cdeaa0b15c3a268122b63b5e090557c6a1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 25 Mar 2020 09:00:44 -0700 Subject: [PATCH 55/60] Update password-must-meet-complexity-requirements.md --- .../password-must-meet-complexity-requirements.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index ecc8a51c2b..b32a32dad0 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/08/2017 --- # Password must meet complexity requirements 
@@ -60,7 +59,7 @@ Additional settings that can be included in a custom Passfilt.dll are the use of ### Best practices > [!NOTE] -> For the latest best practices, please check [this article](https://www.microsoft.com/en-us/research/publication/password-guidance/). +> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. From 6b56302223467c6e3cab35e72525e406a8b2bbac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 25 Mar 2020 09:01:19 -0700 Subject: [PATCH 56/60] Update password-must-meet-complexity-requirements.md --- .../password-must-meet-complexity-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index b32a32dad0..b713a96ecb 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md 
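Review bot: the Best practices hunk improves the link (descriptive link text, and dropping `en-us` from the URL lets the docs site pick the reader's locale), but it leaves the tip sitting directly above `Set **Passwords must meet complexity requirements** to Enabled` with nothing reconciling the two. If the linked Password Guidance differs from the recommendation on this page, say which one takes precedence, or qualify the "Set ... to Enabled" sentence, rather than leaving the reader to discover the conflict.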
@@ -58,7 +58,7 @@ Additional settings that can be included in a custom Passfilt.dll are the use of ### Best practices -> [!NOTE] +> [!TIP] > For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. @@ -106,6 +106,6 @@ If your organization has more stringent security requirements, you can create a The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) -## Related topics +## Related articles - [Password Policy](password-policy.md) From 80d1e228840a770916eb9d6a1fe35625552f0aca Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 25 Mar 2020 09:44:07 -0700 Subject: [PATCH 57/60] Update TOC.md --- windows/security/threat-protection/TOC.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 9df70023a8..b74873055f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
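Review bot: the first hunk downgrades the pointer to the newer Password Guidance from `[!NOTE]` to `[!TIP]`, which lowers its visual prominence. Since this is the only place the page tells the reader that more current guidance exists, a NOTE (or IMPORTANT) is the better fit; a TIP reads as optional advice. Reconsider the alert type unless the style guide mandates TIP for external links.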
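Review bot: the second hunk renames the heading `## Related topics` to `## Related articles`, which also changes the heading's generated anchor (`#related-topics` becomes `#related-articles`). Check for inbound links that target the old anchor before merging, and apply the rename consistently across the sibling security-policy-settings pages rather than to this one file only.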
@@ -401,10 +401,10 @@ ##### [Web protection]() ###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) -###### [Web threat protection]() +###### [Web threat protection]() ####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md) ####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) -#######[Respond to web threats](microsoft-defender-atp/web-protection-response.md) +####### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) ###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md) ##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) @@ -414,17 +414,13 @@ #### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) ##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) ##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) -##### [Shadow protection](windows-defender-antivirus/shadow-protection.md) - #### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md) +##### [Shadow protection](windows-defender-antivirus/shadow-protection.md) #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) - - - ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) From f9b8a87423f89f3dc2588771f9fe694a04a07747 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 25 Mar 2020 10:01:50 -0700 Subject: [PATCH 58/60] pencil edit --- windows/deployment/update/waas-manage-updates-wsus.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 61bd446af0..ba8a3e7ecb 100644 
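Review bot: in the second TOC hunk, `[Shadow protection]` moves from under `Next-generation protection` to under `Endpoint detection and response`, but its target path stays at `windows-defender-antivirus/shadow-protection.md`. If the feature now belongs to EDR, the folder name will contradict the TOC placement and anything derived from the path (breadcrumbs, search facets) will still file it under antivirus; confirm the placement with the feature owner and, if EDR is final, move the file and add a redirect for the old path. The blank-line removal and the missing-space fix in `####### [Respond to web threats]` in the first hunk are fine.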
--- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -280,7 +280,8 @@ You can manually approve updates and set deadlines for installation within the W To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. -> [!NOTE] If you approve more than one feature update for a computer, an error can result with the client. Only approve one feature update per computer. +> [!NOTE] +> If you approve more than one feature update for a computer, an error can result with the client. Only approve one feature update per computer. **To approve and deploy feature updates manually** From db3ac0f62b1ce4ea71dd1a317b24dfb4fcea1be4 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 25 Mar 2020 10:02:38 -0700 Subject: [PATCH 59/60] pencil edit --- windows/deployment/update/waas-manage-updates-wsus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index ba8a3e7ecb..13b02958f8 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -281,7 +281,7 @@ You can manually approve updates and set deadlines for installation within the W To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. > [!NOTE] -> If you approve more than one feature update for a computer, an error can result with the client. Only approve one feature update per computer. +> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer. **To approve and deploy feature updates manually** From b4ebe54456399a79d7e914e914d560b9b549dbaf Mon Sep 17 00:00:00 2001 
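Review bot: the reworded sentence in the second hunk (`Approve only one feature update per computer.`) is clearer, but the first half still says `an error can result with the client` without naming the failure or the component. The commit that introduced this note says the Windows Update Agent fails to apply the feature update when more than one is approved; state that symptom directly, and tell the administrator what to do when several are already approved (decline all but the intended one), so the note is actionable instead of just cautionary.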
From: Tina Burden Date: Wed, 25 Mar 2020 10:31:39 -0700 Subject: [PATCH 60/60] pencil edit --- .../microsoft-defender-atp/respond-file-alerts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 7c05201256..9213bd067e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -126,7 +126,8 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> In some scenarios the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl. +> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl. +> > Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days. ## Add indicator to block or allow a file
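Review bot: the respond-file-alerts.md hunk correctly separates the two sentences with an empty `>` line so they render as distinct paragraphs, but the threat name `EUS:Win32/CustomEnterpriseBlock!cl` should be in code formatting (backticks) to match the bolded **ThreatName** field it names and to stop the colon and exclamation mark from being read as punctuation. The second sentence, that Microsoft Defender ATP restores all custom blocked files quarantined on the machine in the last 30 days, describes a side effect of the rollback that goes well beyond the single file the reader is acting on; it deserves its own `[!WARNING]` rather than sharing a NOTE with a naming remark.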