From 032ab23a764e62a1bc39a8e69e51f8d9325592c4 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Thu, 25 Jun 2020 11:11:06 +0500
Subject: [PATCH 001/125] Note Addition
As suggested, added a note in the documents regarding usage of 1903 settings in 1909 version as 1909 is incremental version of 1903.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5930
---
...-windows-operating-system-components-to-microsoft-services.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 7d7448f4d5..d72c9f1fbd 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,6 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
>[!IMPORTANT]
+> - The downloadable 1903 scripts/settings can be used on 1909 devices.
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
From 40254907157f3e6c999a6f04b51f9388d0cea212 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Thu, 25 Jun 2020 12:31:59 +0500
Subject: [PATCH 002/125] Update
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...windows-operating-system-components-to-microsoft-services.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index d72c9f1fbd..d5c9df4cc7 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
>[!IMPORTANT]
-> - The downloadable 1903 scripts/settings can be used on 1909 devices.
+> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
From 6c47ac8ede4345730243f6fcc2dab07f081fe15e Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 30 Jun 2020 21:21:04 +0500
Subject: [PATCH 003/125] Update virtual-smart-card-tpmvscmgr.md
---
.../virtual-smart-cards/virtual-smart-card-tpmvscmgr.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index bb1cf1508f..a979d2b781 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -35,7 +35,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| Parameter | Description |
|-----------|-------------|
| /name | Required. Indicates the name of the new virtual smart card. |
-| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT** Prompts the user to enter a value for the administrator key.
**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT** Prompts the user to enter a value for the administrator key.
**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value.
**DEFAULT** Specifies the default PIN of 12345678.
**PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
**DEFAULT** Specifies the default PUK of 12345678.
**PROMPT** Prompts the user to enter a PUK at the command line. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
From 56515512dc11b2921f68609b5d44d3e606a024f1 Mon Sep 17 00:00:00 2001
From: illfated
Date: Wed, 20 May 2020 01:33:42 +0200
Subject: [PATCH 004/125] VPN/SSO NDES: SCEP link URL update
Description:
As reported in issue ticket #6766 (Dead link), the current link to
"Configure certificate infrastructure for SCEP" returns a 404 error
because the page has been moved to a new directory structure in commit
4ae71ed25d10 on February 28, 2020. 1702 files and folders have been
moved and/or renamed in this process, making it a game of chance to
correct more than one 404 link discovery at a time. (I hope some links
were corrected back then, but I have not researched the details.)
Thanks to rossmpersonal for reporting this 404 issue.
Changes proposed:
- Update the link URL to its current location
(docs.microsoft.com/mem/intune/protect/certificates-scep-configure)
- Remove redundant end-of-line whitespace (blanks) throughout the page
Ticket closure or reference:
Closes #6766
---
...n-on-sso-over-vpn-and-wi-fi-connections.md | 58 +++++++++----------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a162e20e45..0b6ff85b21 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -16,38 +16,38 @@ ms.author: dansimp
This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
-- You connect to a network using Wi-Fi or VPN.
-- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
+- You connect to a network using Wi-Fi or VPN.
+- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
-At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
-Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
-For VPN, the VPN stack saves its credential as the session default.
-For WiFi, EAP does it.
+At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
+Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
+For VPN, the VPN stack saves its credential as the session default.
+For WiFi, EAP does it.
-The credentials are put in Credential Manager as a "\*Session" credential.
-A "\*Session" credential implies that it is valid for the current user session.
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
+The credentials are put in Credential Manager as a "\*Session" credential.
+A "\*Session" credential implies that it is valid for the current user session.
+The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
-For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
-The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
-If the app is not UWP, it does not matter.
-But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+If the app is not UWP, it does not matter.
+But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
-This behavior helps prevent credentials from being misused by untrusted third parties.
+This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone
-For the Intranet zone, by default it only allows single-label names, such as Http://finance.
-If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
+For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
### Setting the ZoneMap
-The ZoneMap is controlled using a registry that can be set through MDM.
-By default, single-label names such as http://finance are already in the intranet zone.
+The ZoneMap is controlled using a registry that can be set through MDM.
+By default, single-label names such as http://finance are already in the intranet zone.
For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
## MDM Policy
@@ -56,9 +56,9 @@ OMA URI example:
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser.
-## Credential requirements
+## Credential requirements
-For VPN, the following types of credentials will be added to credential manager after authentication:
+For VPN, the following types of credentials will be added to credential manager after authentication:
- Username and password
- Certificate-based authentication:
@@ -67,7 +67,7 @@ For VPN, the following types of credentials will be added to credential manager
- Smart Card Certificate
- Windows Hello for Business Certificate
-The username should also include a domain that can be reached over the connection (VPN or WiFi).
+The username should also include a domain that can be reached over the connection (VPN or WiFi).
## User certificate templates
@@ -82,17 +82,17 @@ If the credentials are certificate-based, then the elements in the following tab
## NDES server configuration
-The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
-For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/intune/deploy-use/Configure-certificate-infrastructure-for-scep).
+The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
+For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure).
## Active Directory requirements
-You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
+You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
-The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
-This is because Windows 10 Mobile requires strict KDC validation to be enabled.
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
+The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
+This is because Windows 10 Mobile requires strict KDC validation to be enabled.
+This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
+For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
From 2a12bea601653a4b4a9af411e9a1848689a73c8d Mon Sep 17 00:00:00 2001
From: illfated
Date: Mon, 25 May 2020 02:25:22 +0200
Subject: [PATCH 005/125] MSCT/Baselines blog: update URLs and link text
Description:
Based on the reference to this page in issue ticket #6784
(Scripts documentation missing), I noticed that 2 of 3 links pointing
to the Microsoft Security Baselines blog still used the old and
archived technet blog pages instead of the new and improved
Tech Community pages, in addition to using the outdated name
"Microsoft Security Guidance blog" instead of the new name
"Microsoft Security Baselines blog".
To make this PR easier to review, I have restricted myself to making
only 2 types of change here: URL updates (2) and link text updates (3).
Changes proposed:
- Replace the outdated technet blog links with Tech Community links
- Update the link text names to "Microsoft Security Baselines blog".
Ticket closure or reference:
Ref. #6784
---
.../threat-protection/security-compliance-toolkit-10.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 0ac210bfc0..a0f2ccf3df 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -51,7 +51,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
@@ -63,7 +63,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
-More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
@@ -73,4 +73,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
From 963dfdb3d261bb08d0b11d842235119512b13393 Mon Sep 17 00:00:00 2001
From: illfated
Date: Wed, 1 Jul 2020 23:03:35 +0200
Subject: [PATCH 006/125] Microsoft Security Compliance Toolkit scripts list
(as requested in ticket #6784)
Closes #6784
---
.../security-compliance-toolkit-10.md | 106 ++++++++++++++----
1 file changed, 83 insertions(+), 23 deletions(-)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index a0f2ccf3df..c23dcd4785 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -26,29 +26,29 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
-- Windows 10 security baselines
- - Windows 10 Version 1909 (November 2019 Update)
- - Windows 10 Version 1903 (May 2019 Update)
- - Windows 10 Version 1809 (October 2018 Update)
- - Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1709 (Fall Creators Update)
- - Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1507
+- Windows 10 security baselines
+ - Windows 10 Version 1909 (November 2019 Update)
+ - Windows 10 Version 1903 (May 2019 Update)
+ - Windows 10 Version 1809 (October 2018 Update)
+ - Windows 10 Version 1803 (April 2018 Update)
+ - Windows 10 Version 1709 (Fall Creators Update)
+ - Windows 10 Version 1607 (Anniversary Update)
+ - Windows 10 Version 1507
-- Windows Server security baselines
- - Windows Server 2019
- - Windows Server 2016
- - Windows Server 2012 R2
+- Windows Server security baselines
+ - Windows Server 2019
+ - Windows Server 2016
+ - Windows Server 2012 R2
-- Microsoft Office security baseline
- - Microsoft 365 Apps for enterprise (Sept 2019)
+- Microsoft Office security baseline
+ - Microsoft 365 Apps for enterprise (Sept 2019)
-- Microsoft Edge security baseline
- - Version 80
+- Microsoft Edge security baseline
+ - Version 80
-- Tools
- - Policy Analyzer tool
- - Local Group Policy Object (LGPO) tool
+- Tools
+ - Policy Analyzer tool
+ - Local Group Policy Object (LGPO) tool
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
@@ -56,10 +56,10 @@ You can [download the tools](https://www.microsoft.com/download/details.aspx?id=
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
-- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
-- Highlight the differences between versions or sets of Group Policies
-- Compare GPOs against current local policy and local registry settings
-- Export results to a Microsoft Excel spreadsheet
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
@@ -74,3 +74,63 @@ It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## List of PowerShell scripts
+
+This list of PowerShell script names, divided into categories by the name of the ZIP file containing those scripts, is based on the download page content listing of the full package download (12 files).
+
+1. **Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - Remove-EPBaselineSettings.ps1
+ - MapGuidsToGpoNames.ps1
+
+2. **LGPO.zip**
+ - (none)
+
+3. **Microsoft Edge v80.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+4. **Office365-ProPlus-Sept2019-FINAL.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+5. **PolicyAnalyzer.zip**
+
+ - Merge-PolicyRules.ps1
+ - Split-PolicyRules.ps1
+
+6. **Windows 10 Version 1507 Security Baseline.zip**
+ - (none)
+
+7. **Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+8. **Windows 10 Version 1709 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+9. **Windows 10 Version 1803 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+10. **Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip**
+
+ - BaselineLocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+11. **Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+12. **Windows Server 2012 R2 Security Baseline.zip**
+ - (none)
From 57ff71e27811f073a4baab1bdf85aaea5db3d165 Mon Sep 17 00:00:00 2001
From: "Brian Steingraber [KSM]"
<43631189+BrianSteingraber@users.noreply.github.com>
Date: Wed, 1 Jul 2020 16:21:02 -0500
Subject: [PATCH 007/125] Added Powershell scripts
Added new section for PowerShell scripts
---
.../threat-protection/security-compliance-toolkit-10.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 0ac210bfc0..f6885f5259 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -50,6 +50,12 @@ The Security Compliance Toolkit consists of:
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool
+- Scripts
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - Remove-EPBaselineSettings.ps1
+ - MapGuidsToGpoNames.ps1
+
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
From 7580546999dd28c975adb7c821f178a4dcf86049 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Thu, 2 Jul 2020 14:10:21 -0700
Subject: [PATCH 008/125] update to MSSP content
---
windows/security/threat-protection/TOC.md | 4 +
.../access-mssp-portal.md | 56 ++++
.../configure-mssp-notifications.md | 46 ++++
.../configure-mssp-support.md | 247 +-----------------
.../fetch-alerts-mssp.md | 196 ++++++++++++++
.../grant-mssp-access.md | 133 ++++++++++
.../images/access-properties.png | Bin 0 -> 16921 bytes
.../images/goverance-catalog.png | Bin 0 -> 12359 bytes
.../images/mssp-access.png | Bin 0 -> 41134 bytes
.../images/new-access-package.png | Bin 0 -> 58871 bytes
10 files changed, 441 insertions(+), 241 deletions(-)
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index a35fd74410..212855c5b0 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -611,6 +611,10 @@
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
+##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
+##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
### [Partner integration scenarios]()
#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
new file mode 100644
index 0000000000..647939803c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@@ -0,0 +1,56 @@
+---
+title: Access the Microsoft Defender Security Center MSSP customer portal
+description: Access the Microsoft Defender Security Center MSSP customer portal
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Access the Microsoft Defender Security Center MSSP customer portal
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+
+
+>[!NOTE]
+>These set of steps are directed towards the MSSP.
+
+By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+
+
+MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
+
+In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
+
+
+Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
+
+1. As an MSSP, login to Azure AD with your credentials.
+
+2. Switch directory to the MSSP customer's tenant.
+
+3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
+
+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
new file mode 100644
index 0000000000..b7c4bf19d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
@@ -0,0 +1,46 @@
+---
+title: Configure alert notifications that are sent to MSSPs
+description: Configure alert notifications that are sent to MSSPs
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure alert notifications that are sent to MSSPs
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
+
+After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
+
+For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+
+
+These check boxes must be checked:
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index 852f5ff3b8..5aafc31c98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -1,8 +1,6 @@
---
title: Configure managed security service provider support
-
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 09/03/2018
---
# Configure managed security service provider integration
@@ -67,247 +64,15 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
-## Grant the MSSP access to the portal
->[!NOTE]
-> These set of steps are directed towards the MSSP customer.
-> Access to the portal can only be done by the MSSP customer.
-
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
-
-
-Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
-
-You'll need to take the following 2 steps:
-- Add MSSP user to your tenant as a guest user
-
-- Grant MSSP user access to Microsoft Defender Security Center
-
-
-### Add MSSP user to your tenant as a guest user
-Add a user who is a member of the MSSP tenant to your tenant as a guest user.
-
-To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
-
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
-
-Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
-
-If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
-
-
->[!NOTE]
->There is no difference between the Member user and Guest user roles from RBAC perspective.
-
-It is recommended that groups are created for MSSPs to make authorization access more manageable.
-
-As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
-
-
-## Access the Microsoft Defender Security Center MSSP customer portal
-
->[!NOTE]
->These set of steps are directed towards the MSSP.
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
-
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials.
-
-2. Switch directory to the MSSP customer's tenant.
-
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-## Configure alert notifications that are sent to MSSPs
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
-
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Fetch alerts from MSSP customer's tenant into the SIEM system
-
->[!NOTE]
->This action is taken by the MSSP.
-
-
-To fetch alerts into your SIEM system you'll need to take the following steps:
-
-Step 1: Create a third-party application
-
-Step 2: Get access and refresh tokens from your customer's tenant
-
-Step 3: allow your application on Microsoft Defender Security Center
-
-
-
-
-### Step 1: Create an application in Azure Active Directory (Azure AD)
-
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
-
-
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
-
-2. Select **Azure Active Directory** > **App registrations**.
-
-
-3. Click **New registration**.
-
-
-4. Specify the following values:
-
- - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
-
- - Supported account types: Account in this organizational directory only
- - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
-
-5. Click **Register**. The application is displayed in the list of applications you own.
-
-6. Select the application, then click **Overview**.
-
-7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
-
-8. Select **Certificate & secrets** in the new application panel.
-
-9. Click **New client secret**.
-
-
- - Description: Enter a description for the key.
- - Expires: Select **In 1 year**
-
-
-10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
-
-
-### Step 2: Get access and refresh tokens from your customer's tenant
-This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
-
-After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
-
-
-1. Create a new folder and name it: `MsspTokensAcquisition`.
-
-2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
-
- >[!NOTE]
- >In line 30, replace `authorzationUrl` with `authorizationUrl`.
-
-3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
- ```
- param (
- [Parameter(Mandatory=$true)][string]$clientId,
- [Parameter(Mandatory=$true)][string]$secret,
- [Parameter(Mandatory=$true)][string]$tenantId
- )
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
- # Load our Login Browser Function
- Import-Module .\LoginBrowser.psm1
-
- # Configuration parameters
- $login = "https://login.microsoftonline.com"
- $redirectUri = "https://SiemMsspConnector"
- $resourceId = "https://graph.windows.net"
-
- Write-Host 'Prompt the user for his credentials, to get an authorization code'
- $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
- $login, $tenantId, $clientId, $redirectUri, $resourceId)
- Write-Host "authorzationUrl: $authorizationUrl"
-
- # Fake a proper endpoint for the Redirect URI
- $code = LoginBrowser $authorizationUrl $redirectUri
-
- # Acquire token using the authorization code
-
- $Body = @{
- grant_type = 'authorization_code'
- client_id = $clientId
- code = $code
- redirect_uri = $redirectUri
- resource = $resourceId
- client_secret = $secret
- }
-
- $tokenEndpoint = "$login/$tenantId/oauth2/token?"
- $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
- $token = $Response.access_token
- $refreshToken= $Response.refresh_token
-
- Write-Host " ----------------------------------- TOKEN ---------------------------------- "
- Write-Host $token
-
- Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
- Write-Host $refreshToken
- ```
-4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
-
-5. Run the following command:
- `Set-ExecutionPolicy -ExecutionPolicy Bypass`
-
-6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
-
- - Replace \ with the **Application (client) ID** you got from the previous step.
- - Replace \ with the **Client Secret** you created from the previous step.
- - Replace \ with your customer's **Tenant ID**.
-
-
-7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
-
-8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-
-
-### Step 3: Allow your application on Microsoft Defender Security Center
-You'll need to allow the application you created in Microsoft Defender Security Center.
-
-
-You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
-
-1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
-
-2. Click **Settings** > **SIEM**.
-
-3. Select the **MSSP** tab.
-
-4. Enter the **Application ID** from the first step and your **Tenant ID**.
-
-5. Click **Authorize application**.
-
-
-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
-
-
-- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
-- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
-
-## Fetch alerts from MSSP customer's tenant using APIs
-
-For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
-
## Related topics
-- [Use basic permissions to access the portal](basic-permissions.md)
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
+
+
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
new file mode 100644
index 0000000000..f0ccb1577e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
@@ -0,0 +1,196 @@
+---
+title: Fetch alerts from MSSP customer tenant
+description: Learn how to fetch alerts from a customer tenant
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Fetch alerts from MSSP customer tenant
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This action is taken by the MSSP.
+
+
+There are two ways you can fetch alerts:
+- Using the SIEM method
+- Using APIs
+
+## Fetch alerts into your SIEM
+
+To fetch alerts into your SIEM system you'll need to take the following steps:
+
+Step 1: Create a third-party application
+
+Step 2: Get access and refresh tokens from your customer's tenant
+
+Step 3: allow your application on Microsoft Defender Security Center
+
+
+
+
+### Step 1: Create an application in Azure Active Directory (Azure AD)
+
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+
+
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
+
+2. Select **Azure Active Directory** > **App registrations**.
+
+
+3. Click **New registration**.
+
+
+4. Specify the following values:
+
+ - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
+
+ - Supported account types: Account in this organizational directory only
+ - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
+
+5. Click **Register**. The application is displayed in the list of applications you own.
+
+6. Select the application, then click **Overview**.
+
+7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
+
+8. Select **Certificate & secrets** in the new application panel.
+
+9. Click **New client secret**.
+
+
+ - Description: Enter a description for the key.
+ - Expires: Select **In 1 year**
+
+
+10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
+
+
+### Step 2: Get access and refresh tokens from your customer's tenant
+This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
+
+After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
+
+
+1. Create a new folder and name it: `MsspTokensAcquisition`.
+
+2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
+
+ >[!NOTE]
+ >In line 30, replace `authorzationUrl` with `authorizationUrl`.
+
+3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
+ ```
+ param (
+ [Parameter(Mandatory=$true)][string]$clientId,
+ [Parameter(Mandatory=$true)][string]$secret,
+ [Parameter(Mandatory=$true)][string]$tenantId
+ )
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+ # Load our Login Browser Function
+ Import-Module .\LoginBrowser.psm1
+
+ # Configuration parameters
+ $login = "https://login.microsoftonline.com"
+ $redirectUri = "https://SiemMsspConnector"
+ $resourceId = "https://graph.windows.net"
+
+ Write-Host 'Prompt the user for his credentials, to get an authorization code'
+ $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
+ $login, $tenantId, $clientId, $redirectUri, $resourceId)
+ Write-Host "authorzationUrl: $authorizationUrl"
+
+ # Fake a proper endpoint for the Redirect URI
+ $code = LoginBrowser $authorizationUrl $redirectUri
+
+ # Acquire token using the authorization code
+
+ $Body = @{
+ grant_type = 'authorization_code'
+ client_id = $clientId
+ code = $code
+ redirect_uri = $redirectUri
+ resource = $resourceId
+ client_secret = $secret
+ }
+
+ $tokenEndpoint = "$login/$tenantId/oauth2/token?"
+ $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
+ $token = $Response.access_token
+ $refreshToken= $Response.refresh_token
+
+ Write-Host " ----------------------------------- TOKEN ---------------------------------- "
+ Write-Host $token
+
+ Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
+ Write-Host $refreshToken
+ ```
+4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
+
+5. Run the following command:
+ `Set-ExecutionPolicy -ExecutionPolicy Bypass`
+
+6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
+
+ - Replace \ with the **Application (client) ID** you got from the previous step.
+ - Replace \ with the **Client Secret** you created from the previous step.
+ - Replace \ with your customer's **Tenant ID**.
+
+
+7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
+
+8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
+
+
+### Step 3: Allow your application on Microsoft Defender Security Center
+You'll need to allow the application you created in Microsoft Defender Security Center.
+
+
+You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
+
+1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
+
+2. Click **Settings** > **SIEM**.
+
+3. Select the **MSSP** tab.
+
+4. Enter the **Application ID** from the first step and your **Tenant ID**.
+
+5. Click **Authorize application**.
+
+
+You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+
+
+- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
+- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
+
+## Fetch alerts from MSSP customer's tenant using APIs
+
+For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
new file mode 100644
index 0000000000..6e1bf6397b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
@@ -0,0 +1,133 @@
+---
+title: Grant access to managed security service provider (MSSP)
+description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Grant managed security service provider (MSSP) access
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+To implement a multi-tenant delegated access solution take the following steps:
+
+1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
+
+2. Configure [Governance Access Packages](https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
+
+3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-request-approve).
+
+## Enable role-based access controls in Microsoft Defender ATP
+
+1. **Create access groups for MSSP resources in Customer AAD: Groups**
+
+ These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create 3 groups:
+
+ - Tier 1 Analyst
+ - Tier 2 Analyst
+ - MSSP Analyst Approvers
+
+
+2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Micorosft Defender ATP.
+
+ To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
+
+ 
+
+ Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
+
+ Two possible roles:
+
+ - **Tier 1 Analysts**
+ Perform all actions except for live response and manage security settings.
+
+ - **Tier 2 Analysts**
+ Tier 1 capabilities with the addition to [ive response](live-response.md)
+
+ For more information, see [Use role-based access control](rbac.md).
+
+
+
+## Configure Governance Access Packages
+
+1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+
+ Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
+
+ To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. It is recommended to create a separate AD tenant for your MSSP Analysts.
+
+2. **Create a resource catalog in Customer AAD: Identity Governance**
+
+ Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
+
+ To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+
+ 
+
+ Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
+
+
+3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
+
+ Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
+
+ To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
+
+ - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
+ - Has annual access reviews, where the SOC analysts can request an access extension
+ - Can only be requested by users in the MSSP SOC Tenant
+ - Access auto expires after 365 days
+
+ 
+
+ For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
+
+
+4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
+
+ The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
+
+
+ 
+
+ The link is located on the overview page of each access package.
+
+## Manage access
+
+1. Review and authorize access requests in Customer and/or MSSP myaccess.
+
+ Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
+
+ To do so, access the customer’s myaccess using:
+ `https://myaccess.microsoft.com/@`.
+
+ Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/
+2. Approve or deny requests in the **Approvals** section of the UI.
+
+ At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=`
+
+## Related topics
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png
new file mode 100644
index 0000000000000000000000000000000000000000..aa284279f96d9d09473f483a8519757297790b37
GIT binary patch
literal 16921
zcmcJ%Ra9J28zop+a46i}p>TJ1OCW*5g1fuBy9N#J0fJkA5Zv9}-GVzz<^Q{9&CJ6*
zbgzD>;?&~SJ-3d0viJT@?*%nrUuFUTi2szA694S+^(_0|
zKW)kJ;u?K*_szk6`<$=O&1S$&*NCpR4a88a=pIM|GfK48?JRS4c6Klli*9#!C^<*S^J;f!hFN_xIxH-V@7pQ@
zRceR#y~39--%eLsXOihuAy@n|4PtdWTc)|ay>(=4#W+WD<|9UvmDuXt{?|#!|F;t)
zI^1wbZ`9Z-AT&rrj{ZBC7}7}m$X5&bUN}|0gOTI^*&9T`=YW55amksQ7JnD^=JD(Q
zHwaaTRH@brKZm@tc!sv6ql=6#jmpcwpp|C(W}Ua_+$Y?b<
z@9mjh6|?$&3PU5X8TdB<7J6KmBQvVP4Ej&ocqVFAKTL{BM>^jgWUmrCADlDT4BOW{
zIyXiAp41-)?ENHJ^nVkJQaRn(*uJFwn>1~r*xswzWYxiix2+1No5N3S3Awp+Wbccz
zdsWTrDad#%a%N^>DJdy(uC9%{Cgwxs>ZPZ@gW=JKZ;obS0yL_%O%KHM^s<$*1^Pfy
zoaW8cL
zrS|?K(|Lg~rYlXh+8b6GLj20})%x}m(8D7`L#Zh#CQH9NIQ)3RxGOYQ9vd3u>-^t;
zKWP1D4IqtSDn8AYUwvu>d)=N|QeUC#zec^RK*sXrZc28qkn9n;{KqnbA|vB&?)%Zo
z)sd>N+S@UwKSS>8N@pU}>$9SyWH2$mlhoUrqJ9e5+vf9?OBT<*(M~I#zK{5LwxGGG
z*yoL>0sG9AGi3jJ&&TTb7j&Gv=i=XQbuVJM&yYvg$?-quf4qKw_AmMd$bI^hh%wR|
ziDlXohI;il@m8h9;6n|d@KK2;^FIAVRjmKosXxq{(r|aSM&wV3r`7Rt+W9tvK-n@o
zJUko&?zhOm8_(s1HbE`%eQr*n76f;6K7FfRq#Lqb`OTR7@G!8;UZt)ve?v5H`5y~|
z&xNU&wE@{^k5_4?LrF;dJ`Xjs3kxf#fM#44R!~yFbP^_2>UxJ)-$X=8MZ$aUfQT1N
ztbk?(evN|0(UwYNGK|F8;g@H}>JBCR*-i|Xgb2Nedxqk(e<;>mdL=RF&RYLpzj
z=jOk@Z=Y=UMPFU#zK+g=9ReM7MLJg_OlQjyWiY{VK5I=bM{3?-2i8_ryD>>~$8!+h
z#bdv2bHbXS-Jvc1AFEAF7`f-~cZvKsS}JM^JBeMXTC@0C|Ng{kX%T^eET^bge_h!j
zhMD^~qAGu&LNd0@?^dZz>bdKEmF@p%{&*ShN3H+xahB*b@)>~Vl3^&R^2xN^
z+8`*1#ZMH6fnO{TJg;R!)jWOK>IpxMuExvpU&md3zBy+;QZHTIT!seSI9E9zsN4~7
z;vz@i@ASugn<|ve_<{*%SBJQxUZm6fv(9(`O=t3AxiLD0DIeCRx-tc$CtQBOeWMl~
z-r+1T$@98MF>PE!(~SVKkZ{d9TyyBD;><#lv~qf1KteMYk{&?z}CyDBiE>^xwt|C%cdNj~l(*3i%(-
z{C~;MdIU_lsDs0I{QjW!*7?19Ww2Ap;*RFp3!-cwpRTnvvvbgp-wm(wJFhoK*Y;ra
z9nV#m%BaMFwCZ+q5NDJjzOx_{c}KP?ntOSDbyYW-1U8+n-gRB7Fb8w&+ooq4i(XXj
z8cuHHMP0U^)L&15P2KeN$Cpg~obLjz!$y^-@z!dx@uc5K1e;du
z2g1=|owE2YWyEED@{|>@nKVGn55gq5-ZOFj|-)EnO!!L^-+xnLk2;Yn!C~N0o3i
zfo8WA?vMFWnN_bJ5dO+~JGsQoprZ|}{fP*bZ?!wq7Q_%c+-lx9Ctqo@YebCxB2LaK
z0nj`vOF|{$k<-#Dx6}YL_O@Nj)t4$;DIFcnl*;>k&3UEa8JVOAKJ$cjh$ZCb_!_ln
za#o?ebgESkqBK!Zs8e}Slh>?5B`0?n;}`j!&f!_tYF@DT%Qf2N_~9qw7i@xlC3zp4
zf(YPKCcBh_K!eL*f&aUoTUA-vWIr}^gB%>Yg!|u3aa@%)+52;WucZTukyn%
zElNzxicZqM|B!N)SoggrA-Vv6@)YRDLfrpTXF9Si%f5LY#P$J|&|+8In;a>ntwBC{
zdw2=knH?*}{%D$}&TdUR%h_}pUB?xzwBm}#Vv?NSi5m9?%^)8K7k8NA3n4rzp+VPG
zO#(vEfx{|l445sP*9L4)2kmyTzJ~uR4Qe4@(tBuHexXqjk7O5l?6z;iPXIV|hejq~
zVoej^T@yg7l3o_<9ibdDout;*FO>siZ#+3ZHi2yY*vyTG%N=H(*I5Sj-QG*ASge7|
zEm*^1_w&jqvc4MA5!?(8)4JFGP{o^12>H$faWVqH!63NnV()u9Gk(o4UzXSp%R;!s
z2f%f4wv;JmCMJVVt|zC4$vAubuEoW$oW0LODmz`Vr$%nAnu&G7XTt5AqSTq
zHq0*ESC-`SX@h4Z~$o$n2IW?JBpojg}g%
z(^^{r+UP&4AOY77sKS
zI^F)^qJ*4GAWn9n2K*nmXzs2>p`uiFE(K_b&p!Yt0xmMNwH9L`Tet6MEZ__b_cb(cJ}
zPquV|Oe3Rb!^5^_UtyH&B49^gn8UlGp92B~O#T{NkLB<=O8jy^F(aI4_jI;3C`80a
zdn?0~&K2oUz9xi(m8~FXhfvp<10XP2jV?13`i`;o_3fLc-CsmO5g&so!n7GV5?(E>
z8CRt-?t;N-M`>5L2Rsg~dk>#bm=}+GW8!e^F;!
zN78#TGCYI6t<;Jt;fkV6!xJ{kWI8QjN2t2DAnPo1$LA^87TAAL--#p?PBh-iccHSP
z)izC59YsPRiv&+p;<&az48=bR+-U^5l^F)|Y!omxlx$hGe3K=U59tkH#+JT6Pq!z8
zokA3>Ae>c9Kx~qBAdwl#fEt&
z#^F|Qpp-Ff8wv=!pr5#?2{1Tqe^b1#Xyy>
zUlV(G;C%kmWcA1w+7NQr!T$YSmMnPt^_QF>`SZef4;Dee6JHL#sTSti8hboJ{0)}R
z>{&bPhFLJsNfxd)!K#3of^O(m4~nKQZ#wqB89ZBC?*#J{55}8{d09gy8%{qH8SRmY
z`1Edf#E^0iQ=YQ}moid~VQI4cImsV3e6CSx0vG%J0{*C;wxbM2XFI{89B$wbr=lW<
zqZ662v*3%N9I_iH71?iyG^vAN607EyVpB=-vh0jJngb$wXmcZBeR+Hy*sLWNCEomC
ziRkM%FVl;tR}%REP>I~WnGE!Zu=GEIPhMGfqSkW
zNujGIU$WT0(~rjzL*w+zKx?hQI63o^MQ_9wN1ng`O2_lppfL`J{jh~51?m0z{LA&o
zhTVi*Fhrn@NVcm(xd(+8KBc00-D_rf4f}>n=ZY66bkT*miDD?{`lqOSNt
z7I|GM2V(2f1_QX1rHNEwFub<*9J0+@4vMUP=vN@?4DZy2yi47i%#${=6m!{W;WxvRLL&4{FGBJLgTK7ns<)2NY
zkHICCxGvR;fv1$YN_z%eq-G~(>^6{18yZR4+(VCM9L;dps(|!yXEGyAv7sHI`iZ0P
zcSKGPV;Y0H!wjOru1ZL1*_~h4C{O*~heu*Bu2LA|PnA^O**AbfDP8y-K+U%T0~QW+
zd`0?fLm#_2_de$krqWI^L-8%t-QaE+i@2=7%j;=H)@7EFfM4XY2n?v{$b-~ZR5AR5
zYV|N&V!vycyw!<6(WH{JyCl)>io1e$VCsz1Q#B#CseBg${qY8EmINjxl5gd^(QCMvePGLcgO-mNocKFgI
z5P^@~;fkr6^WCibd!E$i^iA1aNe33f7&D1Hnh^8z7-B2~&SKxjAA2IRvS%q^$X>7a~uiK;&_$QjAy3X0T1gE$SV#
zdHLkTtUM7VCN2)n;`|!|3oYU;+-%0jQQ#EVx3+hH{0$yvHwg)s(!7A3eKH*d{5hcR
zs0UEV#f4<#HfaV+7#!q5*o!C5RB|!NhyT&{`KH!qC?0WSv!oN4bJGRE0jvBik7Q2+GkRL>P}$~
z-=u)1*}<>}Xpmgz&VHu}$de@6CjruZi2mu}R@-N5v<}ssn9RBFIS
z7K(>f)N+!5c;@AbL%SB$@L!m^u%Q23zWQk8jc+JWE9j44|?Ae
zkBRIG&S)MBH-LovG$IbIqS9vZVy`hrhST=T%$RdeL4l5I7Z)g!Ty~?kD7L8*Ml2h>Wpc)PtedO`SLsa
zXKQU~iB|XLYqp@`aswk$G2$5XeZaZ!zTZDgsWpCtxzchvK1Ot(>pHa#YA5wE77#WY
zlmL?eu$ZhPu9IImMpk>pH`2F_|UNMXvkAcQOu-gitYAe&j18pd*(DNdyQ9u@HOb2PGF*
z*SeR5KBf<9lA$nqKAJeESzIok9m@~wv*x5}H7ZOoqG0cD*(+Mn;)amf=a9);PNR}V
zTj(rQKF^<}@pD5MiXtPdf}PZI0gy!KCm~{RiO7ZHjR9mG*gr)s%gU0|
z^G!s{V1=Q8D+~f4^vv>0Fv>1Ha5KH~Qw5+~d;}=~rTb}+$?81qXr$QY11{FZl6h{e
zyga25?Xp`|sh|0>O~j>Yw#SlGf5;{vH~|VnjA)7+z)FmYdqVdRJ_K_XVI2@Ds0xq#
zI&1*jVs+RCL`!Q54IJz}ShmTwsQ8>LaS{c6R=WQ=Rv8!87*G_HU`QVSak^N9bJhqY
zC}BvBi~=7Tae5*Jr^ab7iU^h$YR&Ap4QZ1fx-~RXg=``|ylHRwcgtUSuJk|Pd?np}
zIlwNECN+RyIjz@I*0LKDo*tT>twN)!&Nu`;8B-cCIT0hhsv2^NW^l?T50$zB)fjb7
zQ_zbEs5Q*sm=CH6=y29ikN2^yQXMK!Fy80z#HxJ`i?ySo_Cx;8p%k
zP*d>cZt*og7R*?7U__1AR_lRH-A)0+C@b3;{8?yV0Kjyb%@DZl
z{MlP9+8A>)$!Jm{hPW^?ziSgyBEo2#>J)>rlAHW51}zFHuHT7k-i(Nn$tt20YLN{s
z$2}FBB}@sEzINUbIXGi6y(T3-HNq{}Os0+Clsd;ah-#A@}udsD|*;E>oT;
zna?Q{t|{5&$hM&&^>jf0)ZZt_tImLFXcHR>X1}{zAyINLiml7(N;knEpo#J-uq;&C
z95xf$Rx?3k+qdM@KwEI!z)U4(&hgyHJ3F2#42Q!o7C|HBn|$I$T4y)@P?gmvoPyKO
zfy)nl<1%JR#9OIMVbGI_VyA|kleLvJE~=wH&90(PWuG8UpVvTU3O^DhFt93YTq#Wd
zlU}W*+(Hw(B_CKMG*i3NR)WI8njq>yTqb%=Y?|8op({^!=3Y5)B<-aP`P_Y3QXlgN
zAuq=S>6Ab+`US#t$r=!S9yJGPKDDh7lbi#w~q2GRyN6%sB*kM2E*u`!TC&SD!ET*z*4MB!H)f=}SKp1Zbim>?I*nx3>
zB$-ffma9kt$>A*GT*mujvrb8AT_#T_Kc}C%KufrX*3pqPKX#1Wq2yr^;JZ-Yhp8BF
zoG$+E31QdwBX{Vb6xuUDl4NYxjjL_(@B}L>d5!x2$&+A%`zukHiOiat1_vU;A#C{-
zq@Q6kxL
z^~*(H31~@fdpi1k#VdM$gd9F_gbhjNnppUY|M8&*q=L%X(#Qz$F4BhLagiNxBtR*R
zVxa^JQ!nWb^ti;=a2T2FK{3B3KhV-gFf;bA+F8gc!%eLLpn`RPhC_H!G0g_d@PBbI
z?WEQPbEgV!Hpj)i3omNE_dJITdio;>tt0!6H(JhcDCJGM$M8QzISp85Sqkby4A0cN
zq0fdQIdxD_|3d&du!UZ)-9CixBItg+Jzph()Hw*kV2wieJO`X$RwTFL{?SFd4qzAe
zo=R_pmoNw<+oPSOKspZmSoBVhOup-|P>{~fa>NAt_2E~Ph|Fc7zdf8tiC7{ucq&D5
z(DYdPwT6vc7nVz^8{gc9+&DAn(#V?9@g&(1k%A+)M~F(lQoWzY78Uvz1O9abHw}%9
z1Qc!OXTQ8niu%7Lc|{?u@;NO-!AXFc^F%!FyWSAdvqF^wMQnPntzg)8z@YJJNIuyS
z`cpXfF2ICgM-Y5N4_~UH_x^-BfgCl|5r#1W4+V>1MzegbJ7@RkG`jU*3>EoBbK~(~
z0jw{yJNg%*B%R!87)Xht#terHCgJ0;0()7t*MI_B(YX1edbz!QUL}OayTxYuHNk~KuiW3
z!AjcA0uPL8vW(D<(;-wyKR{?yqSx9U3IE&g9xO(^4_ywX@>
z;5C7Dyy9_P@Fh>~w^QX()9q=Pq{dpA{?QGFj1!giYS9)R!=bl+XJss@q&ko4n_(@6
zwNln(jO(VQ$LCsm(i;~=BZ}VwwR_&T$Cj7XtY3XZ<-eC#+47jVYG|bP)w}ayB5voT
zrKa}BOKDVs?Ho@ck4Uyt;ZsJl%-Np`$=4sh^E+?Ly2qWZG%LEfHC1Xi4ja{Aspf#6
z+=(vUGckF7kmTNOo=;4t~IoirRtUx$N14)L$8i2
z&!NMoLfM>v-Ms?)yv5?4lGu5D#)r!>#zDH?-)xi1QyPxtpcS4X`fnfO=I@|kWDegR
z2Ely+iOho*Tv)+@)nqcfMaa6~PQ}99bBtdrod{_kGDw-x1oQT3w0DnDg-W
zNWDX4T7MBS@^p1cEUNz5w3C4DU#^pQ2i1Eu{dcwB8u+2p@&bI;!>hIrZq+R$>@^
za74fNQc$u=1@Dh%Q%OtnT6rloy|fDva9QMy<_NFoBH8Nuei3l>(L^H=vLIZAuxPH(
zW{VxIt(+zszkQvaTw;sL_BcKMl4q18*XM8jAQp8~l8Gf`z@m*wGwcZ)KG$p8F6JX{
z?uXD_Ca3A_YI=IM44hPwjEuM={jo&Kllq^prw^HLbMq#57_^t
zC9z+|#c>N|;u7{o(lWZaY_&^FDvH;dRmtiVpf!G6HJFVNK94y+-(NIuGr;CnnXh-1-xvTRa(|J
z&F@<~|6J4fJeJaGHg>DwlwNmSrp3MbJUr+_g>~G24W>(hvNXKi#M}|`l_v50U}UrW
zo}-5T3D2?@3s9#$y6Q>s#$M(i|^56#w5`($VrGM+6k3}Np6GmjsBmZjO}btl)hdUlLN0eqZ;!uB
zm%6i(Tx8wa+p8z-Pq3!#?(TX-Qqs`SIDMRe0bRHXd=36q=XR#;+|!8NOqDuiDp+JY
zt%P;j;s_kCrkh~T7x)+n(=A>`sk1ifb
zvIk>H&AMDgolGIW_eDm#=fEa$z`JDW_8@#WebQGV61py5Bw@60jZPsGQ*HD|;2#!x
ze%o&wF4+bWSptR>w?lfixUi2#IAZj{=C*2T!!=K_psEznL;euK`ToUF_KNL249|J9
zh#j-uZceOJVz#<7VdLUClIG2as16zW1jU6>Bq}6K4WzTY4&c~Bl<&S3mHzQMO=0&_
zina3dhWdzFeQy#3-(U%+uleZUo4@CJw5o+hCStQpZW8otUX
zTU(XtqC-gxWFg~Qzy0wafgYgWi
znNsEYK3@P7^DHa_Dlyxie&gd_L>>(-NhmP&CnLjJQg=2!=lvLvc0*YrxF!!gXwP6L
z3jz}Yk^MJ5as-0Ha68RA`4`l={TlqnFmBUCM9Nl@vt$
zmhjo62$8+ENy69SqWV{i{V5Cr$m-kXTfwT|qxBi7+5iJGb0;*-cFF5SxoNqUQ6R{x
zY_BVbM&E62etvi~Lz=^}8!6F7N)E1^=CH!+8S>am8#A~
zwoLjg5fB{F!lpNze4defK7mLITG@%?1fe8Inl;4o(myt_aj_R$`ql&>
zT1}$T${q*1hZ;k(K<
z-$KvE4iJmwdK;vTj-UX0Q9Z}8d4C~`lPNZ!-8JkXS%nYFfC#nB?HsAaNwsflOAQZ#
zhvn54$rSR>J4lLI-}fYR
z1yi%~F5o^@QaH#~t+IF>{8J;lq?96{|2)fE3!wJHR{&Loz=G$hOj9wF9`kwh0Mh
zKAKbk#z@5@YRr6tHY~PUV$90#CIn!lIO>n<5amMHAt7WJp}68j$-Njy{JjDvGugtI
zjrKXlMY@bHA>Vprp;d2kDpR{EAATuEHhfYustWs6^9F6W^;Y25^`qM~3>l?hTcjdb
zTe9*3tj2l`V&=)e_$Y2mk&ULdPY@dRg#-sUAoFL2&BZ50n*N6hDpQsng
z&h@AGHNV?wx*iOLe!p1*N`R}d`?>DW$OtDdD=vBwPQQnuBa;zDzH&J0_aNNyi@zD5
z1uY%1Mat10XN1+if?jBb(RtGJ&T+;eAVdl!Qj04D$EyLPj3Q6xSmVmD8}7L~;t8r0
zjB)$YR01dmf8ZfC1U%pm|01=`|ML^saku?(k8eXb_Bk@c4b*{T?q6PA^a&%42Ti(|0vj6d2yI1a>B?PEe?oCL7`o}ATD6jNhKMba35Whp8rgT^9U#lJqtOdVH{#nfga+Qi`QG(I-}lak)C<(17)1Kb&fAFy;I==6CRF}?+m3gStuWIQ^n@SBQ#m==j2Vc
zGMnqC+LUTDA_u$|neL>vSO;0Zv$C?=lBIs1=KaaBI&~ZKb4XdZ5xLqIiJ&>Xp1;X4
zi!^nrh)yyctncEy_$l
zG>(7iqBech`L~6-x-!w+8GVF-CW(I7eQxM};NqLItdLOc&UjaUe7w+=@QNiqFf%Y#
ziR^Pj2)Lymt-FP`AXyaQo0t$YMy2P|XoG9*$6ld{u(%^@Bg1HWxA)i7GCD%;OXJL$
zGM&st@7R|mn#}Bytn=8^2&uRBPLwm}I121LZew$cb^eQBXPcTxg9B|3-j}_OP*kbH
z$8|FZy|lkMOVi1ROY#~-NPj&?TsA{vp$Bluy3=@zcI5?
z9i?;okaoP1zIIj)#KB{QAf9h@=Gqzz+pRz(B1tJJ*ljWvMolAh66I$NuYf$7-XJmK
zEFYfS?``*1g*+pfD9f}ud-btG&>zOKt*Jv`gUErZeEaU7#ehcXJ_v)-pkz|55t|CX
zVZ>B`E5gJj?`-16mcV_OP;30vpmG2H$=-F^$@hbdNtHOsSG!bw`e^6Xk;_q%+81)%
zZdll^0bvSz?~nj4o-{m3Lr1MY;m*Qef>Zqs
z?cYPzyl$|7jcjnoygNv(por#@dHFU=_Co&oHV
zKw?)$5Fh3Ij;?c8$V}z%sHo%|SBAd|{h?-->gyvoLBhGaK5=$)PLH@K6^Ga=4jHr_iW84bbY
z2D^%_4aM?s}N7^@myN-716
z&O$=?O3-$tGiDPVprn?I-gd>klq0kK3Rps<(rZj|rRR#O%UEko%UC}N_)ojlG)B71
zuK3UU6$$auj~ru?a5gKf4&a}BtM6XN+KCd`8L1xlrTRIkyvA==Kd2!BoMdFfF&i3Fa5Qr;RXfz0x0b{_vPQzV`ym$saIyDWh?jp-$%hhJ
zYFweqT?(>@AOpR#{&6m-pf5pxx~D0=A{L1`utmV45>&lFQfeD(p90||_z=kkd03tS
z1RhE$%vI}zBtU)$0~u5lz-mUcr<)oJj6z9HjxUj1_D#x#S`MEgR!~{bLgFDbU)vmK
zo9f_;!a;d7h>&KAv>f?NRijHq&*Hssjh2uA^J7d|3WED_TJ2rB)fyh{b11~JqS
zJxqRVz&=4x42B#^9gQ|!?u-Q3_}1_E@%S*~4v&LEsf%@8o@4s?!o5Eo7*1}q>p4p4
zGTkiIQ*@F0sVdjw9agna^a%Y}%ok(%#-6B(%(jPdH>1fb_Ty0YoK>I_#zRO*2?!zV
zj|EUje4-|&=Ig3ILB(54}6^!FHg{%9;WTe&b
z-0q^OSa7En-0&$dPE5w5le1ZS{)YkD2~A7Z*J*3IaXt1E7y|;(va?DUJ$u#Xtqp9=
zl)&Y&&q4H68fpSG)r|b8x-Jq)x4fy+Vhhv89I}ygc~$GY^;ea|6>XHV+=0m2mpKZg
zU8wLF!ooWVN}7tt-@1EbEW+ouw}XQnUKbQhx}*<0{)$<~8r<3N-&z7TY>PcJ`5C|KsbGG{<9~TChX#golS|^4DWRex6l&`7JGFlze0wrodI(
z?yRr_!R2_|u|^64eR2hE_!&jcMZz9k5>H5ezVX$kp?%!Wq6hi>DcHFy
z2CLg>SVO020rayvcupd;$q&Y$kBe~SFYg4F^7afa#n`|cExlhqV-}v)WxJ-L<6`5Y
zAjkP|1+>LIJ8qzs^D&%7SD5ZjtDEVGYd3`Q5SMqb3*_x|bxjv5njWVxKu}Uhor&Vb
zdIz(cuwghvqNc7!U>W^_4y|ofORkHsA*jjy1(pPwOcSq{Lp5^mcGn0iM@ZJkBcyA!
zG?fg=PrDB%E68Ks<@3;5CEJ>f&`E(Rr-6XBPb8klG{^ne^REIx?!
zX}S{47Y!;pK&qnToE2?^ecRAC!p+E&92;Y_A^2{4#lLO>y8i?zWQ-C
ztIiTW=z@j@VbyaMqpnXoPdE@<^YbuyQ>_54R$xy%TPE#-4fCwn)=P_-5fo7uY~=ev
z{!Se^_Aq%@KARlZ5AVXRhJylaS-#_t41|_LM}`34B{*w%n|bk&ojs9mbUJh%7cXlF
z71{NSz&b%Z8Aec@V*<=?VZ5;AZImU^EPtIr%b6E2!fQ0MQ
zPQ2I6CN^+tzkfM_RVE{U=s|_QB}U!=)0+xT4DBDM@5d9_oaIN;zMQc1RR;Gkwx4k2
zmhe^0s|*SPMxYfx;AvaV@h|CMJ+lQ|7b{SPPxMC^WN8x@e{of-!X4>*vR2?bh&cr8
zc5xqnIOY~buHhI@*)1y(KWF_b&jam+Y
zy=x`R>=ogzSZ~!T;gP0I^#BPD=}^JkcC;BE3Zmfxm0j`5H$!J0os3FD2UMu_uPdr8
zh9H7vS#Jx$)B$8kvvlux^BN}yb;H_^<{+9UR869Lsuzsi8@dx>1Z`dYl*g9@o4MuY
zj8Fi@l;0DY6H)1-n!a3WBl94Yd}Ll{()P@gNSUCW=&Cu8=61_-Fh+>NZn(=U@Vf=P
z1TmCqt`qwFNX>&_p>GV-lUs{6X3MSLUnkKMohKkuth-EWLox>i%$tfn+4C~1z`Ps~
zmZiJNII1Cr-woY3;Xaq`Uqvw)3dGLoN-lnYf{`}}G_e&j?Zy}H4PxnRMOV&ZjRN+z
zsDblL$7m|G{t9VdSbK@?CA8pCNWURqa`_DJKT_25W+ZH_O5v=(gteE!1R(?!j*`x#
zEfFGlk|$`jbI-A
z%pg0=>n~A3!9*Fn>n`!5WDA&O7B!7*08F?W{x>{8;(bb^QX=BJJ9K0sx@~?AIDM8v
zNLFwt&0R`Vviqe(|48;JR6y*<4O}W}uUO|N_~EFy;sm|{@EB
zrQ81*Ct~O9UVB*7&Q|zll;mvV22WT-2?E1EjxFe0II!TUIK`4G$>bRv}-q&llg|1ERum^mkz&Oagty$nraK-hY{!e?+&rX
z<1=*16Uh%G%yioEB?CfaSIB!;S=L*+^!_C|(WK!AL-F47`R@|^o+}QVb`7@-agti#
zfCSugwn_q!Vh$oixK`!2TR5;K>QzEnf4sPRwK%XWe>|
z!w#}1fN!2U
zeF#jjIsgF#YWhClDndf*kgPqk1FXa{O~2yg;cyyu77A=PUN^{MJXhzE1t}S=g6);l
znR<;qsanA^HmW(={5U%F@bh|$O976AB+bn5rq#}ET6x88Je%s
z`B$O-KaVuP^7*8t#qh5nQGF%+gp46b&MRMhKn6<@0V6^{}l2L8|AH~*jV
h$}KtIPrc{&5*ppft0R9X$Z-w;d1)1?pArT^{}*VOXu$vg
literal 0
HcmV?d00001
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png
new file mode 100644
index 0000000000000000000000000000000000000000..69e92ad46d671489baf4985d9dcc5b0eb55aed9c
GIT binary patch
literal 12359
zcmeIZRZtzz7cEReaCZ$5+}+*X-3fkhw}S94K
z(7UTSsHFh5oc(DISwQJ2*#a9Tx})
z5!A1uD3^~r
zaT}*V*d7Llm-{n-gFD5ytvc~nS;xD|5by3){okoSu6l`0)7Jglo9aUD*SBmc37HSpU%7t2pED`D
zE*L5nu%QwWiNqU6LWNAWH8ygFhKBz296z~J)zacBzb^jH4JFXDc7ryxU14HY9abO}$IPz5M!Sl>
zYR@$(@IVL&3E5?~==U^gG_$h8SAKn~#>6Uf?NyEacY8&Nerwnt7&=aHUrpQV+V7Ra
zzdro&e(u3-Ig4(Y`Z$hIb)zKoL}7I{__%U$zSH#bP{%wldh_whUbXDZ?ewaF9$NmC
zyYb{r^xCb5St#ZEhn@K1^%d{^Bn5q2ZI&6gUVN9{G{Gm)|6}qX{w{$#4D9*dZ_Ge?*?-e}NGl#}4(@^E?`VcwDOcP;7f2>14Z;YPvZi
z=8t2cP5J4SOf2+5_xnBfBP~qJoK4?9z2xKE8xeppET?2X2tXJ-f$@5;B&(3cV%V+x
z`{xgYOrqyeQJUvz&ER6I2b0VGm~n3?QXQS+N~7KJ9RD#2(NezP<(W}A2vjQcp4B?1
z;QtOeUj;fA`q-nq+q!s_)zHvbyE8J<(pr7cI-V+Ocz-#XEPwFd(U}*T1_@RJTb{F$
z+Ci-PWqvm`49CZOzm?+}xaT|6I@P!wo@$r3I-H|&sQk+r88S=WZMB|u5o-0^fadcT
zgqkqW&vSX}?svPbohoTqyQM-tb@Km>_ApyA*WlqV_Ptd-)O)V@ei?fH{jY`Fq}+#8
zjvlv?Z;^?(hMncS1|4=e)9*t~4W*LjzGsPJwT}}I(8El}`zdh~sQ1O5Np^@Hp??sj(`&8j`>H)TeJYs{*h?aB9WK-BlQ
zXdSyMzpIH$PE9yE-VwBMu#)gy_lieQa>diyQmHNsnV$kV!+(-3E+0Q#)iJUDjq56n
zEr8?Px@!J%Im!y6-BI}=4=Lbg`E-TgkcSfWZ2=-Z5YGiDT<}HM0k&tuH?R>6>0_sR
z()3$b-@y&gPJ
zKWq&DPWwQMS?zzzIv?;qa+OUbpE|AqK)A&dzgPJW7`=Wse0(RH@{ZJacxNEyk5a?L
zGmvKIotM)3AlcP}z^!&G;Lr_+LlB9AZhd=OfqBdM{^$drDVK+3Z-*Qfgk$I#(ALJ!
z>98*E=Em`#gB!hW2i$8qxPy>
zh)jSpR>3Bc=Wzz*X{r38*8jk!t?h;!H*nMRLKeO$^Z6MV85z0Q=EVjfAtABq|M8~Z
z=INxlchqRV_B__+byKV@pI6ri?YpecN#BZz923zJl5y+dmQ>^U-3EIfJx3t-iN*rC
z;|AuQh+Fa^IF^D=Gal1;0MIaFG%xMBu1mDs3?Wt;(pZd7%EonR>A|?$n?@YHB~xKg
zhp2aEwZ7&NFQ|lS!)0&MU)#TUEW4;S)0H^6rkJktqred=%6VHxdbFQQdC*%5M5FuR
zMYLF-4o+(2F=QLdR3NC9W_>E>RQ;JkQ+4ulcqC?*Qdb8I6xezfbUy=z-HeObdTkRw
z?&ENoP6?m)?DdrewY{7Z4FtL@w(+LS+z71R4do`FlJXv}9w#Oy4vmeqZ8t0~YCF5Q
zSn6wPXkca9tu&TxTLm2Py^cCuR-Wy&y{$(TW;(dr1uG?;tu#%Z6Q0)<-t`#E^0i}H
zkWcIShJU;zJ!n6036bgqE2KlAHPhfW2*$R*k*>f{P3e((ZF>uCO%k^l+&*JlNPM%0
zA4cH3iAv)vpdHy;Ar55L+a_RFAhqqeBk7O`L=`4={J&{t;j?$$SXrH|MktpC7Z17p
zkAqux&b~`CKICdglK6n-=^V)vq@G67I>wHOP#%Gv=Ort6*K~_uJ-|suw&UsrzGZ1=
zST_q!M}#r>Jh+hV9VDZSn~G`hWqBtKkxP99oBO4bYB)bSgF7Y$?aT9$ww2j
z#N*t2f-GwKi{Hby_67|?UblojJz~r4u?s6lNoLMD36p!m&}H4l*P>2QJ02OYL0Hf`
z;)5VJPrsV7Jo~ya-|{PeV19waB_n(f)!^;dgPQ~$AL9NkjJEdy@1MxfuEB!?#@Dg4
z$}1w#nxiA$#1@W|aVj{rCOYY9$B7uO*#aWhBO2`g)Td7_6Hw8EDOdvBI-l_(=?gf*
zkC1{VW37Bwu!e)ikw=NaVUZWUDQW^C^z>d~1vuaPpkRXN3#0|-2;j=y1`bNK|54Qvb?d&+L62bLQE!KavRAAh8uSCRWi+kT&h!EuKZZpr|&MrC(
ztdky}=-y<y#XhZW=XAbp}i+~;fVP(gAamp7XH!?tu&$h*;IQEMc_Dikri@Ou?
zC%&^Pz6oZ)y=A+c}T-U
z;`aYc8w!xAK`Y)5%P;Czybrvd=*oyR&nNSHqYcxUG8+kK&hm!M;<+tUss=ii&)}8B
z&LXt{wr`rRp5Ky$O3@k9(uCYkufYb=#~NB#!Ae*XDHipw6&KOp{oc}|i|H*-BADdd9%9AC({j|^^zo1;;?$b!uu@RG9O5%qKLtqPItcXqPPEAHOqeQq_
z@jTnp8g9R_p_k3BNF;qyVF%vwB7sh&RNZiIbuowIBpuTElhn<8Y9purbk;{>2N}ZD
z66@FqbG4uv=0;BgP%U$N+~%1*Bhj?D`mIouymNG5CJrA|42&jIv2GH0kDI3!NB8gS
zCz9E#AMcrJ`T4RNXRD^F#DbN7S$Yf^E%(WD{xR;z@UsVx1@uRH@lqZ80#aO
zilDxh+lB1?9FI7(Iul4bRneu^o$q4^_NHQn*c2})n@ZG$&D4=MFtNhdUsLz>xE)J_
z4_i)jQn32o+hGz&lXQf*a*s{JaA(LJA9@Mku%rfh=)EX#D19&YatUCRR2=vwLQkv4
zO0#u{RB69a?W*9~=QsWhEA9~4|En72ik8CD5<9Ix`9ELH2K
z=iz?+#~9m$l$4F{QAQsTIU=bk=*iWQU@<@_mJK-Fndp4yJ2&{DX&>
zf9{u*a7itBOv~+kPxu#AK;q`c(e+_76+=5UZKS2WYI920$<1I_*&GRj5hq0MMq)8o
zNan*6119S?qtAZQZH<$cWqaEOB_S(YcIPug879uuDqGqH^
zDjK6NSGeZ0+j+YF_zVI=?`)NQ2aIGKCea&jKp1ylZoTs%W0Ss~f7>C2dh1Lj0Wv=FFDyIHJ
zPt_d~*MqXO@gAP|APi~2BV6_Pl~<#jeDy<-m`NfxQ{1)Lsj-z77J^>3Bdhuk0KNCd
z5{olk(nxlgPVL#`J6(q^dpo)YR_ZE=sF}NG>O=I9div|DAUmq{G!er_s;nnX}vY`1V>8fK%Zn?#9l9yIHN|W!)
z{Zf;oR?)ORGQqEP=GIh+a{o?i{G4}Z2@YKW|F*R}4*ZX12+18RIwQk@pO_3;sKRQi
z*O{!2x;fCpWYfU>2h{~e5mZ5G^IECY4T`*+ZDsr8uA>Ib^&}CcepLJ%=osm25`7U3
zkrWO1^O5x0rr~;Inu6M%h!OZs#uSX;N!Ba=Y?5#Bu>Z?UF%UP`)UXgD503v0C4rc2
zyE?-=+rG@(iGEfv!(=e`Qdy4Xnp5))HB8jjO?K`->GjP4kg2lp9aGz+XgBzrC!5RI
za~0ghc%HhOU^8@?HTap~wfd%mmvzl_L^RD@bs3`4==)7-eB>hnQE|bQdQF0C4(n|;
zjB{Ep;TuFY#&@r_il=@tL<+PaN5<`}l#rYpEqSYiVIK$rfvgnw1AaGGh^AI82^&}B<`VMszjx2F$KWY5btw94eL1sa
zRCfK)JXNqKON2G6t_|^2cM-~Yz^Y){>sdb
zwsy#C6v=PeV#nyF!L^R75&L3##^s`u+|NE&kaqE|l+EL2%f&X06(~iU@KG?1b+Yo1$(4hC9^Dg+;3^eo*r4XbFkqk%6wqpu1>lbfDZ4hmSjFE
zKta`w=4MY`KHf`D{;`atuwk?Os;}g83=rNjXDe-t{
zWk6ZSFEIicKTUqShIs(#?2uekuiZr<*e$q%N2ipL3(bkeQ_}X)P2}`-?L$OiV{B$s
z9^NHUMZk2f=@u1>ILeSfyl`IB)ErOMlNRd8DH`cM4=MBM&9rLLZ?
zjI^|{M88Fyin_YEk57-=NX5bG}qdt9SM9_qh9!exFOaBJ>@0=w85n~n9Pg0z
z)nF7=rw%zVS5y21PN-m;vei04l2>#Kh^zI_s*%6(0+~5tLTN08-;#Klyayz!%u
zq=K^U&Na8}ILFHgLbv}MJs7CUkEzS4i+p#FxvH_^VB+)!Y%U6)O?vB5O!OwtEC*Mp
zt_)fO7oS_5o;Uo>%>bxX@I>AyB}%`G?S|llrR;c0=&YUSnE!2zWT;VDof70&*a=E+
zkF_M#8xd6+6oG7sD;JFM0mFL(2N+>bb>>-stm$ii(M|Q(wrf2<@5{bDruxd(gqyvX
z(ysK%7?*>SOUNC_%ItEhFTzepYAU+Jr37tc-}RfdU7kkic%T;>&X7R5z(eb*g2^Ig
zFiD1PG|Q7fzoxg{H$(oZ-MW9ra3;=*)3Aj3U8JPc3<
zFf#3!=m|k|T*2|`9hcdiw6}2yN}*hQUz3xz;DoLUx}K@KjrN4d*a~ph)qP=n`{H<=
zg_CRkFuXsk)V(yO)bT)%#c@Zt>Kpi;_rtdF%duRXOKp8fz`7ve4p}nMs*+ZC4qor2XFzmODS}ey4
zTMbPvTP6&G!p_mt+Ik8Xm(-93l3if?ACADqQXmRj@D2=h2jGV3{<*YCMFE)n2
zH)i|kFO~zyTpyVe2_txwY$q#U1@*`>SLsy;uz-|ZtlASRVYJnuR2X>MyM1L*xQHyl
zA;2<_P47kSPyO10GEklnc}Q>}=Q?j~ZhG+7+I{&{9W9+mE_0r^s$3uAiq41}f9`O6
zBGHH7G_R{4-w4{%>$^7_oR0hOo&^NKgse*mri6SO5{jx{#Z1Y#^(CQOGmijw7+J@E
zUSA=WtE~g&vyQwRaQ6H#u+tzf1mbF#+2Dsy`t}l(eR>Ijt;s}jUrcjj%q1dD{p?^|
z{`m&XjeT>C6y47L3JuP>DqX7AockFuOo<-C86@7ltuZFosOnPtg@!b^fq?TT#}l)J
z*-cR^m(%+pGJe?VZoeMxx$XAiw6hPdfZ-%}gT{+Wbd5Z>b@M~sOZwqqA-Fg|#0v@g
z0~e{XL4Hnt^Va@HAAXF<#irv46s10qels4Aj!21Nl(#KPLYbBPEx7q(tMw4XC)2bh
z(YYcs)CGH>7Y5fT&wQ*OHhW?+WHVUx%d62Sbn=(6B@Qqr;qni+x_T^U=PwxtW0{dR
zHd@P(5-3caq7swvWQrQCHbW;9p@tyizFGNPA^bIEEEzgtleb!ZFcTrAPq%@sAsfm|
z{~KZ1DHSCw*cT0x9M{paes{NU6Sr}PZ7@CyJxrvesIC&4hcfqcaoDSw*G9=$NpG^C
zsj9H9G9dwut9ByTusq*si3gY$c}R`WSo~#m1lL38iClswBe=y^yokYAF;U#cjZFg|
zLrD;vLUHvYIrl{Ps+_*%MkRINev03ogpLL|hyt@
zAWylS(Is-b4(zk!szu~>S_}wnb4VsO&3*d9_;@43hxNpObV`aOMkAlCpEcq<@V9m@3!^1Hm0`|*tKiP-8CkFWW>RG8G)6F
z%y(Ig?IsXcyuv=GL(a1pQZn>pjcAD)l0}PSFc@w2NZ+Ys!my6aueD^7Y|ltJiZiH@
zfAAuRxGAUtP8Whe*6v}+k>$COf4|5-qYd}~k3pljSI}x+ugncdmD12`4JC4=AUnxg
zats^{MOz>mN`--_s5Rq=@OKIvFwNLRVN-E(VzCH>^DOI;p972~U3sZZMQ;e4_Z}QA
z?Wp50tx6u{DiM=m6NZ>HCXb5BHz}%`^J%_n5G%~X@4}W!3@$_7WgA>Vrvh9tnaen*
z+aailf9e>S_!0lewjPG0AE%E~hI0~qqnE@)oN=EnDggh+Pvw~fN$&@DiuvvGs;o}`wY8>P!GF%L8>
zelKqdR@Mk|IoKK=iHdc8;^CtK$ioKgP(4P+!oO*Shsv(JSR0olDO97}?u7y2hva6H
z-1~=sd^H8_9p|N5XAa3ujI@=IT`iSYLw!cBfj`XK&SbFgQRZ)vD>BS<%?3oTwaBg_
zLo>MJ3=P}y&hSoo85Lum+3j~i-Da@H63+#7w3eC-*{67e=xM#h^X1gpO~Kslq4hl>
zKOO!!NgI!c#vBgnmYzGQv{^71s|t-9xNobf;{L7bAxi99-u`+_I|3U?YqmCHd#j5i
z^3OBTls&ssxx1M$Qlp7s@R+!;ts`lh!y_IGCz6LevG9;umF-3bHsLe&4iY8}gZ6HY
zKs5b|3@H>htN>bp5I)wd2Dt-MR=f!L@E&yA0d#CRZO6-9a&k#F
zr!p_I&?9PwauVNn{M5aod@dZYwQRo
zj?H;X829+6r{oC7Fqo}@p0vlX6K9iHd^c$|J$*jOsTH1Me0rvWt`9p4nx;G@BpgqM
z_Ns66ura-Mb#U~qG@-zFv;0woUQ0Yl&hOj&{=Rf70H6^qC0SNimhfLXwWwH7&42_3
zz6m8KRa$g13BFAxiv)RmMvACebjlPnTk#)hR@Mr{n0vIGWQFR(CwB$xf)p>frX=gP
z$FRbZ*&c(BBha@kHf!EljkRmjOxPZ(i2q4e{x_BRe`o(cvZt?f+_3Rasi8x%r28WE
zkk>)XVJ5G|5DOz%FBpDE5HD9vw7k<@^fQ;GSViG4hcAE?1aQNj3Lk>&!BWSP&>U_h
z!^%fi0jyKZlR{5E2yte
zo|#dVm6gRMCeBrKgWAHd(G56p;2qbqBp4bVA!nD)Yi~@P9gK6VZA1HYpUHN*>I;!2
z*CQk-YWie_Oeh#2_9fReJONJVQHrO{A4kJZ48rwavh&Xa!Aw4w1i`s2H5E)+I=UL&
zN=zJ_I-e)!?VX*n(o*5ny^|L>SWyUta+@?m2XQ8EJVIg$34(!%G$Rt%Y2N4i_ArWV
zzCL_~X!i4+c_$_>Acm%JGT@QOUfG?8Obj%N6^q1o|v%k^i0po`?0;f{r3gt2W$XyCAOl3L^&5aI(~pm
z`6pcHA9y*Z;-XDnE`|=ZLv{tGSEFoB<7PBjAUtf;g$7J0>Vv*4ElE8c(fXvrMuh(<
z-zP*{vT3>Ls1%pfzLe3jpS*Y|SWtRrz$GL!b9B7C_BO0~cs^?<`L3*^GNvZ2MPOs
zLLIUH>y-^7d5ct8hi5__Tt>y~S9*{*z~^i1y8Z3ewEQgx%l145F|ks-X3xKc-tfu3
z#QufX9TPi-gz{GI>>dqynZtV`3?Ic!*}hmY47E
z-7_;Yr4>
zVsL-x5)9yiIszcI=`Li+!2fhltjz*2CSgUjEib*<>8gLIC8A0dw)%4Uyo{1ePzc!`>d(V2onyBzAP=UC
zy}F;Kg&2V0E3-Syal#{3*VdN)6g)w|n+duQr6wB45^8w-C8-jjWYd@eRQ7&a{L9u?
zajLK@abwtr{Safg`J3A{r`NM<*hE)d!A{mphl(gt3UvfE156fxQ{2;%2Gd2DZrr#eFlV_f3TPP1SS)$_N-$0;k_f|`N9Fbo~(8yRNg;MUL
zYAD~zr~i!j`2l^B83V$tl0quQEa)
zg^^lk8-(Oo|$@@p)@)nE#1^*Bqhc8Pw^CV(L{dz)y;eZhW#qf=6Dz+
z{g1C%U;};@%*wNb?%Du6JWO2F
zfk9})2V{&6NGby&y04U)<`Q)Wo&Md8YZSW`6FJj49|;L)^|}lqA|h;mqe!~g9S{l&
zi)Pim6a4i$vm+OcA)2~;T!2je^)nk&axF9cCYIy@gYUhSP4?HSqhvn
zCGsjN5Tp7{Mjz6a@h+yMW$eo*?XIXX(y}%^DuIyJCIKh
z)=aRMoMD_kat#g+uKskr3QZR8_{)+kr-Qwzc+_hIczbb!Z(FHUz-@R@h=?w@|6zRd
z!-iW^+}zz+Sy%$*tv?fmTNYYUu<=$6j&fsV1uYGa=-l>3jIiFIjSJJce^PS34C8A_rZJ0Pd}@ZO
zfyyprJ+gTmCRL4<;BSk3_<$p42tg3t$YG6Au}wv1PE^UHvgUMGU(o?i*h$>wwH{2k
zqGAshi}+H@O|&Pbut{}!%=3U|c3N)kjjEc8cpdaF|_juqh0q5L0=3zjA2fkYC&Z1$7yXgaetz_{e~)eCx1=y|ZLxHz=5lsc6`
zPf}76+U8${h=v9j47RvKz!Wqn=E{IUHHo2OV@ervBxZU$iBncXz&p1+n67$MxWAb5fOV#EPERa#4|4;2r%tn0ekqx=}#a3Xl{M4csSYUV+4}0KmkYzRBD>tp4
zb`rsW!#a0&uTfjpgP#Y)%(V_ilA?U+QRL)|eN&y^8&IDS2MGy@Uav9w^wc&pD@#T}
zp*^-!cPj~?%aE;E-Yc*wCnkqt--J@Y6U^X$4|Uz^rrzLMu#gGIGJNaNxH*Tb(`-zq
zBmm?apKp*y4d$Qjo)(}O;zgKQ_7vp;6K
zlgd#~EF>Lg5Hu;EsI>th!m_klV?|Sw2Ys!zG3k4P0H`SMW+>ApqmRD#U^z~%!o3sG
zRF4)BIdp@s9guc*M#m3|w5bRyfKmMOEz8Lj@h5?M0*fV2IW~4u4tmgTvf%x&V~k`F
zxy(>)^qM^kWyvP`NyVgt3cIm{={AW>JWAMWIVw835pZQ;>
z?ke8jwPRP3Z!4v6>W+FY*8bA2}t>YYb+t*z0m!}P^EwQSyw(^Yg
zXH};cX?ZT!1+%-S&8UL6UA(W}ov6`z&AbeCM$aAuMHi*N+r6t}Qv$hH=HevWoc`|e
z|I6k%Y(Nj`|C~M%&Yiz-s6}8Q=L6E+PSVi&jQ&&>UZpEiZbk%Z=lwEG(0@Kx$F*2aIF}NTSDdYN;!9T?5YRxtDubsR{m`$
znHC^q$>n=<3N70SW#w00B;LAMnEjBeS#OMRq!yl%EQ`8~*H<4>GBO$l2J^G!hWsK7
z3p?G7?a!)LbW_qrHr!sJwq<@E&vF^>`3M1ad?XQFtcM~z=fGQC{tmetbU-@4VH+mM
zCIKsDBbRW1uDtC@93G6h^w?=J4YSSq?`w_ZsXk@6S!gWPjGk+`@vDmlrr{
zM2~KtO{2%HlREul`ix_C#xe_Wr2)Y4NN696sP{Co%nfdU<{j8P(aWC(Z|RS7N2TfF
z5jx%|<^-LyK>c;gES~?Rx366uwc;XbQSSo2bQDeDlpW<8j+@<1GcG;hcj#0JT)`g+
zWq43QCFVH09kAZGlQIH-Q`w!#9V4ugu#ZZGRfNTd4xa#h?jY;aL3XJyq#UWkI
z(LdjreSdH?ypXTH>}e?kd(ina72iS92%&X7l2CdR+E7cX?&|q(`q|=3bxx
zl#^tjSoEq2>Srb^DAI3ZF07O>;t8*NRUqmJR8eCko`H!t-C_$i{qiGW+E%|Mx$(i!
z*k~S=j&m$mWfKSlGG~o%OExpx%pS`fU3qdFIA`Bxm6?GkylW=ibWWeu_({SwTW?YcZ=2_jT+Klew}o
zDwNBCnvvV@4}F!cf3Jx594$4iRZhg`V(++0<6-aq4Ix3d_?njAZg%rg>AAd03jzYZ
zd{WL&7ezJ3cqgCj$RfnS2^+3Y1}|IJBI$M*nIQ=?J*YtIs{16e7L)~4;Yg@3Za`}{
zJN{r{Vd2Wd?x{4BT;n1oCDraQ!6G9gi(Wiy_VKfqHX1>h1~hzG97*|P^=7OrmJ@{e
z1qG08Zd;lh^|0Cgo
literal 0
HcmV?d00001
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png
new file mode 100644
index 0000000000000000000000000000000000000000..143628c6838f0258504ebd481deb4a6de1b3b8a6
GIT binary patch
literal 41134
zcmce-b!;8M(=F)OiJ5)P%*@QpjJb}PnVI95*}i7BV`hw*nIUFoJ7#9u`}5Xb}nxxOURBjbZ#!nn#RO2X{JKmu^_D9k#HARtH}WF@p%00{
zCO}g}hoF)n$>1Q6O5nw_V2OoukQgxpqgsjd0bxo1{`{{GzWguvz*hu^`q-TvZ912kj#CO%)lI?pfiW`5eLhFa$tZF*9WLLQ9z-DjF5)-~ra
zx9juhZ7p26=H-f4f{l*ZV0=X0$o2o_-h$^%$-ha<;KRFej>
znt>4#457ta665OPS<1_$jYukMGoydYA&uYfZP)xjJ%vRK)nmo(m-rmP&Onz}Nch`Z
z#})-k@+#X6r}&BAR!RFw@rf0VT~#qTE+sSdN43^d5+tKL**cc^*A0hVl%{Ejv6owN
zI&o5`j?n^=t?SW&i(DKY@#}f%hfPE`QBlW&jhW=xq=z*fnIMHAD1NRv%TS{5fYT1m-4U^{=QonTyGBy`r3Y`d2&ct3yc7o=Cx&r^lQ
zly%x`%w=FdT-NO2SlEPuV>Y)5MIc-svxGv>iw$ciJIK>=kE!&i<3z!~?B1BLXu|)r
zARp$qT&e557W2wge*h$A8m8&?JUp658s>Q!yR{W!4Oev7OP%hL7&)Qx_D889sw^n!
ziamG8{j%Nj;ZbUHdAM*CFhT!^yyYHQf4wFB7HQbi{uHcO$q
z*F)BT6AJen!oIWvO8#aLgA2E~5mfU^%;a%l%`rz+v2~Z<65H>hm5zFTQL(VMbeopF
zSj~N_bJvIL5{ES*K4*)3{GjNpCD|l*=OvSXu_Q#C@b_Q|wRYbV1uT5zcBI;!#`G)b
zaayLz0_r5w1o@(mW%D-n6r;s~MsN>bhoMJ1F$^lY&BY;^V^Xa<50w?EW=m6*RxJ{QyAvClkFA~$E#>^SIq=^8a)jVKDax8fpsGXf8}Ybkj9o;()D0aI>n9=M_ree@Aug7cA0BOIhPw_
zU;0lf637wh9)vw`Cxbw}`tEzGqkP+AqU`dytJ~D=6#bUo0OX{O%I@}#iQgF4L#Zb5
zcP8eK<1nFt<_e2Z(Gk?^@8`(jmG~|K6&lUqIZnDcCOmizKU}uATKUX??m2Xce@C}cou^Lk-%akgSw%*W%n&mkp6G)J9^iU+GIWJ82ohW3((
zD{%MEZ#i_zx%7fzvC_Gm>IoOIC{3UtgCRGlE2SYigPoR+!T9CQilz=$a_$IpN*M6u
zEs#GY1ugJgnI)JUjmRvSZr%pNXT|FiDma|ka=!UGsy=;tioMmN$`-PgI!(#TBli5)
zEGeCDrNsGJ)j#VzMr
zr|@49ni`7L6yv-PJ`C+M{rMXXYHN7;mSe6|&**2%cj(!(#ur|Ol!*wpr7O)bd-rxv
za#ZSPsxqyR0L*9RE_@71v%##5Pd4ccsqhkXjR~NHO4QECGxr
zMR)dYpYH1Ph3WXL7Nn$^hB9r@tuOhcMV#}tDR&gHPZqolHNO8XJozF-bB$iamYv@v
z23_!z!ouR>Z`BMJbxY;nN`*RjKljFM?LUNdk45Jx5Mu9Y-JUf}cMaP{PScaiO3&e*toE5scVxq0
z`9FvvqT(OtUuY1vCG7B_t%K=Zp<6_GU6T6rQ
z0T5K0R)LNBMh3-rw&@qYnXun3#~O|lH?yKUoe$+U&{$_jIO%q_;t?NM3QrrO;=o*D
z6FWz!iFPDt&CB`AMf%>Oia6H2o7qjUU=_SoUWPOy^$TT4t4_JwBx-Y
z2u>H?wwUREp|Hh#m15S|xiSH(%9nfJg?+I8_|jsq@$vc#C4SyaI$Yg(Xv3wTXdPG0qH#u}soe@VAcF6)sj?C_zIVky{sJ105vaEpyX_Yy}*sw2h
zWrnnTx0WAlFaGu)Zdl0&vp{08IYe75c3P75<*+%pf*?4J{;2*;QTrYxqfv=24nI;1
zD7I^H*z0Fb`@R)H?UqT}E3E6Q4mIQjq}Xd7k<5_
zXXV$s94RSf5%<}5YDA__bTDLTK}{e#2l+#ODBOkODRFuv8mNVjAN1v(LiOxS_1Z%=
z%!O_371w)Xx@3{McQr&c9KF>37`7=x74sFM!RNANS*$Vm?BXv{<1=r7j)~N#QNVBu5T=wfv
zJ4EfKTybuBRZ7fz9x9BUotr3{tt&fy@1*$f<^sg^y5Lz(9u=tsrz!uJtfLyAebFs@
zXh;e)Nn`zSLsZLolC+9b{TOsK!_)U
zocP{K9M({%QT#EAiken*ajZu;s#y5rZyMAntHuFnhkq?jB~8a|vBkfNN6FH`<0S`3
ziq2^u?hW0j|Bt(dqj;1W9&}n2Jket^AZ~cLse}Vc^GJN7-nO2GrxG;^_q!nD087t>
zN^Lp`0jG*kDGQW>*0&N|vWUk|IYTyj99r=lC9+@{d2Yav7XRI%!=8cusA9fNgk9pMXYJ^Yk;U;nPID@yYyC@L({t`qY4`M&@Yizm5eyhKgdExjiIZP
zyb4VCz>Y23nr{@D1f7#rwq9orhe%Xn`=O_ht1BaUjrdCmBNFq@6dj302f%>El3!46
z;<7)%6_Woz{?;%2f%bWKLc|f}OlhkK{{STRdF-Q_T+PXnkZz+?5;25PWHl%J-}BjL5**nOR^LQSv8!`E%NeZ|G*OqL!rSF)mwv@kZz3?54l@fh>0c
zShr}po!9|N=K4&L3+T)j_}P(g-*UD9Azw#b(?fJ
zap|x&C*ky!mH&00P|^sl|MdiP26P{gOz`b0Ot@GuUOt_#C*b2MjDU|z;=pchgd=mN
zCAv$~weLi0l)U~uK_FU-~a5_?GY!Q_Un&^m7pdXQ3nD@9>z^ugL`SVG6QoDC-
zm+$_`1Zs;IDuynud}sf7x^A7f4M_Kt5_;SWAa+6MB=Fk9fy+c{=MUdl8{ae$bmbrv
z8F%{YVo&_BGTvfw{^M{WeOyqU=x8mjD&J*GRX4Cz;2y>UwU*WrGyrA<9B&(FnPQvq
zXqL~AC$3fb?kMb#+z>tMX|pwcE*%&fI|)(k8K2SR*~F`8R=0u7A?GY%!tmN7a`|QS
zM)I1UA&$I5ua&bDomAsH`bf+IzbFw~@BF)%bA4yh?p{=
zGpMKRn+oz|6!yL6cBMeFjYMc)87dd{1)coT*ME;Ao?XEorkh^C5GxGKL^KJ~kdx#V
z=@pTekTpxb9mv8p{ig(}ZN^YmN>MZ@Lot79!Ggp0L$14H;UR(Ti?$NyN;>Q8KrATZLxiOCQ)Ze;R0=y?C@8x9qM
zuH1yk+(@4K1;m)4qY_8R;?fLT6`A
zTqcBsU@`aFUmYS?>cyJsNjpOqqf{lPR4x_ctbIXGRFenQW(!aCw`pn`64hIx=d*VE
zOs#RxgW5P{G=i$^6dXZjs7yf`W@+FZ;JS5%buaS;
zWKY9&BS#HVLjr{+|Lr4F%Meu?HJ#i;F@)Sjn^822hg9UQjz+=%IXRxB#vHM~tihoe
zw0=W2AtJ!a#XXfkSV)1Q@Um>TLTeN6%lr>|{S}BN2fs^aNt>2~dld5d7@+Q;-Ji>l
zCBtK`BH+iG>>?V|Z@ErV;VSf)Bu@4%(OgMVUWCEkwMQ8aZZPTmLZZ$bM-
z-$D?BWd7;37crf?obNzi?4an8}
zAYtkk;S^EEDUGNYC+=+dENYTRMIik$1e453B_58EYw_2F%WH5?PVzhZ&(ptfC~R_}kia@*ks0zk^kUjI{+M7)_J-gEHiPc4m=Y8x2Ur9jU3Dk&}KO{_gLFdi|_xSA8&IR$y1f6KD@KI6UZbpq|D&?l|+
zJ8a3_L5grvO4XLYc55&YD@OWKcXX}&fi>WOOzCYKH#BP8sX}nxt*nxcfOLLN_EUxU
zXlj1OzRJ*k5O%t&5hitdDuEnH;A39g_T~Q5XhikbtXE)Sw(`{ifALr(F4)T1C>=j7
z*mNQqbM}i0N@`zx2cVT3&etI}ClqXZ1*jBrdPak&M|1Bvw%!W1Om_OpC@{FRHb28A
zGFf9Z*g}h~cm%xG@9(LfUjlsa9%qyoLdLb-x5U>4Yw&F7kmaJ)VNlo~dmXN-9Q-qR
zG0h*cYzNS3c4C=7g#vDTJmSyzOtGMR%8zOG?@zsk{6L+o?
zj;GBwSBG0{lyEU`iOgk1LD*b^(%;35I5=QM=!mGyoPOiTk|@b>_xvoB#n(|0nin6~
z?*&Do!-qvcg;p1wQk@~Q2X($fP@qHGw`2C73>1p1Y1V0P3+8;K3`T8kJPoDo$U%(l
zd`6hMxJ%F!NYJ#opb{SLg<7Cqu5;i<4!}iGWZ3J;oK~O1&3C-8)>0lby{*81%IsuX
zTz8@7ZC&B9r4k|Co*po3HeQhObnEZF^)?9pX7EDC+iEWtYGAZ?s5fzUw9D#~#`{U+
z->}2|HaUfZLB)KybK=Z}lr>xop~an^?w=k-9sH!L_8;Q9(xCfe46C063odcSwIe;f
z!$)#zHi49*(vwYq#yVIZbApnnA^)};M1}+7%Itxw+A0DOe)>i7wPXI4c)gN
z`KyIK{%#3Bb;6MjFdol&LFbH)ceFdaYLtWXI-LZ>-v2YbbzESPR9N8sn?PbV@&v}U
z>xhcnX=!Ff40A8N{N3Z4M(aYLUEA)lH?puoFgw2^?;&8BE*f
zVzj%T8+&>_HQ0x?$b!j!U!`SRE(NM*gBL9~6OV1mFkatn3d-A*gj2js`+OvhhW4&p
zN_nh2_gu5nO_S0KNPB}nfNrZazcu$6A}&^oXF`R$U{9Y@q0j|@q&jxJr}rojmz?ly
zwIQyz1()1Rg~N$!a0QRm1vxn+ow(ZWg~npaRh6eM3o-1uJeACElE5LN!S$mNMKcNQ
z{AeJ=s934I=R+vhuAfCjRp@RY@dLcFHjv~~wM@iH?&q}`S_c8pdY76|=aUw)EeL68
zr(XmW{1h=-H5;zhgmtqSsheC{>QE9_#yb`&XeZy|Vf>2`p)*dF{YsJL^Rf;+7)bhE
zC$+f{5dna2h#MlTv=ZK#R>$nDf6C8_eQ;-Uq>!73fE|WZsnsDK90Wy_8H1n|GvXaV
zKj+O(|ELzXjb#fip@9o-|0(=1ekS`F-o|q?{gt-3{0ptkWw$KZTP&6;78uHf;ifHn
zvFQr)iwQP{$SDzd_9K3P`DFR;^JOMvuCO7zojX-tJE}YG->-5s^izGg$c0!tw;}f(8K<$h1X5R))jc$Ie9n1cSpLeZ(Ax!*74WQloSi_i~Z&Ycl
z1SP_3?rN-|UiW@+J`x&PUEwA0_hF}=@<`Nc4fZ+mxq24J5^f6$4!}d8bK&`z(waBK
z5_faEM^s4n$KdvI|<`4yNqpiF&37leTe^fM{Ca=g{|dcJk77*eMYp-
z1cMb8v@FB#V7o46pipG`*Z4wL2F!Nydl@+~_Ycamj6vP4pWGjho3*wi-
z)Yv=b?Yl_C9-+w`^rJsAYWECZ$Q}$nq1DJx$P!qB_>q*Mr^B<#CL+3^W}mCsSJ!NC
zq~Q_WT5-{fU%lrzhgx<8@c?QS=rG12{L}7rs{$1|IC#@eTu5gUtXOkqHjrfMIX`Hk
zyb-kMoz?u1J)pyp3!|l+@Aawwz}*Pa<_h~$ainXn?9flj)$Q^tZP##W6($WE@p`C2
z2e&b~;bn>vU=CDe;6lGfh5Ig~PSpYt6u6jZyWtWY3>rT9(@@G=n~C=aDb)_z2c;{B
zNbQP=7Tlwl)4)Iz)Nri?G_JGaL0Q;$&>7$4kR1$57A}vUsJ#JKYGUTrw(W@F$CytU
z6X9$6aWMm(obP;gxrN+^E%a2b)MQRyBOCD#wu$QI&28OB)MR-gW66l2!)AAk*xp+E
zoqTGd-leUcaefpQbdUO*-eH;skGg|o#^7`0voeJg0Y~QQUcSwBui%!1Nx!%a*{y3m
z0;}`>@FJRQEzzTNJW!x^Wp@DS>WtT>mkEkqTQa7Hu*A>|sXOs0Dc5|M&ye$?LY<@I
zFxI-D))^mg;;(p@=7!2NP`S)BNuijmf8e;GGfP-Aj6MMRIhLo`5YFa1!}fY?>eB{(
zJ8a2WrSB6F+e_SS|B-%?oy6cN=bYmmqyNKr?q3T)U7moW=5u+9n0g`vBFY^L%kp@j
zoer#-vWbxy)$0RsUPW`Rs9@rPM-_$RwNK&TK}l%~?A>WD%ZA?z%MlqJt`>VX5@)H1
z!7HyqNYv9`ar%FJt(oygzb#i?v6!>O3~ovJ!rU0rt}UK<4SX_2EV+-M-5T?`R;zF;
zf%Rz-lx7p9Im6jDS_$cvd%E9)B|X*$lYU(X;gBTDfYkrQhkS$fiJLcaZ>^bhCs~f8A!l{Z
zuW^Ys#(npHA@{!@b2{AU2JK{QoY~0LnO;M-ouIhX=O+~J7#&u31sxZOw*A1zaZ0&<
z!cgAD6PnI12;=oEj`^eP8&jgC>1g>V`Xbif=r#bn?IG7V7~)l15)=2spQ@Lv)ECHB
z8CTupo1J{a91rIv-k*7{%jrZrHk{j(!VmpFUQHFPu;Ky&gAEGk~2R{oHX9AXKJb659UGuC3#@2fn~o~ZsY!l9J+-&%m4
z?21$j4QNZdOG>tNMd^XwjX3|94j|N@qbV1|EmretKag~aQek_0P|l)M1{qvRm45#|
zI#JN{f;RN9S2CwgA(54MTJXacZV
z%%Z1M>ne8PH==k0+GTXOc^b`8<$-1TK*i6U=H-QQbwLxzvS2wjxOB4y&olaNWy8{t
z4e1{&?YG+3|5802LFvtp1XSg#G&D7bIqk&TU9aC+rXn*_(;2lYy+J#szj{BE_{5<@
z%)HV9MT}U9Dh^KSe%N&kCsUR2Z;ATWMr9o8ql*)AxWyTw0Mv9fe$uB&iiSo6ZW66d
zWffOdMb%apl&BS|;e9ik8>zd$d8p=tr&2JTtp{(Pz5P>m{FY}(CJoDuz^WGbqx!=p
ztN9DROmRiVJ^#rL*Nv&#$nL~Z-?tajX9?E_L6uC2OED!ML4s
z*sEx$Da@QxFjLFWSXmseF6>(}o~^q@UnJn{Xhb7S9yz6Gg3fVYAyncCD`cp8VcIVNAIwY-aMD+t*mkGtZ
z;Ts|XQ5;6*!mkxuv1XnT#R0bRPtzh1DP6xK(N82My
z^`&-y2|S*Lbk5G7+1)+~q&B#T@@%tiLA^O#vAO)p^3uXTbj9aLyF1csn}f0p(cImV
z7Mt9sa%@VN0Ye1%zwKnGfk{CNiP9;;2#jdtLZH0vf{@ysqLz^`qw(TOo-mOQK#D?|
zSSWR(LX8+5o&`{zWqC>Is8q~fmB>9RVmBg$XG8m|o{(A@Aae8Tg5U3U9mL%g)}
z%7BDI&Mv>AJqirv)Q5@YzWythTi-P~yrVT;vujxwEmo%KHIhY(q8_p#$SBt15@E8#E}2iKk7PfyX-_X3kCT7OGSuqdC(
z#Bkd5z7KbPiIBn^NlmEer(R9R$YB-!F+n|RC&lR)iVTvI>myc^{hF+wIx`KehOGkA
z{IW+!a^G*VUxNn<%u@sAE~;u;5>`2{W4sGUx+@2jZ9c5nO%A_@Rb|`~P{R5L2O{A-
z(f#JL&wEY&%nGCTmP?jxykqfidWF1He?>@T=*K_ZTUlzZJzi)YEu|qHwj#reDu604
zH&P0<;&IDJ>KE;(!PapkbGdm3>JiDoQ>o8Bi%%T(9l3xSzon^K
zn=M5#*I7(wW}RO2?lAwh-UMW6AzZ9OM$*gGQjiUR=)C2~)8~HztjQuyu2@T~*+er5
zQ@JzC;V6NMcy&N@nFI|@*C?c1?Y;dRaaZYHvP4>Y?f)){znKXWcvfKa2IMV
z@@lc$3o!OwdEWmD#Zzf6@B!hqA_^ZRUsv8AyoYBW5Wn658R_hN)mEL3nFk!594Duq
z3%cKJNw3x!VXP+kM|k?H-M7`$%#(&DTSm1fs{fE8UQc8+*x8pU#&LbLQnG<|Y_y0*
z7$tW+gv&RuSc0pAo@&y}UXm!?OH_q~njeOeHyk}}pgd&ZiOuip8!oWM
zE7LxJ$;*qE=UnS7Q0;J{9NbFAU-sJ`xaMde|Z;t71U=2uDr7xIn
zktiMxnoAX58HfNJJl8J!0ZdzQa0s9?gA7?-jW^&w3`wnRskJ68j^RkIBm<{D7i|+)J*_sn7lcbJC5~!6+
zxf^{elJxpo?@Tj=wCl7w3VWE4ts`Q#pg~}rRG1>6n3l%b9BJA@tmDW=kFB9wy>@Y}
zo^?8WI%T@rNEdml3$(@EKR8s;;``#kCefEY{?^Jq0tY=h$=q}9zVq-p%EVAu&yo4>
zishr;Y9d`t^myOObOrQ}Dke~$T^(CPT{}hiL7#&?u+nx+E^_4B$Ej7&^Z>@Ojqs~8
z{K(z&2qRr@7LE}|^$yZkS_WEj?zE6Od+M}YagsDyRVAiKyplidaaPG@ExPst7SvfY
z$M7X-fVXWkO2q#zUfi3c;=O7zAy!nDdB&A#b^9X|xLewVR5H|NfCJn_dFcDA(F#0|
zCYbqVVfji+I7Z!bZNgH37fXo0*4%1V*-?`7OT_T4?XSpm`g=#~D@U{79cA&pr_kx4
zFWtlCa`=yW(80kb%H}iHUyX(+@)$wOez>vJs>7zTZ@F@vofdIUdBq7kg>r_wz8Cr&
z2N*uT`$G-hL7X1zvika))EYrgEPUd4!+aR)+y_Acv|XPjshiWF!K+h){<~uq0mNAz
z4dpNlYQqIO9!CiC>ChCcE6<+eV0H_`-oCn}6o$Y=>ioj5Vx*SVa;Gd0san@EqYP~8
zdxF6yw^qG>|KJo)Zvo1FMdDVDWCl+jlW)J?`R9D}$zgfjvfA1^L*eFH>amww>|Xn_
z@*(9)b7Kt^6UH~_uhxB51FtuStADuN2RMA;`VMW-cz-&PqI@K)o6A))9Cyn;
zLR&E|AA36YoWkmIIH6obbUhls=y
z);JO|{ePsU#88TJ%gq+t;PS1)A%2|Jf3*q+*LnFpE((AD2EmyXmCD|Sj{leXA`V(n0wadN-*?Amyc2;
zj^Z<&maCfg|NO9w%$Ws%M!`)#prNI&50wW}GzUbK!^`Fl=eUw6@;9GsBP;rNrfm*2
zYWjMccq0Ep%XKg}@IoarCQhZmHciMqG)qO4K_@m;aqBK>8lAbM0lyzSFXPb#qZ%Nl
z4uv}i1T!Zfc>ez>ul>IptA}k<%C9gx#=)*YIB6h9z1Pp?dx90d!!&+8yo=!{ZKTCi
z$&8JEE}Xix3s{4_W`BONqHUQ-7DpN
zdILX5n@8NHOCfoQD0a7F-BrF!SvPR?fwkvGny7D~K35UuB;99;TbrG^=lLB;W0R0#
z);ajdzd54N1@AQ1A7FEd=KsE%NpUv!^fGs9Y2!eV%pS&@@>R#cFCyawVc9oX;A$Q!
z$%6K5>ki!yFRRRkjOUdp=SO?E<*mQIr#*iEO0vNHKmqa0D_G-v$7avHV5n7h&
zU&&{*@aGVpv+h`l9}$@CCCBBCW;728bm8oHKE&r3zR_+r=fvha<#D